[Topic 254248]

Kaspersky Secure Mobility Management help

[Topic 180199]

What's new

Version 5.0

In this version, we released the new Kaspersky Mobile Devices Protection and Management plug-in for Web Console of Kaspersky Security Center Linux. The new plug-in lets you manage both Android and iOS devices. We also released the new iOS MDM Server settings plug-in, which lets you configure iOS MDM Server Linux for managing iOS MDM devices.

The new plug-in supports the following features for managing Android devices:

• Create policies depending on the device operating mode:
  • Personal device (basic protection and management of a personal Android device).
  • Device with corporate container (isolated corporate environment on an Android device).
  • Corporate device (an extended set of settings for managing a corporate Android device).
• Features for protecting Android devices:
  • Real-time protection
  • Scan
  • Anti-Theft
  • Database update
  • Web Protection
• Features for security control:
  • Compliance Control
  • App Control
  • Web Control
  • Screen unlock settings
• Device features that you can configure:
  • Root certificates
  • Web Clips
  • Wi-Fi
  • SCEP and NDES
  • Custom wallpapers
• Features for configuring apps:
  • Exchange ActiveSync
  • Google Chrome settings
  • Configure other apps
  • App permission management
• Restrictions:
  • Device feature restrictions (for corporate devices only)
  • Kiosk mode
  • New screen unlock password
• Features that you can configure for Knox:
  • Device feature restrictions
  • VPN
  • Exchange ActiveSync
  • APN settings
  • Firewall
• Configure corporate containers
• Send commands to Android devices:
  • Wipe corporate data
  • Lock device
  • Unlock device
  • Reset to factory settings
  • Synchronize device
  • Locate device
  • Sound alarm
  • Send message
  • Wipe app data
  • Wipe data of all apps
  • Get location history
  • Take photos

The new Kaspersky Mobile Devices Protection and Management and iOS MDM Server settings plug-ins support the following features for managing iOS and iOS MDM devices:

• Create policies depending on the device operating mode:
  • Basic protection (protection against web threats and jailbreak detection on iOS devices).
  • Basic control (basic management of a personal iOS device).
  • Supervised (an extended set of settings for managing an iOS device).
• Features for security control:
  • App Control
  • Compliance Control
  • Web Control
  • Screen unlock settings
• Device features that you can configure:
  • Web Clips
  • Exchange ActiveSync
  • Custom fonts
  • Certificate management
  • Global HTTP proxy
  • Email
  • VPN
  • SCEP
  • Calendar
  • Contacts
  • Wi-Fi
  • LDAP
  • AirPlay
  • AirPrint
  • SSO
  • Calendar subscriptions
  • APN settings
  • Per App VPN for Safari
• Restrictions:
  • Content restrictions
  • App restrictions
  • Device feature restrictions
  • Kiosk mode
• Send commands to iOS MDM devices:
  • Change roaming settings
  • Set Bluetooth state (supervised only)
  • Lock device
  • Reset to factory settings
  • Wipe corporate data
  • Reset unlock password
  • Synchronize device
  • Enable Lost mode (supervised only)
  • Locate device (Lost mode only)
  • Sound alarm (Lost mode only)
  • Disable Lost mode (supervised only)
  • OS update (supervised only)
  • Install app
  • Update app
  • Delete app
  • Install configuration profile
  • Delete configuration profile

[Topic 216448]

Working in Kaspersky Security Center Web Console

This Help section describes protection and management of mobile devices by using Kaspersky Security Center Web Console (hereinafter also referred to as Web Console).

[Topic 274680]

About Kaspersky Secure Mobility Management

Kaspersky Secure Mobility Management is an integrated solution for protecting and managing corporate mobile devices as well as personal mobile devices used by company employees for corporate purposes.

[Topic 214493]

Distribution kit

The Kaspersky Secure Mobility Management distribution kit may include different components, depending on the chosen solution version.

Mobile device management in Kaspersky Security Center Web Console

This component is compatible with Kaspersky Security Center Linux 15.1. For information on the version compatible with Kaspersky Security Center Windows, see the Kaspersky Secure Mobility Management 4.1 Help.

• on_prem_ksm_policies_<version>.zip

  Archive that contains the files required for installation of the Kaspersky Mobile Devices Protection and Management plug-in:

  • plugin.zip

    Archive that contains the Kaspersky Mobile Devices Protection and Management plug-in.

  • signature.txt

    File that contains the signature for the Kaspersky Mobile Devices Protection and Management plug-in.

iOS MDM Server settings plug-in

This component is compatible with Kaspersky Security Center Linux 15.1. For information on the version compatible with Kaspersky Security Center Windows, see the Kaspersky Secure Mobility Management 4.1 Help.

• on_prem_iosmdm_<version>.zip

  Archive that contains the files required for installation of the iOS MDM Server settings plug-in:

  • plugin.zip

    Archive that contains the iOS MDM Server settings plug-in.

  • signature.txt

    File that contains the signature for the iOS MDM Server settings plug-in.

iOS MDM Server

This component is compatible with Kaspersky Security Center Linux 15.1. For information on the version compatible with Kaspersky Security Center Windows, see the Kaspersky Secure Mobility Management 4.1 Help.

• kliosmdm-<architecture>-<version>-<package manager>_<language>.tar.gz

  Archive that contains the files required for installation of iOS MDM Server, depending on the package manager and architecture:

  • kliosmdm.kpd

    iOS MDM Server description file.

  • akinstall.sh

    Script that lets you automate installation of iOS MDM Server.

  • kliosmdm-<version>.<architecture>.rpm or kliosmdm_<version>_<architecture>.deb

    iOS MDM Server installation package.

  • kpd.loc/

    Folder with CFG files specifying paths to End User License Agreements.

  • license/

    Folder with End User License Agreements and Privacy Policy in different languages in TXT format.

Kaspersky Endpoint Security for Android app

• <version>_sc_package.zip

  Archive that contains the files required for installing the Kaspersky Endpoint Security for Android app by creating installation packages:

  • installer.ini

    Configuration file that contains Administration Server connection settings.

  • KES10_<version>.apk

    Android package file of the Kaspersky Endpoint Security for Android app.

  • kesa.kpd

    Application description file.

  • eula/

    Folder with End User License Agreements in different languages in TXT format.

  • kpd.loc/

    INI files specifying paths to End User License Agreements.

File with Corporate App Catalog

Install_<version>.exe—Distribution package of Corporate App Catalog. The package includes the following components:

• Corporate App Catalog
• Corporate App Catalog Management Console
• Apache server

For more information about installing Corporate App Catalog, please refer to the Corporate App Catalog Help.

Documentation

• Help for Kaspersky Secure Mobility Management.

[Topic 214476]

About the Kaspersky Endpoint Security for Android app

The Kaspersky Endpoint Security for Android app ensures the protection of mobile devices against web threats, viruses, and other programs that pose threats.

The Kaspersky Endpoint Security for Android includes the following features:

• Anti-Malware. This component detects and neutralizes threats on the device by using the anti-malware databases and the Kaspersky Security Network cloud service. Anti-Malware includes the following components:
  • Protection. It detects threats in open files, scans new apps, and prevents device infection in real time.
  • Scan. It is started on demand for the entire file system, only for installed apps, or only for a selected file or folder.
  • Update. It lets you download new anti-malware databases for the app.
• Anti-Theft. This component protects the information on the device against unauthorized access in case the device is lost or stolen. This component lets you send the following commands to the device:
  • Locate device. Get the coordinates of the device's location.
  • Sound alarm. Make the device sound a loud alarm.
  • Wipe corporate data. Erase corporate data to protect sensitive company information.
• Web Protection and Web Control. Web Protection blocks malicious websites designed to spread malicious code. Web Protection also blocks fake (phishing) websites designed to steal the user's confidential data (for example, passwords for online banking or e-money systems) and access the user's financial info. Web Protection uses the Kaspersky Security Network cloud service to scan websites before they open. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. Web Control allows website filtering by categories defined in the Kaspersky Security Network cloud service. This lets the administrator restrict user access to certain categories of web pages (for example, Gambling, lotteries, sweepstakes or Internet communication).
• App Control. This component lets you install recommended and required apps to an Android device as well as remove blocked apps that violate corporate security requirements.
• Compliance Control. This component lets you check managed devices for compliance with corporate security requirements and impose restrictions on certain functions of non-compliant devices.

You can configure the components of the Kaspersky Endpoint Security for Android app in Kaspersky Security Center Web Console by defining the corresponding policy settings.

On personal devices and devices with a corporate container running Android 15, users can create their own private space. Kaspersky Endpoint Security for Android cannot scan apps, photos, and other files stored in a private space. Web Protection, Web Control, and App Control do not work for apps installed in a private space. Installation of Kaspersky Endpoint Security for Android in a private space is not supported.

[Topic 234086]

About the Kaspersky Security for iOS app

The Kaspersky Security for iOS app ensures protection of mobile devices against phishing and web threats.

The Kaspersky Security for iOS app offers the following key features:

• Web Protection. This component blocks malicious websites designed to spread malicious code. Web Protection also blocks fake (phishing) websites designed to steal confidential data of the user (for example, passwords for online banking or e-money systems) and access the user's financial info. Web Protection scans websites before you open them, by using the Kaspersky Security Network cloud service. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. You can configure this component in Kaspersky Security Center Web Console by defining the settings of group policies.
• Jailbreak detection. When Kaspersky Security for iOS detects a jailbreak, it displays a critical message and informs you about the issue.

[Topic 274684]

About Kaspersky Mobile Devices Protection and Management

The Kaspersky Mobile Devices Protection and Management plug-in lets you manage mobile devices and mobile apps installed on them in Kaspersky Security Center Web Console. The Kaspersky Mobile Devices Protection and Management plug-in can be used to:

• Create group security policies for mobile devices.
• Remotely configure the settings of the Kaspersky Endpoint Security for Android app on users' mobile devices.
• Receive reports and statistics on the operation of the Kaspersky Endpoint Security for Android mobile app on users' devices.
• Remotely configure iOS devices connected using the iOS MDM protocol (hereinafter referred to as "iOS MDM devices") and iOS devices with the Kaspersky Security for iOS app.
• Remotely configure Aurora devices with the Kaspersky Endpoint Security for Aurora app.

The Kaspersky Mobile Devices Protection and Management plug-in can be installed when configuring Kaspersky Security Center Web Console. For more information about deployment scenarios, see Deploying mobile management plug-ins.

[Topic 102017]

Hardware and software requirements

This section lists the hardware and software requirements for the administrator's computer that is used to deploy apps on mobile devices, as well as the mobile device operating systems supported by Kaspersky Secure Mobility Management.

Hardware and software requirements for the administrator's computer

If you use Kaspersky Security Center Linux, the server host must meet the following requirements:

• Software requirements:
  • Administration Server of Kaspersky Security Center Linux 15.1 or later
  • Web Console of Kaspersky Security Center Linux 15.1 or later
  • Kaspersky Mobile Devices Protection and Management Plug-in 10.53 or later
  • iOS MDM Server for Linux 15.1 or later
  • iOS MDM Server settings Plug-in 15.1 or later
• Hardware requirements:
  • To deploy Kaspersky Secure Mobility Management, the hardware requirements for Kaspersky Security Center must be met.
  • For iOS MDM Server:
    • CPU with an operating frequency of 1 GHz or higher. For a 64-bit operating system, the minimum CPU frequency is 1.4 GHz
    • RAM: 4 GB
    • Available disk space: 4 GB

Compatibility with third-party EMM systems

Kaspersky Endpoint Security for Android can function within third-party EMM systems:

• VMware AirWatch 9.3 or later
• MobileIron 10.0 or later
• IBM MaaS360 10.68 or later
• Microsoft Intune 1908 or later
• SOTI MobiControl 14.1.4 (1693) or later

Hardware and software requirements for Kaspersky Endpoint Security for Android

For Kaspersky Endpoint Security for Android, the mobile device must meet the following requirements:

• Smartphone or tablet with a screen resolution of 320x480 pixels or higher
• 65 MB of free disk space in the main memory of the device
• Android 5 or later (including Android 12L, excluding Go Edition)
• x86, x86-64, Arm5, Arm6, Arm7, or Arm8 processor architecture
• The app can be installed only in the main memory of the device

Hardware and software requirements for Kaspersky Security for iOS

For Kaspersky Security for iOS, the mobile device must meet the following requirements:

• iOS 15 or later / iPadOS 15 or later
• Internet connection

Hardware and software requirements for a device management profile (iOS MDM profile)

For a device management profile (iOS MDM profile), the mobile device must meet the following requirements:

• iOS 10 or later / iPadOS 13 or later
• Internet connection

[Topic 274687]

Known issues and considerations

The following known issues are non-critical for the operation of the solution.

Known issues when connecting mobile devices to Kaspersky Security Center

• When connecting a new Android device to Kaspersky Security Center with Google Play as an app installation source, the mobile certificate will be issued for 365 days regardless of the validity period set in the Issuance rules. When the certificate is renewed, the validity period will be the one specified in the certificate settings.
• You cannot select and send the connection details to more than 75 users within a single session of Mobile device connection wizard.

Known issues when managing mobile devices

• If you edit the Name and Description fields on the General tab of the device properties, the changes will not be displayed in the list of mobile devices connected to Kaspersky Security Center due to technical limitations.

Known issues of Kaspersky Security for iOS

• The Kaspersky Security for iOS app does not operate properly when a VPN client with an active VPN connection is running on the same mobile device.

Known issues when installing apps

• Kaspersky Endpoint Security for Android is installed only in the main memory of the device.
• On devices running Android 7, an error may occur during attempts to disable administrator rights for Kaspersky Endpoint Security for Android in the device settings if Kaspersky Endpoint Security for Android is prohibited from overlaying other windows. This issue is caused by a well-known defect in Android 7.
• Kaspersky Endpoint Security for Android on devices running Android 7.0 or later does not support multi-window mode.
• Kaspersky Endpoint Security for Android does not work on Chromebook devices running the Chrome operating system.
• Kaspersky Endpoint Security for Android does not work on devices running Android (Go edition) operating systems.
• When using the Kaspersky Endpoint Security for Android app with third-party EMM systems (for example, VMWare AirWatch) without connecting to Kaspersky Security Center, only the Anti-Malware and Web Protection components are available. The administrator can configure the settings of Anti-Malware and Web Protection in the EMM system console. In this case, notifications about app operation are available only in the interface of the Kaspersky Endpoint Security for Android app (Reports).
• When installing Kaspersky Endpoint Security for Android on a corporate device using ADB, if you set a screen unlock password on the device after you reset it to factory settings, you must reset the device to factory settings again before installing the app.

Known issues when upgrading the app version

• You can upgrade Kaspersky Endpoint Security for Android only to a more recent version of the app. Kaspersky Endpoint Security for Android cannot be downgraded to an older version.

Known issues affecting Wi-Fi

• On iOS MDM devices, if you disable automatic connection to an existing Wi-Fi network in the policy settings, you will not be able to enable automatic connection to this network again. This is due to an issue known to Apple.

Known issues affecting Anti-Malware

• Due to technical limitations, Kaspersky Endpoint Security for Android cannot scan files with a size of 2 GB or more. During a scan, the app skips such files without notifying you that such files were skipped.
• To further analyze a device for new threats for which information has not yet been added to anti-malware databases, you must enable the use of Kaspersky Security Network. Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to the Kaspersky online knowledge base with information about the reputation of files, web resources, and software. To use KSN, the mobile device must be connected to the internet.
• In some cases, updating anti-malware databases from the Administration Server on a mobile device may fail. In this case, run the anti-malware database update task on the Administration Server.
• On some devices, Kaspersky Endpoint Security for Android does not detect devices connected over USB OTG. It is not possible to run a malware scan on such devices.
• On devices running Android 11 or later, the Kaspersky Endpoint Security for Android app can't scan the "Android/data" and "Android/obb" folders and detect malware in them due to technical limitations.
• On devices running Android 11 or later, the user must grant the "Allow access to manage all files" permission.
• On devices running Android 7 or later, the configuration window for the malware scan run schedule might display incorrectly (management elements are not shown). This issue is caused by a well-known defect in Android 7.
• On devices running Android 7, real-time protection in extended mode does not detect threats in files stored on an external SD card.
• On devices running Android 6, Kaspersky Endpoint Security for Android does not detect the downloading of a malicious file to the device memory. A malicious file may be detected by Anti-Malware when the file is run or during a malware scan of the device. This issue is caused by a well-known defect in Android 6. To ensure device security, it is recommended to configure scheduled malware scans.

Known issues affecting Web Protection and Web Control

• Web Control on Android devices is supported only by Google Chrome, HUAWEI Browser, Samsung Internet, and Yandex Browser.
• The Custom Tabs feature is supported by Google Chrome, HUAWEI Browser, and Samsung Internet.
• Web Control for HUAWEI Browser, Samsung Internet Browser, and Yandex Browser does not block sites on a mobile device if a corporate container is used and Web Protection is enabled only for the corporate container.
• For Web Protection and Web Control to work, you must enable the use of Kaspersky Security Network. Web Control blocks websites based on KSN data on the reputation and category of websites.
• Forbidden websites may remain unblocked by Web Control on devices running Android 6 with Google Chrome version 51 (or any earlier version) installed if the website is opened in the following ways (this issue is caused by a well-known defect in Google Chrome):
  • From search results.
  • From the bookmarks list.
  • From the search history.
  • Using the web address autocomplete function.
  • Opening the website in a new tab in Google Chrome.
• Forbidden websites may remain unblocked in Google Chrome version 50 (or any earlier version) if the website is opened from Google search results while the Merge Tabs and Apps feature is enabled in the browser settings. This issue is caused by a well-known defect in Google Chrome.
• Websites from blocked categories may remain unblocked in Google Chrome if the user opens them from third-party apps, for example, from an IM client app. This issue is related to how the Accessibility service works with the Chrome Custom Tabs feature.
• Forbidden websites may remain unblocked in Samsung Internet if the user opens them in background mode from the context menu or from third-party apps, for example, from an IM client app.
• Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of Web Protection and Web Control.
• On some Xiaomi devices, the "Display pop-up window" and "Display pop-up windows while running in the background" permissions should be granted for Web Protection and Web Control to work.
• Allowed websites may be blocked in Samsung Internet in the Allow only listed websites Web Control mode when the page is refreshed. Websites are blocked if a regular expression contains advanced settings (for example, ^https?://example.com/pictures/). It is recommended to use regular expressions without additional settings (for example, ^https?://example.com).
• If Web Control is set to Prohibit all websites, Kaspersky Endpoint Security for Android does not block search in the Google Search widget. Instead, it blocks user access to the search results.
• In a corporate container, if Web Control is set to Prohibit all websites, Kaspersky Endpoint Security for Android endlessly reloads the Google Chrome home page, blocks the browser, and interferes with the device.
• In Yandex Browser and Samsung Internet, malicious and phishing websites may remain unblocked. This is because only the website domain is scanned, and if it is trusted, Web Protection can skip a threat.
• The list of allowed websites created in the Web Control card does not display in Safari on iOS MDM devices. However, Web Control still works and users can access only allowed websites.
• If the Check full URL when using Custom Tabs option is enabled in the Web Control section of the policy settings, switching to the full version of supported browsers only works for phishing and malicious websites.
• On iOS devices operating in basic protection mode, when you change the language on the device or restart the device, Web Protection is disabled. To enable Web Protection, after you change the language or the device restarts, wait about a minute and then open Kaspersky Security for iOS.

Known issues affecting Anti-Theft

• For timely delivery of commands to Android devices, the app uses the Firebase Cloud Messaging (FCM) service. If FCM is not configured, commands will be delivered to the device only during synchronization with Kaspersky Security Center according to the schedule defined in the policy, for example, every 24 hours.
• To lock a device, Kaspersky Endpoint Security for Android must be set as a device administrator.
• To lock devices running Android 7 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature.
• On some devices, Anti-Theft commands may fail to execute if Battery Saver mode is enabled on the device. This defect has been confirmed on Alcatel 5080X.
• To locate devices running Android 10 or later, the user must grant the "All the time" permission for device location.

Known issues affecting App Control

• Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of App Control. This does not apply to corporate devices.
• For App Control (app categories) to work, you must enable the use of Kaspersky Security Network. App Control determines the category of an app based on data that is available in KSN. To use KSN, the mobile device must be connected to the internet. For App Control, you can add individual apps to the lists of blocked and allowed apps. In this case, KSN is not required.
• When configuring App Control, it is recommended to clear the Block system apps check box. Blocking system apps may lead to problems in the operation of the device.
• On iOS MDM devices, if you specify allowed apps in the list of apps allowed to be installed, all apps except system apps and those added to the list of allowed apps will be hidden on the device screen.
• On some HUAWEI and Honor personal devices, apps from allowed categories may be blocked and apps from forbidden categories may remain unblocked. This is because the category for some apps from the App Gallery cannot be correctly defined.
• On some Samsung and Oppo devices, app icons may remain hidden on the home screen after clearing the Block system apps check box. This is due to limitations of the Android operating system.

Known issues affecting Compliance Control

• The Send a message to the user response does not work in Compliance Control for iOS MDM devices.
• If a non-existent operating system version is specified in the Operating system version criterion, the device will upgrade to the latest downloaded operating system.

Known issues when managing certificates

• When the Integrate issuance of certificates with Microsoft Certification Authority (CA) via PKI option is enabled in the Issuance rules, the settings of mail and VPN certificates may remain inactive for a certain time while waiting for the PKI response.
• You cannot automatically renew a mail or VPN certificate uploaded from a file (with the Integrate issuance of certificates with Microsoft Certification Authority (CA) via PKI option disabled in the PKI settings section of the Issuance rules), since there is no access to the Certificate Authority (CA) of such a certificate. To renew the certificate, you need to upload a new certificate file manually.
• When issuing mail or VPN certificates for Android devices in the Certificate issuance wizard, if the Connect without mobile certificate authentication option is selected as the Connection method and the Domain or internal user credentials option is selected as the Authentication method, an error indicating that the login and password are incorrect occurs when the user attempts to receive the certificate. In this case, choose a different authentication method.
• When installing a custom Administration Server reserve certificate using a file in PEM (X.509) format, the "Failed to save the changes" error may occur. We recommend that you try to upload the certificate file again or use a certificate in PKCS #12 format.

Known issues when configuring the device unlock password strength

• On devices running Android 10 or later, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high.

  If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN), with no repeating or ordered sequences (e.g. 1234), or alphanumeric. The PIN or password must be at least 4 characters long.

  If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN), with no repeating or ordered sequences, or alphanumeric (password). The PIN must be at least 8 digits long. The password must be at least 6 characters long.

• On devices running Android 7.1.1, if the unlock password does not meet the corporate security requirements (Compliance Control), the Settings system app may function improperly when an attempt is made to change the unlock password through Kaspersky Endpoint Security for Android. The issue is caused by a well-known defect in Android 7.1.1. In this case, only use the Settings system app to change the unlock password.
• On some devices running Android 6 or later, if device data is encrypted, an error may occur when the screen unlock password is entered. This issue is related to specific features of the Accessibility service with MIUI firmware.
• On some iOS MDM devices, if the Minimum number of special characters value is specified and the Allow simple password check box is selected, the device displays information about setting a password of 6 or more characters even though it is possible to set a password of 4 or more characters.

Known issues affecting App removal protection

• Kaspersky Endpoint Security for Android must be set as a device administrator.
• To protect the app from removal on devices running Android 7 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature.
• On some Xiaomi and HUAWEI devices, Kaspersky Endpoint Security for Android removal protection does not work. This issue is caused by the specific features of MIUI 7 and 8 firmware on Xiaomi and EMUI firmware on HUAWEI.

Known issues when configuring device restrictions

• On personal devices and devices with a work profile running Android 10 or later, prohibiting the use of Wi-Fi networks is not supported.
• On devices running Android 11 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or later disable this service in the device settings. If this is the case, you will not be able to restrict use of the camera.
• On iOS MDM devices, users may be able to enable Spotlight internet search results in Siri Suggestions even if the Prohibit Spotlight suggestions check box is selected. This is due to an issue known to Apple.
• On Android devices, when use of the camera is prohibited, some apps may close automatically. This issue is due to how services and features such as Android System Intelligence and Screen Attention use the device camera to keep the screen on while the user is looking at it.

Known issues when sending commands to mobile devices

• On devices running Android 12 or later, if the user granted the "Use approximate location" permission, the Kaspersky Endpoint Security for Android app first tries to get the precise device location. If this is not successful, the approximate device location is returned only if it was received within the last 30 minutes. Otherwise, the Locate device command fails.
• The Locate device command does not work on Android devices if Google Location Accuracy is disabled in the settings. Please be aware that not all Android devices come with this location setting.
• If you send the Enable Lost Mode command to a supervised iOS MDM device without a SIM card and the device is restarted, the device won't be able to connect to Wi-Fi and receive the Disable Lost Mode command. This is a specific feature of iOS devices. To avoid this issue, you can either send the command only to devices with a SIM card, or insert a SIM card into the locked device to allow it to receive the Disable Lost Mode command over the mobile network.
• The Reset to factory settings command is unavailable for personal devices and devices with a corporate container running Android 14 or later.

Known issues affecting specific devices

• On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must grant Kaspersky Endpoint Security for Android the autostart permission or manually add it to the list of apps that are started when the operating system starts. If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted. In addition, if the device has been locked, you cannot use a command to unlock the device. You can unlock the device only by using a one-time unlock code.
• On certain devices (for example, Meizu and Asus) running Android 6 or later, after encrypting data and restarting the Android device, you must enter a numeric password to unlock the device. If the user uses a graphic password to unlock the device, you must convert the graphic password to a numeric password. For more details about converting a graphic password into a numeric password, please refer to the Technical Support website of the mobile device manufacturer. This issue is related to the operation of the Accessibility Features service.
• On some HUAWEI devices running Android 5.Х, after Kaspersky Endpoint Security for Android is set as an Accessibility feature, the device may incorrectly display a message about a lack of sufficient rights. To hide this message, enable the app as a protected app in the device settings.
• On some HUAWEI devices running Android 5.X or 6.X, when Battery Saver mode is enabled for Kaspersky Endpoint Security for Android, the user can manually terminate the app. The user device then becomes unprotected. This issue is due to some features of HUAWEI software. To restore device protection, run Kaspersky Endpoint Security for Android manually. It is recommended to disable Battery Saver mode for Kaspersky Endpoint Security for Android in the device settings.
• On HUAWEI devices with EMUI firmware running Android 7, the user can hide the notification regarding the protection status of Kaspersky Endpoint Security for Android. This issue is due to some features of HUAWEI software.
• On some Xiaomi devices, when setting the password length to more than 5 characters in a policy, the user will be prompted to change the screen unlock password instead of the PIN code. You cannot set a PIN code that has more than 5 characters. This issue is due to some features of Xiaomi software.
• On Xiaomi devices with MIUI firmware running Android 6, the Kaspersky Endpoint Security for Android icon may be hidden in the status bar. This issue is due to some features of Xiaomi software. It is recommended to allow the display of notification icons in the Notifications settings.
• On some Nexus devices running Android 6.0.1, the privileges required for proper operation cannot be granted through the Quick Start Wizard of Kaspersky Endpoint Security for Android. This issue is caused by a well-known defect in Security Patch for Android by Google. To ensure proper operation, the required privileges must be manually granted in the device settings.
• On certain Samsung devices running Android 7 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: Kaspersky Endpoint Security for Android removal protection is enabled and screen unlock password strength requirements are set. To unlock the device, you must send a special command to the device.
• On certain Samsung devices, it is impossible to block the use of fingerprints for unlocking the screen.
• Web Protection and Web Control cannot be enabled on some Samsung devices, if the device is connected to a 3G/4G network, has Battery Saver mode enabled and restricts background data. It is recommended to disable the function that restricts background processes in Battery Saver settings.
• On certain Samsung devices, if the unlock password does not comply with corporate security requirements, Kaspersky Endpoint Security for Android does not block the use of fingerprints for unlocking the screen.
• On some Honor and HUAWEI devices, you cannot restrict the use of Bluetooth. When Kaspersky Endpoint Security for Android attempts to restrict the use of Bluetooth, the operating system shows a notification with options to reject or allow this restriction. The user can reject this restriction and continue to use Bluetooth.
• On Blackview devices, the user can clear the memory for the Kaspersky Endpoint Security for Android app. As a result, device protection and management are disabled, all defined settings become ineffective, and the Kaspersky Endpoint Security for Android app is removed from the Accessibility features. This is because this vendor's devices provide elevated privileges to the customized Recent screens app. This app can override Kaspersky Endpoint Security for Android settings and cannot be replaced because it is part of the Android operating system.
• On some Google Pixel devices running Android 11 or earlier, the Kaspersky Endpoint Security for Android app crashes immediately after starting. This is caused by an issue in Android.
• On HUAWEI P60 Pro, a corporate container cannot be created.

Known issues affecting the app on Android 13

• On Android 13, the user can use the Foreground Services Task Manager to stop Kaspersky Endpoint Security from running in the background. This is caused by a well-known issue in Android 13.
• On Android 13, the permission to send notifications is requested when the initial app configuration begins. This is due to specifics of the Android 13 operating system.

Known issues affecting policy profiles

• If you switch to a license with basic functionality, settings that are available only with a license with extended functionality do not reset to defaults in policy profiles.

Known issues in role-based access control

• If the License key management right is not granted, when opening an existing policy, an error may occur. This does not affect the operation of the policy.
• If the License key management right is not granted, you can create a policy without choosing the license in the Mobile policy wizard. However, in this case, you cannot configure the policy settings.

[Topic 274688]

Getting started

This section is intended for specialists who install the Kaspersky Secure Mobility Management solution, as well as for specialists who provide technical support to organizations that use Kaspersky Secure Mobility Management.

[Topic 274689]

Solution architecture

Kaspersky Secure Mobility Management includes the following components:

• Kaspersky Endpoint Security for Android mobile app

  The Kaspersky Endpoint Security for Android app protects mobile devices against web threats, viruses, and other apps that pose threats.

• Kaspersky Security for iOS mobile app

  The Kaspersky Security for iOS app protects mobile devices against phishing and web threats and lets you detect jailbreaking on devices.

• Kaspersky Mobile Devices Protection and Management plug-in

  The Kaspersky Mobile Devices Protection and Management plug-in lets you manage devices running Android and iOS in Kaspersky Security Center Web Console.

• iOS MDM Server

  iOS MDM Server lets you connect iOS devices to the Administration Server and manage iOS devices.

• iOS MDM Server settings plug-in

  The iOS MDM Server settings plug-in lets you configure iOS MDM Server settings.

[Topic 283465]

Deployment scenarios

The deployment of Kaspersky Secure Mobility Management in Kaspersky Security Center Web Console consists of the following steps:

1. Deploying Kaspersky Security Center Linux and Kaspersky Security Center Web Console
2. Deploying mobile management plug-ins
3. Configuring Administration Server settings for connecting mobile devices
4. Deploying an iOS device management system
5. Deploying an Android device management system
6. Managing mobile devices in Kaspersky Security Center Web Console

[Topic 283464]

Deploying a mobile device management solution in Kaspersky Security Center Web Console

To connect and manage mobile devices using Kaspersky Security Center Web Console, you must deploy a mobile device management solution. This section describes the recommended actions when getting started with Kaspersky Secure Mobility Management.

[Topic 274852]

Deploying Kaspersky Security Center Linux and Kaspersky Security Center Web Console

Select a Linux device that you intend to use as the administrator's workstation, ensure that the device meets the software and hardware requirements, and then install Kaspersky Security Center and Kaspersky Security Center Web Console on the device.

For instructions on installing Kaspersky Security Center Linux, refer to the Kaspersky Security Center Help.

For instructions on installing Kaspersky Security Center Web Console, refer to the Kaspersky Security Center Help.

[Topic 274715]

Deploying mobile management plug-ins

To use the Kaspersky Secure Mobility Management solution and connect mobile devices, you must add and install the following mobile management plug-ins:

• Kaspersky Mobile Devices Protection and Management
  • on_prem_ksm_policies_<version>.zip

    Archive that contains the files required for the installation of the Kaspersky Mobile Devices Protection and Management plug-in:

    • plugin.zip

      Archive that contains the Kaspersky Mobile Devices Protection and Management plug-in.

    • signature.txt

      File that contains the signature for the Kaspersky Mobile Devices Protection and Management plug-in.

• iOS MDM Server settings
  • on_prem_iosmdm_<version>.zip

    Archive that contains the files required for the installation of the iOS MDM Server settings plug-in:

    • plugin.zip

      Archive that contains the iOS MDM Server settings plug-in.

    • signature.txt

      File that contains the signature for the iOS MDM Server settings plug-in.

To install a management plug-in:

1. In the main window of Kaspersky Security Center Web Console, select Settings > Web plug-ins.
2. In the window that opens, click Add.

   The list of available plug-ins is displayed.

3. In the list of available plug-ins, select the plug-in you want to install by clicking on its name.

   A plug-in description page is displayed.

4. On the plug-in description page, click Install plug-in.
5. When the installation is complete, click OK.

The management plug-in is downloaded with the default configuration and displayed in the list of management plug-ins.

You can add plug-ins and update downloaded plug-ins from a file. You can download management plug-ins and web management plug-ins from the Kaspersky Customer Service webpage.

To load or update a plug-in from a file:

1. In the main window of Kaspersky Security Center Web Console, select Settings > Web plug-ins.
2. In the window that opens:
   • Click Add from file to load a plug-in from a file.
   • Click Update from file to load an update of a plug-in from a file.
3. Specify the file and signature of the file.
4. Load the specified files.

The management plug-in is loaded from the file and displayed in the list of management plug-ins.

Updates functionality (including providing anti-malware signature updates and codebase updates), as well as KSN functionality may not be available in the software in the U.S.

[Topic 274722]

Configuring Administration Server settings for connecting mobile devices

Before connecting mobile devices to Kaspersky Security Center Web Console, you must define the connection settings in the Administration Server properties.

To configure Administration Server settings for connecting mobile devices:

1. In the main window of Kaspersky Security Center Web Console, click the settings icon () next to the name of the Administration Server.
2. In the Administration Server properties window that opens, configure the Administration Server port that will be used by mobile devices:
   1. In the General tab, select the Additional ports section.
   2. Enable the Open port for mobile devices toggle button.

      If this option is enabled, the port for mobile devices will be open on the Administration Server.

   3. In the Port for mobile device synchronization field, specify the port through which mobile devices will connect to the Administration Server.

      Port 13292 is used by default.

      If the Open port for mobile devices toggle button is off or an incorrect connection port is specified, mobile devices will not be able to connect to the Administration Server.

3. If necessary, edit the certificate that will be used by mobile devices to connect to the Administration Server.

   By default, Administration Server uses the certificate created after the port for mobile devices is opened. You can reissue or replace the certificate issued through the Administration Server with another certificate.

   To edit the certificate:

   1. In the General tab, select the Certificates section.
   2. Define the required settings.

      For more details on working with certificates in Kaspersky Security Center Linux, refer to the Kaspersky Security Center Help.

4. Click Save to save the changes you have made and exit the Administration Server properties window.

The mobile device connection settings are configured.

[Topic 274849]

Scenario: Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Web Console

This scenario describes how to configure a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server.

Requirements

For a connection gateway to work correctly with mobile devices, the following requirements must be met:

• Port 13292 must be open on the host with the connection gateway.
• Port 13000 must be open between the connection gateway and Kaspersky Security Center. It does not need to be open outside the DMZ.
• The host must have a static address accessible from the internet.

Stages

The configuration proceeds in the following steps:

1. Installing Network Agent in the connection gateway role on a host

   First, you need to install Network Agent on the selected host device acting in the gateway connection role.

   For information about generating a Network Agent installation package, refer to the Kaspersky Security Center Help.

   You can install Network Agent in interactive mode by specifying installation parameters step by step. Alternatively, you can use an answer file—a text file that contains a custom set of installation parameters: variables and their respective values. Using this answer file allows you to run an installation in silent mode, that is, without user participation. For information on installing Network Agent in silent mode, refer to the Kaspersky Security Center Help.

2. Configuring the connection gateway on Kaspersky Security Center Administration Server

   Once you have installed Network Agent in the connection gateway role, you must connect it to Administration Server. Administration Server does not yet list the device with the connection gateway among the managed devices because the connection gateway has not tried to connect to Administration Server.

   You must create a new group under the Managed Devices group and add the device acting as a connection gateway to the group that you have created. For information on manually adding devices to groups in Kaspersky Security Center Web Console, refer to the Kaspersky Security Center Help.

   After that, assign the device as a distribution point and configure the distribution point to act as a connection gateway in the Connection gateway section of the distribution point properties. Then enable the Open port for mobile devices (SSL authentication of the Administration Server only) and Open port for mobile devices (two-way SSL authentication) options and specify ports and DNS domain names of the distribution point to connect mobile devices.

Results

The connection gateway will be configured. You will be able to add new mobile devices by specifying the connection gateway address.

[Topic 274695]

Adding installation packages to Administration Server repository

For further deployment of mobile management systems, you need to add the following installation packages to the Administration Server repository:

• Network Agent Linux installation package (for later installation of Network Agent on a workstation).
• iOS MDM Server installation package (for later installation of iOS MDM Server to connect and manage iOS devices).
• Kaspersky Endpoint Security for Android installation package (for later installation of Kaspersky Endpoint Security for Android on devices).

For instructions on adding installation packages to the Administration Server repository, refer to the Kaspersky Security Center Help.

[Topic 274850]

Adding a license key to the Administration Server repository

To connect mobile devices to Kaspersky Security Center Web Console and manage them, you must add a license key that supports the Mobile Device Management solution to the Administration Server repository.

The license under which the solution is used determines a scope of basic or advanced settings you can configure. With a license that does not provide the extended Kaspersky Secure Mobility Management functionality, only basic device protection settings are available in the Kaspersky Mobile Devices Protection and Management plug-in. For detailed information on licenses, refer to the About the license section.

To add a license key to the Administration Server repository:

• In the main window of Kaspersky Security Center Web Console, click the settings icon () next to the name of the Administration Server.

  In the Administration Server properties window that opens:

  1. In the General tab, select the License keys section.
  2. In the Current license block of settings, click Select and specify the KEY file you want to add.

     The license you choose must support the Mobile Management solution.

  3. Click Save.

The license key is added to the Administration Server repository.

To view the list of the license keys added to the Administration Server repository:

In the main window of Kaspersky Security Center Web Console, select Operations > Kaspersky licenses.

The displayed list contains the key files and activation codes added to the Administration Server repository.

To view the detailed information about a license key:

1. In the main window of Kaspersky Security Center Web Console, select Operations > Kaspersky licenses.
2. Click the name of the required license key.

   In the license key properties window that opens, on the General tab, you can view the detailed information about the selected license key.

[Topic 274820]

Installing Network Agent Linux

Network Agent Linux is a Kaspersky Security Center component that enables interaction between the Administration Server and Kaspersky applications that are installed on a workstation or server.

To deploy an iOS device management system, you must install Network Agent on a workstation on which iOS MDM Server will later be deployed. After Network Agent is installed, you will be able to configure and install iOS MDM Server on it to subsequently connect and manage iOS devices.

For the instructions on installing Network Agent Linux, refer to the Kaspersky Security Center Help.

[Topic 274848]

Configuring Kaspersky Security Center Linux Web Server settings

Kaspersky Security Center Linux Web Server (Web Server) is a component of Kaspersky Security Center Linux installed together with the Administration Server. Web Server is designed for network transmission of stand-alone installation packages, device management profiles, and files from a shared folder.

Installation packages that have been created are published on Web Server automatically and then removed after the first download. The administrator can send a new link to the user in any convenient way, such as by email.

For detailed information, refer to the Kaspersky Security Center Help.

To connect mobile devices, make sure the Web Server FQDN is specified correctly in the Administration Server properties:

1. In the main window of Kaspersky Security Center Web Console, click the settings icon () next to the name of the Administration Server.
2. In the Administration Server properties window that opens, on the General tab, select the Web Server section.
3. In the Web Server FQDN field, check if the specified FQDN (a fully qualified domain name) is publicly resolvable by DNS servers.

[Topic 284061]

Deploying an iOS device management system

Kaspersky Secure Mobility Management lets you manage mobile devices running iOS. This section describes the deployment of an iOS device management system.

[Topic 274858]

About iOS device operating modes

The device operating mode depends on the owner of the mobile device (personal or corporate) and corporate security requirements. You can choose the operating mode that is most suitable for your company and use several modes at the same time.

The following device operating modes are available for iOS devices:

• Basic protection
• Basic control
• Supervised

Basic protection

Basic protection is the device operating mode for personal or corporate iOS devices. This operating mode lets you protect against web threats and detect jailbreaking on devices using the Kaspersky Security for iOS app.

Basic control

Basic control is the device operating mode for personal iOS devices. This operating mode lets you protect and perform basic management of devices.

The user is allowed to use a personal Apple ID, work with any apps, and store personal data on the device. You can configure policy settings to control user's access to corporate resources and manage other security requirements.

To manage iOS devices in the basic control operating mode, you must have an installed and configured iOS MDM Server.

Supervised

Supervised is the device operating mode for corporate iOS devices. This operating mode provides a wider range of settings to define through the policy than devices in other operating modes, for example:

• Send additional commands to manage Bluetooth settings, update operating system, locate device or sound alarm in Lost Mode.
• Manage advanced restrictions:
  • Network restrictions (prohibit modifying Personal Hotspot settings, prohibit creating VPN configurations, force Wi-Fi on and allow connection to specified Wi-Fi networks on, prohibit modifying Bluetooth settings).
  • App restrictions (for example, prohibit installation of apps from Apple Configurator and iTunes).
  • Prohibit access to USB devices in Files and disable access to USB devices when the device is locked.
• Configure advanced App Control settings (for example, create custom lists of allowed and forbidden apps).
• Configure Web Control settings.
• Configure an HTTP proxy server to monitor internet traffic on a device within the corporate network.

To manage iOS devices in the supervised operating mode, you must have an installed and configured iOS MDM Server and devices switched to the supervised status in Apple Configurator. For detailed information on working with Apple Configurator, refer to the Apple Technical Support website.

[Topic 284150]

About device management profiles

A device management profile is a profile that contains the settings for connecting mobile devices running iOS to Kaspersky Security Center. After installation of device management profile and device synchronization with iOS MDM Server, the device becomes a managed device (iOS MDM device). iOS MDM devices are managed through the Apple Push Notification service (APNs).

Using a device management profile, you can do the following:

• Remotely configure the settings of iOS devices using policies.
• Send commands to iOS MDM devices.
• Remotely install Kaspersky apps and third-party apps.

The deployment of a device management profile is carried out via Kaspersky Security Center Web Console using the Mobile device connection wizard. The user installs the device management profile after receiving an email with the details for connecting the mobile device to Kaspersky Security Center. No additional preparations for the profile are required.

Before installing a device management profile, you must deploy an iOS device management system.

[Topic 284062]

Deploying Kaspersky Security for iOS

This section contains a general overview of the Kaspersky Security for iOS app and the activation process.

For detailed information on Kaspersky Security for iOS features and how to install, update, or remove the app, refer to the Using the Kaspersky Security for iOS app section.

[Topic 274855]

About Kaspersky Security for iOS

The Kaspersky Security for iOS app ensures protection of mobile devices against phishing and web threats.

The Kaspersky Security for iOS app offers the following key features:

• Web Protection. This component blocks malicious websites designed to spread malicious code. Web Protection also blocks fake (phishing) websites designed to steal the user's confidential data (for example, passwords for online banking or e-money systems) and access the user's financial info. Web Protection uses the Kaspersky Security Network cloud service to scan websites before they are opened. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. You can configure this component in Kaspersky Security Center Web Console by defining the corresponding policy settings.
• Jailbreak detection. When Kaspersky Security for iOS detects a jailbreak, it displays a critical message and informs you about the issue.

[Topic 284115]

Activating Kaspersky Security for iOS

In Kaspersky Security Center, the license can cover various groups of features. To ensure that the Kaspersky Security for iOS app is fully functional, the Kaspersky Security Center license purchased by the organization must support the Mobile Device Management functionality.

For detailed information about licensing options, refer to the About the license section.

The Kaspersky Security for iOS app is activated on a mobile device by providing valid license information to the app. License information is delivered to the device together with the policy settings as soon as the device is synchronized with Kaspersky Security Center.

If activation of the mobile app is not completed within 30 days from the time of installation on the mobile device, the app is automatically switched to limited functionality mode. In this mode, most of the app components are not operational. When switched to limited functionality mode, the app stops performing automatic synchronization with Kaspersky Security Center. Accordingly, if activation of the app has not been completed within 30 days after the installation, the user must synchronize the device with Kaspersky Security Center manually.

If Kaspersky Security Center is not deployed in your organization or is not accessible to mobile devices, users can activate the mobile app on their devices manually.

To activate the mobile app:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Click the License button.
4. In the window that opens, use the drop-down list to select the required license key from the key storage of the Administration Server.

   The details of the license key are displayed in the fields below.

   If a key file is selected from the Kaspersky Security Center key storage and sent to the device, Kaspersky Security for iOS will be not able to process it, because Kaspersky Security for iOS does not support this activation method. To activate Kaspersky Security for iOS, you must add an activation code to Kaspersky Security Center.

   You can replace the existing activation key on the mobile device if it is different from the one selected in the drop-down list above. To do so, select the Replace with selected key if the key on devices is different check box.

5. Click Save to save the changes you have made.

The app is activated after the next device synchronization with the Administration Server.

The user can also contact the administrator for an activation code and enter it manually.

[Topic 274697]

Deploying a management system using the iOS MDM protocol

iOS devices with basic control and supervised operating modes are managed using the iOS MDM protocol. To deploy a mobile management system using the iOS MDM protocol and connect iOS devices to Kaspersky Security Center, follow these steps:

1. Deploy iOS MDM Server
2. Receive an APNs certificate
3. Install the APNs certificate on iOS MDM Server
4. Connect iOS devices to Kaspersky Security Center

[Topic 274696]

Deploying iOS MDM Server

iOS MDM Server is a component of Kaspersky Secure Mobility Management which allows iOS MDM devices to connect to Kaspersky Security Center and facilitates management of these devices through Apple Push Notifications (APNs) by installing dedicated device management profiles on them.

iOS MDM Server receives inbound connections from mobile devices through its TLS port (by default, port 443), which is managed by Kaspersky Security Center using Network Agent. Network Agent is installed locally on a device with an iOS MDM Server deployed.

The number of copies of iOS MDM Server to be installed can be selected either based on available hardware or on the total number of mobile devices covered.

Please keep in mind that the recommended maximum number of mobile devices to be managed through iOS MDM Server is 50,000. In order to reduce the load, the entire pool of devices can be distributed among several servers that have iOS MDM Server installed.

[Topic 274868]

Configuring an iOS MDM Server installation package

Before you install iOS MDM Server, you need to configure the iOS MDM Server installation package properties.

The iOS MDM Server installation package is an archive that contains the files required for the installation of the iOS MDM Server depending on the package manager and architecture: kliosmdm-<architecture>-<version>-<package manager>_<language>.tar.gz

To configure an iOS MDM Server installation package:

1. In the main window of Kaspersky Security Center We Console, select Operations > Repositories > Installation packages.
2. In the window that opens, click the iOS MDM Server installation package you want to configure.

   The installation package properties window opens.

3. In the Settings tab, specify the iOS MDM Server properties.
   1. In the Connection settings group of settings, configure the following properties:

      It is recommended to use the default values.

      • iOS MDM external connection port. In this field, specify an external port for connecting mobile devices to the iOS MDM service.

        External port 5223 is used by mobile devices for communication with the APNs server. Make sure that port 5223 is open in the Firewall for connecting with the address range 17.0.0.0/8.

        Port 443 is used for connecting to iOS MDM Server by default. If port 443 is already in use by another service or application, it can be replaced with, for example, port 9443.

        Port 2197 is used by iOS MDM Server to send notifications to the APNs server. APNs servers run in load-balancing mode. Mobile devices do not always connect to the same IP addresses to receive notifications. The 17.0.0.0/8 address range is reserved for Apple, and it is therefore recommended to specify this entire range as an allowed range in Firewall settings.

      • Network Agent connection port. In this field, specify a port for connecting the iOS MDM service to Network Agent. The default port number is 9799.
      • iOS MDM local connection port. In this field, specify a local port for connecting Network Agent to the iOS MDM service. The default port number is 9899.
   2. In the iOS MDM Server address group of settings, specify the address of the workstation on which iOS MDM Server is to be installed. This address will be used for connecting managed mobile devices to the iOS MDM service. The workstation must be available for connection of iOS MDM devices.

      Choose one of the following options:

      • Use FQDN device name. The fully qualified domain name (FQDN) of the device will be used.
      • Use specified address. Specify the specific address of the device manually.

        Do not add the URL scheme and the port number in the address string. These values will be added automatically.

4. Click Save.

The iOS MDM Server installation package properties are configured. Now you can install iOS MDM Server with the specified settings.

[Topic 274867]

Installing iOS MDM Server using a remote installation task

Kaspersky Security Center Web Console lets you install iOS MDM Server remotely using a remote installation task. This task is created and assigned to up to 1000 devices through a corresponding wizard. The wizard will help install iOS MDM Server in an administration group, on devices with specific IP addresses, or on a selection of managed devices.

Please note that you will not be able to specify the iOS MDM Server settings during the installation. The settings are configured in the iOS MDM Server installation package properties.

Before installing iOS MDM Server on a device, make sure the Kaspersky Mobile Devices Protection and Management and iOS MDM Server settings plug-ins are installed.

To install iOS MDM Server using a remote installation task:

1. Install Network Agent on a workstation on which iOS MDM Server will be deployed.
2. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers.
3. Click Install.

   The New task wizard starts. Proceed through the wizard using the Next button.

4. In the New task settings window that opens:
   1. In the Task name field, specify a custom name for the task, if necessary (The default name is "Install iOS MDM Server").
   2. In the Devices to which the task will be assigned group of settings, choose Specify device addresses manually or import addresses from a list. You can specify DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.
5. At the Task scope step:
   1. Click Add devices.
   2. In the window that opens, in the drop-down list, choose the Select networked devices detected by Administration Server option.
   3. Select devices or a device selection.
   4. Click Add.

   After you add the devices, they are displayed in the table.

6. At the Installation packages step, specify the following settings:
   1. In the Select installation package field, select the configured iOS MDM Server installation package.
   2. In the Select Network Agent field, select the installed Network Agent.
   3. In the Force installation package download group of settings, select the Using Network Agent check box to distribute the files that are required for iOS MDM Server installation via Network Agent.
   4. In the Maximum number of concurrent downloads field, specify the maximum allowed number of devices to which Administration Server can simultaneously transmit the files.
   5. In the Maximum number of installation attempts field, specify the maximum number of times the installer will be allowed to run.
   6. Specify the additional settings:
      • Click the Do not re-install application if it is already installed check box. The application will not be re-installed if it has already been installed on the device.
      • Click the Verify operating system type before downloading check box. Before transmitting the files to devices, Kaspersky Security Center checks if the installation utility settings are applicable to the operating system of the device. If the settings are not applicable, Kaspersky Security Center does not transmit the files and does not attempt to install the application. For example, to install some application to devices of an administration group that includes devices running various operating systems, you can assign the installation task to the administration group, and then enable this option to skip devices that run an operating system other than the required one.
7. At the next step of the wizard, you will be prompted to select the action that will be performed if installation process prompts to restart the operating system. Select the Do not restart the device option or skip this step, as it does not apply to Linux operating system.
8. At the Select accounts to access devices step, choose the No account required (Network Agent installed) option. If this option is selected, you do not have to specify the account under which the application installer will be run. The task will run under the account under which the Administration Server service is running. If Network Agent has not been installed on devices, this option is unavailable.
9. At the Finish task creation step, click the Finish button to create the task and close the wizard.

iOS MDM Server is installed using a remote installation task.

[Topic 274870]

Local installation of iOS MDM Server on a device via an installation package

Kaspersky Security Center Web Console lets you install iOS MDM Server on a local device using an installation package, that is, without interactively inputting the installation settings.

Before installing iOS MDM Server on a device, make sure the Kaspersky Mobile Devices Protection and Management and iOS MDM Server settings plug-ins are installed.

To install and configure iOS MDM Server on a local device manually:

1. Install iOS MDM Server:
   1. Read the End User License Agreement. Use the command below only if you understand and accept the terms of the End User License Agreement.
   2. Depending on your operating system, run one of the following commands to launch the installation file:
      1. For Debian:

         apt install /<path>/kliosmdm_<version_number>_amd64.deb

      2. For Red Hat Enterprise Linux:

         yum install /<path>/kliosmdm_<version_number>.x86_64.rpm -y

         iOS MDM Server is installed. The installer offers to start the setup procedure by executing the postinstall.pl script.

2. Configure iOS MDM Server using one of the methods:
   1. Configuration with the postinstall settings specified by the interactive step-by-step wizard:
      1. Run the following command:

         /opt/kaspersky/iosmdm/lib/bin/setup/postinstall.pl

   2. Configuration with the key arguments specified as postinstall settings:
      1. Run the following command:

         opt/kaspersky/bin/postinstall.pl -- <params>

         where <params> is one of the settings specified in the iOS MDM Server installation settings table below.

The names and possible values for the settings that can be configured when installing iOS MDM Server are listed in the table. You can specify these settings in any convenient order.

iOS MDM Server installation settings

To install and configure iOS MDM Server in silent mode automatically using an answer file:

An answer file is a text file that contains a custom set of installation settings (variables and their corresponding values).

1. Create an answer file (in TXT format) in the directory where the installation will be performed: /tmp/answers.txt.
2. Specify the required values in the answer file:
   • EULA_ACCEPTED=1

     Acceptance of the terms of the End User License Agreement.

   • KLIOSMDM_AUTOINSTALL=1

     Using a TXT answer file with iOS MDM Server installation settings.

   • EXTERNALSERVERPORT=443

     Port for connecting a device to iOS MDM Server.

   • CONNECTORPORT=9799

     Local port for connecting the iOS MDM service to Network Agent.

   • LOCALSERVERPORT=9899

     Local port for connecting Network Agent to the iOS MDM service.

   • EXTERNAL_SERVER_URL=example.fqdn.com

     External address of the device on which iOS MDM Server is to be installed.

3. Set the value of the KLAUTOANSWERS environment variable by entering the full name of the answer file (including the path), for example: export KLAUTOANSWERS=/tmp/answers.txt.
4. Launch the iOS MDM Server installation.

iOS MDM Server is installed and configured in silent mode automatically using an answer file.

[Topic 287006]

Updating iOS MDM Server using a remote installation task or locally

Kaspersky Security Center Web Console lets you update iOS MDM Server using a remote installation task or locally on a device.

Please note that you will not be able to specify the iOS MDM Server settings during the update. The settings are configured in the iOS MDM Server installation package properties.

To update iOS MDM Server using a remote installation task:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers.
2. Click Update.

   The New task wizard starts. Proceed through the wizard using the Next button.

3. In the New task settings window that opens:
   1. In the Task name field, specify a custom name for the task, if necessary (The default name is Update iOS MDM Server).
   2. In the Devices to which the task will be assigned group of settings, the device on which iOS MDM Server is installed will be displayed.
4. At the Installation packages step, specify the following settings:
   1. In the Select installation package field, select the configured iOS MDM Server installation package.
   2. In the Force installation package download group of settings, select the Using Network Agent check box to distribute the files that are required to update iOS MDM Server via Network Agent.
   3. In the Maximum number of concurrent downloads field, specify the maximum allowed number of client devices to which Administration Server can simultaneously transmit the files.
   4. In the Maximum number of installation attempts field, specify the maximum number of times the installer will be allowed to run.
   5. Specify the additional settings:
      • Click the Do not re-install application if it is already installed check box. The application will not be re-installed if it has already been installed on this device.
      • Click the Verify operating system type before downloading check box. Before transmitting the files to devices, Kaspersky Security Center checks if the installation utility settings are applicable to the operating system of the device. If the settings are not applicable, Kaspersky Security Center does not transmit the files and does not attempt to install the application. For example, to install some application on devices of an administration group that includes devices running various operating systems, you can assign the installation task to the administration group, and then enable this option to skip devices that run an operating system other than the required one.
5. At the next step of the wizard, you will be asked to select the action that will be performed if the application installation prompts you to restart the operating system. Select the Do not restart the device option or skip this step, as it does not apply to the Linux operating system.
6. At the Select accounts to access devices step, choose the No account required (Network Agent installed) option. If this option is selected, you do not have to specify the account under which the application installer will be run. The task will run under the account under which the Administration Server service is running. If Network Agent has not been installed on devices, this option is unavailable.
7. At the Finish task creation step, click the Finish button to create the task and close the wizard.

iOS MDM Server is updated using the remote installation task.

To update iOS MDM Server locally, follow the steps described for Local installation of iOS MDM Server on a device via installation package using the newer version of the installation package.

[Topic 287071]

Deleting iOS MDM Server using a remote uninstallation task

Kaspersky Security Center Web Console lets you delete iOS MDM Server remotely using a remote uninstallation task.

Before deleting iOS MDM Server, make sure the iOS MDM Server installation package has been created and added to the Administration Server repository (Operations > Repositories > Installation packages).

To delete iOS MDM Server:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers.
2. Select the iOS MDM Server that you want to uninstall, and then click Delete.

   The New task wizard starts. Follow the wizard steps as described in the Kaspersky Security Center Help.

[Topic 274721]

Viewing the list of installed iOS MDM Servers and configuring their settings

Kaspersky Security Center Web Console lets you view the list of installed iOS MDM Servers and access their settings.

To view the installed iOS MDM Servers:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers.
2. In the list of installed iOS MDM Servers that opens:
   1. To install iOS MDM Server, click Install.
   2. To update iOS MDM Server, click Update.
   3. To delete iOS MDM Server, click Delete.
   4. To view or configure the iOS MDM Server settings, do one of the following:
      • Select the check box next to the iOS MDM Server whose settings you want view or configure, and then click Modify settings.

        The Application settings tab of the iOS MDM Server settings window opens.

      • Click the name of the iOS MDM Server whose settings you want view or configure.

        In the iOS MDM Server settings window that opens, navigate to the Application settings tab.

To view or configure the iOS MDM Server settings:

1. Navigate to the Application settings tab of the iOS MDM Server settings window using the instructions above.
   1. In the General section, you can view the general iOS MDM Server properties.
      • Name. The iOS MDM Server custom name.
      • Version. The version of the installed iOS MDM Server.
      • Modified. The date and time of the latest iOS MDM Server update or modification.
      • Host name. The name of the device on which iOS MDM Server is installed.
      • Host path. The path to iOS MDM Server on the device on which it is installed.

        You cannot modify the settings in this section.

   2. In the APNs proxy server section, you can specify the following settings for Apple Push Notification Service (APNs):
      • Address. APNs proxy server address.
      • Port. APNs proxy server port.
      • User name. APNs proxy user name.
      • Password. APNs proxy password.

        If you intend to access APNs from the iOS MDM service through a proxy server, the Use proxy server to connect to APNs option must be enabled.

        For detailed information on APNs proxy server, refer to the Configuring access to Apple Push Notification service section.

   3. In the Certificates section, you can manage the certificates required for the operation of iOS MDM Server.
      • Apple Push Notification service (APNs) certificate. The APNs certificate is signed by Apple and lets you use Apple Push Notification. Through Apple Push Notification, an iOS MDM Server can manage iOS devices. For detailed information on the APNs certificate, refer to the Receiving or renewing an APNs certificate section.
      • iOS MDM Server certificate. The iOS MDM Server certificate is used to establish the connection and verify trust between iOS devices and iOS MDM Server.
      • iOS MDM Server reserve certificate. The iOS MDM Server reserve certificate ensures seamless switching of iOS devices after the main iOS MDM Server certificate expires. For detailed information on the iOS MDM Server reserve certificate, refer to the Configuring a reserve iOS MDM Server certificate section.
      • iOS MDM Server root certificate. The iOS MDM Server root certificate is used to issue client certificates to authenticate on iOS MDM Server.
   4. In the Connection settings section, you can view and configure the settings for mobile device connection to iOS MDM Server.
      • In the Synchronization block of settings, you can enable or disable the synchronization of managed devices with iOS MDM Server and specify the Synchronization period (min).
      • In the Local access point block of settings, you can specify the Network Agent connection port (a port for connecting iOS devices to Network Agent) and iOS MDM local connection port (a local port for connecting Network Agent to the iOS MDM service). For detailed information on these values, refer to the Configuring an iOS MDM Server installation package section.
      • In the External access point block of settings, you can specify the iOS MDM external connection port (external port for connecting mobile devices to the iOS MDM service).
      • In the iOS MDM installation profile block of settings, you can configure the installation profile properties. You can specify Profile name (a mandatory field), Company, and Profile description.

        Please note that the settings in this section are applied to newly connected iOS MDM devices or to previously connected iOS MDM devices when their mobile certificates are renewed.

      • In the Configuration profiles section, you can view and manage configuration profiles, which are used to centrally define the settings of managed iOS devices and restrict the features of these devices. For detailed information on managing configuration profiles, refer to the Adding a configuration profile, Installing a configuration profile on a device, and Removing a configuration profile from a device sections.

[Topic 287007]

Configuring an iOS MDM Server certificate

The iOS MDM server certificate is used to establish a connection and verify trust between the iOS MDM device and iOS MDM Server.

The iOS MDM Server certificate is issued by Kaspersky Security Center automatically upon the initial deployment of iOS MDM Server and installed on a device where iOS MDM Server is deployed. If you want to use a certificate issued by your certification authority, you need to specify a custom certificate file that will be used as an iOS MDM Server certificate.

If you specify a custom iOS MDM Server certificate, the Issue button for the iOS MDM Server reserve certificate will become unavailable. You need to specify the reserve certificate manually by clicking Install.

To specify a custom iOS MDM Server certificate:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
2. In the iOS MDM Server settings window, select Application settings.
3. Select the Certificates tab.
   1. In the iOS MDM Server certificate block of settings, click Install.
   2. In the File Explorer window that opens, specify a certificate file in PEM, PFX, or P12 format, and then click Open.

      Make sure the certificate you install complies with the following security requirements:

      • Common Name (CN) is specified;
      • a correct Subject Alternative Name (SAN) of DNS is specified and matches the iOS MDM Server connection address;
      • a correct certificate publisher is specified;
      • a correct certificate expiration date is specified;
      • the certificate chain is complete;
      • Extended Key Usage (EKU) is XKU_SSL_SERVER (1.3.6.1.5.5.7.3.1 serverAuth);
      • the root certificate is the same as the root certificate of the current certificate;
      • the RSA key size in the certificate chain is at least 2048 bits;
      • the RSA key size of the root certificate is at least 4096 bits;
      • the hash algorithm in the certificate chain is from the SHA-2 family.
   3. In the Installing certificate window that opens, enter the certificate password, and then click Install.
   4. Click Save.

Your custom certificate is specified as the iOS MDM Server certificate. The certificate details are displayed in the iOS MDM Server certificate block of settings.

[Topic 274863]

Configuring a reserve iOS MDM Server certificate

The iOS MDM Server functionality lets you issue a reserve certificate. This certificate is intended for use in device management profiles to ensure seamless switching of managed iOS devices after the iOS MDM Server certificate expires.

If your iOS MDM Server uses a default certificate issued by Kaspersky, you can issue a reserve certificate (or specify your own custom certificate as a reserve one) before the iOS MDM Server certificate expires. By default, the reserve certificate is automatically issued 60 days before the iOS MDM Server certificate expires. The reserve iOS MDM Server certificate becomes the main certificate immediately after the iOS MDM Server certificate expires. The public key is distributed to all managed devices through configuration profiles, so you do not have to transmit it manually.

Please note that the reserve iOS MDM Server certificate is not issued automatically if you use an iOS MDM Server custom certificate. If you use a custom certificate, we recommend that you specify a reserve certificate when installing iOS MDM Server or no later than 30 days before the expiration of the existing iOS MDM Server certificate.

If the certificate expires and no reserve has been specified, the connection between iOS MDM Server and iOS MDM devices will be lost. In this case, to reconnect devices, you must specify a new certificate and reinstall device management profiles on each of the managed devices.

To issue a reserve iOS MDM Server certificate or specify a custom reserve certificate:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
2. In the iOS MDM Server settings window, select Application settings.
3. Select the Certificates tab.
4. In the iOS MDM Server reserve certificate block of settings, do one of the following:
   • If you plan to continue using a self-signed certificate (the one issued by Kaspersky):
     1. Click Issue.

        If you have a custom iOS MDM Server certificate specified, the Issue button for the iOS MDM Server reserve certificate will be unavailable. You need to specify the reserve certificate manually by clicking Install.

     2. In the Apply iOS MDM Server reserve certificate window that opens, select one of the two options for the date when the reserve certificate should be applied:
        • If you want to apply the reserve certificate when the current certificate expires, select the After the current certificate expires option.
        • If you want to apply the reserve certificate before the current certificate expires, select the After specified period (days) option. In the entry field next to this option, specify the duration of the period after which the reserve certificate must replace the current certificate.

        The validity period of the reserve certificate that you specify cannot exceed the validity period of the current iOS MDM Server certificate.

     3. Click OK.

     The self-signed reserve iOS MDM Server certificate is issued and specified as the reserve iOS MDM Server certificate.

     Please note that when you specify the date when the reserve certificate should be applied, the certificate will be issued before you save the changes in the Certificates section. If you want to issue a new reserve certificate, open the iOS MDM Server settings again, remove the previously issued reserve certificate by clicking Delete, and issue a new reserve certificate by following the instructions above.

   • If you plan to use a custom certificate issued by your certification authority:
     1. Click Install.
     2. In the File Explorer window that opens, specify a certificate file in PEM, PFX, or P12 format, and then click Open.

        Make sure the certificate you install complies with the following security requirements:

        • a correct Subject Alternative Name (SAN) of DNS is specified and matches the iOS MDM Server connection address;
        • a correct certificate publisher is specified;
        • a correct certificate expiration date is specified;
        • the certificate chain is complete;
        • Extended Key Usage (EKU) is XKU_SSL_SERVER (1.3.6.1.5.5.7.3.1 serverAuth);
        • the root certificate is the same as the root certificate of the current certificate;
        • the RSA key size in the certificate chain is at least 2048 bits;
        • the RSA key size of the root certificate is at least 4096 bits;
        • the hash algorithm in the certificate chain is from the SHA-2 family.
     3. In the Installing certificate window that opens, enter the certificate password, and then click Install.
     4. Click Save.

     Your custom certificate is specified as the reserve iOS MDM Server certificate.

     Please note that when you specify the date when the reserve certificate should be applied, the certificate will be issued before you save the changes in the Certificates section. If you want to issue a new reserve certificate, open the iOS MDM Server settings again, remove the previously issued reserve certificate by clicking Delete, and issue a new reserve certificate by following the instructions above.

You have a specified reserve iOS MDM Server certificate. The reserve certificate details are displayed in the iOS MDM Server reserve certificate block of settings.

[Topic 274861]

Receiving or renewing an APNs certificate

To ensure proper functioning of the iOS MDM service and timely responses of mobile devices to the administrator's commands, you need to specify an Apple Push Notification service certificate (APNs certificate) in the iOS MDM Server settings.

If you already have an APNs certificate, please consider renewing it instead of receiving a new one. When you replace the existing APNs certificate with a newly created one, Administration Server can no longer manage the previously connected iOS MDM devices.

To issue or renew an APNs certificate:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
2. In the iOS MDM Server settings window, select Application settings.
3. Select the Certificates tab.
4. In the Apple Push Notification service (APNs) certificate block of settings, click Issue or renew.

   The APNs certificate wizard opens. Click Start and then proceed through the wizard using the Back and Next buttons.

   When the Certificate Signing Request (CSR) is created at the first step of the wizard, its private key is stored in the RAM of your device. Accordingly, all the steps of the wizard must be completed without interruption within a single session.

Step 1. Create a Certificate Signing Request (CSR)

To create a CSR:

1. Specify the required information for generating a request file: Common Name (CN), Organization Name (O), Organization Unit Name (OU), City (L), Region (S), Country (C).
2. Click Save.

   After you save the changes, a CSR file will be generated, and the private key of the certificate will be saved in the device memory.

Step 2. Sign the CSR file

At this step, send the CSR file that you received in the previous step of the wizard to Kaspersky for signing:

1. Click Go to Kaspersky CompanyAccount.
2. Send the created CSR file to Kaspersky to be signed.

   Please note that you will be able to sign the CSR file only after you upload a key that lets you use the Mobile Device Management solution.

3. After your request is successfully processed, you will receive a CSR file signed by Kaspersky.
4. Save the received file.

Step 3. Receive the APNs certificate public key

At this step, do one of the following if you want to issue a new certificate or renew an existing one:

To issue a new certificate:

1. Click Go to Apple portal.
2. Log in to the Apple portal with a corporate Apple ID.

   We recommend that you avoid using a personal Apple ID. Create a dedicated Apple ID to make it your corporate ID. After you have created an Apple ID, link it with the organization's mailbox, not a mailbox of an employee.

3. Upload a signed CSR file.

   The file will be used to generate the public key of the APNs certificate.

4. After your CSR is processed by Apple, you will receive the public key of the APNs certificate.

   Save the received file.

To renew a certificate:

1. Click Go to Apple portal.
2. Log in to the Apple portal with a corporate Apple ID.

   We recommend that you avoid using a personal Apple ID. Create a dedicated Apple ID to make it your corporate ID. After you have created an Apple ID, link it with the organization's mailbox, not a mailbox of an employee.

3. Specify the certificate you want to renew.
4. Upload a signed CSR file.

   The file will be used to generate the public key of the APNs certificate.

5. After your CSR is processed by Apple, you will receive the public key of the APNs certificate.

   Save the received file.

Step 4. Specify the APNs certificate public key

At this step, upload the public key file received from Apple in the previous step of the wizard:

1. Click Select.
2. In the File Explorer window that opens, specify a certificate file in PEM, PFX, or P12 format, and then click Open.

Step 5. Specify the APNs certificate private key password

At this step, enter the certificate name and private key password:

1. In the Certificate name field, specify a custom name for the certificate.
2. In the Private key password field, specify the private key password for the certificate.

   This password will be used to install the APNs certificate on iOS MDM Server.

3. In the Confirm password, enter the password again.

Step 6. Complete the CSR

At this step, the APNs certificate is generated and ready to be installed on iOS MDM Server.

1. To complete the CSR, click Download APNs certificate to save the created certificate.
2. Click Done to exit the wizard.

The private and public keys of the certificate are combined, and the APNs certificate is saved in PEM format.

Now you can install the generated APNs certificate on iOS MDM Server.

[Topic 274864]

Installing an APNs certificate on iOS MDM Server

After the APNs certificate is received, you can install it on iOS MDM Server.

To install the APNs certificate on iOS MDM Server:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
2. In the iOS MDM Server settings window, select Application settings.
3. Select the Certificates tab.
4. In the Apple Push Notification service (APNs) certificate block of settings:
   1. Click Install.
   2. In the File Explorer window that opens, specify a certificate file in PEM format, and then click Open.

      Make sure the certificate you install complies with the following security requirements:

      • Common Name (CN) is specified;
      • a correct APNs topic is specified;
      • a correct certificate publisher is specified;
      • a correct certificate expiration date is specified.
   3. In the Installing certificate window that opens, enter the private key password specified when receiving the APNs certificate, and then click Install.

The APNs certificate will be installed on iOS MDM Server. The certificate details will be displayed in the Apple Push Notification service (APNs) certificate block of settings.

[Topic 274865]

Configuring access to Apple Push Notification service

To ensure proper functioning of the iOS MDM service and timely responses from mobile devices to the administrator's commands, you need to specify an Apple Push Notification Service certificate (APNs certificate) in the iOS MDM Server settings.

When interacting with Apple Push Notification service (APNs), the iOS MDM service connects to the external address api.push.apple.com through port 2197 (outbound). Therefore, the iOS MDM service requires access to port TCP 2197 for the range of addresses 17.0.0.0/8. From the iOS device, this interaction requires access to port TCP 5223 for the range of addresses 17.0.0.0/8.

If you intend to access APNs from the iOS MDM service through a proxy server, you must enable the use of a proxy server for connecting to APNs.

To enable the use of a proxy server to connect to APNs:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
2. In the iOS MDM Server settings window, select Application settings.
3. Select the APNs proxy server tab.
4. In the window that opens, enable the Use proxy server to connect to APNs toggle switch.
5. Configure the following settings:
   1. In the Address field, specify the APNs proxy server address.
   2. In the Port field, specify the APNs proxy server port.
   3. In the User name field, specify the APNs proxy user name.
   4. In the Password field, specify the APNs proxy password.
6. Click Save.

Proxy server is now used to connect to APNs.

[Topic 274719]

iOS MDM Server events

Kaspersky Security Center Web Console lets you view the events related to iOS MDM Server. The events have different severity levels: Information, Warning, Critical, Functional failure.

For each event that can be generated by iOS MDM Server, you can specify notification settings and storage settings on the Event configuration tab of the iOS MDM Server settings. If you want to configure notification settings for all events at once, configure general notification settings in the Administration Server properties. For detailed information on notifications, refer to the Kaspersky Security Center Help.

To view iOS MDM Server events:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose events you want to view.
2. In the iOS MDM Server settings window, select Application settings.
3. Select the Events tab.

The iOS MDM Server events are displayed.

For detailed information on viewing events in Kaspersky Security Center Web Console, refer to the Kaspersky Security Center Help.

The table below shows the events of iOS MDM Server that have the Information severity level.

iOS MDM Server information events

The table below shows the events of iOS MDM Server that have the Warning severity level.

iOS MDM Server warning events

The table below shows the events of iOS MDM Server that have the Functional failure severity level.

iOS MDM Server functional failure events

[Topic 287089]

Obtaining iOS MDM Server diagnostic data

When creating a request to Kaspersky Technical Support, you may be asked to create and attach a trace file. Trace files are used by Technical Support for diagnostic purposes. They contain all steps of application command execution written in the file, which allows to detect the step on which an error occurs.

We recommend that you obtain the traces of iOS MDM Server together with the traces of Network Agent, as they contain the iOS MDM Server connector details.

There are several tracing levels for iOS MDM Server:

• 0 - CRITICAL
• 1 - ERROR
• 2 - MESSAGE
• 3 - DEBUG

Ask a support engineer which tracing level to set. If the Technical Support engineer has not specified the trace level, we recommend obtaining level 2 traces.

To enable the iOS MDM Server tracing and create trace files:

1. Open the iOS MSM Server settings file /var/opt/kaspersky/iosmdm/settings.ini.
2. Specify the values required to enable tracing. We recommend that you specify the following default values:
   • LogCommEnabled=1

     Enabling or disabling the tracing of the iOS MDM Server and connector communication library.

   • LogSettingsEnabled=1

     Enabling or disabling the tracing of the iOS MDM Server and connector settings library.

   • LogCommVerboseLevel=2

     The tracing level of the iOS MDM Server and connector communication library.

   • LogSettingsVerboseLevel=2

     The tracing level of the iOS MDM Server and connector settings library.

   • LogVerboseLevel=2

     The tracing level of iOS MDM Server.

   • LogFolder=/var/opt/kaspersky/iosmdm

     The directory for writing trace files.

3. Restart the iOS MDM Server and Network Agent services by running the following commands:

   systemctl restart klnagent

   systemctl restart kliosmdm

The iOS MDM Server tracing is enabled. Trace files are created in the directory that you specified as the LogFolder value: klcon_comm.log, klcon_settings.log, klsrv.log, klsrv_comm.log, klsrv_settings.log.

To disable the iOS MDM Server tracing:

1. Open the iOS MSM Server settings file /var/opt/kaspersky/iosmdm/settings.ini.
2. Modify the file by deleting the strings that have been created to enable tracing:
   • LogCommEnabled=1
   • LogSettingsEnabled=1
   • LogCommVerboseLevel=2
   • LogSettingsVerboseLevel=2
   • LogVerboseLevel=2
   • LogFolder=/var/opt/kaspersky/iosmdm
3. Restart the iOS MDM Server and Network Agent services by running the following commands:

   systemctl restart klnagent

   systemctl restart kliosmdm

The iOS MDM Server tracing is disabled.

[Topic 274857]

Deploying an Android device management system

Kaspersky Secure Mobility Management lets you manage mobile devices running Android. This section describes the deployment of an Android device management system.

[Topic 274853]

About Android device operating modes

The device operating mode depends on the owner of mobile device (personal or corporate) and corporate security requirements. You can choose the operating mode that is most suitable for your company and use several modes at the same time.

The following device operating modes are available for Android devices:

• Personal device
• Device with corporate container
• Corporate device

Personal device

Personal device is the device operating mode for personal Android devices. This operating mode lets you protect and perform basic management of devices.

Device with corporate container

Device with corporate container is the device operating mode for personal Android devices with an Android Work Profile, which provides an isolated corporate environment on a device.

This operating mode lets you manage apps and user accounts in a safe environment on a device without restricting the use of personal data by the user. When a Work Profile is created on the user's mobile device, the following corporate apps are automatically installed in the container (if applicable): Google Play Market, Google Chrome, Downloads, Kaspersky Endpoint Security for Android, and others. Corporate apps installed in the Work Profile and their notifications are marked with a blue briefcase icon. Apps installed in the work profile appear in the common list of apps.

Corporate device

Corporate device is the device operating mode for company-owned Android devices. This operating mode lets you have full control over the entire device and configure an extended set of security settings and features:

• Restrictions on Android features
• Management of Google Chrome settings
• Silent installation of required apps and removal of blocked apps in App Control
• Kiosk mode
• Management of Exchange ActiveSync
• NDES and SCEP integration

[Topic 274869]

Using Firebase Cloud Messaging

To ensure timely delivery of commands to Android devices, Kaspersky Security Center uses the mechanism of push notifications. Push notifications are exchanged between Android devices and Administration Server through Firebase Cloud Messaging (hereinafter referred to as FCM). In Kaspersky Security Center Web Console, you can specify the Firebase Cloud Messaging settings to connect Android devices to the service.

To retrieve the settings of Firebase Cloud Messaging, you must have a Google account.

To enable the use of FCM:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
2. Open the 3-dot menu () and select Forced Android device synchronization.
3. In the Firebase project number field, specify the FCM Sender ID.
4. In the Private key field, select the private key file.

At the next synchronization with Administration Server, Android devices will be connected to Firebase Cloud Messaging.

When you switch to a different Firebase project, you need to wait 10 minutes for FCM to resume.

FCM service runs in the following address ranges:

• From the Android device's side, access is required to ports 443 (HTTPS), 5228 (HTTPS), 5229 (HTTPS), and 5230 (HTTPS) of the following addresses:
  • google.com
  • fcm.googleapis.com
  • android.apis.google.com
  • All of the IP addresses listed in Google's ASN of 15169
• From the Administration Server side, access is required to port 443 (HTTPS) of the following addresses:
  • fcm.googleapis.com
  • All of the IP addresses listed in Google's ASN of 15169

If the proxy server settings have been specified in the Administration Server properties in Web Console, they will be used for interaction with FCM.

Configuring FCM: getting the Sender ID and private key file

To configure FCM:

1. Register on the Google portal.
2. Go to the Firebase console.
3. Do one of the following:
   • To create a new project, click Create a project and follow the instructions on the screen.
   • Open an existing project.
4. Click the gear icon and choose Project settings.

   The Project settings window opens.

5. Select the Cloud Messaging tab.
6. Retrieve the relevant Sender ID from the Sender ID field in the Firebase Cloud Messaging API (V1) section.
7. Select the Service accounts tab and click Generate new private key.
8. In the window that opens, click Generate key to generate and download a private key file.

Firebase Cloud Messaging is now configured.

[Topic 274700]

Deploying Kaspersky Endpoint Security for Android

This section contains a general overview of Kaspersky Endpoint Security for Android and the methods of installing, updating, and removing the app.

For detailed information on Kaspersky Endpoint Security for Android, refer to the Using the Kaspersky Endpoint Security for Android app section.

[Topic 274860]

About the Kaspersky Endpoint Security for Android app

The Kaspersky Endpoint Security for Android app ensures the protection of mobile devices against web threats, viruses, and other programs that pose threats.

The Kaspersky Endpoint Security for Android includes the following features:

• Anti-Malware. This component detects and neutralizes threats on the device by using the anti-malware databases and the Kaspersky Security Network cloud service. Anti-Malware includes the following components:
  • Protection. It detects threats in open files, scans new apps, and prevents device infection in real time.
  • Scan. It is started on demand for the entire file system, only for installed apps, or only for a selected file or folder.
  • Update. It lets you download new anti-malware databases for the app.
• Anti-Theft. This component protects the information on the device against unauthorized access in case the device is lost or stolen. This component lets you send the following commands to the device:
  • Locate device. Get the coordinates of the device's location.
  • Sound alarm. Make the device sound a loud alarm.
  • Wipe corporate data. Erase corporate data to protect sensitive company information.
• Web Protection and Web Control. Web Protection blocks malicious websites designed to spread malicious code. Web Protection also blocks fake (phishing) websites designed to steal the user's confidential data (for example, passwords for online banking or e-money systems) and access the user's financial info. Web Protection uses the Kaspersky Security Network cloud service to scan websites before they open. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. Web Control allows website filtering by categories defined in the Kaspersky Security Network cloud service. This lets the administrator restrict user access to certain categories of web pages (for example, Gambling, lotteries, sweepstakes or Internet communication).
• App Control. This component lets you install recommended and required apps to an Android device as well as remove blocked apps that violate corporate security requirements.
• Compliance Control. This component lets you check managed devices for compliance with corporate security requirements and impose restrictions on certain functions of non-compliant devices.

You can configure the components of the Kaspersky Endpoint Security for Android app in Kaspersky Security Center Web Console by defining the corresponding policy settings.

On personal devices and devices with a corporate container running Android 15, users can create their own private space. Kaspersky Endpoint Security for Android cannot scan apps, photos, and other files stored in a private space. Web Protection, Web Control, and App Control do not work for apps installed in a private space. Installation of Kaspersky Endpoint Security for Android in a private space is not supported.

[Topic 284175]

Installing Kaspersky Endpoint Security for Android

Expand all | Collapse all

There are several methods to deploy the Kaspersky Endpoint Security for Android app. You can use the most suitable installation scenario for your company or combine several installation scenarios.

The installation methods include the following:

• Installation via Kaspersky Security Center using one of the installation sources:
  • Kaspersky website (for corporate device operating mode only)

    Choose this method for mobile devices that can access the internet to download the APK installation file from the Kaspersky website. The app will then be updated from the Kaspersky website or using HUAWEI AppGallery, Samsung Galaxy Store, RuStore, or Xiaomi GetApps.

  • Installation package (for all operating modes)

    The Kaspersky Endpoint Security for Android installation package will be downloaded from the Kaspersky Security Center server and updated via Kaspersky Security Center using policy settings. You can choose this method if mobile devices in your company have no access to the internet.

    For this installation source, before connecting mobile devices, create the Kaspersky Endpoint Security for Android installation package.

• Manual installation

[Topic 284142]

Creating the Kaspersky Endpoint Security for Android installation package

The Kaspersky Endpoint Security for Android app can be deployed using the installation package.

You can use this installation method if mobile devices in your company have no access to the internet.

For this installation method, you need to create a Kaspersky Endpoint Security for Android installation package before connecting Android devices to Kaspersky Security Center. The installation package will be downloaded from Kaspersky Security Center and updated via Kaspersky Security Center using policy settings.

The Kaspersky Endpoint Security for Android installation package is an archive that contains the files required for installing the Kaspersky Endpoint Security for Android app:

• installer.ini

  Configuration file that contains Administration Server connection settings.

• KES10_<version>.apk

  Android package file of the Kaspersky Endpoint Security for Android app.

• kesa.kpd

  Application description file.

• eula/

  Folder with End User License Agreements in different languages in TXT format.

• kpd.loc/

  INI files specifying paths to End User License Agreements.

To create the Kaspersky Endpoint Security for Android installation package:

1. In the main window of Kaspersky Security Center Web Console, select Operations > Repositories > Installation packages.
2. In the list of installation packages that opens, click Add. The New package wizard starts. Follow the instructions of the wizard as described in the Kaspersky Security Center Help to create an installation package from a file or create a stand-alone installation package.

To configure the Kaspersky Endpoint Security for Android installation package:

1. In the main window of Kaspersky Security Center Web Console, select Operations > Repositories > Installation packages.
2. In the list of installation packages that opens, click the Kaspersky Endpoint Security for Android installation package you want to configure.
3. In the installation package properties window, select the Settings tab.
   1. In the Connection to the Administration Server group of settings, configure the following values:
      • Server address. Specify the address of the server to which the Android devices will connect.
      • SSL port for devices synchronization. Specify the number of the port opened on the Administration Server for connecting mobile devices. Port 13292 is used by default.
   2. For stand-alone installation packages, in the Subgroup name field of the Subgroup in Unassigned devices group of settings, specify the name of the group to which Android devices will be added after the first synchronization with the Administration Server. KES10 is used by default.
   3. In the Actions during installation on device group of settings, click the Prompt user for email address check box if you want Kaspersky Endpoint Security for Android to ask users to provide their corporate email address when the app is started for the first time.

      User email address is used to form the name of the mobile device when it is added to the administration group.

4. Click Save.

The Kaspersky Endpoint Security for Android installation package is configured.

[Topic 284141]

Manual installation of Kaspersky Endpoint Security for Android

You can manually install Kaspersky Endpoint Security for Android from the Kaspersky website, HUAWEI AppGallery, Samsung Galaxy Store, RuStore, or Xiaomi GetApps.

Installing the app

To install the app from an app store, follow the standard installation procedure for the Android platform.

To install Kaspersky Endpoint Security for Android from the Kaspersky website:

1. Go to the Kaspersky website.
2. Find Kaspersky Security for Mobile on the website.
3. Tap Show Downloads.
4. Select a version of the app and tap Download.
5. Open the downloaded APK file and follow the instructions on the screen.

   You may need to allow your browser to install apps from sources other than Google Play in the Apps → Special app access → Install unknown apps section in device settings. The location of these settings may differ on devices from different vendors.

The app will be installed on the device.

Configuring the app

After installing Kaspersky Endpoint Security for Android, you must manually configure the app. The configuration procedure depends on whether the administrator sent you a server address or a link for downloading the app.

To configure Kaspersky Endpoint Security for Android using a link for downloading the app:

1. Open Kaspersky Endpoint Security for Android.
2. Read the End User License Agreement. If you accept the End User License agreement, select the corresponding check box and tap Continue.
3. Tap Continue and grant the app the required permissions.
4. In the Server field, specify the link that you received from the administrator.
5. Tap Continue.

Kaspersky Endpoint Security for Android is configured.

To configure Kaspersky Endpoint Security for Android using a server address:

1. Open Kaspersky Endpoint Security for Android.
2. Read the End User License Agreement. If you accept the End User License agreement, select the corresponding check box and tap Continue.
3. Tap Continue and grant the app the required permissions.
4. In the Server field, specify the Administration Server address provided by the administrator.
5. Tap Continue.
6. Tap Enable to enable the app as the device administrator.
7. Tap Allow and grant the app the required permissions.

Kaspersky Endpoint Security for Android is configured.

Internet access must be enabled on the mobile device for synchronization with the Administration Server.

[Topic 284099]

Installing Kaspersky Endpoint Security for Android on corporate devices in a closed network

When deploying Kaspersky Endpoint Security for Android in corporate device operating mode via QR code on devices with pre-installed Google Mobile Services (GMS), their Wi-Fi connectivity to certain Google endpoints is checked. If a Wi-Fi network has no access to the internet, the connectivity check fails and the deployment finishes with an error.

To avoid the connectivity check, you can deploy the Kaspersky Endpoint Security for Android app on corporate devices in a closed network by using a Proxy Auto-Configuration (PAC) file.

To use a PAC file to deploy the Kaspersky Endpoint Security for Android app:

1. Create a PAC file (for example, proxy.pac) with the following contents:

   function FindProxyForURL(url, host) {
   return "DIRECT";
   }

2. Publish the created PAC file on a resource that will be available in the closed network (for example, on an IIS Web server).

   Save a link to the PAC file (for example, https://intranet.mycompany.com/files/proxy.pac).

3. Make sure the APK file of the Kaspersky Endpoint Security for Android app being deployed is available within the closed network. To do this, use one of the methods below:
   • Download the app installation package from the Kaspersky Security Center server. If the server is accessible, the installation packages will be available there.
   • Download the APK installation file from the Kaspersky website and upload it to the closed network.

     Choose the general version of the app as the source.

4. Send the app installation link and QR code to the user by following the instructions of Mobile device connection wizard.

   On the Operating systems step of the wizard, in the Installation settings section, you will be asked to specify the network for downloading the Kaspersky Endpoint Security for Android app. At this step, configure the use of the previously created PAC file for network connection by linking it to the Wi-Fi network settings on a device. To do this, use one of the methods below:

   • In the Installation network settings section, choose Prompt the user to select a Wi-Fi network on device. While deploying the app, the user will need to specify the link to the PAC file (step 2) in the network settings when choosing a Wi-Fi network on the device. After the connection is established, the user will be able to continue the device setup and activate the app by following the instructions of the app's Initial Configuration Wizard.
   • In the Installation network settings section, choose Only use the specified Wi-Fi network (Android 9 or later), click the Select network button, and then insert the link to the previously created PAC file (step 2) in the PAC file URL field.

   If the APK installation file has been downloaded from the Kaspersky website (step 3), you need to replace the link in the QR code with the address of the closed network link.

   When deploying the app via an installation package downloaded from Kaspersky Security Center, after the device is reset to factory settings and the QR code is scanned, a Blocked by Play Protect message may appear on the device. The issue is caused by the installation package's signing certificate being different from the one specified in Google Play. The user should continue the installation by choosing Install anyway. If OK is selected, the installation process will be interrupted and the device will be reset to factory settings.

The Kaspersky Endpoint Security for Android app is installed on a device in corporate device operating mode in a closed network.

[Topic 274701]

Permissions for Kaspersky Endpoint Security for Android

For all features of apps, Kaspersky Endpoint Security for Android prompts the user for the required permissions. Kaspersky Endpoint Security for Android prompts for the mandatory permissions while the Setup Wizard is completed, as well as after installation and prior to using individual features of apps. It is impossible to install Kaspersky Endpoint Security for Android without providing the mandatory permissions.

On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts in the device settings. If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted.

On devices running Android 11 or later or Android 6-10 with Google Play services, you must disable the Remove permissions if app isn't used system setting. Otherwise, after the app is not used for a few months, the system automatically resets the permissions that the user granted to the app.

Permissions requested by Kaspersky Endpoint Security for Android

[Topic 274735]

Starting and stopping Kaspersky Endpoint Security for Android

Kaspersky Endpoint Security for Android launches when the operating system starts up and protects the mobile device during the entire session. The user can stop the app by disabling all Kaspersky Endpoint Security for Android components. You can use policies to configure user permissions to manage app components.

On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts (Security → Permissions → Autorun). If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted.

You must also disable Battery Saver mode for Kaspersky Endpoint Security for Android. This is necessary for the app to run in the background, for example, when running a scheduled malware scan or synchronizing the device with Kaspersky Security Center. This issue is due to the specific features of the embedded software of these devices.

[Topic 274705]

Activating Kaspersky Endpoint Security for Android

In Kaspersky Security Center, the license can cover various groups of features. To ensure that the Kaspersky Endpoint Security for Android app is fully functional, the Kaspersky Security Center license purchased by the organization must support the Mobile Device Management functionality.

For detailed information about licensing options, refer to the About the license section.

Activating the Kaspersky Endpoint Security for Android app on a mobile device is performed by providing valid license information to the app. License information is delivered to the device together with the policy settings as soon as the device is synchronized with Kaspersky Security Center.

If activation of the mobile app is not completed within 30 days from the time of installation on the mobile device, the app is automatically switched to limited functionality mode. In this mode, most of the app components are not operational. When switched to limited functionality mode, the app stops performing automatic synchronization with Kaspersky Security Center. Accordingly, if the app is not activated within 30 days after the installation, the user must synchronize the device with Kaspersky Security Center manually.

If Kaspersky Security Center is not deployed in your organization or is not accessible to mobile devices, users can activate the mobile app on their devices manually.

To activate the mobile app:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Click the License button.
4. In the window that opens, use the drop-down list to select the required license key from the key storage of the Administration Server.

   The details of the license key are displayed in the fields below.

   You can replace the existing activation key on the mobile device if it is different from the one selected in the drop-down list above. To do so, select the Replace with selected key if the key on devices is different check box.

5. Click Save to save the changes you have made.

The app is activated after the next device synchronization with Kaspersky Security Center.

[Topic 274720]

Updating Kaspersky Endpoint Security for Android

Kaspersky Endpoint Security for Android can be updated in the following ways:

• Using the Kaspersky website. The mobile device user downloads the new version of the app from the Kaspersky website and installs it on the device.
• Using HUAWEI AppGallery, Samsung Galaxy Store, RuStore, or Xiaomi GetApps. The mobile device user downloads the new version of the app from an app store and installs it on the device following the standard update procedure for the Android platform.

  To update the app using the Samsung Galaxy Store, the device user must have a Samsung account.

• Using Kaspersky Security Center. You can remotely update the version of the app on the device using Kaspersky Security Center.

You can select the app update method that is most suitable for your organization. You can use only one update method.

Updating the app from the Kaspersky website

To update the app from the Kaspersky website:

1. Go to the Kaspersky website.
2. Find Kaspersky Security for Mobile on the website.
3. Tap Show Downloads.
4. Select a version of the app and tap Download.
5. Open the downloaded APK file and follow the instructions on the screen.

Kaspersky Endpoint Security for Android is updated.

After downloading the app, Kaspersky Endpoint Security for Android checks the Terms and Conditions of the End User License Agreement (EULA). If the terms of the EULA have been updated, the app sends a request to the Kaspersky Security Center. If the administrator accepts the EULA in Web Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app.

Updating the app through Kaspersky Security Center

Kaspersky Endpoint Security for Android can be updated using Kaspersky Security Center after a group policy is applied. In the group policy settings, you can select the standalone installation package of the version of Kaspersky Endpoint Security for Android that meets the corporate security requirements.

You can update through Kaspersky Security Center if Kaspersky Endpoint Security for Android was installed using an installation package in Kaspersky Security Center or using a standalone installation package. If the app was installed from Google Play, you cannot update the app through Kaspersky Security Center.

To update Kaspersky Endpoint Security for Android using a standalone installation package, installation of apps from unknown sources must be allowed on the user's mobile device. For details about installing apps without Google Play, please refer to the Android Help.

To update the version of the app:

1. Add a new Kaspersky Endpoint Security for Android installation package.
2. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
3. In the policy properties window, select Application settings.
4. Select Android and go to the KES for Android settings section.
5. On the App update card, click Settings.

   The App update window opens.

6. Enable the settings using the App update toggle switch.
7. Click Select.

   The Select installation package window opens.

8. In the list of Kaspersky Endpoint Security for Android standalone installation packages, select the package whose version meets the corporate security requirements.

   Kaspersky Endpoint Security for Android cannot be downgraded to an older version of the application.

9. Click Select.
10. Click OK.
11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. The mobile device user is prompted to install the new version of the app. After the user confirms installation, the new app version is installed on the mobile device.

Updates functionality (including providing anti-malware signature updates and codebase updates), as well as KSN functionality may not be available in the software in the U.S.

[Topic 274728]

Removing Kaspersky Endpoint Security for Android

Kaspersky Endpoint Security for Android can be removed in the following ways:

1. App removal by the user

   The user removes Kaspersky Endpoint Security for Android manually using the app interface. In order for users to be able to remove the app, the app removal should be allowed in the Configure access to app settings card of the KES for Android settings section in the policy settings.

2. App removal by the administrator (corporate devices only)

   The administrator removes the app remotely using the Kaspersky Security Center Web Console. The app can be removed from an individual device or from several devices at once.

[Topic 279047]

Permitting users to remove Kaspersky Endpoint Security for Android

To protect the app from removal on devices running Android 7 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, the app is not protected from removal.

To allow removal of the app in a group policy:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the KES for Android settings section.
4. On the Configure access to app settings card, click Settings.

   The Configure access to app settings window opens.

5. Select the Allow removing the app from device check box.
6. Click OK.
7. Click Save to save the changes you have made.

As a result, users will be allowed to remove the app from mobile devices after synchronization with the Administration Server. The app removal button becomes available in the Kaspersky Endpoint Security for Android settings.

To remove the app from a device:

1. In the main window of Kaspersky Endpoint Security for Android, select Settings → App settings → Additional → Remove app.

   On corporate devices, Kaspersky Endpoint Security for Android can be removed only by the administrator.

2. Confirm removal of Kaspersky Endpoint Security for Android.

Kaspersky Endpoint Security for Android will be removed from the device.

[Topic 274866]

Removal of Kaspersky Endpoint Security for Android by the user

On corporate devices, Kaspersky Endpoint Security for Android can be removed only by the administrator.

To independently remove Kaspersky Endpoint Security for Android from a mobile device, the user must do the following:

1. In the main window of Kaspersky Endpoint Security for Android, select Settings → App settings → Additional → Remove app.

   If the Remove app button is missing, this means that the administrator enabled protection against removal of Kaspersky Endpoint Security for Android or the device operates in corporate device mode.

2. Confirm the removal of Kaspersky Endpoint Security for Android.

Kaspersky Endpoint Security for Android will be removed from the device.

[Topic 274859]

Remote removal of Kaspersky Endpoint Security for Android on corporate devices

You can remove the Kaspersky Endpoint Security for Android app from corporate devices remotely by sending a Reset to factory settings command.

Executing the Reset to factory settings command wipes all data from the device and rolls back device settings to their factory values. This app removal method is recommended by Android Enterprise to guarantee that data is removed from a corporate device.

To remove the app:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
2. In the list of devices that opens, select a device that you want to send a command to.

   You can select multiple devices.

3. Click Send command.
4. In the Send command window that opens, in the Command field, select the Reset to factory settings command.
5. Click Send.

   You can view and cancel commands in the Command history.

   The command is sent to the devices you selected. Kaspersky Endpoint Security for Android is removed from these devices.

6. In the list of devices, select the device, and then click Delete.

   The device is removed from the list of managed devices in Kaspersky Security Center Web Console.

   If the device is not removed from Kaspersky Security Center Web Console, there can be problems with further installation of Kaspersky apps on this device.

[Topic 274714]

Managing mobile devices in Kaspersky Security Center Web Console

To perform centralized configuration of mobile devices, you must configure policies. A policy is a set of security settings for managing mobile devices of specified operating systems and device operating modes within an administration group and for managing the mobile apps installed on devices.

This section describes how to create administration groups, configure policies for mobile devices, and connect mobile devices to Kaspersky Security Center in order to subsequently manage them.

[Topic 274736]

Creating administration groups

To apply a policy to a group of devices, you are advised to create a separate group for these devices prior to installing mobile management apps.

An administration group is a logical set of managed devices combined on the basis of a specific trait for the purpose of managing the grouped devices as a single unit within Kaspersky Security Center.

All managed devices within an administration group are configured to do the following:

• Use the same settings, which you can specify in policies.
• Use a common operating mode for all applications through the creation of group tasks with specified settings. Examples of group tasks include creating and installing a common installation package, updating the application databases and modules, scanning the device on demand, and enabling real-time protection.

A managed device can belong to only one administration group.

You can create hierarchies that have any degree of nesting for Administration Servers and groups. A single hierarchy level can include secondary and virtual Administration Servers, groups, and managed devices. You can also move devices from one group to another.

Immediately after Kaspersky Security Center is installed, the hierarchy of administration groups contains only one administration group called Managed devices. When creating a hierarchy of administration groups, you can add devices to the Managed devices group, and add nested groups.

To create an administration group:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Hierarchy of groups.
2. In the administration group structure, select the administration group that the new administration group will belong to.
3. Click Add.
4. In the Name of the new administration group window that opens, enter a name for the group, and then click Add.

A new administration group with the specified name appears in the hierarchy of administration groups.

To automatically create a structure of administration groups:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Hierarchy of groups.
2. Click Import.

The New administration group structure wizard starts. Follow the instructions of the wizard.

After creating an administration group, we recommend configuring the option to automatically assign devices on which you want to install apps to this group. Then configure the settings that are common to all devices using a specific policy.

[Topic 274694]

Configuring policies

This section describes how to manage policies in Kaspersky Security Center Web Console.

[Topic 274738]

Creating a policy

Kaspersky Security Center Web Console lets you create policies to configure the security settings of a group of Android, iOS, and Aurora mobile devices. The values of security settings configured in policies are saved on the Administration Server, distributed to mobile devices during synchronization, and saved to devices as current settings.

You can create policies using the Mobile policy wizard.

To create a policy:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
2. In the list of policies that opens, click Current path to select the administration group for which you want to create a policy.

   By default, the new policy is applied to the Managed devices group.

3. Click Add to start the Mobile policy wizard.
4. In the Select application window, select the Kaspersky Mobile Devices Protection and Management option, and then click Next.

   The Mobile policy wizard starts. Click Start, and then proceed through the wizard using the Back and Next buttons.

Step 1. License

At this step, choose a license.

The license you choose determines the security settings that you can configure in a policy. By default, the license that supports the Kaspersky Secure Mobility Management functionality is pre-selected. You can choose a different license manually.

Step 2. Operating systems and device operating modes

At this step, choose the operating systems the policy will apply to and specify the device operating modes.

• Android
  • Personal device (basic protection and management of a personal Android device).
  • Device with corporate container (isolated corporate environment on an Android device).
  • Corporate device (an extended set of settings for managing a corporate Android device).

    For detailed information, refer to the About Android device operating modes section.

• iOS
  • Basic protection (protection against web threats and jailbreak detection on iOS devices).
  • Basic control (basic management of a personal iOS device).
  • Supervised (an extended set of settings for managing an iOS device).

    For detailed information, refer to the About iOS device operating modes section.

    To connect and manage iOS devices in basic control and supervised operating modes, you must have an iOS MDM Server installed in the selected administration group. For detailed information on installing iOS MDM Server, refer to the Deploying iOS MDM Server section.

• Aurora
  • Protection (protection of Aurora devices against threats).

    To connect Aurora devices, you need to have Kaspersky Endpoint Security for Aurora pre-installed on the devices that will connect.

In the New policy window:

1. In the Name field, type the name of the new policy. If you specify the name of an existing policy, it will have (1) added at the end automatically.
2. In the Policy status block of settings, select the status of the policy:
   • Active. The wizard saves the created policy on the Administration Server. At the next synchronization of mobile devices with the Administration Server, the policy will be used on devices as an active policy.
   • Inactive. The wizard saves the created policy on the Administration Server as a backup policy. This policy can be activated in the future after a specific event. If necessary, an inactive policy can be switched to an active state.

     Several policies can be created for one application in the group, but only one of them can be active. When a new active policy is created, the previous active policy automatically becomes inactive.

3. On the General tab of the Settings inheritance block of settings, select the inheritance options:
   • Inherit settings from parent policy

     If you enable this option in a child policy and an administrator locks some settings in the parent policy, then you cannot change these settings in the child policy.

     If you disable this option in a child policy, then you can change all the settings in the child policy, even if some settings are locked in the parent policy.

   • Force inheritance of settings in child policies

     If you enable this option in a parent policy, this enables the Inherit settings from parent policy option for each child policy. In this case, you cannot disable this option for any child policy. All the settings that are locked in the parent policy are forcibly inherited in the child groups and you cannot change these settings in the child groups.

   By default, the Inherit settings from parent policy option is enabled and the Force inheritance of settings in child policies option is disabled.

   Inheritance of policy settings works only if either identical device operating modes are selected for the parent and child policy or device operating modes selected for the child policy provide more security settings. For example, a child policy for Android devices with a corporate container can inherit settings from a parent policy for personal devices but cannot inherit settings from a parent policy for corporate devices.
   If you create a child policy that is incompatible with the parent policy, you must delete it and create a new child policy to manage devices.

4. Click Save.

The new policy for mobile devices is created.

[Topic 283010]

Modifying a policy

Kaspersky Security Center Web Console lets you modify policies.

To modify a policy:

1. Open the policy properties window by doing one of the following:
   • In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of policies that opens, click the name of the policy that you want to modify.
   • In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices. Click the mobile device that falls under the policy that you want to modify, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties window, navigate to the Application settings tab, and then define the policy settings.

   You can also configure general settings, settings inheritance, event logging and notifications, and policy profiles, and also view the revision history. For more information, please refer to the Kaspersky Security Center Help.

3. Click Save to save the changes you have made to the policy and exit the policy properties window.

The policy is modified. Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 274713]

Copying a policy

Kaspersky Security Center Web Console lets you create a copy of a policy.

To create a copy of a policy:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
2. In the list of policies that opens, select the check box next to the name of the policy you want to copy, and then click Copy.
3. In the tree of administration groups that opens, select the target group where you want the policy to be created.

   You can create a new administration group by selecting an existing group, and then clicking Add child group.

4. Click Copy.
5. Click OK to confirm the operation.

A copy of the policy will be created in the target group under the same name. The status of each copied or moved policy in the target group will be Inactive. You can change the status to Active at any time.

If a policy with a name identical to that of the newly created or moved policy already exists in the target group, the (<next sequence number>) suffix is added to the name of the newly created or moved policy, for example: (1).

[Topic 283449]

Moving a policy to another administration group

Kaspersky Security Center Web Console lets you move a policy to another administration group.

To move a policy to another administration group:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
2. In the list of policies that opens, select the check box next to the name of the policy that you want to move to another administration group, and then click Move.
3. In the tree of administration groups that opens, select the target group to which you want to move the policy.

   You can create a new administration group by selecting an existing group, and then clicking Add child group.

4. Click Move.
5. Click OK to confirm the operation.

The result depends on the policy inheritance properties:

• If the policy is not inherited in the source group, it will be moved to the target group.
• If the policy is inherited in the source group, it will not be moved. Instead, a copy of the policy will be created in the target group.

The status of each copied or moved policy in the target group will be Inactive. You can change the status to Active at any time.

If a policy with a name identical to that of the newly created or moved policy already exists in the target group, the (<next sequence number>) suffix is added to the name of the newly created or moved policy, for example: (1).

[Topic 274716]

Viewing the list of policies

Kaspersky Security Center Web Console lets you view the list of created policies, their statuses, and properties.

To view the list of policies:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
2. The list of policies opens with brief information about the policies. On this page, you can create, modify, copy, move, and delete policies.

[Topic 274711]

Viewing the policy distribution results

Kaspersky Security Center Web Console lets you view the distribution chart of a policy and the information about all devices that fall under that policy.

To view the results of distributing a policy:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
2. In the list of policies that opens, select the check box next to the name of the policy whose distribution results you want to view, and then click Distribution.

The policy distribution results page opens. This page contains the policy summary, a policy distribution chart, and a table with information about all devices that fall under that policy. You can open the policy properties window by clicking the Configure policy button.

[Topic 274740]

Managing revisions to policies

Kaspersky Security Center Web Console lets you view modifications made to a policy over a certain period, as well as save information about these modifications in a file.

To view a policy revision:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
2. In the list of policies that opens, click the policy whose revision you want to view, and then go to the Revision history section.
3. In the list of policy revisions, click the number of the revision that you want to view.

   If the size of the revision is more than 10 MB, you will not be able to view it using Kaspersky Security Center Web Console. You will be prompted to save the selected revision to a JSON file.
   
   If the size of the revision does not exceed 10 MB, a report in HTML format with the settings of the selected policy revision is displayed. The report is displayed in a pop-up window, so make sure pop-ups are allowed in your browser.

   To save a policy revision to a JSON file, in the list of policy revisions, select the revision that you want to save, and then click Save to file.

The revision is saved to a JSON file.

For detailed information on managing revisions to policies, refer to the Kaspersky Security Center Help.

[Topic 274742]

Restricting permissions to configure policies

Kaspersky Security Center administrators can configure the access permissions of Web Console users for different functions of the Kaspersky Secure Mobility Management solution depending on the job duties of users.

In the Web Console interface, you can configure access rights on the Security and User roles tabs of the Administration Server properties window. The User roles tab lets you add standard user roles with a predefined set of rights. The Security section lets you configure rights for one user or a group of users or assign roles to one user or a group of users. User rights for each application are configured according to functional scopes.

For each functional area, the administrator can assign the following permissions:

• Allow editing. The Web Console user is allowed to change the policy settings in the properties window.
• Block editing. The Web Console user is prohibited from changing the policy settings in the properties window. Policy tabs belonging to the functional scope for which this right has been assigned are not displayed in the interface.

[Topic 286998]

Configuring role-based access control

Kaspersky Security Center Web Console provides facilities for role-based access to the features of Kaspersky Secure Mobility Management.

You can configure access rights to application features for Kaspersky Secure Mobility Management in one of the following ways:

• By configuring the rights for each user or group of users individually.
• By creating standard user roles with a predefined set of rights and assigning those roles to users depending on their scope of duties.

Application of user roles is intended to simplify and shorten routine procedures of configuring users' access rights to application features. Access rights within a role are configured in accordance with the standard tasks and the users' scope of duties.

User roles can be assigned names that correspond to their respective purposes. You can create an unlimited number of roles in the application. You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself.

For detailed information on configuring user access in Kaspersky Security Center, refer to the Kaspersky Security Center Help.

Some of the predefined user roles are not authorized to work with mobile devices. The predefined user roles which are available for the Kaspersky Secure Mobility Management features are listed in the table below.

Predefined user roles for Kaspersky Secure Mobility Management

For detailed information on predefined user roles, refer to the Kaspersky Security Center Help.

Access rights to Kaspersky Secure Mobility Management features

Mobile Device Management access rights

[Topic 286996]

Configuring policy profiles

Sometimes it may be necessary to create and centrally modify several instances of a single policy for an administration group. These instances might differ by only one or two settings.

To help you avoid creating several instances of a single policy, Kaspersky Security Center Web Console lets you create policy profiles. Policy profiles are necessary if you want devices within a single administration group to run under different policy settings.

A policy profile is a named subset of policy settings. This subset is distributed on target devices together with the policy, supplementing it under a specific condition called the profile activation condition. Profiles only contain settings that differ from the "basic" policy, which is active on the managed device. Activation of a profile modifies the settings of the "basic" policy that were initially active on the device. The modified settings take values that have been specified in the profile.

You can modify the specific conditions that must affect activation of the policy profile that you are creating. For mobile devices, you can modify the following conditions:

• Rules for specific device owner

  Profile activation on the device according to its owner.

  • Device owner
  • Device owner is included in an internal security group
• Rules for role assignment

  Profile activation on the device depending on the owner's role.

  • Activate policy profile by specific role of device owner
• Rules for tag usage

  Profile activation on the device depending on the tags assigned to the device.

  • Tag list
  • Apply to devices without the specified tags
• Rules for Active Directory usage

  Policy profile activation on the device based on the device allocation in an Active Directory organizational unit or the membership of that device (or the device owner) in an Active Directory security group. The configuration scope depends on the currently used policy.

  • Device owner's membership in an Active Directory security group
  • Device membership in Active Directory security group
  • Device allocation in Active Directory organizational unit

For detailed information on configuring activation rules, creating, deleting, or copying policy profiles, refer to the Kaspersky Security Center Help.

If you copy a policy profile to an incompatible policy (a policy in which the operating systems and device operating modes of this profile are not configured), such profile will not work properly.

[Topic 274741]

Deleting a policy

Kaspersky Security Center Web Console lets you delete policies.

You can delete only policies that are not inherited in the current administration group. If a policy is inherited, you can only delete it in the higher-level group for which it was created.

To delete a policy:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
2. In the list of policies that opens, select the check box next to the name of the policy that you want to delete, and then click Delete.
3. In the window that opens, click OK to confirm the operation.

The policy is deleted. Before the new policy is applied, mobile devices belonging to the administration group continue to work according to the settings specified in the policy that has been deleted.

[Topic 283012]

Connecting mobile devices to Kaspersky Security Center Web Console

Expand all | Collapse all

To manage mobile devices and the mobile management apps installed on them, you must connect these devices to Kaspersky Security Center.

Before connecting, make sure the license that supports the Mobile Management solution is configured in the License keys section of the Administration Server properties.

To connect a mobile device to Kaspersky Security Center:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
2. In the list of mobile devices that opens, click Add.

   The Mobile device connection wizard starts. Click Start, and then proceed through the wizard using the Back and Next buttons.

Welcome

On the welcome screen, you can read a summary of the Mobile device connection wizard steps.

Step 1. Policy

At this step, choose a policy for devices that will connect. Devices operate according to the security settings specified in the policy.

• Use an existing policy

  For this option, specify the administration group of the policy you want to choose. The policy name, operating systems and operating modes of the devices managed by this policy will be displayed.

  If necessary, click Go to policy to view the properties of the policy you have selected.

• Create a new policy

  For this option, click the Create policy button that appears. You will be redirected to the Mobile policy wizard. After a policy with the required properties is created, you can return to the Mobile device connection wizard.

Step 2. Operating systems

At this step, choose the operating systems of the devices that will connect. The policy settings determine the available operating systems: Android, iOS, or Aurora.

• Android

  After you select this operating system, the Kaspersky Endpoint Security for Android Installation settings will be displayed. To modify them, click Edit settings.

  1. Choose the Installation source for Kaspersky Endpoint Security for Android:
     • Kaspersky website

       Choose this method for mobile devices that can access the internet to download the APK installation file from the Kaspersky website. The app will then be updated from the Kaspersky website or using HUAWEI AppGallery, Samsung Galaxy Store, RuStore, or Xiaomi GetApps.

       This installation source works for all operating modes.

     • Installation package

       The Kaspersky Endpoint Security for Android installation package will be downloaded from the Kaspersky Security Center server and updated via Kaspersky Security Center using policy settings. You can choose this method if mobile devices in your company have no access to the internet.

       For this installation source, before connecting mobile devices, create the Kaspersky Endpoint Security for Android installation package.

       This installation source works for all operating modes.

       • To choose an installation package, click Select installation package, and then select the installation package from the list that opens.
       • If there are no available installation packages, you will be offered to create one. Click Create installation package, and then follow the steps of the New package wizard as described in the Kaspersky Security Center Help to create an installation package from a file or create a stand-alone installation package. After the installation package is created, you can return to the Mobile device connection wizard.

       Automatic app updates through the store are not available with this installation method. You can update the app manually in the App update section of the policy settings.
       The latest installation package uploaded to Kaspersky Security Center is used to install the app on devices.

       For corporate devices, make sure the Allow using HTTP to download the app on corporate devices check box is selected to ensure Kaspersky Endpoint Security for Android is downloaded. Otherwise, the app will be downloaded via HTTPS only if the Kaspersky Security Center Web Server certificate was issued by a trusted certificate authority.

       For more information on the installation methods, refer to the Installing Kaspersky Endpoint Security for Android section.

  2. Choose Installation network for Kaspersky Endpoint Security for Android (corporate devices only):
     • Prompt the user to select a Wi-Fi network on device

       If you choose this option, the user will be prompted to connect to any available Wi-Fi network for downloading the app.

     • Only use the specified Wi-Fi network (Android 9 or later)

       To choose an installation network, click Select network.

       In the window that opens, specify the following settings:

       • Service set identifier (SSID)

         Specifies the name of a wireless network with an access point (SSID). The wireless network name should not be longer than 32 characters.

       • Hidden network

         Specifies whether the selected network broadcasts its SSID.

       • Network protection

         Specifies a wireless network security type. Possible values:

         • NONE

           If selected, the network is not protected.

         • WPA

           If selected, the network is protected using the WPA security protocol. This option requires entering a password to access the network.

         • WEP

           If selected, the network is protected using the WEP protocol. This option requires entering a password to access the network and applies only to devices running Android 9 or earlier.

       • Password

         Specifies the password for accessing a wireless network protected using a WPA or WEP protocol. The password will be sent to the user in a QR code.

         Do not send a password for a confidential Wi-Fi network that must not be publicly accessible. The password is sent to the user in unencrypted form along with other device configuration data.

       • Use proxy server

         Specifies the use of a proxy server. If this check box is selected, you need to provide the proxy server address and port. You can also specify a list of addresses for which the proxy will be bypassed.

       • Proxy server address

         Specifies the IP address or the symbol name (web address) of the proxy server. The maximum number of characters is 256.

       • Proxy server port

         Specifies the port number of the proxy server. The value should be in the interval between 0 and 65536.

       • PAC file URL

         A URL to a proxy auto-configuration (PAC) file for the Wi-Fi network.

       • Do not use proxy server for the following addresses

         Specifies the addresses for which the proxy server should not be used.

         You can enter the address in example.com format. If you enter example.com, the proxy server will not be used for the addresses pictures.example.com, example.com/movies, etc. The protocol (for example, http://) can be omitted.

       Do not use a password for a confidential Wi-Fi network that must not be publicly accessible. The unencrypted password is sent to the user in a QR code along with other device configuration data.

     • Try to use mobile network (Android 8 or later)

       If you choose this option, the device will try to use mobile data to download the app. If the device does not have a SIM card or the mobile network is not available, the user will be prompted to select any available Wi-Fi network.

  3. Click the Enable all system apps check box (corporate devices only) if you want system apps to remain active on the device. If necessary, they can be disabled later in the App Control section.
• iOS

  To connect and manage iOS devices in basic control and supervised operating modes, you must have an iOS MDM Server installed in the selected administration group. For detailed information on installing iOS MDM Server, refer to the Deploying iOS MDM Server section.

  The Kaspersky Security for iOS app will be installed on personal iOS devices in the basic protection operating mode.

  A device management profile will be installed on the devices operating in basic control and supervised operating modes.

  On devices running iOS 12.1 or later, you must manually confirm the installation of a device management profile on a mobile device. You must also grant the permission for remote management of the device.

• Aurora

  To connect Aurora devices, you need to have Kaspersky Endpoint Security for Aurora pre-installed on the devices that will connect.

Step 3. Accept agreements

At this step, choose who must accept the End User License Agreement (EULA) and Privacy Policy.

• Administrator

  The agreements are accepted by the administrator in the next step of the wizard. In this case, the app skips the acceptance step during the app installation.

• Users

  The agreements are accepted on mobile devices by users.

This step only applies to Android and iOS operating systems. If you are connecting Aurora devices, the agreements are only accepted by users on their mobile devices.

Please note that the administrator will be offered to accept the EULA only after the same version of the EULA is accepted by users on devices for the first time. After the connection and first synchronization of devices with Kaspersky Security Center, the administrator will be able to accept this version of EULA upon subsequent connection of devices.

The list of accepted agreements is available in the End User License Agreements section of the Administration Server properties.

Step 4. End User License Agreement and Privacy Policy

At this step, if Administrator is selected as the recipient of the agreements in the previous step of the wizard, you will be offered to read the Privacy Policy, EULA, and all the documents associated with it. You must accept the terms and conditions of the EULA and Privacy Policy before installation of the mobile device management apps.

Step 5. Users

At this step, choose one or more users of the devices that will connect. These users will receive the details for installing the app to connect their devices to Kaspersky Security Center. If a user is not in the list, you can add a new user account without exiting the wizard.

Due to technical limitations, you cannot select and send the connection details to more than 75 users within a single session of Mobile device connection wizard. We recommend that you divide the devices that will connect into groups of less than 75 devices and connect these groups sequentially within separate wizard sessions.

• To choose an existing user, select check boxes next to the corresponding user names.
• To add a new user, click Add user.
  1. Specify user credentials in the Credentials block of settings.
     • User name
     • Password

       The password must meet the following complexity requirements:

       • It must contain between 8 and 16 characters.
       • It must contain the characters from at least three of these groups: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;).
  2. If necessary, specify the optional details in the Optional information group of settings.
     • Full user name
     • Description
     • Email address
     • Phone number
  3. Click OK to save the changes.

     The new user will be added and displayed in the list of users.

• To modify user details, click Edit user.

  The fields you can modify depend on the user subtype - internal or domain.

Step 6. Send connection details

At this step, choose how to send the QR codes and links for installing the mobile management apps or device management profiles. You can choose one of the following options:

• Send a message to users' email addresses

  Choose this option to send the connection details by email to the selected users. To install the app or a device management profile, the user needs to scan the QR code using the camera of the mobile device or open the link to the installation package.

  These email addresses must be specified in the user account settings in Kaspersky Security Center.
  
  If you want to send the connection details to an email address that is not specified in the user account settings in Kaspersky Security Center, select the Send a copy of the message to an alternate email address check box, and then specify the required email address.

• Show QR codes and links after completing the wizard

  Choose this option to scan the QR code with the camera of the mobile device or follow the link in the wizard.

Step 7. Confirm

At this step, check the mobile device connection details specified in the earlier steps, and then click Finish to confirm the operation.

Finish

On the Finish screen:

• If you chose the Send a message to users' email addresses option, the specified users will receive the emails with QR codes and links for connecting mobile devices to the Administration Server.
• If you chose the Show QR codes and links after completing the wizard option, the connection details will be available on the Finish screen. You can view the displayed details or click Download list to receive a file with summarized information.

Click Close to exit the wizard.

As soon as users install the mobile management apps, their devices are connected to the Administration Server and displayed on the Devices tab of Kaspersky Security Center Web Console.

You can now configure the settings for devices and mobile management apps using policies. You will also be able to send commands to mobile devices for data protection in case devices are lost or stolen.

[Topic 274856]

Direct connection of Android devices to Kaspersky Security Center

Android devices can connect directly to port 13292 of the Administration Server.

Depending on the method used for authentication, two connection options are possible.

Connecting devices with a user certificate

When connecting a device with a user certificate, the device is associated with the user account to which the corresponding certificate has been assigned through the Administration Server tools.

In this case, two-way SSL authentication (mutual authentication) will be used. Both the Administration Server and the device will be authenticated with certificates.

Connecting devices without a user certificate

When connecting a device without a user certificate, the device is associated with none of the user's accounts on Administration Server. However, when the device receives any certificate, the device will be associated with the user to which the corresponding certificate has been assigned through the Administration Server tools.

When connecting that device to the Administration Server, one-way SSL authentication will be applied, which means that only Administration Server is authenticated with the certificate. After the device retrieves the user certificate, the type of authentication will change to two-way SSL authentication (2-way SSL authentication, mutual authentication).

[Topic 274708]

Moving unassigned mobile devices to administration groups

When the mobile devices are connected to Kaspersky Security Center, they are displayed on the Discovery & deployment > Unassigned devices page of Kaspersky Security Center Web Console. To manage newly connected devices, you can create a rule that automatically assigns them to administration groups or you can move them to an administration group manually.

To move an unassigned mobile device to an administration group:

1. In the main window of Kaspersky Security Center web console, select Discovery & deployment > Unassigned devices.
2. Select the device that you want to move to an administration group, and then click Move to group.
3. In the tree of administration groups that opens, select the target group to which you want to move the device.

   You can create a new administration group by selecting an existing group, and then clicking Add child group.

4. Click Move.

The device is moved to the specified administration group and the corresponding policy is applied to it.

[Topic 286652]

Actions on mobile devices to connect to Administration Server

Depending on the mode in which your device will operate, you may have to perform additional actions to protect your device and connect it to the Administration Server.

Install a mobile certificate

If you received a certificate password, you must use it to install the mobile certificate on your device.

To install the mobile certificate:

1. Remember or write down the password you received from your administrator by email.
2. Do one of the following:
   • On an Android device, enter the certificate password when prompted by Kaspersky Endpoint Security for Android.
   • On an iOS device, enter the certificate password during installation of the device management profile.

The mobile certificate will be installed on your device.

Pre-configure corporate Android devices

To connect a corporate Android device to the Administration Server, you must pre-configure the device depending on the operating system version and availability of a QR code scanner.

[Topic 274704]

Configuring synchronization settings

To manage mobile devices and receive reports or statistics from mobile devices of users, you must configure the synchronization settings. Synchronization is performed using the HTTPS protocol. Mobile device synchronization with the Administration Server may be performed in the following ways:

• By schedule. You can configure the synchronization schedule in the policy settings. Modifications to policy settings, commands and tasks will be performed when the device synchronizes with Kaspersky Security Center according to the schedule, i.e. with a delay. By default, mobile devices are synchronized with Kaspersky Security Center automatically every 6 hours.

  Due to Doze limitations, when you select a short synchronization period, devices may synchronize with the Administration Server less frequently than expected.

  Using short synchronization periods decreases device battery life.

• Forced. Synchronization is performed using FCM (Firebase Cloud Messaging) push notifications. Forced synchronization is primarily intended for timely delivery of commands to a mobile device. This may be useful when a mobile device is in battery-saver mode, because in this case the app may perform tasks later than specified. If you want to use forced synchronization, make sure that the FCM settings are configured in Kaspersky Security Center.

To configure synchronization settings for Android devices:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the KES for Android settings section.
4. On the Scheduled synchronization card, click Settings.

   The Scheduled synchronization window opens.

5. Enable synchronization using the Scheduled synchronization toggle switch.
6. In the Synchronization period drop-down list, select the period of time between synchronizations of devices with Kaspersky Security Center.
7. To disable synchronization of devices with Kaspersky Security Center while roaming, select the Do not synchronize while roaming check box.

   The device user can manually perform synchronization in the app settings (Settings → App settings → Synchronization → Synchronize).

8. Click OK.
9. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. You can manually synchronize the mobile device using a special command.

To configure synchronization settings for iOS devices operating in basic protection mode:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the KS for iOS settings section.
4. On the Scheduled synchronization card, click Settings.

   The Scheduled synchronization window opens.

5. Enable synchronization using the Scheduled synchronization toggle switch.
6. In the Synchronization period drop-down list, select the period of time between synchronizations of devices with Kaspersky Security Center. The default value is 6 hours.
7. Click OK.
8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. You can manually synchronize the mobile device using a special command.

[Topic 274851]

Managing certificates of mobile devices

Kaspersky Security Center Web Console lets you issue, renew, or delete mobile, mail, or VPN certificates of mobile devices.

This section contains information about how to manage mobile device certificates and configure their issuance rules.

[Topic 287322]

Configuring certificate issuance rules

Kaspersky Security Center Web Console lets you configure how the certificates for mobile devices are issued, renewed, and protected.

To configure certificate issuance rules:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
2. In the list of certificates that opens, click Issuance rules.
   • In the PKI settings section:
     1. In the Integration with PKI block of settings, enable the Integrate issuance of certificates with Microsoft Certification Authority (CA) via PKI toggle switch to issue certificates automatically following integration.

        Click Select device, and then specify a device with Network Agent installed that will connect to Microsoft CA.

        For detailed information on PKI, refer to the Integration with Public Key Infrastructure section.

     2. In the Domain account for transmitting requests to issue certificates block of settings, specify the PKI account name (the name of the user account to be used for PKI integration in the userPrincipalName@DNSDomainName format) and Password (the domain password for the account).
     3. Click Save to apply the changes.
   • In the Mobile certificates section, you can do the following:
     1. In the Validity block of settings, in the Certificate validity period (days) field, specify the certificate lifetime in days. The default lifetime of a certificate is 365 days. When this period expires, the mobile device will not be able to connect to the Administration Server.
     2. In the Renewal block of settings, in the Renew certificate before it expires in (days) field, specify the number of days remaining until the current certificate's expiration when Administration Server should issue a new certificate. For example, if the value of the field is 4, Administration Server issues a new certificate four days before the current certificate expires. The default value is 30.

        Select the Renew certificate automatically check box to renew certificates automatically. If this option is disabled, certificates must be renewed manually as they expire. This check box is selected by default.

     3. In the Password protection block of settings, select the Prompt for password during certificate installation check box to prompt the user for a password when the certificate is installed on a mobile device. The password is used only once during the installation of the certificate on the mobile device. The password will be automatically generated by Administration Server and sent to the user by email. You can specify the password length in the Password length field.

        Password protection is only available for mobile certificates.

     4. Click Save to apply the changes.
   • In the Mail certificates and VPN certificates sections, if PKI integration is configured:
     1. In the Renewal block of settings, in the Renew certificate before it expires in (days) field, specify the number of days remaining until the current certificate's expiration when Administration Server should issue a new certificate. For example, if the value of the field is 4, Administration Server issues a new certificate four days before the current certificate expires.

        Select the Renew certificate automatically check box to renew certificates automatically. If this option is disabled, certificates must be renewed manually as they expire. This check box is selected by default.

     2. In the PKI settings block of settings, specify the Certificate template name in PKI (the certificate template that will be used to issue certificates to domain users).

        The Network Agent for Windows service installed on a device which connects to CA is run under the specified user account. This service is responsible for issuing users' domain certificates. The service is run when the list of certificate templates is loaded by clicking the Refresh list button or when a certificate is generated.

        When connecting a non-domain user's mobile device (running either Android or iOS) to Kaspersky Security Center, the attempt to issue a certificate may fail.

     3. In the Automatic issuance of mail certificate on device connection and Automatic issuance of VPN certificate on device connection blocks of settings, select the Issue for devices managed by Kaspersky Endpoint Security for Android or Issue for iOS MDM devices check boxes to enable automatic issuance of a mail or VPN certificate when devices connect to Kaspersky Security Center.

        If you selected the Issue for iOS MDM devices check box, choose the certificate alias from the drop-down list. The certificate alias is a name that identifies the certificate. You can configure the subsequent use of the selected alias for the certificate issuance in the following policy sections:

        • For mail certificates: in the properties of the Email account for iOS MDM devices and in the properties of the Exchange ActiveSync account for iOS MDM devices.
        • For VPN certificates: in the properties of the VPN network for iOS MDM devices and in the properties of the Wi-Fi network for iOS MDM devices.

        You can also change the alias for individual or multiple mail and VPN certificates by clicking Modify alias in the list of certificates (Assets (Devices) → Mobile → Certificates).

     4. Click Save to apply the changes.

The specified settings will be used by Kaspersky Security Center to issue, renew, and protect the certificates of mobile devices.

[Topic 286650]

Issuing mobile device certificates

You can issue mobile, mail, or VPN certificates for mobile devices.

To issue a certificate:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
2. In the list of certificates that opens, click Add.

   The Certificate issuance wizard starts. Click Start, and then proceed through the wizard using the Back and Next buttons.

Welcome

On the welcome screen, you can read a summary of the Certificate issuance wizard steps.

Please note that the numbering and set of steps may vary depending on the certificate type, operating system, and the issuance settings defined in the Issuance rules section.

Step 1. Certificate type

At this step, choose the certificate to be issued.

• Mail certificate (to configure corporate email on devices).
• VPN certificate (to configure access to private networks and corporate web resources on devices).
• Mobile certificate (to identify mobile devices on the Administration Server).

Step 2. Operating system

At this step, choose the operating system of the devices for which the certificate will be issued.

• Android
• iOS

Step 3. Connection method

This step is displayed only if you selected Mail certificate or VPN certificate as the certificate type and Android as the operating system of the devices for which the certificate will be issued.

At this step, choose the method for connecting devices to Administration Server.

• Connect using mobile certificate authentication

  Select this option if you want the mobile certificate to be used for user identification upon connecting to Administration Server.

• Connect without mobile certificate authentication

  Select this option if you want to install a certificate on a device using no certificate authentication.

Step 4. Users

At this step, choose one or more users that will receive the details for installing certificates. If a user is not in the list, you can add a new user account without exiting the wizard.

• To choose an existing user, select check boxes next to the corresponding user names.
• To add a new user, click Add user.
  1. Specify user credentials in the Credentials block of settings.
     • User name
     • Password

       The password must meet the following complexity requirements:

       • It must contain between 8 and 16 characters.
       • It must contain the characters from at least three of these groups: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;).
  2. If necessary, specify the optional details in the Optional information group of settings.
     • Full user name
     • Description
     • Email address
     • Phone number
  3. Click OK to save the changes.

     The new user will be added and displayed in the list of users.

• To modify user details, click Edit user.

The fields you can modify depend on the user subtype - internal or domain.

Step 5. Certificate alias and source

At this step, choose the certificate alias and source for importing the certificate.

• Certificate alias

  A certificate alias is a name that identifies the certificate. You can use the selected alias later to configure policy settings: Email account for iOS MDM devices; Exchange ActiveSync account for iOS MDM devices; VPN network for iOS MDM devices; Wi-Fi network for iOS MDM devices.

  This option is available only if you selected Mail certificate or VPN certificate as the certificate type.

• Integrate issuance with Microsoft CA via PKI

  For this option, specify one of the available templates imported from Microsoft CA in the PKI template field.

  This option is available only if the integration with PKI is enabled in the Issuance rules.

• Upload file

  For this option, specify the Certificate format:

  • For the PKCS #12 format, in the Certificate file field, click Select, and then specify a P12 or PFX file.
  • For the X.509 format, in the Private key file field, click Select, and then specify a PRK or PEM file.

    In the Certificate file field, click Select, and then specify a CER, CRT, or CERT file.

    After you specify the files, you can also enter the Certificate password.

Step 6. Authentication method

This step is displayed only if you selected Mobile certificate as the certificate type, or if you selected Mail certificate or VPN certificate for Android devices and specified the Connect without mobile certificate authentication option as the connection method.

At this step, choose the user authentication method for receiving the certificate.

• Domain or internal user credentials. Users will access the certificate using the domain or internal user credentials. On mobile devices, users will have to specify the login in one of the following formats:
  • userPrincipalName@DNSDomainName
  • sAMAccountName
  • sAMADomain\sAMAccountName
• Password. Users will access the certificate using a password sent by email or displayed after completing the wizard.

In the Certificate use on device block of settings, click the Allow using one certificate multiple times on the same device (only for devices with Kaspersky Endpoint Security for Android installed) check box if you want to allow using one certificate multiple times on the same device.

This option is available only if Android is chosen as the operating system of the devices for which the certificate will be issued.

Step 7. Send certificate details

At this step, choose how to send the certificate installation details. You can choose one of the following options:

• Send a message to users' email addresses

  Choose this option to send the certificate installation details by email to the selected users. These email addresses must be specified in the user account settings in Kaspersky Security Center.
  
  If you want to send the certificate installation details to an email address that is not specified in the user account settings in Kaspersky Security Center, select the Send a copy of the message to an alternate email address check box, and then specify the required email address.

• Show the details after completing the wizard

  Choose this option to display the certificate installation details at the final step of the Certificate issuance wizard.

Step 8. Confirm

At this step, check the certificate issuance details specified in the earlier steps, and then click Confirm and issue certificate to confirm the operation.

Finish

On the Finish screen:

• If you chose the Send a message to users' email addresses option, the specified users will receive the emails with certificate installation details.
• If you chose the Show the details after completing the wizard option, certificate installation details are displayed on the Finish screen. You can view the displayed details or click Download list to receive a file with summarized information.

Click Close to exit the wizard.

After completing the Certificate issuance wizard, certificates are created and added to the list of user certificates. You can delete or renew certificates, as well as view their properties.

[Topic 287330]

Renewing mobile device certificates

If one of the certificates is about to expire, you can renew it using Kaspersky Security Center Web Console.

By following the steps below, you can renew a mobile certificate or a mail or VPN certificate issued via PKI.

To renew a certificate:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
2. In the list of certificates that opens, select the certificate you want to renew, and then click Renew.

The status of the certificate changes to Certificate renewed.

[Topic 287331]

Deleting mobile device certificates

You can delete the certificates of mobile devices using Kaspersky Security Center Web Console.

Please note that if you delete a mobile certificate, the device can no longer synchronize with Administration Server and cannot be managed by means of Kaspersky Security Center.

When you delete a certificate, it is only removed from Kaspersky Security Center Web Console and is no longer renewed, but remains on the device. To delete a certificate from iOS MDM devices, corporate devices, or devices with corporate container, you must execute the Wipe corporate data command. On personal Android devices, users should delete the certificate manually.

When you delete a mobile certificate of the iOS MDM device, the device is not removed from Kaspersky Security Center Web Console, but it loses the ability to synchronize with iOS MDM Server and the "Inactive" status is assigned to it. In this case, you have to delete this device from the list of managed devices in Kaspersky Security Center Web Console, and then reconnect it using Mobile device connection wizard.

To delete a certificate from Kaspersky Security Center Web Console:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
2. In the list of certificates that opens, select the certificate you want to delete, and then click Delete.

The certificate is deleted and removed from the list of certificates.

[Topic 286898]

Integration with Public Key Infrastructure

You can integrate the issuance of certificates with Microsoft Certification Authority (CA) via Public Key Infrastructure (PKI). Integration with PKI is primarily intended for simplifying the issuance of domain user certificates by Administration Server. Following integration, certificates are issued automatically.

You can perform the PKI integration with specified settings and assign PKI to act as the source of certificates for specific types of certificates. The PKI integration settings specified in the Issuance rules let you set the individual default template for all types of certificates.

The specifics of using PKI integration to issue certificates:

• The PKI integration is disabled by default. You can enable it using the Integrate issuance of certificates with Microsoft Certification Authority (CA) via PKI toggle switch. For detailed information on enabling PKI and configuring its settings, refer to the Configuring certificate issuance rules section.
• The certificate issuance is carried out using Network Agent Windows, which enables the integration between Administration Server and Microsoft CA. Since there can be multiple devices with Network Agent installed, you can specify the device that will connect to Microsoft CA in the Issuance rules. This device must have an Enrollment Agent (EA) certificate installed in the certificates repository of the account under which the integration with PKI is performed. The certificate is issued by the administrator of the domain's CA.
• The account under which integration with PKI is performed must be a domain user and have the right to Log On As Service.
• Kaspersky Security Center can only work with one PKI (Microsoft CA) integration at a time.

For detailed information on configuring integration with PKI to issue certificates, refer to the Configuring certificate issuance rules section.

[Topic 286651]

Viewing the list of mobile device certificates

Kaspersky Security Center Web Console lets you view the created mobile device certificates and their properties.

To view the list of all certificates and their properties:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
2. In the window that opens, you can view the list of all created certificates and their properties displayed in the table.

To view the properties of an individual certificate:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
2. In the list of certificates that opens, select the certificate whose properties you want to view.
3. In the Certificate details window, view the certificate properties:
   • User name
   • Status
   • Type
   • Protocol
   • Source
   • Expiration date
   • Issue date
   • Latest status update
   • Alias
   • Automatic renewal disabled
   • Thumbprint

To view the certificates installed on an iOS MDM device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
2. In the list of mobile devices that opens, choose the device whose certificates you want to view.
3. In the device properties window that opens, choose the Certificates section.

   The list of certificates installed on the device and their properties are displayed.

   • Certificate name
   • User certificate
   • Certificate thumbprint

[Topic 274723]

Configuration and management

This section is intended for specialists who administer Kaspersky Secure Mobility Management, as well as for specialists who provide technical support to organizations that use Kaspersky Secure Mobility Management.

[Topic 274743]

Control

This section contains information about how to remotely monitor mobile devices in the Kaspersky Security Center Web Console.

[Topic 274744]

Configuring restrictions

This section provides instructions on how to configure user access to the features of mobile devices.

[Topic 274751]

Configuring restrictions for personal Android devices

These settings apply to personal devices and devices with a corporate container.

To keep an Android device secure, Kaspersky Mobile Devices Protection and Management lets you configure user access to the following features of mobile devices:

• Wi-Fi
• Camera
• Bluetooth

By default, the user can use Wi-Fi, camera, and Bluetooth on the device without restrictions.

To configure the Wi-Fi, camera, and Bluetooth usage restrictions on the device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the Restrictions section.
4. On the Device feature restrictions card, click Settings.

   The Device feature restrictions window opens.

5. Enable the settings using the Device feature restrictions toggle switch.
6. Configure usage of Wi-Fi, camera, and Bluetooth:
   • To disable the Wi-Fi module on the user's mobile device, select the Prohibit use of Wi-Fi check box.

     On personal devices and devices with a corporate container running Android 10 or later, prohibiting the use of Wi-Fi networks is not supported.

   • To disable the camera on the user's mobile device, select the Prohibit use of camera check box.

     When camera usage is prohibited, the app displays a notification upon opening and then closes shortly after. On Asus and OnePlus devices, the notification is shown in full screen. The device user can tap the Close button to exit the app.

     On devices running Android 11 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or later disable this service in the device settings. If this is the case, you will not be able to restrict use of the camera.

   • To disable Bluetooth on the user's mobile device, select the Prohibit use of Bluetooth check box.

     On Android 12 or later, the use of Bluetooth can be disabled only if the device user granted the Nearby devices permission. The user can grant this permission during the Initial Configuration Wizard or later.

     On personal devices running Android 13 or later, the use of Bluetooth cannot be disabled.

7. Click OK.
8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

You can also restrict additional operating system features on corporate devices.

[Topic 274752]

Configuring iOS MDM device restrictions

Expand all | Collapse all

To ensure compliance with corporate security requirements, configure restrictions on the operation of iOS MDM devices.

Configuring feature restrictions

To configure iOS MDM device feature restrictions:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Restrictions section.
4. On the Device feature restrictions card, click Settings.

   The Device feature restrictions window opens.

5. Enable the settings using the Device feature restrictions toggle switch.
6. Enable iOS MDM device feature restrictions using toggle switches on corresponding tabs and select the required restrictions.

   List of device feature restrictions

   • Restrictions on the General tab:
     • In the Device settings section:
       • Prohibit voice dial on a locked device

         Use of the voice dialing function on a locked mobile device.

         If the check box is cleared, the user can use voice commands to dial phone numbers on a locked mobile device.

         If the check box is selected, the user cannot use voice commands to dial phone numbers on a locked mobile device.

         This check box is cleared by default.

       • Limit ad tracking

         Use of IFA (Identifier for advertisers) technology for keeping track of websites visited and apps launched on the iOS MDM device. IFA makes it possible to configure ad tracking on the mobile device according to the user's interests.

         If the check box is selected, IFA technology is disabled on the user's mobile device.

         If the check box is cleared, IFA technology is enabled on the mobile device and keeps track of visited websites and started apps in order to show targeted ads.

         This check box is cleared by default.

       • Prohibit Handoff

         Use of the Handoff function on the user's mobile device. Handoff enables you to start working with data on one Apple device and then switch to another Apple device and continue working with that data.

         If the check box is cleared, Handoff is available to the user.

         If the check box is selected, Handoff is not available.

         This check box is cleared by default.

       • Prohibit editing device name

         Ability to modify the name of the mobile device.

         If the check box is cleared, the user can edit the mobile device name.

         If the check box is selected, the device name cannot be edited.

         This check box is cleared by default.

       • Prohibit modifying restrictions

         Ability to configure the settings for restrictions on the mobile device. Restrictions may be utilized by the user to perform parental control functions on the mobile device. The user can restrict device functions (for example, block use of the camera), access to media content (for example, set age restrictions on viewing films), use of apps (for example, block the use of iTunes Store), and configure other restrictions.

         If the check box is cleared, the user can configure the settings for restrictions on the mobile device.

         If the check box is selected, restrictions cannot be configured on the mobile device.

         This check box is cleared by default.

       • Prohibit Spotlight suggestions

         Use of Spotlight internet search results in Siri Suggestions. When using Spotlight suggestions, search queries and their associated user data are sent to Apple.

         If the check box is cleared, the user can allow displaying Spotlight internet search results in Siri Suggestions.

         If the check box is selected, Spotlight internet search results are not available in Siri Suggestions. User data is not sent to Apple.

         The user may be able to enable Spotlight internet search results in Siri Suggestions even if the check box is selected. This is due to an issue known to Apple.

         This check box is cleared by default.

     • In the Data loss protection section:
       • Prohibit screenshots and screen recording

         Ability to take a screenshot or video from the screen of the iOS MDM device.

         If the check box is cleared, the user can take and save screenshots and videos from the screen of the mobile device.

         If the check box is selected, the user cannot take and save screenshots and videos from the screen of the mobile device.

         This check box is cleared by default.

       • Prohibit non-managed apps from using documents from managed apps

         Ability to use non-managed (personal) apps on the iOS MDM device to open documents created using managed (corporate) apps and accounts. Non-managed apps are apps installed, configured, and managed by the mobile device user.

         If the check box is cleared, the user can use non-managed apps to open documents created in managed corporate apps.

         If the check box is selected, the user is not allowed to use non-managed apps to open documents created using managed apps. For example, this setting prevents a confidential email attachment from a managed email account from being opened in the user's personal apps.

         This check box is cleared by default.

       • Prohibit managed apps from using documents from non-managed apps

         Ability to use managed (corporate) apps on the iOS MDM device to open documents created using non-managed (personal) apps and accounts of the user. Non-managed apps are apps installed, configured, and managed by the mobile device user.

         If the check box is cleared, the user can use managed apps to open documents created using non-managed apps.

         If the check box is selected, the user is not allowed to use managed apps to open documents created using non-managed apps. For example, this setting prevents a document from a personal iCloud account from being opened in a corporate app.

         This check box is cleared by default.

       • Disable encryption of backup copies

         Encryption of backup copies of iOS MDM device data in the iTunes app on the user's computer.

         If the check box is cleared, when a backup copy of mobile device data is created in the iTunes app, data is encrypted automatically and protected with a password. In this case, the user cannot encrypt backup copies of device data in the iTunes app.

         If the check box is selected, the user can choose whether to encrypt backup copies of data in the iTunes app.

         This check box is cleared by default.

       • Prohibit reset to factory settings

         Ability to wipe all data from the device and reset the device to its factory settings.

         If the check box is cleared, the user can wipe all data from the device and reset it to factory settings.

         If the check box is selected, full reset to factory settings is not available.

         This check box is cleared by default.

       • Prohibit modifying account settings

         Option that lets the user add new accounts (such as email accounts) and edit account settings on the iOS MDM device.

         If the check box is cleared, the mobile device user can add new accounts and edit the settings of existing accounts.

         If the check box is selected, the mobile device user is not allowed to add new accounts and edit the settings of existing accounts.

         This check box is cleared by default.

     • In the Security and privacy section:
       • Prohibit sending diagnostic and personal data to Apple

         Automatic receiving of diagnostic data and information on iOS MDM device usage and transmission of a report with this data to Apple for analysis.

         If the check box is cleared, after being shown a warning the user may allow transmission of reports with diagnostic data and information on mobile device usage to Apple.

         If the check box is selected, transmission of reports with diagnostic data and information on mobile device usage to Apple is blocked.

         This check box is cleared by default.

       • Prohibit changing password

         Ability to set, change, or delete the mobile device unlock password.

         If the check box is cleared, the user can set, change, or delete the password used for unlocking the mobile device.

         If the check box is selected, management of the device unlock password is not available.

         This check box is cleared by default.

       • Prohibit modifying Touch ID and Face ID settings

         Ability to add and remove Touch ID fingerprints or Face ID data.

         If the check box is cleared, the user can add and remove Touch ID fingerprints or Face ID data.

         If the check box is selected, management of Touch ID fingerprint or Face ID data is not available.

         This check box is cleared by default.

       • Prohibit device unlock using Touch ID and Face ID

         Touch ID and Face ID make it possible to use a fingerprint or facial recognition as a password for unlocking the iOS MDM device. Touch ID and Face ID can also be used for authentication of purchases by means of Apple Pay, iTunes Store, App Store, and Book Store, and to sign in to apps.

         If the check box is cleared, the user can use a fingerprint or facial recognition instead of entering a password to unlock the mobile device.

         If the check box is selected, the user cannot use Touch ID or Face ID for unlocking the mobile device.

         This check box is cleared by default.

       • Prompt for password for each purchase on iTunes Store

         Use of the restriction password for purchasing media content in iTunes Store.

         If the check box is selected, prior to making the first purchase via iTunes Store the user has to specify a restriction password in the purchase restriction settings and subsequently use it for preventing accidental or unauthorized purchases. After the account has been verified when the user is making purchases, the restriction password does not have to be re-entered for 15 minutes.

         If the check box is cleared, the user is not required to enter the restriction password before making purchases in iTunes Store.

         This check box is cleared by default.

       • Prompt for password on first connection via AirPlay

         Use of a password upon connection of the iOS MDM device to devices compatible with AirPlay. The password is used for safe transmission of media content.

         If the check box is selected, before the first connection of the mobile device to devices compatible with AirPlay, the user must specify a password in the AirPlay security settings and subsequently enter it.

         If the check box is cleared, the user can decide whether to use a password when connecting the mobile device to devices compatible with AirPlay.

         This check box is cleared by default.

       • Prohibit installing configuration profiles

         Use of additional configuration profiles on the iOS MDM device.

         If the check box is cleared, the user can install additional configuration profiles on the mobile device.

         If the check box is selected, the user cannot install additional configuration profiles on the mobile device.

         This check box is cleared by default.

       • Prohibit non-Configurator hosts

         Protection of the iOS MDM device against third-party connections. A third-party connection is a connection to other devices or synchronization with Apple services, such as iTunes.

         If the check box is cleared, the user can synchronize the iOS MDM device with other devices and Apple services.

         If the check box is selected, non-Configurator hosts on the user's mobile device are blocked.

         This check box is cleared by default.

       • Prohibit modifying settings for sending diagnostic data

         Automatic receiving of diagnostic data and information on iOS MDM device usage and transmission of a report with this data to Apple for analysis.

         If the check box is cleared, the user can configure the submission of reports containing diagnostic information and mobile device usage data to Apple.

         If the check box is selected, the settings for submission of reports containing diagnostic information are not available.

         This check box is cleared by default.

     • In the iCloud section:
       • Prohibit backup in iCloud

         Automatic backup of data from the iOS MDM device to iCloud. Copies of data already stored in iCloud are not created during the backup process. Copies of media content that was received by synchronizing the device with a computer and not purchased from iTunes Store are not created either.

         If the check box is cleared, the user can save backup copies of mobile device data in iCloud. Backup copies of data are saved in iCloud on a daily basis when the device is enabled, locked, and connected to a power source.

         If the check box is selected, the user cannot save backup copies of mobile device data in iCloud.

         This check box is cleared by default.

       • Prohibit storing documents and data in iCloud

         Automatic backup of documents in iCloud. iCloud documents can be opened and edited on other devices on which the iCloud service is configured.

         If the check box is cleared, the user can save documents in iCloud, open and edit them on other devices in applications that support iCloud (such as TextEdit).

         If the check box is selected, the user is not allowed to save documents in iCloud.

         This check box is cleared by default.

       • Prohibit iCloud keychain

         Automatic synchronization of the account credentials of an iOS MDM device user with the user's other Apple devices. The synchronized data is stored in iCloud Keychain. Data in iCloud Keychain is encrypted. iCloud Keychain makes it possible to save the following data in iCloud:

         • Website accounts
         • Bank card numbers and expiration dates
         • Wireless network passwords

         If the check box is cleared, the user can synchronize data of accounts with the user's other Apple devices.

         If the check box is selected, the user is not allowed to use iCloud Keychain on the mobile device.

         This check box is cleared by default.

       • Prohibit managed apps from storing data in iCloud

         Creation of a backup copy of the data of managed apps in iCloud.

         If the check box is cleared, the user can store the data of managed apps in iCloud.

         If the check box is selected, the user cannot store corporate data in iCloud.

         This check box is cleared by default.

       • Prohibit backup of enterprise books

         Backup of enterprise books using iCloud or iTunes. You can provide access to enterprise books by placing them on the corporate web server.

         If the check box is cleared, backup of enterprise books using iCloud or iTunes is available to the user.

         If the check box is selected, backup of enterprise books is not available.

         This check box is cleared by default.

       • Prohibit synchronizing notes and highlights in enterprise books

         Ability to synchronize notes, bookmarks, and highlighted text in enterprise books using iCloud.

         If the check box is cleared, the user can synchronize notes, bookmarks, and highlights in enterprise books. Changes will be available on all the user's Apple devices using iCloud.

         If the check box is selected, notes, bookmarks and highlighted text will be available only on this mobile device.

         This check box is cleared by default.

       • Prohibit iCloud photo sharing

         Use of iCloud photo sharing on the iOS MDM device to grant other users access to photos and videos on the iCloud server. The other users need to have the iCloud photo sharing feature configured.

         If the check box is cleared, the iCloud photo sharing feature is available to the user. Users of other devices can view the user's photos and videos, leave comments, and add their own photos and videos. The user can also access the data of other users on the iCloud server.

         If the check box is selected, the iCloud photo sharing feature is not available to the user. The user cannot grant other users access to the user's photos and videos on the iCloud server or access the data of other users on the iCloud server.

         This check box is cleared by default.

       • Prohibit iCloud Media Library

         Use of the iCloud Media Library function for automatic uploading of photos and videos from the iOS MDM device to the user's other Apple devices.

         If the check box is cleared, the iCloud Media Library function is available to the user when working with the Photos app.

         If the check box is selected, the iCloud Media Library function is not available to the user. The user's photos and videos saved in the iCloud Media Library are removed from the iCloud server.

         This check box is cleared by default.

     • In the Certificates section:
       • Prohibit users from accepting untrusted TLS certificates

         Use of untrusted TLS certificates for providing an encrypted communication channel between apps on the iOS MDM device (Mail, Contacts, Calendar, Safari) and corporate resources.

         If the check box is cleared, the user may allow the use of an untrusted TLS certificate after being shown a warning.

         If the check box is selected, the use of untrusted TLS certificates is blocked.

         This check box is cleared by default.

       • Prohibit automatic updates of trusted certificates

         Automatic updates of trusted certificates on the iOS MDM device.

         If the check box is cleared, changes made to the trust settings of a certificate are applied automatically.

         If the check box is selected, changes to trust settings of a certificate are not applied automatically. After being shown a warning, the user may choose to apply changes to trust settings of the certificate.

         This check box is cleared by default.

   • Restrictions on the Apps tab:
     • In the General section:
       • Prohibit use of camera

         Use of the camera on the user's mobile device.

         If the check box is cleared, the user is allowed to use the device camera.

         If the check box is selected, use of the device camera is disabled. The user cannot take photos, record videos, or use the FaceTime app. The camera icon on the device home screen is hidden.

         This check box is cleared by default.

       • Prohibit FaceTime

         Use of the FaceTime app on the user's mobile device. This check box is available if the use of the device camera is allowed. This setting is available if the Prohibit use of camera check box is cleared.

         If the check box is cleared, the user can make and receive calls using FaceTime.

         If the check box is selected, the FaceTime app is disabled on the user device. The user cannot make or receive video calls.

         This check box is cleared by default.

       • Prohibit iMessage

         Use of the iMessage service on the user's mobile device.

         If the check box is cleared, the user can send and receive messages using the iMessage service.

         If the check box is selected, the iMessage is not available on the mobile device. The user cannot send or receive messages via iMessage.

         This check box is cleared by default.

       • Prohibit Book Store

         Access to Book Store from the Apple Books app on the user's mobile device.

         If the check box is cleared, the user can visit Book Store from the Apple Books app installed on the device.

         If the check box is selected, the user cannot visit Book Store from the Apple Books app.

         This check box is cleared by default.

       • Prohibit installation of apps from Apple Configurator and iTunes

         The user can independently install apps on an iOS MDM device.

         If the check box is cleared, the user can independently install or update apps on a mobile device from App Store using iTunes or Apple Configurator.

         If the check box is selected, the user cannot install or update apps from App Store using iTunes or Apple Configurator on a mobile device. Installation and updates are available only for corporate apps. The App Store icon is hidden on the home screen of the iOS MDM device.

         This check box is cleared by default.

       • Prohibit installation of apps from the App Store

         Ability to independently install apps on a mobile device from the App Store. The check box is available if the Prohibit installation of apps from Apple Configurator and iTunes check box is cleared.

         If the check box is cleared, the user can independently install or update apps from the App Store.

         If the check box is selected, the user cannot install or update apps from the App Store on the mobile device. The App Store icon is hidden on the home screen of the iOS MDM device.

         This check box is cleared by default.

       • Prohibit automatic app downloads

         Use of automatic app downloads on the user's mobile device. The check box is available if the Prohibit installation of apps from Apple Configurator and iTunes check box is cleared.

         If the check box is cleared, automatic app downloads are available to the user. After this function is enabled, the apps that the user downloaded from the App Store are automatically downloaded to the user's other Apple devices.

         If the check box is selected, automatic app downloads are disabled and unavailable.

         This check box is cleared by default.

       • Prohibit in-app purchases

         Use of the in-app purchase system on the mobile device.

         If the check box is cleared, the user can make purchases in apps installed on the mobile device.

         If the check box is selected, the user cannot make purchases in apps installed on the mobile device.

         This check box is cleared by default.

       • Prohibit trusting new enterprise developers

         Ability to configure trusting of corporate apps on a mobile device. You can develop corporate apps and distribute them among employees for internal use. To work with a corporate app, the mobile device user must make it a trusted app.

         If the check box is cleared, the user can configure trusting of corporate apps.

         If the check box is selected, the user cannot set the trust level for corporate apps when installing an app manually.

         This check box is cleared by default.

       • Prohibit removing apps

         This option allows removing apps from the mobile device.

         If the check box is cleared, the user can remove apps installed via the App Store or iTunes from the device.

         If the check box is selected, the user cannot remove apps installed via the App Store or iTunes from the mobile device.

         This check box is cleared by default.

     • In the AirPrint section:
       • Prohibit AirPrint

         Selecting or clearing this check box specifies whether the device user can use AirPrint.

         The check box is cleared by default.

       • Prohibit storing AirPrint credentials

         Selecting or clearing this check box specifies whether the device user can store a keychain of user name and password for AirPrint.

         The restriction is supported on devices with iOS 11 and later.

         The check box is cleared by default.

       • Prohibit iBeacon discovery of AirPrint printers

         Selecting or clearing this check box specifies whether iBeacon discovery of AirPrint printers is enabled. Disabling iBeacon discovery of AirPrint printers prevents spurious AirPrint Bluetooth beacons from getting information about network traffic.

         The restriction is supported on devices with iOS 11 and later.

         The check box is cleared by default.

       • Force AirPrint to use a trusted TLS certificate

         Selecting or clearing this check box specifies whether a trusted certificate is required for TLS printing communication.

         The restriction is supported on devices with iOS 11 and later.

         The check box is cleared by default.

     • In the AirDrop section:
       • Prohibit AirDrop

         Use of the AirDrop feature for transmitting user data from the iOS MDM device to other Apple devices.

         If the check box is cleared, the user can use AirDrop to transmit data to other Apple devices.

         If the check box is selected, the user cannot transmit data to other Apple devices using AirDrop.

         This check box is cleared by default.

       • Treat AirDrop as a managed app

         Use of AirDrop as a managed app for transferring data from the mobile device to other Apple devices. This restriction requires that you select the Prohibit non-managed apps from using documents from managed apps check box. Non-managed apps are apps installed, configured, and managed by the mobile device user.

         If the check box is cleared, AirDrop is treated as a non-managed app.

         If the check box is selected, AirDrop is treated as a managed app.

         This check box is cleared by default.

     • In the Apple Music section:
       • Prohibit Apple Music

         Listening to music on the user's mobile device using the Apple Music service.

         If the check box is cleared, the user can listen to music on the mobile device in the Music app.

         If the check box is selected, the Apple Music service is not available to the user.

         This check box is cleared by default.

       • Prohibit Radio in Apple Music

         Listening to the radio using the Apple Music service on the user's mobile device.

         If the check box is cleared, the user can listen to the radio in the Music app on the mobile device.

         If the check box is selected, the user cannot listen to the radio.

         This check box is cleared by default.

     • In the Apple Watch section:
       • Disable Apple Watch wrist detection

         Automatic locking of Apple Watch when the user removes the watch from their hand.

         If the check box is cleared, Apple Watch is locked when the user removes a watch from their hand. To unlock it, the user must enter a password on the mobile device.

         If the check box is selected, Apple Watch cannot be locked after a watch is removed.

         This check box is cleared by default.

       • Prohibit pairing with Apple Watch

         Pairing of Apple Watch with a supervised mobile device.

         If the check box is cleared, the user of the supervised mobile device can pair it with Apple Watch.

         If the check box is selected, pairing with Apple Watch is not available.

         This check box is cleared by default.

     • In the Siri section:
       • Prohibit Siri

         Usage of the Siri app on the user's mobile device.

         If the check box is cleared, the user can use Siri voice commands on the mobile device.

         If the check box is selected, the user cannot use Siri voice commands on the mobile device.

         This check box is cleared by default.

       • Prohibit when device is locked

         Use of Siri voice commands when the user's mobile device is locked. The user's mobile device has to be password-protected.

         If the check box is cleared, the user can use Siri voice commands on a locked mobile device.

         If the check box is selected, the user cannot use Siri voice commands on a locked device.

         This check box is cleared by default.

       • Prohibit use of profanity filter

         This option disables the filtering of profanity while using the Siri app on the mobile device.

         If the check box is cleared, profanity is filtered while the user uses the Siri app.

         If the check box is selected, profanity is not filtered while the user uses the Siri app.

         This check box is cleared by default.

       • Prohibit Siri from using internet search

         This option prohibits Siri from using internet search for voice commands on the iOS MDM device.

         If the check box is cleared, Siri can search the internet for answers to the user's questions.

         If the check box is selected, Siri cannot search the internet for information.

         This check box is cleared by default.

     • In the Find My section:
       • Prohibit locating devices in Find My

         Selecting or clearing this check box specifies whether the device user can find devices in the Find My app.

         The restriction is supported on devices with iOS 13 and later.

         The check box is cleared by default.

       • Prohibit locating friends in Find My

         Selecting or clearing this check box specifies whether the device user can find friends in the Find My app.

         The restriction is supported on devices with iOS 13 and later.

         The check box is cleared by default.

     • In the Classroom section:
       • Prohibit screen viewing via Classroom

         Ability for an instructor to view students' iPad screens using the Classroom application.

         If the check box is cleared, the instructor can view students' iPad screens in the Classroom application.

         If the check box is selected, the instructor cannot view students' iPad screens in the Classroom application.

         This check box is cleared by default.

   • Restrictions on the Storage tab:
     • In the General section:
       • Prohibit access to USB devices in Files

         If the check box is cleared, the user can access connected USB devices in the Files app.

         If the check box is selected, access to connected USB devices in the Files app is blocked.

         The setting is available for mobile devices running iOS 13.1 or later.

         This check box is cleared by default.

       • Disable access to USB devices when the device is locked

         Specifies whether USB Restricted Mode is enabled when the device is locked.

         If the check box is selected, then when the device is locked, connections to USB drives are limited by USB Restricted Mode.

         If the check box is cleared, the device is allowed to connect to USB drives when locked.

         The setting is available for mobile devices running iOS 11.4.1 or later.

         This check box is cleared by default.

   • Restrictions on the Network tab:
     • In the General section:
       • Prohibit use of NFC

         If the check box is cleared, the use of NFC is allowed.

         If the check box is selected, the use of NFC is disabled.

         The setting is available for mobile devices running iOS version 14.2 or later.

         This check box is cleared by default.

       • Prohibit creating VPN configurations

         If the check box is cleared, the user can create a VPN configuration on the managed device.

         If the check box is selected, the user can't create a VPN configuration on the managed device.

         The setting is available for mobile devices running iOS version 11 or later.

         This check box is cleared by default.

       • Prohibit modifying eSIM settings

         Selecting or clearing this check box specifies whether the device user can change settings related to the carrier plan.

         The restriction is supported on devices with iOS 11 and later.

         The check box is cleared by default.

     • In the Wi-Fi section:
       • Force Wi-Fi on

         Specifies whether Wi-Fi on the managed device should be always on. The device can connect to any Wi-Fi network.

         If the check box is selected, Wi-Fi on the device is always on, even in flight mode. The user cannot disable Wi-Fi in the device settings.

         If the check box is cleared, the user can disable Wi-Fi in the device settings.

         The setting is available for mobile devices running iOS version 13 or later.

         This check box is cleared by default.

       • Force connection to allowed Wi-Fi networks only

         Specifies whether the device can connect to allowed Wi-Fi networks only. This option is available if you add at least one Wi-Fi network to the list of Wi-Fi networks in the Wi-Fi section.

         If the check box is selected, the device connects to allowed Wi-Fi networks only. The user cannot disable Wi-Fi in the device settings.

         If the check box is cleared, the user can connect to any Wi-Fi network.

         The setting is available for mobile devices running iOS version 14.5 or later.

         This check box is cleared by default.

       • Prohibit modifying Personal Hotspot settings

         If the check box is cleared, the device user can modify Personal Hotspot settings.

         If the check box is selected, the device user cannot modify Personal Hotspot settings.

         The setting is available for mobile devices running iOS 12.2 or later.

         This check box is cleared by default.

     • In the Bluetooth section:
       • Prohibit modifying Bluetooth settings

         If the check box is cleared, the user can modify Bluetooth settings on the mobile device.

         If the check box is selected, Bluetooth settings cannot be modified on the mobile device.

         The setting is available for mobile devices running iOS 11 or later.

         This check box is cleared by default.

     • In the Cellular section:
       • Prohibit automatic sync while roaming

         Prohibit automatic synchronization of user data when the iOS MDM device is roaming.

         If the check box is cleared, the user can enable automatic data synchronization when the device is roaming. Enabling automatic synchronization in roaming can result in unexpected mobile service costs.

         If the check box is selected, the user is not allowed to use automatic data synchronization when the device is roaming.

         This check box is cleared by default.

       • Prohibit modifying cellular settings

         Ability to configure cellular network data transfer by apps installed on a mobile device.

         If the check box is cleared, the user can configure the settings for data transfer over a cellular network.

         If the check box is selected, the settings for cellular network data transfer by apps cannot be modified.

         This check box is cleared by default.

   • Restrictions on the Additional settings tab:
     • In the Display section:
       • Prohibit changing wallpaper

         Ability to select the image that will be displayed on the lock screen or Home screen.

         If the check box is cleared, the user can select the wallpaper for the mobile device.

         If the check box is selected, wallpaper selection is not available.

         This check box is cleared by default.

     • In the Text section:
       • Prohibit spellcheck

         Use of spellcheck when entering text on a mobile device. The spellcheck function underlines incorrectly spelled words and suggests corrections.

         If the check box is cleared, the user can enable and use the spellcheck function.

         If the check box is selected, spellcheck is not available when entering text.

         This check box is cleared by default.

       • Prohibit auto-correction

         Use of the auto-correct function when entering text.

         If the check box is cleared, the user can enable and use the auto-correct function.

         If the check box is selected, auto-correct is not available when entering text.

         This check box is cleared by default.

       • Prohibit dictionary search

         Use of a dictionary to get the definitions of words on the mobile device. Only a software keyboard has a dictionary function.

         If the check box is cleared, the user can highlight any word on the screen of the mobile device and get the definition of that word.

         If the check box is selected, dictionary search is not available.

         This check box is cleared by default.

     • In the Keyboard section:
       • Prohibit predictive text

         Use of the predictive text input function. The predictive text input function shows options for completing words and suggestions based on available dictionaries.

         If the check box is cleared, the user can enable and use the predictive text input function.

         If the check box is selected, the predictive text function is not available. In this case, suggestions are not displayed when entering text.

         This check box is cleared by default.

       • Prohibit keyboard shortcuts

         Use of keyboard shortcuts for quick access to mobile device functions.

         If the check box is cleared, the user can enable the keyboard shortcut function and use it when working with the mobile device.

         If the check box is selected, the keyboard shortcut function is not available.

         This check box is cleared by default.

     • In the Notifications section:
       • Prohibit Wallet on-screen notifications when screen is locked

         Use of Wallet notifications on the lock screen of the iOS MDM device.

         If the check box is cleared, Wallet notifications are displayed on the lock screen of the mobile device.

         If the check box is selected, Wallet notifications are not displayed on the lock screen of the mobile device. To work with Wallet, the user must unlock the device.

         This check box is cleared by default.

       • Hide Control Center when screen is locked

         Ability to go to the Control Center of the iOS MDM device when the device is locked.

         If the check box is cleared, the user can go to the Control Center when the device is locked.

         If the check box is selected, the user cannot go to the Control Center when the device is locked.

         This check box is cleared by default.

       • Hide Notification Center when screen is locked

         Ability to go to the Notification Center of the iOS MDM device when the device is locked.

         If the check box is cleared, the user can go to the Notification Center by swiping the lock screen down.

         If the check box is selected, the user cannot go to the Notification Center when the device is locked.

         This check box is cleared by default.

       • Hide Today View when screen is locked

         Display of information from the Today View on the screen of a locked iOS MDM device. The Today section of the Notification View shows the following information:

         • Calendar events
         • Reminders
         • Stock prices
         • Weather

         If the check box is cleared, the user can view notifications from the Today View on a locked mobile device.

         If the check box is selected, the Today View is not displayed on the locked mobile device.

         This check box is cleared by default.

       • Prohibit modifying notification settings

         Ability to configure the display of notifications on the mobile device.

         If the check box is cleared, the user can configure the settings for displaying notifications on the mobile device.

         If the check box is selected, the display of notifications cannot be configured.

         This check box is cleared by default.

   • Restrictions on the OS update tab:
     • In the General section:
       • Delay software updates (days)

         Allows delaying operating system updates on the device.

         If the check box is selected, the user cannot access updates for the specified period. The default delay is 30 days. You can specify another period in the Number of days from 1 to 90 field.

         If the check box is cleared, the user can update the software as soon as updates are available.

         The setting is available for mobile devices running iOS version 11.3 or later.

         This check box is cleared by default.

7. Click OK.
8. Click Save to save the changes you have made.

As a result, feature restrictions will be configured on the user's mobile device after the policy is applied.

Configuring app restrictions

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Restrictions section.
4. On the App restrictions card, click Settings.

   The App restrictions window opens.

5. Enable the settings using the App restrictions toggle switch.
6. Configure iOS MDM device app restrictions.

   List of app restrictions

   Restrictions in the Safari section:

   • Allow use of Safari

     Use of the Safari browser on the iOS MDM device.

     If the check box is selected, the user is allowed to use the Safari browser.

     If the check box is cleared, the user is not allowed to use the Safari browser. The Safari icon is hidden on the home screen of the iOS MDM device.

     This check box is selected by default.

   • Allow AutoFill

     Saving and autofilling of data entered by the user in web forms in the Safari browser.

     If this check box is selected, user data entered in web forms is saved. Later it is automatically inserted in web forms.

     If this check box is cleared, user data is not inserted in web forms.

     This check box is selected by default.

   • Warn the user when visiting a dangerous website

     Option that enables a user warning prior to a visit to a website that Kaspersky Mobile Devices Protection and Management has found to be dangerous.

     If the check box is selected, Kaspersky Mobile Devices Protection and Management warns a user attempting to visit a dangerous website.

     If the check box is cleared, Kaspersky Mobile Devices Protection and Management does not warn a user attempting to visit a dangerous website.

     This check box is cleared by default.

   • Allow JavaScript

     Use of JavaScript by the Safari browser.

     If the check box is selected, the Safari browser uses JavaScript when opening web pages.

     If the check box is cleared, the Safari browser does not use JavaScript when opening web pages.

     This check box is selected by default.

   • Block pop-up windows

     Blocking of pop-up windows in the Safari browser.

     If this check box is selected, Kaspersky Mobile Devices Protection and Management blocks pop-up windows in the Safari browser.

     If this check box is cleared, Kaspersky Mobile Devices Protection and Management does not block pop-up windows in the Safari browser.

     This check box is cleared by default.

   • Cookie settings

     Select the condition for accepting cookies:

     • Allow cookies and website tracking. The Safari browser accepts cookies and allows tracking user activity.
     • Allow cookies and block website tracking. The Safari browser accepts cookies and blocks tracking user activity.
     • Block cookies and website tracking. The Safari browser blocks cookies and tracking user activity.

     The default value is Allow cookies and website tracking.

   Restrictions in the Game Center section:

   • Allow use of Game Center

     Access to the Game Center gaming service from the Game Center app on an iOS MDM device.

     If the check box is selected, the user can visit the Game Center gaming service from the Game Center app on the mobile device.

     If the check box is cleared, the user cannot visit the Game Center gaming service from the Game Center app on the mobile device. The Game Center icon is hidden on the home screen of the iOS MDM device.

     This check box is selected by default.

   • Allow adding friends in Game Center

     An option that allows adding users in the Game Center gaming service on the iOS MDM device.

     If the check box is selected, the user can add other users in the Game Center gaming service on the mobile device.

     If the check box is cleared, the user is not allowed to add other users in the Game Center gaming service on the mobile device.

     This check box is selected by default.

   • Allow multiplayer games in Game Center

     Use of the Game Center gaming service in multiplayer mode on the iOS MDM device.

     If the check box is selected, the user can participate in multiplayer games in the Game Center gaming service on the mobile device.

     If the check box is cleared, the user is not allowed to participate in multiplayer games in the Game Center gaming service on the mobile device.

     If the check box is cleared, users can still play games together via SharePlay or a third-party service.

     This check box is selected by default.

   Restrictions in the Additional settings section:

   • Allow use of iTunes Store

     Access to the iTunes Store media service from the iTunes app on an iOS MDM device.

     If the check box is selected, the user can view, buy, and download media content from the iTunes Store using the iTunes app on the mobile device.

     If the check box is cleared, the user cannot view, buy, and download media content from the iTunes Store using the iTunes app on the mobile device. The iTunes icon is hidden on the home screen of the iOS MDM device.

     This check box is selected by default.

   • Allow use of News

     Viewing of news on the user's mobile device using the News app.

     If the check box is selected, the user can view news using the News app.

     If the check box is cleared, the News app is not available to the user.

     This check box is selected by default.

   • Allow use of Podcasts

     Listening to podcasts on the user's mobile device using the Podcasts app.

     If the check box is selected, the user can search, play, and download podcasts using the Podcasts app.

     If the check box is cleared, podcasts cannot be downloaded to the mobile device.

     This check box is selected by default.

7. Click OK.
8. Click Save to save the changes you have made.

As a result, app restrictions will be configured on the user's mobile device after the policy is applied.

Configuring content restrictions

Categories used for content restrictions are determined by Apple. In some cases, when content restrictions are configured, actual results may differ from expected results.

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Restrictions section.
4. On the Content restrictions card, click Settings.

   The Content restrictions window opens.

5. Enable the settings using the Content restrictions toggle switch.
6. Configure iOS MDM device content restrictions.

   List of content restrictions

   Region

   Selection of the country whose rating system is automatically applied to media content on the iOS MDM device.

   The default value is United States.

   Settings in the Age rating section:

   • Videos

     Selection of the restriction rating for access to movies on the iOS MDM device.

     The list of ratings depends on the region selected.

     If the Allow all option is selected, the user can view any movies on the mobile device.

     The Allow all option is selected by default.

   • TV shows

     Selection of the restriction rating for access to TV shows on the iOS MDM device.

     The list of ratings depends on the region selected.

     If the Allow all option is selected, the user can view any TV shows on the mobile device.

     The Allow all option is selected by default.

   • Apps

     Selection of the restriction rating for access to third-party apps on the iOS MDM device.

     The list of ratings depends on the rating system selected.

     If the Allow all option is selected, the user can use any third-party apps on the mobile device.

     The Allow all option is selected by default.

     App restrictions may be enforced even if the Allow all option is selected. This is due to an issue known to Apple.

   • Allow downloading erotica in Apple Books

     Access to adult content in Book Store on the user's mobile device.

     If the check box is selected, the user can download adult content from the Apple Books app to the iOS MDM device.

     If the check box is cleared, the user cannot download adult content from the Apple Books app to the iOS MDM device.

     This check box is selected by default.

   • Allow explicit content

     Access to explicit media content from the iTunes Store on the iOS MDM device. Restrictions are applied by iTunes Store providers.

     If the check box is selected, explicit media content purchased via iTunes Store is available to the mobile device user.

     If the check box is cleared, explicit media content purchased via iTunes Store is hidden from the mobile device user.

     This check box is selected by default.

7. Click OK.
8. Click Save to save the changes you have made.

As a result, content restrictions will be configured on the user's mobile device after the policy is applied.

[Topic 274745]

Configuring user access to websites

This section contains instructions on how to configure access to websites on Android and iOS devices.

[Topic 274753]

Configuring access to websites on Android devices

You can use Web Control to configure Android device users' access to websites. Web Control supports website filtering by categories defined in the Kaspersky Security Network cloud service. Filtering allows you to restrict user access to certain websites or categories of websites (for example, "Gambling, lotteries, sweepstakes" or "Internet communication"). Web Control is enabled by default.

Web Control on Android devices is supported only in Google Chrome, HUAWEI Browser, Samsung Internet, and Yandex Browser.

On corporate devices, if Kaspersky Endpoint Security for Android is not enabled as an Accessibility feature, Web Control is supported only in Google Chrome and checks only the domain of a website. To allow other browsers (Samsung Internet, Yandex Browser, and HUAWEI Browser) to support Web Control, enable Kaspersky Endpoint Security as an Accessibility feature. This will also let you use the Custom Tabs feature.

If Kaspersky Endpoint Security for Android is not enabled as an Accessibility feature and a proxy is enabled in the Google Chrome settings card, Web Control will not work.

To configure the settings for device users' access to websites:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the Security controls section.
4. On the Web Control card, click Settings.

   The Web Control window opens.

5. Select one of the following options:
   • If you want the app to restrict user access to websites depending on their content, do the following:
     1. In the Operating mode drop-down list, in the drop-down list select Prohibit websites in selected categories.
     2. In the Categories section, create a list of prohibited categories by selecting the check boxes next to the categories of websites to which the app will block access.
   • If you want the app to allow or block user access only to specified websites, do the following:
     1. In the Operating mode drop-down list, select Allow only listed websites or Allow all websites except listed ones.
     2. Click Add.
     3. In the window that opens, create a list of websites to which the app will allow or block access, depending on the value selected in the drop-down list. You can add websites by link (full URL, including the protocol, for example, https://example.com).

        To make sure that the app allows or blocks access to the specified website in all supported versions of Google Chrome, HUAWEI Browser, Samsung Internet, and Yandex Browser include the same URL twice — once with the HTTP protocol (for example, http://example.com) and once with the HTTPS protocol (for example, https://example.com).

        For example:

        • https://example.com — The main page of the website is either allowed or blocked. This URL can only be accessed through the HTTP protocol.
        • http://example.com — The main page of the website is either allowed or blocked, but only when accessed through the HTTP protocol. Other protocols like HTTPS are not affected.
        • https://example.com/page/index.html — Only the index.html page of the website will be allowed or blocked. The rest of the website is not affected by this entry.

        The app also supports regular expressions. When entering the address of an allowed or forbidden website, use the following templates:

        • https://example\.com/.* — This template blocks or allows all child pages of the website, accessed via the HTTPS protocol (for example, https://example.com/about).
        • https?://example\.com/.* — This template blocks or allows all child pages of the website, accessed via both the HTTP and HTTPS protocols.
        • https?://.*\.example\.com — This template blocks or allows all subdomain pages of the website (for example, https://pictures.example.com).
        • https?://example\.com/[abc]/.* — This template blocks or allows all child pages of the website where the URL path begins with 'a', 'b', or 'c' as the first directory (for example, https://example.com/b/about).
        • https?://\w{3,5}.example\.com/.* — This template blocks or allows all child pages of the website where the subdomain consists of a word with 3 to 5 characters (for example, http://abde.example.com/about).

        Use the https? expression to select both the HTTP and HTTPS protocols. For more details on regular expressions, please refer to the Oracle Technical Support website.

     4. Click Add.
   • If you want the app to block user access to all websites, in the Operating mode section, in the drop-down list, select Prohibit all websites.
6. If you want the app to check the full URL when opening a website in Custom Tabs, select the Check full URL when using Custom Tabs check box.

   Custom Tabs is an in-app browser that allows the user to view web pages without having to leave the app and switch to a full web browser version. This option provides better URL recognition and checks URLs against the configured Web Control rules. If the check box is selected, Kaspersky Endpoint Security for Android opens the website in a full version of the browser and checks the whole web address of the website. If the check box is cleared, Kaspersky Endpoint Security for Android checks only the domain of the website in Custom Tabs.

   The Custom Tabs feature is supported in Google Chrome, HUAWEI Browser, and Samsung Internet.

7. If you want to lift content-based restrictions on user access to websites, disable the settings using the Web Control toggle switch and click Disable.
8. Click OK.
9. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Managing the website list

You can manage the list of websites with the following buttons:

• Add — Click to add a website to the list by entering a URL or regular expression.
• Upload — Click to add multiple websites to the list by specifying a TXT file that contains the required URLs or regular expressions. The file must be encoded in UTF-8. URLs or regular expressions in the file must be separated by semicolons or line breaks.
• Edit — Click to change the address of a website.
• Delete — Click to remove one or more websites from the list.

[Topic 274754]

Configuring access to websites on iOS MDM devices

These settings apply to supervised devices.

Configure Web Control settings to control access to websites for iOS MDM device users. Web Control manages users' access to websites based on lists of allowed and forbidden websites. Web Control also lets you add website bookmarks on the bookmark panel in Safari.

By default, access to websites is not restricted.

If a URL is redirected to a different website, Web Control checks only the redirect target.

To configure settings for device users' access to websites:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Security controls section.
4. On the Web Control card, click Settings.

   The Web Control window opens.

5. Enable the settings using the Web Control toggle switch.
6. In the Operating mode drop-down list do one of the following:
   • If you want to create a list of allowed websites, select Allow only listed websites.
   • If you want to create a list of forbidden websites, select Allow all websites except listed ones.
7. Do one of the following:
   • If you want to add websites manually:
     1. Click Add:
     2. Add websites to which the app will allow or block access, depending on the value selected in the drop-down list.

        The website address should begin with http:// or https://. Kaspersky Mobile Devices Protection and Management allows or blocks access to all websites in the domain. For example, if you add http://www.example.com to the list of allowed websites, access is allowed http://pictures.example.com and http://example.com/movies.

        If you want to add an allowed website to bookmarks in Safari on mobile devices, select the Add to bookmarks on device check box below the website address.

     3. Click Add.
   • If you want to upload a TXT file with a list of websites, click Upload.

     The TXT file must be saved with the UTF-8 encoding and LF or CR+RF line breaks.

8. Click OK.
9. Click Save to save the changes you have made.

As a result, once the policy is applied, Web Control will be configured on the mobile devices.

[Topic 274746]

Compliance Control

This section contains instructions on how to monitor the compliance of devices with corporate requirements and configure compliance control rules.

[Topic 274755]

Compliance Control of Android devices

You can control Android devices for compliance with corporate security requirements. Corporate security requirements regulate how the user can work with the device. For example, the real-time protection must be enabled on the device, the anti-malware databases must be up-to-date, and the device password must be sufficiently strong. Compliance Control is based on a list of rules. A compliance rule includes the following components:

• Device check criterion (for example, absence of blocked apps on the device).
• Time period allocated for the user to fix the non-compliance (for example, 24 hours).
• Responses performed on the device if the user does not correct the non-compliance issue within the set time period (for example, lock the device).

  If the device is in battery saver mode, Kaspersky Endpoint Security for Android may perform this task later than specified.

To create a rule for checking devices for compliance with a policy:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the Security controls section.
4. On the Compliance Control card, click Settings.

   The Compliance Control window opens.

5. Enable the settings using the Compliance Control toggle switch.
6. In the When non-compliance is detected section:
   • Select the Notify user check box to inform the user that the device does not comply with the policy.

     If the check box is cleared, the user is not notified of the non-compliance issue, and the response is performed on the device as soon as the time allocated for fixing the non-compliance expires.

   • Select the Notify the administrator through the "Events" section check box to inform the administrator that the device does not comply with the policy.
7. Click Add.

   The Add rule wizard starts. This wizard will help you create a set of rules for checking the device compliance with the policy. Navigate through the wizard using the Next and Back buttons.

Step 1. Criterion for non-compliance

Click Add criterion to specify the non-compliance criterion to trigger the rule.

The following criteria are available:

• Real-time protection is disabled

  Kaspersky Endpoint Security for Android is not installed or running on the device.

• Anti-malware databases on device are out of date

  Anti-malware databases were last updated 3 or more days ago.

• Forbidden apps are installed

  The list of apps on the device contains apps that are set as forbidden in the App Control settings of the policy.

• Apps from forbidden categories are installed

  The list of apps on the device contains apps from the categories that are set as forbidden in the App Control settings of the policy.

• Not all required apps are installed

  The list of apps on the device does not contain an app that is set as required in the App Control settings of the policy.

• Operating system version is outdated

  The Android version on the device is outside the allowed range.

  For this criterion, specify the minimum and maximum allowed versions of Android in the Minimum version and Maximum version fields. If the maximum allowed version is set to Any, future Android versions supported by Kaspersky Endpoint Security for Android will also be allowed.

• Device has not been synchronized for a long time

  The last synchronization of the device with the Administration Server is checked.

  For this criterion, specify the maximum period after the last synchronization in the Period without synchronization field.

• Device has been rooted

  The device is hacked (root access is gained on the device).

• Unlock password is not compliant with security settings specified in policy

  The unlock password on the device is not compliant with the settings defined in the Screen unlock settings card.

• Installed version of Kaspersky Endpoint Security for Android is outdated

  Kaspersky Endpoint Security for Android installed on the device is obsolete.

  This criterion applies only to an app installed using a Kaspersky Endpoint Security for Android installation package and if the minimum allowed version of Kaspersky Endpoint Security for Android is specified in the App update settings of the policy.

• SIM card usage is not compliant with security requirements

  The device SIM card has been replaced or removed compared to the previous check state, or an additional SIM card has been inserted.

  For this criterion, select the specific condition that must be monitored:

  • The SIM card must not be replaced or removed
  • The SIM card must not be replaced or removed; additional SIM cards must not be inserted
• Device location

  The device is outside the specified geofence areas.

  Specifying the geofence area will result in increased device power consumption.

  For this criterion, select the specific condition that must be monitored:

  • The device is within a specified geofence (the geofence areas are combined using the OR logical operator).
  • The device is outside specified geofences (the geofence areas are combined using the AND logical operator).

  To add a geofence area:

  1. Click Add geofences.

     The Add geofences window opens.

  2. Specify the Geofence name.
  3. Specify the geofence perimeter by entering a latitude and a longitude for each point.

     For each geofence area, you can manually enter from 3 to 100 coordinate pairs (latitude, longitude) as decimal numbers.
     
     A geofence perimeter must not contain intersecting lines.

     If needed, you can specify more than 3 points by clicking the Add point button.

     To delete a point, click the X button.

     You can view the specified geofence area in the Yandex.Maps program by clicking View on map.

  4. Click OK to add the specified geofences.
• Kaspersky Endpoint Security for Android has no access to precise or background location

  Kaspersky Endpoint Security for Android is not allowed to access the precise location of the device or use the device location in the background.

Step 2. Responses for non-compliance with security requirements

Add the responses to be performed on the device if the specified non-compliance criterion is detected.

Choose one of the following options:

• Add instant response. The response is applied instantly after the non-compliance criterion is detected.
• Add deferred response. The response is applied after a deferral period that you can specify in the Deferral period field.

  The following responses are available:

  • Block all apps except system apps

    All apps on the device, except system apps, are blocked from starting.

    As soon as the non-compliance criterion selected for the rule is no longer detected on the device, the apps are automatically unblocked.

  • Lock device

    The mobile device is locked. To obtain access to data, you must unlock the device by entering the one-time passcode or using the Unlock device command.

  • Wipe corporate data

    The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:

    • On a personal device, Knox profile and mail certificate are wiped.
    • On a corporate device, Knox profile and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
    • Additionally, on a device with corporate container, the container (its content, configurations, and restrictions) and the certificates installed in it (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
  • Reset to factory settings

    All data is wiped from the device and settings are rolled back to their factory values. After this response is performed, the device will no longer be managed. To connect the device to Kaspersky Security Center, you must reinstall Kaspersky Endpoint Security for Android.

    On devices running Android 14 or later, this response is only applicable if the device is operating in corporate device mode.

  • Lock corporate container

    Corporate container on the device is locked. To obtain access to corporate container, you must unlock it.

    The response is only applicable to devices running Android 6 or later.

    After the corporate container on a device is locked, the history of the container passwords is cleared. It means that the user can specify one of the recent passwords, regardless of the corporate container password settings.

  • Wipe data of all apps

    On a corporate device, data of all apps on the device is wiped.

    On a device with corporate container, data of all apps in the container is wiped.

    As a result, apps are rolled back to their default state.

    The response is only applicable to devices running Android 9 or later in corporate device or device with corporate container operating modes.

  • Wipe data of a specified app

    For this response, you need to specify the package name for the app whose data is to be wiped. How to get the package name of an app

    To get the name of an app package:

    1. Open Google Play.
    2. Find the app and open its page.

    The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

    To get the name of an app package that has been added to Kaspersky Security Center:

    1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
    2. Click Android apps.

       In the list of apps that opens, app identifiers are displayed in the Package name column.

    As a result, the app is rolled back to its default state.

    The response is only applicable to devices running Android 9 or later in corporate device or device with corporate container operating modes.

  • Prohibit safe boot

    The user is not allowed to boot the device in safe mode.

    The response is only applicable to corporate devices running Android 6 or later.

  • Prohibit use of camera

    The user is not allowed to use any cameras on the device.

  • Prohibit use of Bluetooth

    The user is not allowed to turn on and configure Bluetooth settings.

    The response is only applicable to personal devices running Android 12 or earlier, corporate devices, or devices with corporate container.

  • Prohibit use of Wi-Fi

    The user is not allowed to use and configure Wi-Fi settings.

    The response is only applicable to personal devices running Android 9 or earlier or corporate devices.

  • Prohibit USB debugging features

    The user is not allowed to use USB debugging features and developer mode on the device.

    The response is only applicable to corporate devices or devices with corporate container.

  • Prohibit airplane mode

    The user is not allowed to enable airplane mode on the device.

    The response is only applicable to corporate devices running Android 9 or later.

Click Add rule to finish the Add rule wizard. The new rule and its details appear in the list of the Compliance Control rules. To temporarily disable a rule, use the toggle switch next to the selected rule.

To enable the automatic wiping of data from devices associated with disabled accounts of Active Directory users, select the Wipe data from devices with disabled Active Directory user accounts check box and select one of the following actions:

• Wipe corporate data
• Reset to factory settings

  On devices running Android 14 or later, this action is only applicable if the device is operating in corporate device mode.

These settings require integration with Microsoft Active Directory.

If you use policy profiles, be sure to enable the wipe data option for the entire policy. When a user account is disabled in Active Directory, it is first removed from the Active Directory user group. As a result, the policy profile is no longer applied to this user account, so the data is not wiped from the device.

Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

[Topic 274756]

Compliance Control of iOS MDM devices

Expand all | Collapse all

Compliance Control lets you monitor iOS MDM devices for compliance with corporate security requirements and take actions if non-compliance is found. Compliance Control is based on a list of rules. Each rule includes the following components:

• Status (whether the rule is enabled or disabled).
• Non-compliance criteria (for example, absence of the specified apps or the operating system version).
• Responses performed on the device if the user does not correct the non-compliance issue within the set time period (for example, wipe corporate data or send an email message to the user).

To create a rule for checking devices for compliance with a policy:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Security controls section.
4. On the Compliance Control card, click Settings.

   The Compliance Control window opens.

5. Enable the settings using the Compliance Control toggle switch.
6. Click Add.

   The Add rule wizard starts. This wizard will help you create a set of rules for checking the device compliance with the policy. Navigate through the wizard using the Next and Back buttons.

Step 1. Criterion for non-compliance

Click Add criterion to specify the non-compliance criterion to trigger the rule.

The following criteria are available:

• List of installed apps

  The list of apps on the device contains forbidden apps or does not contain required apps.

  For this criterion, select a condition (Contains or Does not contain) and specify the Bundle ID of the app. How to get the bundle ID of an app

  To get the bundle ID of a built-in iPhone or iPad app,

  Follow the instructions in the Apple documentation.

  To get the bundle ID of any iPhone or iPad app:

  1. Open the App Store.
  2. Find the required app and open its page.

     The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

  3. Copy this identifier (without the letters "id").
  4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

     This downloads a text file.

  5. Open the downloaded file and find the "bundleId" fragment in it.

  The text that directly follows this fragment is the bundle ID of the required app.

  To get the bundle ID of an app that has been added to Kaspersky Security Center:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
  2. Click iOS apps.

     In the list of apps that opens, app identifiers are displayed in the Bundle ID column.

• Operating system version

  The version of the operating system on the device is outside the allowed range.

  For this criterion, select a condition (Equal to, Not equal to, Earlier than, Earlier than or equal to, Later than, or Later than or equal to) and specify the iOS version.

  Note that the Equal to and Not equal to operators check for a full match of the operating system version with the specified value. For instance, if you specify iOS 15 in the rule, but the device is running iOS 15.2, the Equal to criterion is not met. If you need to specify a range of versions, you can create two criteria and use the Earlier than and Later than operators.

• Supervision status

  The supervision status of the device is not the one required.

  For this criterion, select the device operating mode (Supervised or Basic control).

• Device type

  The device type is not the one required.

  For this criterion, select a device type (iPhone or iPad).

• Device model

  The device model is not the one required.

  For this criterion, select a condition (Equal to or Not equal to) and specify models that will be checked or excluded from the check, respectively.

  To specify a model, in the Model identifier field, select the required model from the list or enter a value manually. The list contains mobile device codes and their matching product names. For example, if you want to add all iPhone 14 models, type "iPhone 14". In this case, you can select any of the available models: "iPhone 14", "iPhone 14 Plus", "iPhone 14 Pro", "iPhone 14 Pro Max".

  In some cases, the same product name may correspond to several mobile device codes (for example, the "iPhone 7" product name corresponds to two mobile device codes, "iPhone 9.1" and "iPhone 9.3"). Be sure that you select all of the mobile device codes that correspond to the required models.

  If you enter a value that is not on the list, nothing will be found. However, you can click Add: "<value>" under the field to add the entered value to the criterion.

  If you specify the criteria that contradict each other (for example, Device type is set to iPhone but the list of values of Device model, with the Equal to operator selected, contains an iPad model), an error message is displayed. You cannot save a rule with such criteria.

• Roaming

  The device roaming status is not the one required.

  For this criterion, select a condition (Device is roaming or Device is not roaming).

• Password on device

  A password is not set or not compliant with the settings specified in the Screen unlock settings card.

  For this criterion, select a condition (Not set, Set but not compliant, or Set and compliant).

• Free storage on device

  The amount of free space on the device is less than the specified threshold.

  For this criterion, specify the threshold amount of free space (Less than or equal to), and then select the measurement unit (MB or GB).

• Device is not encrypted

  The device is not encrypted.

  Data encryption is enabled by default on password-locked iOS devices (Settings > Touch ID / Face ID and Password > Enable Password). Also, the hardware encryption on a device must be set to At block and file level (you can check this setting in the device properties: go to Assets (Devices) → Mobile → Devices, and then select the required device).

• Actions with SIM card

  The device SIM card has been replaced or removed compared to the previous check state, or an additional SIM card has been inserted.

  For this criterion, select a condition (The SIM card must not be replaced or removed or The SIM card must not be replaced or removed; additional SIM cards must not be inserted).

  On eSIM compatible devices, the non-compliance detection cannot be removed by inserting the previously removed eSIM. This is because the device operating system recognizes each added eSIM as a new one. In this case, delete the compliance control rule from the policy.

• Device has not been synchronized for a long time

  The last synchronization of the device with iOS MDM Server is checked.

  For this criterion, specify the maximum time after the last sync in the Period without synchronization field, and then select the measurement unit (Hours or Days).

  We do not recommend that you specify a value less than the value of the Synchronization period (min) setting specified in the iOS MDM Server settings.

Step 2.Responses for non-compliance with security requirements

Add the responses to be performed on the device if the specified non-compliance criterion is detected.

Choose one of the following options:

• Add instant response. The response is applied instantly after the non-compliance criterion is detected.
• Add deferred response. The response is applied after a deferral period that you can specify in the Deferral period field.

  Responses are performed during the compliance rule check, which happens every 40 minutes, and persist until the next synchronization with the iOS MDM Server. To prevent repeating responses from a single non-compliance instance, set the Synchronization period (min) value to 30 minutes in the iOS MDM Server settings.

  If you specify responses that contradict each other, an error message is displayed. You cannot save such a rule.

  When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the response by sending the respective command to the device.

  The following responses are available:

  • Send a message to the user

    The user is informed about the non-compliance by email.

    For this response, specify user email addresses in the Email and Alternate email address fields. If necessary, you can also edit the email subject and default text.

    Make sure the Email notifications are configured in the Administration Server properties. For detailed information on configuring notifications delivery, refer to the Kaspersky Security Center Help.

  • Wipe corporate data

    All installed configuration profiles, provisioning profiles, the device management profile, and apps for which the Remove when device management profile is deleted check box has been selected are removed from the device. This response is performed by sending the Wipe corporate data command.

  • Modify profile

    For this response, specify one of the actions:

    • Install profile. The configuration profile is installed on device. This action is performed by sending the Install configuration profile command. For this response, you also need to specify the ID of the profile to be installed.

      Before the profile is installed, it must be added to the list of configuration profiles in the Configuration profiles section of the iOS MDM Server settings.

    • Delete specified profile. The configuration profile is deleted from the device. This response is performed by sending the Delete configuration profile command. For this action, you also need to specify the ID of the profile to be deleted.
    • Delete all profiles. All previously installed configuration profiles are deleted from the device.

      When the non-compliance criteria selected for the rule are no longer detected on the device, you can install the deleted configuration profiles one by one, by sending the respective command to the device.

  • Update operating system

    For this response, specify the OS version and one of the actions:

    • Download and install. The device operating system is downloaded and installed.

      If a non-existent operating system version is specified in the Operating system version criterion, the device will upgrade to the latest downloaded operating system.

    • Download only. The device operating system is downloaded.
    • Install only. The previously downloaded operating system is installed.

    This response is only applicable to supervised devices.

  • Modify Bluetooth settings

    For this response, specify whether you want to enable or disable Bluetooth on the device.

    This response is only applicable to supervised devices.

  • Reset to factory settings

    All data is deleted from the device and the settings are rolled back to their default values. After this response is performed, the device will no longer be managed. To connect the device to Kaspersky Security Center, you must reinstall the device management profile on it.

  • Modify apps

    For this response, specify one of the actions:

    • Delete specified app. The specified app is removed from the device.

      You can delete only a managed app. An app is considered managed if it has been installed through Kaspersky Security Center by executing the Install app command.

      When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the response by sending the respective command to the device.

      For this action, specify the Bundle ID of the app to be deleted. How to get the bundle ID of an app

      To get the bundle ID of a built-in iPhone or iPad app,

      Follow the instructions in the Apple documentation.

      To get the bundle ID of any iPhone or iPad app:

      1. Open the App Store.
      2. Find the required app and open its page.

         The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

      3. Copy this identifier (without the letters "id").
      4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

         This downloads a text file.

      5. Open the downloaded file and find the "bundleId" fragment in it.

      The text that directly follows this fragment is the bundle ID of the required app.

      To get the bundle ID of an app that has been added to Kaspersky Security Center:

      1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
      2. Click iOS apps.

         In the list of apps that opens, app identifiers are displayed in the Bundle ID column.

    • Delete all apps. All managed apps are deleted from the device.

      You can delete only managed apps. An app is considered managed if it has been installed through Kaspersky Security Center by executing the Install app command.

      When the non-compliance criteria selected for the rule are no longer detected on the device, you can install the deleted apps one by one, by sending the respective command to the device.

      For this action, specify the Bundle ID of the apps to be deleted. How to get the bundle ID of an app

      To get the bundle ID of a built-in iPhone or iPad app,

      Follow the instructions in the Apple documentation.

      To get the bundle ID of any iPhone or iPad app:

      1. Open the App Store.
      2. Find the required app and open its page.

         The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

      3. Copy this identifier (without the letters "id").
      4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

         This downloads a text file.

      5. Open the downloaded file and find the "bundleId" fragment in it.

      The text that directly follows this fragment is the bundle ID of the required app.

      To get the bundle ID of an app that has been added to Kaspersky Security Center:

      1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
      2. Click iOS apps.

         In the list of apps that opens, app identifiers are displayed in the Bundle ID column.

  • Delete profile of specified type

    For this response, specify the Profile type to be deleted from the device (for example, Web Clips or Calendar subscriptions).

    As soon as the non-compliance criteria selected for the rule are no longer detected on the device, the deleted profiles are automatically restored.

  • Modify roaming settings

    For this response, specify whether you want to enable or disable data roaming on the device.