Kaspersky Secure Mobility Management

Configuration and management

This section is intended for specialists who administer Kaspersky Secure Mobility Management, as well as for specialists who provide technical support to organizations that use Kaspersky Secure Mobility Management.

In this section

Control

Protection

Management of mobile devices

Management of mobile device settings

Working with commands for mobile devices

[Topic 274723]

Control

This section contains information about how to remotely monitor mobile devices in the Kaspersky Security Center Web Console.

In this section

Configuring restrictions

Configuring user access to websites

Compliance Control

App Control

Mobile device protection levels

Software inventory on Android devices

[Topic 274743]

Configuring restrictions

This section provides instructions on how to configure user access to the features of mobile devices.

In this section

Configuring restrictions for personal Android devices

Configuring iOS MDM device restrictions

[Topic 274744]

Configuring restrictions for personal Android devices

These settings apply to personal devices and devices with a corporate container.

To keep an Android device secure, Kaspersky Mobile Devices Protection and Management lets you configure user access to the following features of mobile devices:

  • Wi-Fi
  • Camera
  • Bluetooth

By default, the user can use Wi-Fi, camera, and Bluetooth on the device without restrictions.

To configure the Wi-Fi, camera, and Bluetooth usage restrictions on the device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Restrictions section.
  4. On the Device feature restrictions card, click Settings.

    The Device feature restrictions window opens.

  5. Enable the settings using the Device feature restrictions toggle switch.
  6. Configure usage of Wi-Fi, camera, and Bluetooth:
    • To disable the Wi-Fi module on the user's mobile device, select the Prohibit use of Wi-Fi check box.

      On personal devices and devices with a corporate container running Android 10 or later, prohibiting the use of Wi-Fi networks is not supported.

    • To disable the camera on the user's mobile device, select the Prohibit use of camera check box.

      When camera usage is prohibited, the app displays a notification upon opening and then closes shortly after. On Asus and OnePlus devices, the notification is shown in full screen. The device user can tap the Close button to exit the app.

      On devices running Android 11 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or later disable this service in the device settings. If this is the case, you will not be able to restrict use of the camera.

    • To disable Bluetooth on the user's mobile device, select the Prohibit use of Bluetooth check box.

      On Android 12 or later, the use of Bluetooth can be disabled only if the device user granted the Nearby devices permission. The user can grant this permission during the Initial Configuration Wizard or later.

      On personal devices running Android 13 or later, the use of Bluetooth cannot be disabled.

  7. Click OK.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

You can also restrict additional operating system features on corporate devices.
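As an added example that is not part of the Kaspersky documentation, the following Python script encodes the Android version caveats above and reports, for a constructed sample fleet, which of a policy's Wi-Fi, camera and Bluetooth prohibitions a given device cannot actually enforce; the device attribute names are assumptions.

```python
# Added example (not part of the Kaspersky documentation): evaluates, per device,
# which of the three Android feature restrictions from a policy will actually be
# enforced, encoding the platform caveats from the documentation. Device
# attributes and the fleet below are constructed sample data; field names are
# assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class AndroidDevice:
    name: str
    android_version: int
    personal: bool                # True: personal device; False: device with a corporate container
    accessibility_enabled: bool   # Kaspersky Endpoint Security for Android set as an Accessibility feature
    nearby_devices_granted: bool  # user granted the "Nearby devices" permission


@dataclass(frozen=True)
class FeatureRestrictions:
    prohibit_wifi: bool = False
    prohibit_camera: bool = False
    prohibit_bluetooth: bool = False


def effective_restrictions(device: AndroidDevice,
                           policy: FeatureRestrictions) -> dict[str, tuple[bool, str]]:
    """Return {feature: (enforced, reason)} for Wi-Fi, camera and Bluetooth."""
    result: dict[str, tuple[bool, str]] = {}

    # Wi-Fi: the prohibition is not supported on Android 10 or later
    # (personal devices and devices with a corporate container alike).
    if not policy.prohibit_wifi:
        result["wifi"] = (False, "not required by policy")
    elif device.android_version >= 10:
        result["wifi"] = (False, "Android 10 or later: prohibiting Wi-Fi is not supported")
    else:
        result["wifi"] = (True, "enforced")

    # Camera: on Android 11 or later the app must be set as an Accessibility
    # feature; the user can skip or later disable it, leaving the camera usable.
    if not policy.prohibit_camera:
        result["camera"] = (False, "not required by policy")
    elif device.android_version >= 11 and not device.accessibility_enabled:
        result["camera"] = (False, "Android 11 or later: app is not set as an Accessibility feature")
    else:
        result["camera"] = (True, "enforced")

    # Bluetooth: cannot be disabled on personal devices running Android 13 or
    # later; on Android 12 or later it also needs the "Nearby devices" permission.
    if not policy.prohibit_bluetooth:
        result["bluetooth"] = (False, "not required by policy")
    elif device.android_version >= 13 and device.personal:
        result["bluetooth"] = (False, "Android 13 or later personal device: Bluetooth cannot be disabled")
    elif device.android_version >= 12 and not device.nearby_devices_granted:
        result["bluetooth"] = (False, "Android 12 or later: Nearby devices permission not granted")
    else:
        result["bluetooth"] = (True, "enforced")

    return result


def restriction_gaps(fleet, policy) -> dict[str, list[str]]:
    """Map each device name to the restrictions the policy requires but the
    device cannot enforce, so the gaps can be followed up with the user."""
    gaps: dict[str, list[str]] = {}
    for device in fleet:
        missing = []
        for feature, (enforced, reason) in effective_restrictions(device, policy).items():
            required = getattr(policy, f"prohibit_{feature}")
            if required and not enforced:
                missing.append(f"{feature}: {reason}")
        if missing:
            gaps[device.name] = missing
    return gaps


# Constructed sample fleet (not real devices).
SAMPLE_FLEET = [
    AndroidDevice("legacy-9", 9, personal=True, accessibility_enabled=False, nearby_devices_granted=False),
    AndroidDevice("personal-11", 11, personal=True, accessibility_enabled=False, nearby_devices_granted=False),
    AndroidDevice("container-12", 12, personal=False, accessibility_enabled=True, nearby_devices_granted=False),
    AndroidDevice("personal-13", 13, personal=True, accessibility_enabled=True, nearby_devices_granted=True),
    AndroidDevice("container-13", 13, personal=False, accessibility_enabled=True, nearby_devices_granted=True),
]
STRICT_POLICY = FeatureRestrictions(prohibit_wifi=True, prohibit_camera=True, prohibit_bluetooth=True)

if __name__ == "__main__":
    for name, missing in restriction_gaps(SAMPLE_FLEET, STRICT_POLICY).items():
        print(name)
        for line in missing:
            print("  -", line)
```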

[Topic 274751]

Configuring iOS MDM device restrictions

To ensure compliance with corporate security requirements, configure restrictions on the operation of iOS MDM devices.

Configuring feature restrictions

To configure iOS MDM device feature restrictions:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Restrictions section.
  4. On the Device feature restrictions card, click Settings.

    The Device feature restrictions window opens.

  5. Enable the settings using the Device feature restrictions toggle switch.
  6. Enable iOS MDM device feature restrictions using the toggle switches on the corresponding tabs and select the required restrictions.

    List of device feature restrictions

    • Restrictions on the General tab:
      • In the Device settings section:
        • Prohibit voice dial on a locked device

          Use of the voice dialing function on a locked mobile device.

          If the check box is cleared, the user can use voice commands to dial phone numbers on a locked mobile device.

          If the check box is selected, the user cannot use voice commands to dial phone numbers on a locked mobile device.

          This check box is cleared by default.

        • Limit ad tracking

          Use of IFA (Identifier for advertisers) technology for keeping track of websites visited and apps launched on the iOS MDM device. IFA makes it possible to configure ad tracking on the mobile device according to the user's interests.

          If the check box is selected, IFA technology is disabled on the user's mobile device.

          If the check box is cleared, IFA technology is enabled on the mobile device and keeps track of visited websites and started apps in order to show targeted ads.

          This check box is cleared by default.

        • Prohibit Handoff

          Use of the Handoff function on the user's mobile device. Handoff enables you to start working with data on one Apple device and then switch to another Apple device and continue working with that data.

          If the check box is cleared, Handoff is available to the user.

          If the check box is selected, Handoff is not available.

          This check box is cleared by default.

        • Prohibit editing device name

          Ability to modify the name of the mobile device.

          If the check box is cleared, the user can edit the mobile device name.

          If the check box is selected, the device name cannot be edited.

          This check box is cleared by default.

        • Prohibit modifying restrictions

          Ability to configure the settings for restrictions on the mobile device. Restrictions may be utilized by the user to perform parental control functions on the mobile device. The user can restrict device functions (for example, block use of the camera), access to media content (for example, set age restrictions on viewing films), use of apps (for example, block the use of iTunes Store), and configure other restrictions.

          If the check box is cleared, the user can configure the settings for restrictions on the mobile device.

          If the check box is selected, restrictions cannot be configured on the mobile device.

          This check box is cleared by default.

        • Prohibit Spotlight suggestions

          Use of Spotlight internet search results in Siri Suggestions. When using Spotlight suggestions, search queries and their associated user data are sent to Apple.

          If the check box is cleared, the user can allow displaying Spotlight internet search results in Siri Suggestions.

          If the check box is selected, Spotlight internet search results are not available in Siri Suggestions. User data is not sent to Apple.

          The user may be able to enable Spotlight internet search results in Siri Suggestions even if the check box is selected. This is due to an issue known to Apple.

          This check box is cleared by default.

      • In the Data loss protection section:
        • Prohibit screenshots and screen recording

          Ability to take a screenshot or video from the screen of the iOS MDM device.

          If the check box is cleared, the user can take and save screenshots and videos from the screen of the mobile device.

          If the check box is selected, the user cannot take and save screenshots and videos from the screen of the mobile device.

          This check box is cleared by default.

        • Prohibit non-managed apps from using documents from managed apps

          Ability to use non-managed (personal) apps on the iOS MDM device to open documents created using managed (corporate) apps and accounts. Non-managed apps are apps installed, configured, and managed by the mobile device user.

          If the check box is cleared, the user can use non-managed apps to open documents created in managed corporate apps.

          If the check box is selected, the user is not allowed to use non-managed apps to open documents created using managed apps. For example, this setting prevents a confidential email attachment from a managed email account from being opened in the user's personal apps.

          This check box is cleared by default.

        • Prohibit managed apps from using documents from non-managed apps

          Ability to use managed (corporate) apps on the iOS MDM device to open documents created using non-managed (personal) apps and accounts of the user. Non-managed apps are apps installed, configured, and managed by the mobile device user.

          If the check box is cleared, the user can use managed apps to open documents created using non-managed apps.

          If the check box is selected, the user is not allowed to use managed apps to open documents created using non-managed apps. For example, this setting prevents a document from a personal iCloud account from being opened in a corporate app.

          This check box is cleared by default.

        • Disable encryption of backup copies

          Encryption of backup copies of iOS MDM device data in the iTunes app on the user's computer.

          If the check box is cleared, when a backup copy of mobile device data is created in the iTunes app, data is encrypted automatically and protected with a password. In this case, the user cannot turn off encryption of backup copies of device data in the iTunes app.

          If the check box is selected, the user can choose whether to encrypt backup copies of data in the iTunes app.

          This check box is cleared by default.

        • Prohibit reset to factory settings

          Ability to wipe all data from the device and reset the device to its factory settings.

          If the check box is cleared, the user can wipe all data from the device and reset it to factory settings.

          If the check box is selected, full reset to factory settings is not available.

          This check box is cleared by default.

        • Prohibit modifying account settings

          Option that lets the user add new accounts (such as email accounts) and edit account settings on the iOS MDM device.

          If the check box is cleared, the mobile device user can add new accounts and edit the settings of existing accounts.

          If the check box is selected, the mobile device user is not allowed to add new accounts and edit the settings of existing accounts.

          This check box is cleared by default.

      • In the Security and privacy section:
        • Prohibit sending diagnostic and personal data to Apple

          Automatic receiving of diagnostic data and information on iOS MDM device usage and transmission of a report with this data to Apple for analysis.

          If the check box is cleared, after being shown a warning the user may allow transmission of reports with diagnostic data and information on mobile device usage to Apple.

          If the check box is selected, transmission of reports with diagnostic data and information on mobile device usage to Apple is blocked.

          This check box is cleared by default.

        • Prohibit changing password

          Ability to set, change, or delete the mobile device unlock password.

          If the check box is cleared, the user can set, change, or delete the password used for unlocking the mobile device.

          If the check box is selected, management of the device unlock password is not available.

          This check box is cleared by default.

        • Prohibit modifying Touch ID and Face ID settings

          Ability to add and remove Touch ID fingerprints or Face ID data.

          If the check box is cleared, the user can add and remove Touch ID fingerprints or Face ID data.

          If the check box is selected, management of Touch ID fingerprint or Face ID data is not available.

          This check box is cleared by default.

        • Prohibit device unlock using Touch ID and Face ID

          Touch ID and Face ID make it possible to use a fingerprint or facial recognition as a password for unlocking the iOS MDM device. Touch ID and Face ID can also be used for authentication of purchases by means of Apple Pay, iTunes Store, App Store, and Book Store, and to sign in to apps.

          If the check box is cleared, the user can use a fingerprint or facial recognition instead of entering a password to unlock the mobile device.

          If the check box is selected, the user cannot use Touch ID or Face ID for unlocking the mobile device.

          This check box is cleared by default.

        • Prompt for password for each purchase on iTunes Store

          Use of the restriction password for purchasing media content in iTunes Store.

          If the check box is selected, prior to making the first purchase via iTunes Store the user has to specify a restriction password in the purchase restriction settings and subsequently use it for preventing accidental or unauthorized purchases. After the account has been verified when the user is making purchases, the restriction password does not have to be re-entered for 15 minutes.

          If the check box is cleared, the user is not required to enter the restriction password before making purchases in iTunes Store.

          This check box is cleared by default.

        • Prompt for password on first connection via AirPlay

          Use of a password upon connection of the iOS MDM device to devices compatible with AirPlay. The password is used for safe transmission of media content.

          If the check box is selected, before the first connection of the mobile device to devices compatible with AirPlay, the user must specify a password in the AirPlay security settings and subsequently enter it.

          If the check box is cleared, the user can decide whether to use a password when connecting the mobile device to devices compatible with AirPlay.

          This check box is cleared by default.

        • Prohibit installing configuration profiles

          Use of additional configuration profiles on the iOS MDM device.

          If the check box is cleared, the user can install additional configuration profiles on the mobile device.

          If the check box is selected, the user cannot install additional configuration profiles on the mobile device.

          This check box is cleared by default.

        • Prohibit non-Configurator hosts

          Protection of the iOS MDM device against third-party connections. A third-party connection is a connection to other devices or synchronization with Apple services, such as iTunes.

          If the check box is cleared, the user can synchronize the iOS MDM device with other devices and Apple services.

          If the check box is selected, non-Configurator hosts on the user's mobile device are blocked.

          This check box is cleared by default.

        • Prohibit modifying settings for sending diagnostic data

          Automatic receiving of diagnostic data and information on iOS MDM device usage and transmission of a report with this data to Apple for analysis.

          If the check box is cleared, the user can configure the submission of reports containing diagnostic information and mobile device usage data to Apple.

          If the check box is selected, the settings for submission of reports containing diagnostic information are not available.

          This check box is cleared by default.

      • In the iCloud section:
        • Prohibit backup in iCloud

          Automatic backup of data from the iOS MDM device to iCloud. Copies of data already stored in iCloud are not created during the backup process. Copies of media content that was received by synchronizing the device with a computer and not purchased from iTunes Store are not created either.

          If the check box is cleared, the user can save backup copies of mobile device data in iCloud. Backup copies of data are saved in iCloud on a daily basis when the device is enabled, locked, and connected to a power source.

          If the check box is selected, the user cannot save backup copies of mobile device data in iCloud.

          This check box is cleared by default.

        • Prohibit storing documents and data in iCloud

          Automatic backup of documents in iCloud. iCloud documents can be opened and edited on other devices on which the iCloud service is configured.

          If the check box is cleared, the user can save documents in iCloud, open and edit them on other devices in applications that support iCloud (such as TextEdit).

          If the check box is selected, the user is not allowed to save documents in iCloud.

          This check box is cleared by default.

        • Prohibit iCloud keychain

          Automatic synchronization of the account credentials of an iOS MDM device user with the user's other Apple devices. The synchronized data is stored in iCloud Keychain. Data in iCloud Keychain is encrypted. iCloud Keychain makes it possible to save the following data in iCloud:

          • Website accounts
          • Bank card numbers and expiration dates
          • Wireless network passwords

          If the check box is cleared, the user can synchronize data of accounts with the user's other Apple devices.

          If the check box is selected, the user is not allowed to use iCloud Keychain on the mobile device.

          This check box is cleared by default.

        • Prohibit managed apps from storing data in iCloud

          Creation of a backup copy of the data of managed apps in iCloud.

          If the check box is cleared, the user can store the data of managed apps in iCloud.

          If the check box is selected, the user cannot store corporate data in iCloud.

          This check box is cleared by default.

        • Prohibit backup of enterprise books

          Backup of enterprise books using iCloud or iTunes. You can provide access to enterprise books by placing them on the corporate web server.

          If the check box is cleared, backup of enterprise books using iCloud or iTunes is available to the user.

          If the check box is selected, backup of enterprise books is not available.

          This check box is cleared by default.

        • Prohibit synchronizing notes and highlights in enterprise books

          Ability to synchronize notes, bookmarks, and highlighted text in enterprise books using iCloud.

          If the check box is cleared, the user can synchronize notes, bookmarks, and highlights in enterprise books. Changes will be available on all the user's Apple devices using iCloud.

          If the check box is selected, notes, bookmarks and highlighted text will be available only on this mobile device.

          This check box is cleared by default.

        • Prohibit iCloud photo sharing

          Use of iCloud photo sharing on the iOS MDM device to grant other users access to photos and videos on the iCloud server. The other users need to have the iCloud photo sharing feature configured.

          If the check box is cleared, the iCloud photo sharing feature is available to the user. Users of other devices can view the user's photos and videos, leave comments, and add their own photos and videos. The user can also access the data of other users on the iCloud server.

          If the check box is selected, the iCloud photo sharing feature is not available to the user. The user cannot grant other users access to the user's photos and videos on the iCloud server or access the data of other users on the iCloud server.

          This check box is cleared by default.

        • Prohibit iCloud Media Library

          Use of the iCloud Media Library function for automatic uploading of photos and videos from the iOS MDM device to the user's other Apple devices.

          If the check box is cleared, the iCloud Media Library function is available to the user when working with the Photos app.

          If the check box is selected, the iCloud Media Library function is not available to the user. The user's photos and videos saved in the iCloud Media Library are removed from the iCloud server.

          This check box is cleared by default.

      • In the Certificates section:
        • Prohibit users from accepting untrusted TLS certificates

          Use of untrusted TLS certificates for providing an encrypted communication channel between apps on the iOS MDM device (Mail, Contacts, Calendar, Safari) and corporate resources.

          If the check box is cleared, the user may allow the use of an untrusted TLS certificate after being shown a warning.

          If the check box is selected, the use of untrusted TLS certificates is blocked.

          This check box is cleared by default.

        • Prohibit automatic updates of trusted certificates

          Automatic updates of trusted certificates on the iOS MDM device.

          If the check box is cleared, changes made to the trust settings of a certificate are applied automatically.

          If the check box is selected, changes to trust settings of a certificate are not applied automatically. After being shown a warning, the user may choose to apply changes to trust settings of the certificate.

          This check box is cleared by default.

    • Restrictions on the Apps tab:
      • In the General section:
        • Prohibit use of camera

          Use of the camera on the user's mobile device.

          If the check box is cleared, the user is allowed to use the device camera.

          If the check box is selected, use of the device camera is disabled. The user cannot take photos, record videos, or use the FaceTime app. The camera icon on the device home screen is hidden.

          This check box is cleared by default.

        • Prohibit FaceTime

          Use of the FaceTime app on the user's mobile device. This check box is available only if the Prohibit use of camera check box is cleared, that is, if use of the device camera is allowed.

          If the check box is cleared, the user can make and receive calls using FaceTime.

          If the check box is selected, the FaceTime app is disabled on the user device. The user cannot make or receive video calls.

          This check box is cleared by default.

        • Prohibit iMessage

          Use of the iMessage service on the user's mobile device.

          If the check box is cleared, the user can send and receive messages using the iMessage service.

          If the check box is selected, iMessage is not available on the mobile device. The user cannot send or receive messages via iMessage.

          This check box is cleared by default.

        • Prohibit Book Store

          Access to Book Store from the Apple Books app on the user's mobile device.

          If the check box is cleared, the user can visit Book Store from the Apple Books app installed on the device.

          If the check box is selected, the user cannot visit Book Store from the Apple Books app.

          This check box is cleared by default.

        • Prohibit installation of apps from Apple Configurator and iTunes

          Ability of the user to independently install apps on an iOS MDM device.

          If the check box is cleared, the user can independently install or update apps on a mobile device from App Store using iTunes or Apple Configurator.

          If the check box is selected, the user cannot install or update apps from App Store using iTunes or Apple Configurator on a mobile device. Installation and updates are available only for corporate apps. The App Store icon is hidden on the home screen of the iOS MDM device.

          This check box is cleared by default.

        • Prohibit installation of apps from the App Store

          Ability to independently install apps on a mobile device from the App Store. The check box is available if the Prohibit installation of apps from Apple Configurator and iTunes check box is cleared.

          If the check box is cleared, the user can independently install or update apps from the App Store.

          If the check box is selected, the user cannot install or update apps from the App Store on the mobile device. The App Store icon is hidden on the home screen of the iOS MDM device.

          This check box is cleared by default.

        • Prohibit automatic app downloads

          Use of automatic app downloads on the user's mobile device. The check box is available if the Prohibit installation of apps from Apple Configurator and iTunes check box is cleared.

          If the check box is cleared, automatic app downloads are available to the user. After this function is enabled, the apps that the user downloaded from the App Store are automatically downloaded to the user's other Apple devices.

          If the check box is selected, automatic app downloads are disabled and unavailable.

          This check box is cleared by default.

        • Prohibit in-app purchases

          Use of the in-app purchase system on the mobile device.

          If the check box is cleared, the user can make purchases in apps installed on the mobile device.

          If the check box is selected, the user cannot make purchases in apps installed on the mobile device.

          This check box is cleared by default.

        • Prohibit trusting new enterprise developers

          Ability to configure trusting of corporate apps on a mobile device. You can develop corporate apps and distribute them among employees for internal use. To work with a corporate app, the mobile device user must make it a trusted app.

          If the check box is cleared, the user can configure trusting of corporate apps.

          If the check box is selected, the user cannot set the trust level for corporate apps when installing an app manually.

          This check box is cleared by default.

        • Prohibit removing apps

          Ability to remove apps from the mobile device.

          If the check box is cleared, the user can remove apps installed via the App Store or iTunes from the device.

          If the check box is selected, the user cannot remove apps installed via the App Store or iTunes from the mobile device.

          This check box is cleared by default.

      • In the AirPrint section:
        • Prohibit AirPrint

          Selecting or clearing this check box specifies whether the device user can use AirPrint.

          The check box is cleared by default.

        • Prohibit storing AirPrint credentials

          Selecting or clearing this check box specifies whether the device user can store a keychain of user name and password for AirPrint.

          The restriction is supported on devices with iOS 11 and later.

          The check box is cleared by default.

        • Prohibit iBeacon discovery of AirPrint printers

          Selecting or clearing this check box specifies whether iBeacon discovery of AirPrint printers is enabled. Disabling iBeacon discovery of AirPrint printers prevents spurious AirPrint Bluetooth beacons from getting information about network traffic.

          The restriction is supported on devices with iOS 11 and later.

          The check box is cleared by default.

        • Force AirPrint to use a trusted TLS certificate

          Selecting or clearing this check box specifies whether a trusted certificate is required for TLS printing communication.

          The restriction is supported on devices with iOS 11 and later.

          The check box is cleared by default.

      • In the AirDrop section:
        • Prohibit AirDrop

          Use of the AirDrop feature for transmitting user data from the iOS MDM device to other Apple devices.

          If the check box is cleared, the user can use AirDrop to transmit data to other Apple devices.

          If the check box is selected, the user cannot transmit data to other Apple devices using AirDrop.

          This check box is cleared by default.

        • Treat AirDrop as a managed app

          Use of AirDrop as a managed app for transferring data from the mobile device to other Apple devices. This restriction requires that you select the Prohibit non-managed apps from using documents from managed apps check box. Non-managed apps are apps installed, configured, and managed by the mobile device user.

          If the check box is cleared, AirDrop is treated as a non-managed app.

          If the check box is selected, AirDrop is treated as a managed app.

          This check box is cleared by default.

      • In the Apple Music section:
        • Prohibit Apple Music

          Listening to music on the user's mobile device using the Apple Music service.

          If the check box is cleared, the user can listen to music on the mobile device in the Music app.

          If the check box is selected, the Apple Music service is not available to the user.

          This check box is cleared by default.

        • Prohibit Radio in Apple Music

          Listening to the radio using the Apple Music service on the user's mobile device.

          If the check box is cleared, the user can listen to the radio in the Music app on the mobile device.

          If the check box is selected, the user cannot listen to the radio.

          This check box is cleared by default.

      • In the Apple Watch section:
        • Disable Apple Watch wrist detection

          Automatic locking of Apple Watch when the user removes the watch from their hand.

          If the check box is cleared, Apple Watch is locked when the user removes the watch from their wrist. To unlock it, the user must enter a password on the mobile device.

          If the check box is selected, Apple Watch is not locked after the watch is removed.

          This check box is cleared by default.

        • Prohibit pairing with Apple Watch

          Pairing of Apple Watch with a supervised mobile device.

          If the check box is cleared, the user of the supervised mobile device can pair it with Apple Watch.

          If the check box is selected, pairing with Apple Watch is not available.

          This check box is cleared by default.

      • In the Siri section:
        • Prohibit Siri

          Usage of the Siri app on the user's mobile device.

          If the check box is cleared, the user can use Siri voice commands on the mobile device.

          If the check box is selected, the user cannot use Siri voice commands on the mobile device.

          This check box is cleared by default.

        • Prohibit when device is locked

          Use of Siri voice commands when the user's mobile device is locked. The user's mobile device has to be password-protected.

          If the check box is cleared, the user can use Siri voice commands on a locked mobile device.

          If the check box is selected, the user cannot use Siri voice commands on a locked device.

          This check box is cleared by default.

        • Prohibit use of profanity filter

          This option disables the filtering of profanity while using the Siri app on the mobile device.

          If the check box is cleared, profanity is filtered while the user uses the Siri app.

          If the check box is selected, profanity is not filtered while the user uses the Siri app.

          This check box is cleared by default.

        • Prohibit Siri from using internet search

          This option prohibits Siri from using internet search for voice commands on the iOS MDM device.

          If the check box is cleared, Siri can search the internet for answers to the user's questions.

          If the check box is selected, Siri cannot search the internet for information.

          This check box is cleared by default.

      • In the Find My section:
        • Prohibit locating devices in Find My

          Selecting or clearing this check box specifies whether the device user can find devices in the Find My app.

          The restriction is supported on devices with iOS 13 and later.

          The check box is cleared by default.

        • Prohibit locating friends in Find My

          Selecting or clearing this check box specifies whether the device user can find friends in the Find My app.

          The restriction is supported on devices with iOS 13 and later.

          The check box is cleared by default.

      • In the Classroom section:
        • Prohibit screen viewing via Classroom

          Ability for an instructor to view students' iPad screens using the Classroom application.

          If the check box is cleared, the instructor can view students' iPad screens in the Classroom application.

          If the check box is selected, the instructor cannot view students' iPad screens in the Classroom application.

          This check box is cleared by default.

    • Restrictions on the Storage tab:
      • In the General section:
        • Prohibit access to USB devices in Files

          If the check box is cleared, the user can access connected USB devices in the Files app.

          If the check box is selected, access to connected USB devices in the Files app is blocked.

          The setting is available for mobile devices running iOS 13.1 or later.

          This check box is cleared by default.

        • Disable access to USB devices when the device is locked

          Specifies whether USB Restricted Mode is enforced while the device is locked. USB Restricted Mode is the iOS feature that blocks data connections to USB accessories through the device's port while the device is locked, which limits attacks that attach to a locked phone through that port.

          If the check box is selected, USB Restricted Mode is enforced: while the device is locked, connections to USB devices are limited by USB Restricted Mode.

          If the check box is cleared, the device is allowed to connect to USB devices while locked.

          The setting is available for mobile devices running iOS 11.4.1 or later.

          This check box is cleared by default.

    • Restrictions on the Network tab:
      • In the General section:
        • Prohibit use of NFC

          If the check box is cleared, the use of NFC is allowed.

          If the check box is selected, the use of NFC is disabled.

          The setting is available for mobile devices running iOS version 14.2 or later.

          This check box is cleared by default.

        • Prohibit creating VPN configurations

          If the check box is cleared, the user can create a VPN configuration on the managed device.

          If the check box is selected, the user can't create a VPN configuration on the managed device.

          The setting is available for mobile devices running iOS version 11 or later.

          This check box is cleared by default.

        • Prohibit modifying eSIM settings

          Selecting or clearing this check box specifies whether the device user can change settings related to the carrier plan.

          The restriction is supported on devices with iOS 11 and later.

          The check box is cleared by default.

      • In the Wi-Fi section:
        • Force Wi-Fi on

          Specifies whether Wi-Fi on the managed device should be always on. The device can connect to any Wi-Fi network.

          If the check box is selected, Wi-Fi on the device is always on, even in flight mode. The user cannot disable Wi-Fi in the device settings.

          If the check box is cleared, the user can disable Wi-Fi in the device settings.

          The setting is available for mobile devices running iOS version 13 or later.

          This check box is cleared by default.

        • Force connection to allowed Wi-Fi networks only

          Specifies whether the device can connect to allowed Wi-Fi networks only. This option is available if you add at least one Wi-Fi network to the list of Wi-Fi networks in the Wi-Fi section.

          If the check box is selected, the device connects to allowed Wi-Fi networks only. The user cannot disable Wi-Fi in the device settings.

          If the check box is cleared, the user can connect to any Wi-Fi network.

          The setting is available for mobile devices running iOS version 14.5 or later.

          This check box is cleared by default.

        • Prohibit modifying Personal Hotspot settings

          If the check box is cleared, the device user can modify Personal Hotspot settings.

          If the check box is selected, the device user cannot modify Personal Hotspot settings.

          The setting is available for mobile devices running iOS 12.2 or later.

          This check box is cleared by default.

      • In the Bluetooth section:
        • Prohibit modifying Bluetooth settings

          If the check box is cleared, the user can modify Bluetooth settings on the mobile device.

          If the check box is selected, Bluetooth settings cannot be modified on the mobile device.

          The setting is available for mobile devices running iOS 11 or later.

          This check box is cleared by default.

      • In the Cellular section:
        • Prohibit automatic sync while roaming

          Prohibit automatic synchronization of user data when the iOS MDM device is roaming.

          If the check box is cleared, the user can enable automatic data synchronization when the device is roaming. Enabling automatic synchronization in roaming can result in unexpected mobile service costs.

          If the check box is selected, the user is not allowed to use automatic data synchronization when the device is roaming.

          This check box is cleared by default.

        • Prohibit modifying cellular settings

          Ability to configure cellular network data transfer by apps installed on a mobile device.

          If the check box is cleared, the user can configure the settings for data transfer over a cellular network.

          If the check box is selected, the settings for cellular network data transfer by apps cannot be modified.

          This check box is cleared by default.

    • Restrictions on the Additional settings tab:
      • In the Display section:
        • Prohibit changing wallpaper

          Ability to select the image that will be displayed on the lock screen or Home screen.

          If the check box is cleared, the user can select the wallpaper for the mobile device.

          If the check box is selected, wallpaper selection is not available.

          This check box is cleared by default.

      • In the Text section:
        • Prohibit spellcheck

          Use of spellcheck when entering text on a mobile device. The spellcheck function underlines incorrectly spelled words and suggests corrections.

          If the check box is cleared, the user can enable and use the spellcheck function.

          If the check box is selected, spellcheck is not available when entering text.

          This check box is cleared by default.

        • Prohibit auto-correction

          Use of the auto-correct function when entering text.

          If the check box is cleared, the user can enable and use the auto-correct function.

          If the check box is selected, auto-correct is not available when entering text.

          This check box is cleared by default.

        • Prohibit dictionary search

          Use of a dictionary to look up the definitions of words on the mobile device. The dictionary function is available only with the software keyboard.

          If the check box is cleared, the user can highlight any word on the screen of the mobile device and get the definition of that word.

          If the check box is selected, dictionary search is not available.

          This check box is cleared by default.

      • In the Keyboard section:
        • Prohibit predictive text

          Use of the predictive text input function. The predictive text input function shows options for completing words and suggestions based on available dictionaries.

          If the check box is cleared, the user can enable and use the predictive text input function.

          If the check box is selected, the predictive text function is not available. In this case, suggestions are not displayed when entering text.

          This check box is cleared by default.

        • Prohibit keyboard shortcuts

          Use of keyboard shortcuts for quick access to mobile device functions.

          If the check box is cleared, the user can enable the keyboard shortcut function and use it when working with the mobile device.

          If the check box is selected, the keyboard shortcut function is not available.

          This check box is cleared by default.

      • In the Notifications section:
        • Prohibit Wallet on-screen notifications when screen is locked

          Use of Wallet notifications on the lock screen of the iOS MDM device.

          If the check box is cleared, Wallet notifications are displayed on the lock screen of the mobile device.

          If the check box is selected, Wallet notifications are not displayed on the lock screen of the mobile device. To work with Wallet, the user must unlock the device.

          This check box is cleared by default.

        • Hide Control Center when screen is locked

          Ability to go to the Control Center of the iOS MDM device when the device is locked.

          If the check box is cleared, the user can go to the Control Center when the device is locked.

          If the check box is selected, the user cannot go to the Control Center when the device is locked.

          This check box is cleared by default.

        • Hide Notification Center when screen is locked

          Ability to go to the Notification Center of the iOS MDM device when the device is locked.

          If the check box is cleared, the user can go to the Notification Center by swiping the lock screen down.

          If the check box is selected, the user cannot go to the Notification Center when the device is locked.

          This check box is cleared by default.

        • Hide Today View when screen is locked

          Display of information from the Today View on the lock screen of the iOS MDM device. The Today View shows the following information:

          • Calendar events
          • Reminders
          • Stock prices
          • Weather

          If the check box is cleared, the user can view notifications from the Today View on a locked mobile device.

          If the check box is selected, the Today View is not displayed on the locked mobile device.

          This check box is cleared by default.

        • Prohibit modifying notification settings

          Ability to configure the display of notifications on the mobile device.

          If the check box is cleared, the user can configure the settings for displaying notifications on the mobile device.

          If the check box is selected, the display of notifications cannot be configured.

          This check box is cleared by default.

    • Restrictions on the OS update tab:
      • In the General section:
        • Delay software updates (days)

          Allows delaying operating system updates on the device.

          If the check box is selected, the user cannot access updates for the specified period. The default delay is 30 days. You can specify another period in the Number of days from 1 to 90 field.

          If the check box is cleared, the user can update the software as soon as updates are available.

          The setting is available for mobile devices running iOS version 11.3 or later.

          This check box is cleared by default.

  7. Click OK.
  8. Click Save to save the changes you have made.

As a result, feature restrictions will be configured on the user's mobile device after the policy is applied.

Configuring app restrictions

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Restrictions section.
  4. On the App restrictions card, click Settings.

    The App restrictions window opens.

  5. Enable the settings using the App restrictions toggle switch.
  6. Configure iOS MDM device app restrictions.

    List of app restrictions

    Restrictions in the Safari section:

    • Allow use of Safari

      Use of the Safari browser on the iOS MDM device.

      If the check box is selected, the user is allowed to use the Safari browser.

      If the check box is cleared, the user is not allowed to use the Safari browser. The Safari icon is hidden on the home screen of the iOS MDM device.

      This check box is selected by default.

    • Allow AutoFill

      Saving and autofilling of data entered by the user in web forms in the Safari browser.

      If this check box is selected, user data entered in web forms is saved. Later it is automatically inserted in web forms.

      If this check box is cleared, user data is not inserted in web forms.

      This check box is selected by default.

    • Warn the user when visiting a dangerous website

      Option that enables a user warning prior to a visit to a website that Kaspersky Mobile Devices Protection and Management has found to be dangerous.

      If the check box is selected, Kaspersky Mobile Devices Protection and Management warns a user attempting to visit a dangerous website.

      If the check box is cleared, Kaspersky Mobile Devices Protection and Management does not warn a user attempting to visit a dangerous website.

      This check box is cleared by default.

    • Allow JavaScript

      Use of JavaScript by the Safari browser.

      If the check box is selected, the Safari browser uses JavaScript when opening web pages.

      If the check box is cleared, the Safari browser does not use JavaScript when opening web pages.

      This check box is selected by default.

    • Block pop-up windows

      Blocking of pop-up windows in the Safari browser.

      If this check box is selected, Kaspersky Mobile Devices Protection and Management blocks pop-up windows in the Safari browser.

      If this check box is cleared, Kaspersky Mobile Devices Protection and Management does not block pop-up windows in the Safari browser.

      This check box is cleared by default.

    • Cookie settings

      Select the condition for accepting cookies:

      • Allow cookies and website tracking. The Safari browser accepts cookies and allows tracking user activity.
      • Allow cookies and block website tracking. The Safari browser accepts cookies and blocks tracking user activity.
      • Block cookies and website tracking. The Safari browser blocks cookies and tracking user activity.

      The default value is Allow cookies and website tracking.

    Restrictions in the Game Center section:

    • Allow use of Game Center

      Access to the Game Center gaming service from the Game Center app on an iOS MDM device.

      If the check box is selected, the user can visit the Game Center gaming service from the Game Center app on the mobile device.

      If the check box is cleared, the user cannot visit the Game Center gaming service from the Game Center app on the mobile device. The Game Center icon is hidden on the home screen of the iOS MDM device.

      This check box is selected by default.

    • Allow adding friends in Game Center

      An option that allows adding users in the Game Center gaming service on the iOS MDM device.

      If the check box is selected, the user can add other users in the Game Center gaming service on the mobile device.

      If the check box is cleared, the user is not allowed to add other users in the Game Center gaming service on the mobile device.

      This check box is selected by default.

    • Allow multiplayer games in Game Center

      Use of the Game Center gaming service in multiplayer mode on the iOS MDM device.

      If the check box is selected, the user can participate in multiplayer games in the Game Center gaming service on the mobile device.

      If the check box is cleared, the user is not allowed to participate in multiplayer games in the Game Center gaming service on the mobile device.

      If the check box is cleared, users can still play games together via SharePlay or a third-party service.

      This check box is selected by default.

    Restrictions in the Additional settings section:

    • Allow use of iTunes Store

      Access to the iTunes Store media service from the iTunes app on an iOS MDM device.

      If the check box is selected, the user can view, buy, and download media content from the iTunes Store using the iTunes app on the mobile device.

      If the check box is cleared, the user cannot view, buy, and download media content from the iTunes Store using the iTunes app on the mobile device. The iTunes icon is hidden on the home screen of the iOS MDM device.

      This check box is selected by default.

    • Allow use of News

      Viewing of news on the user's mobile device using the News app.

      If the check box is selected, the user can view news using the News app.

      If the check box is cleared, the News app is not available to the user.

      This check box is selected by default.

    • Allow use of Podcasts

      Listening to podcasts on the user's mobile device using the Podcasts app.

      If the check box is selected, the user can search, play, and download podcasts using the Podcasts app.

      If the check box is cleared, podcasts cannot be downloaded to the mobile device.

      This check box is selected by default.

  7. Click OK.
  8. Click Save to save the changes you have made.

As a result, app restrictions will be configured on the user's mobile device after the policy is applied.

Configuring content restrictions

Categories used for content restrictions are determined by Apple. In some cases, when content restrictions are configured, actual results may differ from expected results.

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Restrictions section.
  4. On the Content restrictions card, click Settings.

    The Content restrictions window opens.

  5. Enable the settings using the Content restrictions toggle switch.
  6. Configure iOS MDM device content restrictions.

    List of content restrictions

    Region

    Selection of the country whose rating system is automatically applied to media content on the iOS MDM device.

    The default value is United States.

    Settings in the Age rating section:

    • Videos

      Selection of the restriction rating for access to movies on the iOS MDM device.

      The list of ratings depends on the region selected.

      If the Allow all option is selected, the user can view any movies on the mobile device.

      The Allow all option is selected by default.

    • TV shows

      Selection of the restriction rating for access to TV shows on the iOS MDM device.

      The list of ratings depends on the region selected.

      If the Allow all option is selected, the user can view any TV shows on the mobile device.

      The Allow all option is selected by default.

    • Apps

      Selection of the restriction rating for access to third-party apps on the iOS MDM device.

      The list of ratings depends on the rating system selected.

      If the Allow all option is selected, the user can use any third-party apps on the mobile device.

      The Allow all option is selected by default.

      App restrictions may be enforced even if the Allow all option is selected. This is due to an issue known to Apple.

    • Allow downloading erotica in Apple Books

      Access to adult content in Book Store on the user's mobile device.

      If the check box is selected, the user can download adult content from the Apple Books app to the iOS MDM device.

      If the check box is cleared, the user cannot download adult content from the Apple Books app to the iOS MDM device.

      This check box is selected by default.

    • Allow explicit content

      Access to explicit media content from the iTunes Store on the iOS MDM device. Restrictions are applied by iTunes Store providers.

      If the check box is selected, explicit media content purchased via iTunes Store is available to the mobile device user.

      If the check box is cleared, explicit media content purchased via iTunes Store is hidden from the mobile device user.

      This check box is selected by default.

  7. Click OK.
  8. Click Save to save the changes you have made.

As a result, content restrictions will be configured on the user's mobile device after the policy is applied.

Page top
[Topic 274752]

Configuring user access to websites

This section contains instructions on how to configure access to websites on Android and iOS devices.

In this section

Configuring access to websites on Android devices

Configuring access to websites on iOS MDM devices

Page top
[Topic 274745]

Configuring access to websites on Android devices

You can use Web Control to configure Android device users' access to websites. Web Control supports website filtering by categories defined in the Kaspersky Security Network cloud service. Filtering allows you to restrict user access to certain websites or categories of websites (for example, "Gambling, lotteries, sweepstakes" or "Internet communication"). Web Control is enabled by default.

Web Control on Android devices is supported only in Google Chrome, HUAWEI Browser, Samsung Internet, and Yandex Browser.

On corporate devices, if Kaspersky Endpoint Security for Android is not enabled as an Accessibility feature, Web Control is supported only in Google Chrome and checks only the domain of a website. To allow other browsers (Samsung Internet, Yandex Browser, and HUAWEI Browser) to support Web Control, enable Kaspersky Endpoint Security as an Accessibility feature. This will also let you use the Custom Tabs feature.

If Kaspersky Endpoint Security for Android is not enabled as an Accessibility feature and a proxy is enabled in the Google Chrome settings card, Web Control will not work.

To configure the settings for device users' access to websites:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Security controls section.
  4. On the Web Control card, click Settings.

    The Web Control window opens.

  5. Select one of the following options:
    • If you want the app to restrict user access to websites depending on their content, do the following:
      1. In the Operating mode drop-down list, select Prohibit websites in selected categories.
      2. In the Categories section, create a list of prohibited categories by selecting the check boxes next to the categories of websites to which the app will block access.
    • If you want the app to allow or block user access only to specified websites, do the following:
      1. In the Operating mode drop-down list, select Allow only listed websites or Allow all websites except listed ones.
      2. Click Add.
      3. In the window that opens, create a list of websites to which the app will allow or block access, depending on the value selected in the drop-down list. You can add websites by link (full URL, including the protocol, for example, https://example.com).

        To make sure that the app allows or blocks access to the specified website in all supported versions of Google Chrome, HUAWEI Browser, Samsung Internet, and Yandex Browser, include the same URL twice: once with the HTTP protocol (for example, http://example.com) and once with the HTTPS protocol (for example, https://example.com).

        For example:

        • https://example.com — The main page of the website is either allowed or blocked, but only when accessed through the HTTPS protocol. Other protocols like HTTP are not affected.
        • http://example.com — The main page of the website is either allowed or blocked, but only when accessed through the HTTP protocol. Other protocols like HTTPS are not affected.
        • https://example.com/page/index.html — Only the index.html page of the website will be allowed or blocked. The rest of the website is not affected by this entry.

        The app also supports regular expressions. When entering the address of an allowed or forbidden website, use the following templates:

        • https://example\.com/.* — This template blocks or allows all child pages of the website, accessed via the HTTPS protocol (for example, https://example.com/about).
        • https?://example\.com/.* — This template blocks or allows all child pages of the website, accessed via both the HTTP and HTTPS protocols.
        • https?://.*\.example\.com — This template blocks or allows all subdomain pages of the website (for example, https://pictures.example.com).
        • https?://example\.com/[abc]/.* — This template blocks or allows all child pages of the website where the first directory of the URL path is 'a', 'b', or 'c' (for example, https://example.com/b/about).
        • https?://\w{3,5}\.example\.com/.* — This template blocks or allows all child pages of the website where the subdomain consists of 3 to 5 word characters (for example, http://abde.example.com/about).

        Use the https? expression to match both the HTTP and HTTPS protocols, and escape literal dots as \. so that they do not match an arbitrary character. Regular expression syntax follows the Java java.util.regex.Pattern class; for details, refer to its documentation on the Oracle website.

      4. Click Add.
    • If you want the app to block user access to all websites, in the Operating mode section, in the drop-down list, select Prohibit all websites.
  6. If you want the app to check the full URL when opening a website in Custom Tabs, select the Check full URL when using Custom Tabs check box.

    Custom Tabs is an in-app browser that allows the user to view web pages without having to leave the app and switch to a full web browser version. This option provides better URL recognition and checks URLs against the configured Web Control rules. If the check box is selected, Kaspersky Endpoint Security for Android opens the website in a full version of the browser and checks the whole web address of the website. If the check box is cleared, Kaspersky Endpoint Security for Android checks only the domain of the website in Custom Tabs.

    The Custom Tabs feature is supported in Google Chrome, HUAWEI Browser, and Samsung Internet.

  7. If you want to lift content-based restrictions on user access to websites, disable the settings using the Web Control toggle switch and click Disable.
  8. Click OK.
  9. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Managing the website list

You can manage the list of websites with the following buttons:

  • Add — Click to add a website to the list by entering a URL or regular expression.
  • Upload — Click to add multiple websites to the list by specifying a TXT file that contains the required URLs or regular expressions. The file must be encoded in UTF-8. URLs or regular expressions in the file must be separated by semicolons or line breaks.
  • Edit — Click to change the address of a website.
  • Delete — Click to remove one or more websites from the list.
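
The matching rules above, as an added example that is not part of the product's documentation or code: a small Python evaluator for an Android Web Control website list. It assumes whole-URL matching (the page does not say whether a template must match the entire address or only a prefix), treats every entry, plain URL or template alike, as a pattern matched against the normalized address, and accepts the upload format described under Managing the website list (UTF-8, entries separated by semicolons or line breaks). The sample list, the host names and the mode names are constructed for the example. It also shows why the .* in the subdomain template should be tightened before it is used in an allow list: under whole-URL matching it also matches an address on a different host whose query string ends in .example.com, and the hardened template at the top of the block closes that gap.

```python
import re
from urllib.parse import urlsplit

# Constructed upload file: UTF-8 text, entries separated by ';' or by LF/CR+LF line breaks.
# The entries are the page's own examples (constructed sample list, not product data).
SAMPLE_UPLOAD = "\r\n".join([
    r"http://example.com;https://example.com",       # literal URLs, listed for both schemes
    r"https://example\.com/.*",                       # child pages over HTTPS only
    r"https?://.*\.example\.com",                     # subdomains, as written on the page
    r"https?://example\.com/[abc]/.*;https?://\w{3,5}\.example\.com/.*",
    "",                                               # trailing blank line is ignored
])

# Hardened subdomain template (addition of this example): only host-name characters may
# precede example.com, and the path is optional, so the pattern cannot cross into a query string.
HARDENED_SUBDOMAIN = r"https?://([A-Za-z0-9-]+\.)*example\.com(/.*)?"


def parse_upload(text):
    """Split upload-file text into list entries; ';', LF and CR+LF all act as separators."""
    entries = []
    for line in text.splitlines():
        for part in line.split(";"):
            part = part.strip()
            if part:
                entries.append(part)
    return entries


def normalize(url):
    """Lower-case scheme and host and drop a bare trailing '/' so that
    'https://example.com/' compares equal to the list entry 'https://example.com'."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if path == "/" and not parts.query:
        path = ""
    result = f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}"
    if parts.query:
        result += "?" + parts.query
    return result


def match_list(entries, url):
    """Return the first entry that matches the whole normalized URL, or None.
    Assumption: every entry is a regular expression; a plain URL simply matches itself."""
    target = normalize(url)
    for entry in entries:
        try:
            if re.fullmatch(entry, target):
                return entry
        except re.error as exc:
            # A malformed template would otherwise never match and silently punch a hole
            # in a block list (or close an allow list); fail loudly instead.
            raise ValueError(f"bad template {entry!r}: {exc}") from exc
    return None


def is_allowed(mode, entries, url):
    """Apply the operating mode; the mode names are constructed for this example."""
    listed = match_list(entries, url) is not None
    if mode == "allow_only_listed":
        return listed
    if mode == "allow_all_except_listed":
        return not listed
    if mode == "prohibit_all":
        return False
    raise ValueError(f"unknown operating mode {mode!r}")


ENTRIES = parse_upload(SAMPLE_UPLOAD)

if __name__ == "__main__":
    for url in ["http://example.com/about", "https://example.com/about",
                "https://pictures.example.com/about", "https://evil.test/?x=.example.com"]:
        verdict = "allowed" if is_allowed("allow_only_listed", ENTRIES, url) else "blocked"
        print(url, "->", verdict)
```

Two results are worth noting when the list is used in Allow only listed websites mode: http://example.com/about is blocked although https://example.com/about is allowed, because the child-page template covers HTTPS only; and https://evil.test/?x=.example.com is allowed by the page's subdomain template, while the hardened template rejects it and still covers https://pictures.example.com/about.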
Page top
[Topic 274753]

Configuring access to websites on iOS MDM devices

These settings apply to supervised devices.

Configure Web Control settings to control access to websites for iOS MDM device users. Web Control manages users' access to websites based on lists of allowed and forbidden websites. Web Control also lets you add website bookmarks on the bookmark panel in Safari.

By default, access to websites is not restricted.

If a URL is redirected to a different website, Web Control checks only the redirect target.

To configure settings for device users' access to websites:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Security controls section.
  4. On the Web Control card, click Settings.

    The Web Control window opens.

  5. Enable the settings using the Web Control toggle switch.
  6. In the Operating mode drop-down list do one of the following:
    • If you want to create a list of allowed websites, select Allow only listed websites.
    • If you want to create a list of forbidden websites, select Allow all websites except listed ones.
  7. Do one of the following:
    • If you want to add websites manually:
      1. Click Add:
      2. Add websites to which the app will allow or block access, depending on the value selected in the drop-down list.

        The website address should begin with http:// or https://. Kaspersky Mobile Devices Protection and Management allows or blocks access to all websites in the domain. For example, if you add http://www.example.com to the list of allowed websites, access is allowed to http://pictures.example.com and http://example.com/movies.

        If you want to add an allowed website to bookmarks in Safari on mobile devices, select the Add to bookmarks on device check box below the website address.

      3. Click Add.
    • If you want to upload a TXT file with a list of websites, click Upload.

      The TXT file must be saved with the UTF-8 encoding and LF or CR+LF line breaks.

  8. Click OK.
  9. Click Save to save the changes you have made.

As a result, once the policy is applied, Web Control will be configured on the mobile devices.
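
The domain-wide scope described in step 7, as an added example that is not part of the product's documentation or code: a Python check for an iOS Web Control list. It assumes that an entry is reduced to its host name with a leading www. removed (that is how listing http://www.example.com can cover both http://pictures.example.com and http://example.com/movies, as the step states), that the scheme of the entry is ignored, and that when a request redirects only the final address is evaluated, as the note above the procedure says. Mode names, host names and the redirect sample are constructed.

```python
from urllib.parse import urlsplit


def scope_domain(entry):
    """Reduce a list entry to the domain it covers.
    The entry must start with http:// or https://; a leading 'www.' is dropped (assumption,
    derived from the page's example that www.example.com also covers pictures.example.com)."""
    parts = urlsplit(entry)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"website address must begin with http:// or https://: {entry!r}")
    host = parts.hostname  # urlsplit already lower-cases the host
    return host[4:] if host.startswith("www.") else host


def in_scope(domain, url):
    """True when the URL's host is the domain itself or any subdomain of it.
    Every subdomain is covered, including ones operated by third parties on a hosted platform,
    so an allow-list entry grants more than the one host that was typed in."""
    host = urlsplit(url).hostname or ""
    return host == domain or host.endswith("." + domain)


def is_allowed(mode, entries, url, redirect_target=None):
    """Evaluate the operating mode against the address that is actually loaded:
    when a redirect occurred, only the redirect target is checked (constructed mode names)."""
    final = redirect_target or url
    listed = any(in_scope(scope_domain(entry), final) for entry in entries)
    if mode == "allow_only_listed":
        return listed
    if mode == "allow_all_except_listed":
        return not listed
    raise ValueError(f"unknown operating mode {mode!r}")


if __name__ == "__main__":
    allow = ["http://www.example.com"]
    for url in ["http://pictures.example.com", "http://example.com/movies",
                "https://example.com.evil.test/"]:
        verdict = "allowed" if is_allowed("allow_only_listed", allow, url) else "blocked"
        print(url, "->", verdict)
```

The last sample shows the check that matters for an allow list: example.com.evil.test is not a subdomain of example.com and is blocked, whereas a plain substring test on the host name would have let it through.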

Page top
[Topic 274754]

Compliance Control

This section contains instructions on how to monitor the compliance of devices with corporate requirements and configure compliance control rules.

In this section

Compliance Control of Android devices

Compliance Control of iOS MDM devices

Page top
[Topic 274746]

Compliance Control of Android devices

You can control Android devices for compliance with corporate security requirements. Corporate security requirements regulate how the user can work with the device. For example, the real-time protection must be enabled on the device, the anti-malware databases must be up-to-date, and the device password must be sufficiently strong. Compliance Control is based on a list of rules. A compliance rule includes the following components:

  • Device check criterion (for example, absence of blocked apps on the device).
  • Time period allocated for the user to fix the non-compliance (for example, 24 hours).
  • Responses performed on the device if the user does not correct the non-compliance issue within the set time period (for example, lock the device).

    If the device is in battery saver mode, Kaspersky Endpoint Security for Android may perform this task later than specified.

To create a rule for checking devices for compliance with a policy:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Security controls section.
  4. On the Compliance Control card, click Settings.

    The Compliance Control window opens.

  5. Enable the settings using the Compliance Control toggle switch.
  6. In the When non-compliance is detected section:
    • Select the Notify user check box to inform the user that the device does not comply with the policy.

      If the check box is cleared, the user is not notified of the non-compliance issue, and the response is performed on the device as soon as the time allocated for fixing the non-compliance expires.

    • Select the Notify the administrator through the "Events" section check box to inform the administrator that the device does not comply with the policy.
  7. Click Add.

    The Add rule wizard starts. This wizard will help you create a set of rules for checking the device compliance with the policy. Navigate through the wizard using the Next and Back buttons.

Step 1. Criterion for non-compliance

Click Add criterion to specify the non-compliance criterion to trigger the rule.

The following criteria are available:

  • Real-time protection is disabled

    Kaspersky Endpoint Security for Android is not installed or running on the device.

  • Anti-malware databases on device are out of date

    Anti-malware databases were last updated 3 or more days ago.

  • Forbidden apps are installed

    The list of apps on the device contains apps that are set as forbidden in the App Control settings of the policy.

  • Apps from forbidden categories are installed

    The list of apps on the device contains apps from the categories that are set as forbidden in the App Control settings of the policy.

  • Not all required apps are installed

    The list of apps on the device does not contain an app that is set as required in the App Control settings of the policy.

  • Operating system version is outdated

    The Android version on the device is outside the allowed range.

    For this criterion, specify the minimum and maximum allowed versions of Android in the Minimum version and Maximum version fields. If the maximum allowed version is set to Any, future Android versions supported by Kaspersky Endpoint Security for Android will also be allowed.

  • Device has not been synchronized for a long time

    The last synchronization of the device with the Administration Server is checked.

    For this criterion, specify the maximum period after the last synchronization in the Period without synchronization field.

  • Device has been rooted

    The device is rooted (root access has been gained on the device).

  • Unlock password is not compliant with security settings specified in policy

    The unlock password on the device is not compliant with the settings defined in the Screen unlock settings card.

  • Installed version of Kaspersky Endpoint Security for Android is outdated

    Kaspersky Endpoint Security for Android installed on the device is obsolete.

    This criterion applies only to an app installed using a Kaspersky Endpoint Security for Android installation package and if the minimum allowed version of Kaspersky Endpoint Security for Android is specified in the App update settings of the policy.

  • SIM card usage is not compliant with security requirements

    The device SIM card has been replaced or removed compared to the previous check state, or an additional SIM card has been inserted.

    For this criterion, select the specific condition that must be monitored:

    • The SIM card must not be replaced or removed
    • The SIM card must not be replaced or removed; additional SIM cards must not be inserted
  • Device location

    The device is outside the specified geofence areas.

    Specifying the geofence area will result in increased device power consumption.

    For this criterion, select the specific condition that must be monitored:

    • The device is within a specified geofence (the geofence areas are combined using the OR logical operator).
    • The device is outside specified geofences (the geofence areas are combined using the AND logical operator).

    To add a geofence area:

    1. Click Add geofences.

      The Add geofences window opens.

    2. Specify the Geofence name.
    3. Specify the geofence perimeter by entering a latitude and a longitude for each point.

      For each geofence area, you can manually enter from 3 to 100 coordinate pairs (latitude, longitude) as decimal numbers.

      A geofence perimeter must not contain intersecting lines.

      If needed, you can specify more than 3 points by clicking the Add point button.

      To delete a point, click the X button.

      You can view the specified geofence area in the Yandex.Maps program by clicking View on map.

    4. Click OK to add the specified geofences.
  • Kaspersky Endpoint Security for Android has no access to precise or background location

    Kaspersky Endpoint Security for Android is not allowed to access the precise location of the device or use the device location in the background.
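How a rule's criterion, deferral period and response fit together, as an added example in Python that is not Kaspersky code: it evaluates a few of the criteria listed above (database age of 3 or more days, Android version range with Any as the maximum, period without synchronization, rooted state, and geofences combined with OR or AND) against a constructed device record, and returns the response with the time at which it falls due, so an instant response is due immediately and a deferred one after the deferral period described in Step 2. The device record fields, the rule representation and all function names are assumptions made for illustration; the ray-casting point-in-polygon test is a standard technique, not the product's implementation.

```python
"""Evaluate Android Compliance Control rules against a device record.

Added example, not Kaspersky code. Device fields, rule representation and
function names are assumptions; the sample data at the bottom is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so the run is reproducible


@dataclass
class Device:
    """Constructed device state, shaped like what a management agent reports (assumed fields)."""
    protection_enabled: bool
    db_updated: datetime
    android_version: str
    last_sync: datetime
    rooted: bool
    location: Optional[tuple]  # (latitude, longitude) or None when no fix is available


def version_tuple(v: str) -> tuple:
    """'9' -> (9,), '13.1' -> (13, 1): numeric, component-wise comparison, not string order."""
    return tuple(int(p) for p in v.split("."))


def db_out_of_date(dev: Device, now: datetime = NOW) -> bool:
    """'Anti-malware databases on device are out of date': last update 3 or more days ago."""
    return now - dev.db_updated >= timedelta(days=3)


def os_version_outdated(dev: Device, minimum: str, maximum: Optional[str]) -> bool:
    """'Operating system version is outdated': outside [minimum, maximum]; maximum None means Any."""
    v = version_tuple(dev.android_version)
    if v < version_tuple(minimum):
        return True
    return maximum is not None and v > version_tuple(maximum)


def not_synced(dev: Device, max_period: timedelta, now: datetime = NOW) -> bool:
    """'Device has not been synchronized for a long time'."""
    return now - dev.last_sync > max_period


def point_in_polygon(point: tuple, polygon: list) -> bool:
    """Ray-casting test. polygon: 3 to 100 (lat, lon) pairs with no intersecting edges (page limits)."""
    x, y = point
    inside = False
    for i in range(len(polygon)):
        x1, y1 = polygon[i]
        x2, y2 = polygon[(i + 1) % len(polygon)]
        if (y1 > y) != (y2 > y):                          # edge straddles the horizontal ray
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside


def location_noncompliant(dev: Device, geofences: list, must_be_inside: bool) -> bool:
    """'Device location'. must_be_inside=True: compliant if inside ANY area (OR);
    must_be_inside=False: compliant only if outside ALL areas (AND)."""
    if dev.location is None:
        return False  # assumption: an unknown position is not treated as a violation
    hits = [point_in_polygon(dev.location, g) for g in geofences]
    return not any(hits) if must_be_inside else any(hits)


@dataclass
class Rule:
    criterion: str                          # key in CRITERIA
    params: dict = field(default_factory=dict)
    response: str = "Lock device"           # one of the Step 2 responses
    deferral: timedelta = timedelta(0)      # 0 = instant response, otherwise a deferred response


CRITERIA = {
    "real_time_protection_disabled": lambda d, p: not d.protection_enabled,
    "db_out_of_date": lambda d, p: db_out_of_date(d),
    "os_version_outdated": lambda d, p: os_version_outdated(d, p["minimum"], p.get("maximum")),
    "not_synced": lambda d, p: not_synced(d, p["max_period"]),
    "rooted": lambda d, p: d.rooted,
    "location": lambda d, p: location_noncompliant(d, p["geofences"], p["must_be_inside"]),
}


def evaluate(dev: Device, rules: list, now: datetime = NOW) -> list:
    """Return (criterion, response, due_time) for each violated rule; due_time = now + deferral."""
    return [(r.criterion, r.response, now + r.deferral)
            for r in rules if CRITERIA[r.criterion](dev, r.params)]


# Constructed sample data: a square geofence, a compliant device and a non-compliant one.
SQUARE = [(0.0, 0.0), (0.0, 10.0), (10.0, 10.0), (10.0, 0.0)]
RULES = [
    Rule("real_time_protection_disabled", response="Block all apps except system apps"),
    Rule("db_out_of_date", response="Block all apps except system apps"),
    Rule("os_version_outdated", {"minimum": "11", "maximum": None}, "Lock device", timedelta(hours=24)),
    Rule("not_synced", {"max_period": timedelta(days=7)}),
    Rule("rooted", response="Wipe corporate data", deferral=timedelta(hours=1)),
    Rule("location", {"geofences": [SQUARE], "must_be_inside": True}),
]
COMPLIANT = Device(True, NOW - timedelta(days=1), "13", NOW - timedelta(hours=2), False, (5.0, 5.0))
ROGUE = Device(False, NOW - timedelta(days=5), "9", NOW - timedelta(days=10), True, (15.0, 5.0))

if __name__ == "__main__":
    for crit, resp, due in evaluate(ROGUE, RULES):
        print(f"{crit}: {resp} due at {due.isoformat()}")
```

Note that the version comparison is numeric per component; comparing "9" and "11" as strings would wrongly rank 9 as the later version, which is the kind of defect that silently makes an outdated-OS rule never fire.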

Step 2. Responses for non-compliance with security requirements

Add the responses to be performed on the device if the specified non-compliance criterion is detected.

Choose one of the following options:

  • Add instant response. The response is applied instantly after the non-compliance criterion is detected.
  • Add deferred response. The response is applied after a deferral period that you can specify in the Deferral period field.

    The following responses are available:

    • Block all apps except system apps

      All apps on the device, except system apps, are blocked from starting.

      As soon as the non-compliance criterion selected for the rule is no longer detected on the device, the apps are automatically unblocked.

    • Lock device

      The mobile device is locked. To obtain access to data, you must unlock the device by entering the one-time passcode or using the Unlock device command.

    • Wipe corporate data

      The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:

      • On a personal device, Knox profile and mail certificate are wiped.
      • On a corporate device, Knox profile and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
      • Additionally, on a device with corporate container, the container (its content, configurations, and restrictions) and the certificates installed in it (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
    • Reset to factory settings

      All data is wiped from the device and settings are rolled back to their factory values. After this response is performed, the device will no longer be managed. To connect the device to Kaspersky Security Center, you must reinstall Kaspersky Endpoint Security for Android.

      On devices running Android 14 or later, this response is only applicable if the device is operating in corporate device mode.

    • Lock corporate container

      Corporate container on the device is locked. To obtain access to corporate container, you must unlock it.

      The response is only applicable to devices running Android 6 or later.

      After the corporate container on a device is locked, the history of the container passwords is cleared. It means that the user can specify one of the recent passwords, regardless of the corporate container password settings.

    • Wipe data of all apps

      On a corporate device, data of all apps on the device is wiped.

      On a device with corporate container, data of all apps in the container is wiped.

      As a result, apps are rolled back to their default state.

      The response is only applicable to devices running Android 9 or later in corporate device or device with corporate container operating modes.

    • Wipe data of a specified app

      For this response, you need to specify the package name for the app whose data is to be wiped.

      To get the name of an app package:

      1. Open Google Play.
      2. Find the app and open its page.

      The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

      To get the name of an app package that has been added to Kaspersky Security Center:

      1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
      2. Click Android apps.

        In the list of apps that opens, app identifiers are displayed in the Package name column.

      As a result, the app is rolled back to its default state.

      The response is only applicable to devices running Android 9 or later in corporate device or device with corporate container operating modes.

    • Prohibit safe boot

      The user is not allowed to boot the device in safe mode.

      The response is only applicable to corporate devices running Android 6 or later.

    • Prohibit use of camera

      The user is not allowed to use any cameras on the device.

    • Prohibit use of Bluetooth

      The user is not allowed to turn on and configure Bluetooth settings.

      The response is only applicable to personal devices running Android 12 or earlier, corporate devices, or devices with corporate container.

    • Prohibit use of Wi-Fi

      The user is not allowed to use and configure Wi-Fi settings.

      The response is only applicable to personal devices running Android 9 or earlier or corporate devices.

    • Prohibit USB debugging features

      The user is not allowed to use USB debugging features and developer mode on the device.

      The response is only applicable to corporate devices or devices with corporate container.

    • Prohibit airplane mode

      The user is not allowed to enable airplane mode on the device.

      The response is only applicable to corporate devices running Android 9 or later.

Click Add rule to finish the Add rule wizard. The new rule and its details appear in the list of the Compliance Control rules. To temporarily disable a rule, use the toggle switch next to the selected rule.

To enable the automatic wiping of data from devices associated with disabled accounts of Active Directory users, select the Wipe data from devices with disabled Active Directory user accounts check box and select one of the following actions:

  • Wipe corporate data
  • Reset to factory settings

    On devices running Android 14 or later, this action is only applicable if the device is operating in corporate device mode.

These settings require integration with Microsoft Active Directory.

If you use policy profiles, be sure to enable the wipe data option for the entire policy. When a user account is disabled in Active Directory, it is first removed from the Active Directory user group. As a result, the policy profile is no longer applied to this user account, so the data is not wiped from the device.

Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

[Topic 274755]

Compliance Control of iOS MDM devices


Compliance Control lets you monitor iOS MDM devices for compliance with corporate security requirements and take actions if non-compliance is found. Compliance Control is based on a list of rules. Each rule includes the following components:

  • Status (whether the rule is enabled or disabled).
  • Non-compliance criteria (for example, absence of the specified apps or the operating system version).
  • Responses performed on the device if the user does not correct the non-compliance issue within the set time period (for example, wipe corporate data or send an email message to the user).

To create a rule for checking devices for compliance with a policy:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Security controls section.
  4. On the Compliance Control card, click Settings.

    The Compliance Control window opens.

  5. Enable the settings using the Compliance Control toggle switch.
  6. Click Add.

    The Add rule wizard starts. This wizard will help you create a set of rules for checking the device compliance with the policy. Navigate through the wizard using the Next and Back buttons.

Step 1. Criterion for non-compliance

Click Add criterion to specify the non-compliance criterion to trigger the rule.

The following criteria are available:

  • List of installed apps

    The list of apps on the device contains forbidden apps or does not contain required apps.

    For this criterion, select a condition (Contains or Does not contain) and specify the Bundle ID of the app.

    To get the bundle ID of a built-in iPhone or iPad app, follow the instructions in the Apple documentation.

    To get the bundle ID of any iPhone or iPad app:

    1. Open the App Store.
    2. Find the required app and open its page.

      The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

    3. Copy this identifier (without the letters "id").
    4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

      This downloads a text file.

    5. Open the downloaded file and find the "bundleId" fragment in it.

    The text that directly follows this fragment is the bundle ID of the required app.

    To get the bundle ID of an app that has been added to Kaspersky Security Center:

    1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
    2. Click iOS apps.

      In the list of apps that opens, app identifiers are displayed in the Bundle ID column.

  • Operating system version

    The version of the operating system on the device is outside the allowed range.

    For this criterion, select a condition (Equal to, Not equal to, Earlier than, Earlier than or equal to, Later than, or Later than or equal to) and specify the iOS version.

    Note that the Equal to and Not equal to operators check for a full match of the operating system version with the specified value. For instance, if you specify iOS 15 in the rule, but the device is running iOS 15.2, the Equal to criterion is not met. If you need to specify a range of versions, you can create two criteria and use the Earlier than and Later than operators.

  • Supervision status

    The supervision status of the device is not the one required.

    For this criterion, select the device operating mode (Supervised or Basic control).

  • Device type

    The device type is not the one required.

    For this criterion, select a device type (iPhone or iPad).

  • Device model

    The device model is not the one required.

    For this criterion, select a condition (Equal to or Not equal to) and specify models that will be checked or excluded from the check, respectively.

    To specify a model, in the Model identifier field, select the required model from the list or enter a value manually. The list contains mobile device codes and their matching product names. For example, if you want to add all iPhone 14 models, type "iPhone 14". In this case, you can select any of the available models: "iPhone 14", "iPhone 14 Plus", "iPhone 14 Pro", "iPhone 14 Pro Max".

    In some cases, the same product name may correspond to several mobile device codes (for example, the "iPhone 7" product name corresponds to two mobile device codes, "iPhone 9.1" and "iPhone 9.3"). Be sure that you select all of the mobile device codes that correspond to the required models.

    If you enter a value that is not on the list, nothing will be found. However, you can click Add: "<value>" under the field to add the entered value to the criterion.

    If you specify the criteria that contradict each other (for example, Device type is set to iPhone but the list of values of Device model, with the Equal to operator selected, contains an iPad model), an error message is displayed. You cannot save a rule with such criteria.

  • Roaming

    The device roaming status is not the one required.

    For this criterion, select a condition (Device is roaming or Device is not roaming).

  • Password on device

    A password is not set or not compliant with the settings specified in the Screen unlock settings card.

    For this criterion, select a condition (Not set, Set but not compliant, or Set and compliant).

  • Free storage on device

    The amount of free space on the device is less than the specified threshold.

    For this criterion, specify the threshold amount of free space (Less than or equal to), and then select the measurement unit (MB or GB).

  • Device is not encrypted

    The device is not encrypted.

    Data encryption is enabled by default on password-locked iOS devices (Settings > Touch ID / Face ID and Password > Enable Password). Also, the hardware encryption on a device must be set to At block and file level (you can check this setting in the device properties: go to Assets (Devices) → Mobile → Devices, and then select the required device).

  • Actions with SIM card

    The device SIM card has been replaced or removed compared to the previous check state, or an additional SIM card has been inserted.

    For this criterion, select a condition (The SIM card must not be replaced or removed or The SIM card must not be replaced or removed; additional SIM cards must not be inserted).

    On eSIM compatible devices, the non-compliance detection cannot be removed by inserting the previously removed eSIM. This is because the device operating system recognizes each added eSIM as a new one. In this case, delete the compliance control rule from the policy.

  • Device has not been synchronized for a long time

    The last synchronization of the device with iOS MDM Server is checked.

    For this criterion, specify the maximum time after the last sync in the Period without synchronization field, and then select the measurement unit (Hours or Days).

    We do not recommend that you specify a value less than the value of the Synchronization period (min) setting specified in the iOS MDM Server settings.
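Two of the criteria above, List of installed apps and Operating system version, together with the app-identifier procedures (the Android package name from a Google Play URL under the Wipe data of a specified app response in the Android section, and the iOS bundle ID from the App Store URL and the lookup file here), as an added example in Python that is not Kaspersky code. It parses the identifiers out of the URL formats the page gives, reads the bundleId from the lookup file by parsing it as JSON rather than text-searching it, and implements the six version operators numerically so that Equal to 15 does not match a device on iOS 15.2 while Earlier than 15 does match 9.3. The lookup response is a constructed sample shaped like the real file, the function names are assumptions, and the range helper assumes the two criteria in one rule are combined with AND, which the page does not state.

```python
"""Helpers for the iOS 'List of installed apps' and 'Operating system version'
criteria, plus the Android package-name extraction from a Google Play URL.

Added example, not Kaspersky code. URL formats, the 'bundleId' field and the
operator names come from the page; SAMPLE_LOOKUP is constructed and all
function names are assumptions.
"""
import json
from urllib.parse import parse_qs, urlparse


def android_package_name(play_url: str) -> str:
    """A Google Play URL ends with ?id=<package name>; return that package name."""
    ids = parse_qs(urlparse(play_url).query).get("id")
    if not ids:
        raise ValueError("no id= parameter in Google Play URL")
    return ids[0]


def app_store_numeric_id(store_url: str) -> str:
    """An App Store URL ends with /id<digits>; return the digits without the letters 'id'."""
    last = urlparse(store_url).path.rstrip("/").rsplit("/", 1)[-1]
    if not (last.startswith("id") and last[2:].isdigit()):
        raise ValueError("URL does not end with an id<digits> segment")
    return last[2:]


def lookup_url(numeric_id: str) -> str:
    """Address of the text file that carries the bundleId (step 4 of the page procedure)."""
    return f"https://itunes.apple.com/lookup?id={numeric_id}"


def bundle_ids_from_lookup(lookup_text: str) -> list:
    """The lookup file is JSON; collect every bundleId in it instead of searching the text."""
    return [r["bundleId"] for r in json.loads(lookup_text).get("results", []) if "bundleId" in r]


# Constructed sample shaped like a lookup response (not real App Store data).
SAMPLE_LOOKUP = json.dumps({"resultCount": 1, "results": [
    {"trackId": 123456789, "trackName": "Example Browser", "bundleId": "com.example.browser"}]})


def installed_apps_criterion(installed: set, condition: str, bundle_id: str) -> bool:
    """'List of installed apps': True when the criterion is met, i.e. the rule triggers."""
    if condition == "Contains":
        return bundle_id in installed
    if condition == "Does not contain":
        return bundle_id not in installed
    raise ValueError(f"unknown condition: {condition!r}")


def parse_version(v: str) -> tuple:
    """'15' -> (15,), '15.2' -> (15, 2); compared numerically, component by component."""
    return tuple(int(p) for p in v.strip().split("."))


VERSION_OPERATORS = {
    "Equal to": lambda d, r: d == r,              # full match: (15,) is not (15, 2)
    "Not equal to": lambda d, r: d != r,
    "Earlier than": lambda d, r: d < r,
    "Earlier than or equal to": lambda d, r: d <= r,
    "Later than": lambda d, r: d > r,
    "Later than or equal to": lambda d, r: d >= r,
}


def os_version_criterion(device_version: str, operator: str, value: str) -> bool:
    """'Operating system version': True when the criterion is met for the device."""
    return VERSION_OPERATORS[operator](parse_version(device_version), parse_version(value))


def os_version_in_range(device_version: str, lo: str, hi: str) -> bool:
    """A range expressed as two criteria, as the page suggests: Later than or equal to lo
    and Earlier than hi. Assumption: the two criteria are combined with AND."""
    return (os_version_criterion(device_version, "Later than or equal to", lo)
            and os_version_criterion(device_version, "Earlier than", hi))


if __name__ == "__main__":
    numeric_id = app_store_numeric_id("https://apps.apple.com/us/app/google-chrome/id535886823")
    print(lookup_url(numeric_id), bundle_ids_from_lookup(SAMPLE_LOOKUP))
    print(android_package_name("https://play.google.com/store/apps/details?id=com.android.chrome"))
```

Parsing the lookup file as JSON also means a response with several results yields every bundle ID rather than only the first fragment a text search happens to find.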

Step 2. Responses for non-compliance with security requirements

Add the responses to be performed on the device if the specified non-compliance criterion is detected.

Choose one of the following options:

  • Add instant response. The response is applied instantly after the non-compliance criterion is detected.
  • Add deferred response. The response is applied after a deferral period that you can specify in the Deferral period field.

    Responses are performed during the compliance rule check, which happens every 40 minutes, and persist until the next synchronization with the iOS MDM Server. To prevent repeating responses from a single non-compliance instance, set the Synchronization period (min) value to 30 minutes in the iOS MDM Server settings.

    If you specify responses that contradict each other, an error message is displayed. You cannot save such a rule.

    When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the response by sending the respective command to the device.

    The following responses are available:

    • Send a message to the user

      The user is informed about the non-compliance by email.

      For this response, specify user email addresses in the Email and Alternate email address fields. If necessary, you can also edit the email subject and default text.

      Make sure the Email notifications are configured in the Administration Server properties. For detailed information on configuring notifications delivery, refer to the Kaspersky Security Center Help.

    • Wipe corporate data

      All installed configuration profiles, provisioning profiles, the device management profile, and apps for which the Remove when device management profile is deleted check box has been selected are removed from the device. This response is performed by sending the Wipe corporate data command.

    • Modify profile

      For this response, specify one of the actions:

      • Install profile. The configuration profile is installed on device. This action is performed by sending the Install configuration profile command. For this response, you also need to specify the ID of the profile to be installed.

        Before the profile is installed, it must be added to the list of configuration profiles in the Configuration profiles section of the iOS MDM Server settings.

      • Delete specified profile. The configuration profile is deleted from the device. This response is performed by sending the Delete configuration profile command. For this action, you also need to specify the ID of the profile to be deleted.
      • Delete all profiles. All previously installed configuration profiles are deleted from the device.

        When the non-compliance criteria selected for the rule are no longer detected on the device, you can install the deleted configuration profiles one by one, by sending the respective command to the device.

    • Update operating system

      For this response, specify the OS version and one of the actions:

      • Download and install. The device operating system is downloaded and installed.

        If a non-existent operating system version is specified in the Operating system version criterion, the device will upgrade to the latest downloaded operating system.

      • Download only. The device operating system is downloaded.
      • Install only. The previously downloaded operating system is installed.

      This response is only applicable to supervised devices.

    • Modify Bluetooth settings

      For this response, specify whether you want to enable or disable Bluetooth on the device.

      This response is only applicable to supervised devices.

    • Reset to factory settings

      All data is deleted from the device and the settings are rolled back to their default values. After this response is performed, the device will no longer be managed. To connect the device to Kaspersky Security Center, you must reinstall the device management profile on it.

    • Modify apps

      For this response, specify one of the actions:

      • Delete specified app. The specified app is removed from the device.

        You can delete only a managed app. An app is considered managed if it has been installed through Kaspersky Security Center by executing the Install app command.

        When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the response by sending the respective command to the device.

        For this action, specify the Bundle ID of the app to be deleted. To get the bundle ID, follow the instructions given for the List of installed apps criterion in Step 1.

      • Delete all apps. All managed apps are deleted from the device.

        You can delete only managed apps. An app is considered managed if it has been installed through Kaspersky Security Center by executing the Install app command.

        When the non-compliance criteria selected for the rule are no longer detected on the device, you can install the deleted apps one by one, by sending the respective command to the device.

        For this action, specify the Bundle ID of the apps to be deleted. To get the bundle ID, follow the instructions given for the List of installed apps criterion in Step 1.

    • Delete profile of specified type

      For this response, specify the Profile type to be deleted from the device (for example, Web Clips or Calendar subscriptions).

      As soon as the non-compliance criteria selected for the rule are no longer detected on the device, the deleted profiles are automatically restored.

    • Modify roaming settings

      For this response, specify whether you want to enable or disable data roaming on the device.

Click Add rule to finish the Add rule wizard. The new rule and its details appear in the list of Compliance Control rules. To temporarily disable a rule, use the toggle switch next to the selected rule.

To enable the automatic wiping of data from devices associated with disabled accounts of Active Directory users, select the Wipe data from devices with disabled Active Directory user accounts check box and choose one of the following actions:

  • Wipe corporate data
  • Reset to factory settings

    These settings require integration with Microsoft Active Directory.

    If you use policy profiles, be sure to enable the wipe data option for the entire policy. When a user account is disabled in Active Directory, it is first removed from the Active Directory user group. As a result, the policy profile is no longer applied to this user account, so the data is not wiped from the device.

Click Save to save the changes you have made.

[Topic 274756]

App Control

This section contains instructions on how to configure user access to apps on a mobile device.

In this section

App Control on Android devices

App Control on iOS MDM devices

[Topic 274747]

App Control on Android devices


The App Control component lets you manage apps on Android devices and configure use of these apps to keep the devices secure.

You can restrict user activity on a device on which forbidden apps are installed or required apps are not installed (for example, by locking the device). You can impose restrictions using the Compliance Control component. To do so, in the rule settings, you must select the Forbidden apps are installed, Apps from forbidden categories are installed, or Not all required apps are installed criterion.

Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of App Control. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or later disable this service in the device settings. If the user does this, App Control will not run.

On corporate devices, you have extended control over the device. App Control operates without notifying the device user:

  • Required apps are installed automatically in the background. To install apps silently, you need to specify a link to the APK file of the required app in the policy settings.
  • Forbidden apps can be deleted from the device automatically. To delete apps silently, you need to select the Remove forbidden apps automatically check box in the policy settings.

To configure app startup settings on the mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Security controls section.
  4. On the App Control card, click Settings.

    The App Control window opens.

  5. Enable the settings using the App Control toggle switch.
  6. Configure the settings on the following tabs:
    • If you want to configure general rules of app management, go to the App use tab.
      1. In the Operating mode drop-down list, select the App Control mode:
        • To allow the user to start all apps except those specified as blocked in the list of categories and apps, select Use all apps except forbidden ones. Kaspersky Endpoint Security for Android will hide icons of forbidden apps. This option is selected by default.
        • To allow the user to start only apps specified in the list of categories and apps as allowed, recommended, or required apps, select Use only allowed apps. Kaspersky Endpoint Security for Android will hide icons of all apps except those specified in the list of allowed, recommended, or required apps and system apps.
      2. If you want Kaspersky Endpoint Security for Android to send data on forbidden apps to the event log without blocking them, select the Do not block forbidden apps, only add a record to the event log check box.
      3. If you want Kaspersky Endpoint Security for Android to block startup of system apps (such as Calendar, Camera, and Settings) on the user's mobile device, select the Block system apps check box. This check box is displayed in the Use only allowed apps mode.

        We recommend that you do not block system apps because doing so could cause the device to malfunction.

        Before removing Kaspersky Endpoint Security for Android from the device, clear this check box or disable App Control.

      4. If you want Kaspersky Endpoint Security for Android to remove forbidden apps from the device in the background without notifying the user, select the Remove forbidden apps automatically check box. This check box is displayed in policies for managing corporate devices.
      5. Click Add to add apps and categories for which you want to set rules.

        The Add app or category window opens.

      6. In the Object field, select either App or App category and do the following:
        • If you selected App, select an installation package or specify the package name and the app name in the corresponding fields.
        • If you selected App category, select a category and enter a description in the corresponding fields.
        • Click Add.

        The app or category is added to the list.

      7. If you want to configure exceptions from listed forbidden or allowed apps, click Exceptions, specify package names in the window that opens, and click OK.
      8. If you want to receive reports on installed apps, in the Report on installed apps section, select the Send data on installed apps check box. Then you can select the following check boxes:
        • Send data on built-in apps to send data on system apps.
        • Send data on service apps to send data on service apps that have no user interface and cannot be started manually.

        If a system app or service app is configured in the App Control settings, app data is sent regardless of the state of the check boxes.

        Kaspersky Endpoint Security for Android sends data to the event log each time an app is installed on a device or removed from it.

    • If you want to set actions to be performed for selected apps, go to the App management tab.
      1. In the Actions for apps table, click Add.
      2. In the window that opens, do the following:
        1. In the Action field select one of the following actions:
          • Install. The user will be prompted to install the app.
          • Remove. The app will be deleted from the user's device.
          • Recommend installation. The user will receive a recommendation to install the app.
        2. Fill in the following fields:
          • Package name
          • App name
          • Link

            Links to app packages must start with http:// or https://.

          • Version

            This field is a string parameter specified in the format of Oracle regular expressions. For more details on regular expressions, please refer to the Oracle Technical Support website.

            The Link and Version fields are not displayed if you select Remove in the Action field.

        3. Click Add.

      The configured action is added to the list.

  7. Click OK.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
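The effect of the App use settings above, modeled as a small policy evaluator (added example, not Kaspersky code). Mode and setting names follow the steps above; the rule precedence (package rule over category rule), the treatment of Exceptions as unlisted packages, and the automatic-removal behaviour are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class Mode(Enum):
    # "Use all apps except forbidden ones" (default) and "Use only allowed apps"
    ALL_EXCEPT_FORBIDDEN = "all_except_forbidden"
    ONLY_ALLOWED = "only_allowed"


class Verdict(Enum):
    FORBIDDEN = "forbidden"
    ALLOWED = "allowed"
    RECOMMENDED = "recommended"
    REQUIRED = "required"


@dataclass(frozen=True)
class App:
    package: str
    category: str
    is_system: bool = False


@dataclass
class AppControlPolicy:
    enabled: bool = True
    mode: Mode = Mode.ALL_EXCEPT_FORBIDDEN
    # "Do not block forbidden apps, only add a record to the event log"
    log_only: bool = False
    # "Block system apps" (shown only in the Use only allowed apps mode)
    block_system_apps: bool = False
    # "Remove forbidden apps automatically" (corporate-device policies only)
    remove_forbidden_automatically: bool = False
    package_rules: Dict[str, Verdict] = field(default_factory=dict)
    category_rules: Dict[str, Verdict] = field(default_factory=dict)
    # "Exceptions": package names excluded from the listed rules
    exceptions: Set[str] = field(default_factory=set)

    def verdict_for(self, app: App) -> Optional[Verdict]:
        """Look up the rule that applies to an app.

        Assumptions (not stated on the page): a rule for the exact package
        name takes precedence over the rule for its category, and a package
        listed under Exceptions is treated as if it were not listed at all.
        """
        if app.package in self.exceptions:
            return None
        if app.package in self.package_rules:
            return self.package_rules[app.package]
        return self.category_rules.get(app.category)

    def decide(self, app: App) -> str:
        """Return what happens to the app on the device:
        'allowed'  icon shown, app can be started
        'hidden'   icon hidden, start blocked
        'logged'   app runs, but a record is added to the event log
        'removed'  app is uninstalled in the background (corporate devices)
        """
        if not self.enabled:
            return "allowed"
        verdict = self.verdict_for(app)

        if self.mode is Mode.ALL_EXCEPT_FORBIDDEN:
            # Everything runs unless it is explicitly forbidden.
            if verdict is not Verdict.FORBIDDEN:
                return "allowed"
            return self._block(app, explicitly_forbidden=True)

        # Mode.ONLY_ALLOWED: only allowed, recommended and required apps run.
        if verdict in (Verdict.ALLOWED, Verdict.RECOMMENDED, Verdict.REQUIRED):
            return "allowed"
        if verdict is Verdict.FORBIDDEN:
            return self._block(app, explicitly_forbidden=True)
        # Unlisted system apps keep working unless "Block system apps" is set.
        if app.is_system and not self.block_system_apps:
            return "allowed"
        return self._block(app, explicitly_forbidden=False)

    def _block(self, app: App, explicitly_forbidden: bool) -> str:
        if self.log_only:
            return "logged"
        # Assumption: automatic removal applies to explicitly forbidden,
        # non-system apps; system apps are only hidden.
        if (self.remove_forbidden_automatically and explicitly_forbidden
                and not app.is_system):
            return "removed"
        return "hidden"
```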


App Control on iOS MDM devices


These settings apply to supervised devices.

Kaspersky Security Center lets you manage apps on iOS MDM devices to keep these devices secure. You can create a list of apps allowed to be installed on devices and a list of apps prohibited from being displayed and launched on devices.

To configure the list of apps allowed or prohibited to be installed on devices:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Security controls section.
  4. On the App Control card, click Settings.

    The App Control window opens.

  5. Enable the settings using the App Control toggle switch.
  6. In the Operating mode field, select one of the following options:
    • Use all apps except forbidden ones

      All apps will be displayed and available to run on the device except the ones from the list.

    • Use only allowed apps

      This option is selected by default. If you select this option, the user will be able to open only the following apps on the device:

      • Apps in the list
      • System apps

      All other apps will be hidden.

  7. Click Add to add apps to the list.
  8. In the window that opens, specify the app's bundle ID in the corresponding field. Specify the com.apple.webapp value to allow or restrict all Web Clips.

    How to get the bundle ID of an app

    To get the bundle ID of a built-in iPhone or iPad app, follow the instructions in the Apple documentation.

    To get the bundle ID of any iPhone or iPad app:

    1. Open the App Store.
    2. Find the required app and open its page.

      The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

    3. Copy this identifier (without the letters "id").
    4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

      This downloads a text file.

    5. Open the downloaded file and find the "bundleId" fragment in it.

    The text that directly follows this fragment is the bundle ID of the required app.

    To get the bundle ID of an app that has been added to Kaspersky Security Center:

    1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
    2. Click iOS apps.

      In the list of apps that opens, app identifiers are displayed in the Bundle ID column.

    If necessary, you can specify several bundle IDs by clicking the Add bundle ID button.

  9. Click Save.
  10. Click OK.
  11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, the specified settings for apps are configured on devices.
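The bundle ID lookup steps above, automated for one or more store URLs (added example, not Kaspersky or Apple code). The downloaded file is read as JSON using its trackId and bundleId keys; the sample response, including its bundle ID value, is constructed so the parsing runs offline.

```python
import json
import re
import sys
from typing import Callable, Dict, List, Optional
from urllib.request import urlopen

# App Store URLs end with "id" followed by the numeric app identifier,
# possibly followed by a path separator, query string or fragment.
_APP_ID_RE = re.compile(r"/id(\d+)(?=[/?#]|$)")


def app_id_from_url(url: str) -> str:
    """Extract the numeric identifier (without the letters "id") from a store URL."""
    match = _APP_ID_RE.search(url)
    if not match:
        raise ValueError(f"no App Store app identifier found in {url!r}")
    return match.group(1)


def lookup_url(app_id: str) -> str:
    """URL of the lookup request from the steps above."""
    if not app_id.isdigit():
        raise ValueError("app identifier must be numeric")
    return f"https://itunes.apple.com/lookup?id={app_id}"


def bundle_id_from_lookup(body: str, app_id: str) -> str:
    """Read the "bundleId" value for the requested app out of the downloaded file.

    Only the result whose trackId equals the requested identifier is used, so
    an unexpected extra result cannot be mistaken for the app.
    """
    data = json.loads(body)
    for item in data.get("results", []):
        if str(item.get("trackId")) == app_id and item.get("bundleId"):
            return item["bundleId"]
    raise LookupError(f"no bundleId for app {app_id} in lookup response")


def bundle_ids_for_urls(urls: List[str],
                        fetch: Optional[Callable[[str], str]] = None
                        ) -> Dict[str, str]:
    """Resolve several store URLs to bundle IDs (one per Add bundle ID click).

    `fetch` maps a lookup URL to the response text; it defaults to an HTTPS
    request and can be replaced with a stub for offline use.
    """
    if fetch is None:
        def fetch(u: str) -> str:
            return urlopen(u, timeout=15).read().decode("utf-8")
    result: Dict[str, str] = {}
    for url in urls:
        app_id = app_id_from_url(url)
        result[url] = bundle_id_from_lookup(fetch(lookup_url(app_id)), app_id)
    return result


# Constructed sample of a lookup response, trimmed to the keys used here;
# the bundle ID value is a sample, not taken from the page.
SAMPLE_LOOKUP_RESPONSE = json.dumps({
    "resultCount": 1,
    "results": [{"trackId": 535886823, "trackName": "Google Chrome",
                 "bundleId": "com.google.chrome.ios"}],
})

if __name__ == "__main__":
    # Usage: python bundle_id.py https://apps.apple.com/us/app/google-chrome/id535886823
    for store_url, bundle_id in bundle_ids_for_urls(sys.argv[1:]).items():
        print(f"{store_url} -> {bundle_id}")
```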


Mobile device protection levels

Mobile device protection levels defined by Kaspersky Security Center

Web Console lets you quickly assess the current protection level of managed mobile devices in the Assets (Devices) → Mobile → Devices section.

A device can have one of the following protection levels: OK, Warning, or Critical.

The protection levels are assigned and sent to Kaspersky Security Center, in accordance with the following requirements:

  • One reason for assigning a protection level is detected on the device — the device gets the status displayed in the list of managed devices.
  • Multiple reasons for assigning protection levels are detected on the device — Kaspersky Mobile Devices Protection and Management assigns the most critical status.
  • No reasons for assigning a protection level are detected on the device — Kaspersky Mobile Devices Protection and Management does not send a status to Kaspersky Security Center, and the status is set as OK.

Protection levels and their meanings:

  • OK: An administrator's intervention is not required.
  • Warning: Events have been logged that are related to potential or actual threats to the security of managed devices.
  • Critical: Serious problems have been encountered. An administrator's intervention is required to solve them.

The administrator's goal is to ensure that all devices have the OK protection level.

Mobile device protection levels defined by Kaspersky Mobile Devices Protection and Management

Kaspersky Mobile Devices Protection and Management defines the protection level of mobile devices based on policy settings and then sends the protection levels to Kaspersky Security Center during synchronization. The administrator can change the protection level in the policy, depending on the severity level of the condition (see the Default values, reasons, and conditions for assigning a protection level on Android devices table). In this case, the value set by the administrator overrides the default value defined by Kaspersky Mobile Devices Protection and Management.

Default values, reasons, and conditions for assigning a protection level on Android devices (condition, reason for protection level, default value):

  • Real-time protection is not running

    Reason for protection level: One of the following reasons:

    Default value: Critical

  • Web Protection and Web Control are not running

    Reason for protection level: One of the following reasons:

    Default value: Warning

  • App Control is not running

    Reason for protection level: The Accessibility permission has not been granted.

    Default value: Warning

  • Device lock is not available

    Reason for protection level: One of the following reasons:

    Default value: Warning

  • Device location is not available

    Reason for protection level: One of the following reasons:

    • The Location permission has not been granted.
    • The device location cannot be determined (when permission is granted).

    Default value: Warning

  • Versions of the Kaspersky Security Network Statement do not match

    Reason for protection level: The version of the Kaspersky Security Network Statement that the user accepted in the policy and the version of the Kaspersky Security Network Statement on the device do not match.

    Default value: Warning

  • Versions of the Marketing Statement do not match

    Reason for protection level: The version of the Statement regarding data processing for marketing purposes that the user accepted in the policy and the version of the Statement regarding data processing for marketing purposes on the device do not match.

    Default value: OK
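The status aggregation rules above, carried through in code with the conditions and default values from the table (added example, not Kaspersky code). The administrator's per-condition overrides are modeled as a plain mapping, which is an assumption about how the policy stores them.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Order used to pick "the most critical status" when several reasons apply.
SEVERITY = {"OK": 0, "Warning": 1, "Critical": 2}

# Default values from the table above (condition -> default protection level).
DEFAULT_LEVELS: Dict[str, str] = {
    "Real-time protection is not running": "Critical",
    "Web Protection and Web Control are not running": "Warning",
    "App Control is not running": "Warning",
    "Device lock is not available": "Warning",
    "Device location is not available": "Warning",
    "Versions of the Kaspersky Security Network Statement do not match": "Warning",
    "Versions of the Marketing Statement do not match": "OK",
}


def effective_levels(overrides: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Apply the administrator's per-condition overrides from the policy.

    An override replaces the default for that condition; unknown conditions
    or levels are rejected rather than silently ignored.
    """
    levels = dict(DEFAULT_LEVELS)
    for condition, level in (overrides or {}).items():
        if condition not in DEFAULT_LEVELS:
            raise KeyError(f"unknown condition: {condition}")
        if level not in SEVERITY:
            raise ValueError(f"unknown protection level: {level}")
        levels[condition] = level
    return levels


def protection_level(detected: Iterable[str],
                     overrides: Optional[Dict[str, str]] = None
                     ) -> Tuple[Optional[str], List[str]]:
    """Return (level sent to Kaspersky Security Center, contributing reasons).

    - no detected reasons: nothing is sent (None); the console shows OK
    - one reason: its (possibly overridden) level
    - several reasons: the most critical level, with every reason at that level
    """
    levels = effective_levels(overrides)
    worst: Optional[str] = None
    reasons: List[str] = []
    for condition in detected:
        level = levels[condition]  # KeyError for a condition not in the table
        if worst is None or SEVERITY[level] > SEVERITY[worst]:
            worst, reasons = level, [condition]
        elif level == worst:
            reasons.append(condition)
    return worst, reasons


def console_status(detected: Iterable[str],
                   overrides: Optional[Dict[str, str]] = None) -> str:
    """Status shown in the list of managed devices: OK when no status was sent."""
    level, _ = protection_level(detected, overrides)
    return level or "OK"
```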


Software inventory on Android devices

You can take an inventory of apps on Android devices connected to the Administration Server. Kaspersky Endpoint Security for Android receives information about all apps installed on mobile devices. Information obtained while taking inventory is displayed in the device properties in the Events section. In this section, you can view detailed information on each installed app.

To enable software inventory:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Security controls section.
  4. On the App Control card, click Settings.

    The App Control window opens.

  5. In the Report on installed apps section, select the Send data on installed apps check box.
  6. If you want to receive data about system apps, select the Send data on built-in apps check box.
  7. If you want to receive data about service apps, which do not have an interface and cannot be opened by the user, select the Send data on service apps check box.
  8. Click OK.
  9. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. Kaspersky Endpoint Security for Android sends data to the event log each time an app is installed or removed from the device.


Configuring anti-malware protection on Android devices


For timely detection of threats, viruses, and other malicious applications, you can configure the settings for real-time protection and automatic malware scans.

Kaspersky Endpoint Security for Android detects the following types of objects:

  • Viruses, worms, Trojans, and malicious tools
  • Adware
  • Legitimate apps that intruders can use to compromise users' devices or data

Anti-Malware has several limitations:

  • Due to technical limitations, Kaspersky Endpoint Security for Android cannot scan files with a size of 2 GB or more. During a scan, the app skips such files without notifying you that they were skipped.
  • On devices running Android 11 or later, Kaspersky Endpoint Security for Android can't scan the "Android/data" and "Android/obb" folders and detect malware in them due to technical limitations.

Configuring real-time protection

To configure real-time protection settings for mobile devices:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Protection section.
  4. On the Real-time protection card, click Settings.

    The Real-time protection window opens.

  5. Enable the settings using the Real-time protection toggle switch.

    If the toggle switch is turned on, device protection is enabled, but can be manually disabled by the user.

    If the toggle switch is turned off, device protection is disabled and the user can't enable it.

  6. In the App scan drop-down list, select the app scan mode:
    • Do not scan apps
    • Scan only new apps
    • Scan all apps and monitor actions with files
  7. In the Action on threat detection drop-down list, select one of the following options:
    • Delete

      Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.

    • Skip

      If detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file is deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.

    • Delete and save a backup copy of file in quarantine
  8. To enable additional scanning of new apps before they are started for the first time on the user's device with the help of the Kaspersky Security Network cloud service, select the Additional protection by Kaspersky Security Network check box.
  9. To block adware and apps that can be exploited by criminals to harm the device or user data, select the Detect adware, autodialers, and legitimate apps that intruders can use to compromise the user's device and data check box.
  10. Click OK.
  11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Configuring automatic malware scans

To configure autorun of malware scans on the mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Protection section.
  4. On the Scan card, click Settings.

    The Scan window opens.

  5. Enable the settings using the Scan toggle switch.
  6. In the Action on threat detection list, select one of the following options:
    • Delete

      Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.

    • Skip

      If detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file is deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.

    • Delete and save a backup copy of file in quarantine
    • Ask user

      Kaspersky Endpoint Security for Android displays a notification prompting the user to choose the action to take on the detected object: Skip or Delete.

      Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure the display of notifications on mobile devices running Android 10 or later. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. In this case, Kaspersky Endpoint Security for Android displays an Android system window prompting the user to choose the action to take on the detected object: Skip or Delete. To apply an action to multiple objects, you need to open Kaspersky Endpoint Security.

    If during a scan Kaspersky Endpoint Security for Android detects malicious apps on users' devices, the actions differ depending on the device management mode.

    On corporate devices, installed malicious apps detected by Kaspersky Endpoint Security for Android are deleted from the device automatically if the Delete option is selected. If Kaspersky Endpoint Security for Android detects malicious system apps, they are prohibited from being displayed and launched on users' devices.

    In a corporate container, installed malicious apps detected by Kaspersky Endpoint Security for Android are not deleted but prohibited from being displayed and launched on users' devices without notifying device users.

    If the Ask user option is selected, Kaspersky Endpoint Security for Android prompts users to select an action for each detected app, both on corporate devices and devices with a corporate container.

    Installed malicious apps cannot be quarantined. Accordingly, if the Delete and save a backup copy of file in quarantine option is selected, a detected malicious app is deleted.

    On personal devices, detected malicious apps cannot be deleted automatically. In this case, Kaspersky Endpoint Security for Android prompts the user to delete or skip the detected app.

  7. In the Scheduled scan field, you can configure the settings for automatically launching a full scan of the device file system.
  8. If you selected a weekly or daily scan, specify the day of the week (for weekly scans) and start time in the Day and Time fields.

    If the device is in battery saver mode, the app may perform this task later than specified.

  9. Click OK.
  10. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. Kaspersky Endpoint Security for Android scans all files, including the contents of archives.

To keep mobile device protection up to date, configure the anti-malware database update settings.

By default, anti-malware database updates are disabled when the device is roaming. Scheduled updates of anti-malware databases are not performed.

Configuring database updates

To configure settings for anti-malware database updates:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Protection section.
  4. On the Database update card, click Settings.

    The Database update window opens.

  5. Enable the settings using the Database update toggle switch.
  6. In the Scheduled database update field, you can configure the settings for automatic anti-malware database updates on the user's device.
  7. If you selected a weekly or daily database update, specify the day of the week (for weekly database updates) and start time in the Day and Time fields.

    If the device is in battery saver mode, the app may perform this task later than specified.

  8. In the Database update source section, specify the update source from which Kaspersky Endpoint Security for Android receives and installs anti-malware database updates:
    • Kaspersky servers

      Using a Kaspersky update server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices. To update databases using Kaspersky servers, Kaspersky Endpoint Security for Android transmits data to Kaspersky (for example, the update task run ID). The list of data that is transmitted during database updates is provided in the End User License Agreement.

    • Administration Server

      Using the repository of Kaspersky Security Center Administration Server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices.

    • Other source

      Using a third-party server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices. To start an update, you must enter the address of an HTTP server in the field below (for example, http://domain.com/).

  9. If you want Kaspersky Endpoint Security for Android to download database updates according to the update schedule when the device is roaming, select the Allow database update while roaming check box in the Database update while roaming section.

    Even if the check box is cleared, the user can manually start an anti-malware database update when the device is roaming.

  10. Click OK.
  11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.


Protecting Android devices on the internet

You can use Web Protection to protect personal data of mobile device users on the internet. Web Protection blocks malicious websites that distribute malicious code, and phishing websites designed to steal your confidential data and gain access to your financial accounts. Web Protection scans websites before you open them using the Kaspersky Security Network cloud service. Web Protection is enabled by default.

In Yandex Browser and Samsung Internet, malicious and phishing websites may remain unblocked. This is because only the website domain is scanned, and if it is trusted, Web Protection can skip a threat.

Web Protection on Android devices is supported only in Google Chrome, HUAWEI Browser, Samsung Internet, and Yandex Browser.

On corporate devices, if Kaspersky Endpoint Security for Android is not enabled as an Accessibility feature, Web Protection is supported only in Google Chrome and checks only the domain of a website. To allow other browsers (Samsung Internet, Yandex Browser, and HUAWEI Browser) to support Web Protection, enable Kaspersky Endpoint Security as an Accessibility feature.

To enable Web Protection:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Protection section.
  4. On the Web Protection card, enable the settings using the Web Protection toggle switch.
  5. Click Enable.

    If you disable Web Protection, Web Control will also be disabled.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.


Protection of data on a stolen or lost device

This section describes how you can configure the unauthorized access protection settings on the device in case it gets lost or stolen.

In this section

Sending commands to a lost or stolen mobile device

Unlocking a mobile device


Sending commands to a lost or stolen mobile device

To protect data on a mobile device that is lost or stolen, you can send special commands.

You can send commands to the following types of managed mobile devices:

  • Android devices managed via the Kaspersky Endpoint Security for Android app
  • iOS MDM devices

Each device type supports a specific set of commands (see the tables below).

Commands for Android devices

Commands for protecting data on a lost or stolen Android device (command and its result):

  • Lock device

    The mobile device is locked. To obtain access to data, you must unlock the device using the Unlock device command or a one-time passcode.

  • Unlock device

    The mobile device is unlocked.

    After unlocking a device running Android 5 – 6, the screen unlock password is reset to "1234". After unlocking a device running Android 7 or later, the screen unlock password is not changed.

  • Reset to factory settings

    All data is deleted from the mobile device and the settings are rolled back to their factory values. After this command is executed, the device will not be able to receive or execute subsequent commands.

    This command is unavailable for personal devices and devices with a corporate container running Android 14 or later.

  • Wipe corporate data

    Corporate data is wiped from the device. The list of wiped data depends on the mode the device is operating in:

    • On a personal device, the Knox container and mail certificate are wiped.
    • On a corporate device, the Knox container and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
    • Additionally, if a corporate container was created, the corporate container (its contents, configurations, and restrictions) and the certificates installed in the corporate container (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.

  • Locate device

    The mobile device's location coordinates are obtained.

    To view the device location on a map, go to the Assets (Devices) → Mobile → Devices section. Then choose a device and select Command history → Locate device → Device coordinates → Open Maps.

    On devices running Android 12 or later, if the user granted the "Use approximate location" permission, the Kaspersky Endpoint Security for Android app first tries to get the precise device location. If this is not successful, the approximate device location is returned only if it was received within the past 30 minutes. Otherwise, the command fails.

    This command does not work on Android devices if Google Location Accuracy is disabled in the settings. Please be aware that not all Android devices come with this location setting.

  • Take photos

    The mobile device is locked. Photos are taken using the front camera of the device when somebody attempts to unlock the device. On devices with a pop-up front camera, the photo will be black if the camera is stowed.

    When attempting to unlock the device, the user automatically consents to having their photo taken on the device.

    If the permission to use the camera has been revoked, the mobile device displays a notification and prompts to provide the permission. On a mobile device running Android 12 or later, if the permission to use the camera has been revoked via Quick Settings, the notification is not displayed but the taken photo is black.

  • Sound alarm

    The mobile device sounds an alarm. The alarm is sounded for 5 minutes (or for 1 minute if the device battery is low).

  • Wipe app data

    The data of a specified app is wiped from the mobile device.

    For this action, you need to specify the package name for the app whose data is to be deleted.

    As a result, the app is rolled back to its default state.

    The data of system and administrative apps is not wiped.

  • Wipe data of all apps

    The data of all apps is wiped from the mobile device.

    On a corporate device, the data of all apps on the device is wiped.

    On a device with a corporate container, the data of all apps in the corporate container is wiped.

    As a result, apps are rolled back to their default state.

    The data of system and administrative apps is not wiped.

  • Get location history

    The mobile device's location history for the last 14 days is displayed.

    To view the device location on a map, go to the Assets (Devices) → Mobile → Devices section. Then choose a device and select Command history → Get location history → View on map.

    Due to technical limitations on Android devices, the device location may be retrieved less often than specified in the Location tracking settings.

Commands for iOS MDM devices

Commands for protecting data on a lost or stolen iOS MDM device (command and its result):

  • Lock device

    The mobile device is locked. To access data, you must unlock the device.

  • Reset unlock password

    The mobile device's screen unlock password is reset, and the user is prompted to set a new password in accordance with policy requirements.

  • Reset to factory settings

    All data is deleted from the mobile device and the settings are rolled back to their factory values. After this command is executed, the device will not be able to receive or execute subsequent commands.

  • Wipe corporate data

    All installed configuration profiles, provisioning profiles, the iOS MDM profile, and apps for which the Remove when device management profile is deleted check box has been selected are removed from the device.

  • Enable Lost Mode (supervised only)

    Lost Mode is enabled on the supervised mobile device, and the device is locked. The device screen shows a message and phone number that you can edit.

    If you send the Enable Lost Mode command to a supervised iOS MDM device without a SIM card and this device is restarted, the device won't be able to connect to Wi-Fi and receive the Disable Lost Mode command. This is a specific feature of iOS devices. To avoid this issue, you can either send the command only to devices with a SIM card, or insert a SIM card into the locked device to allow it to receive the Disable Lost Mode command over the mobile network.

  • Locate device (Lost Mode only)

    The location of the mobile device is obtained.

    To view the device location on a map, go to the Assets (Devices) → Mobile → Devices section. Then choose a device and select Command history → Locate device → Device coordinates → Open Maps.

  • Sound alarm (Lost Mode only)

    A sound is played on the lost mobile device.

  • Disable Lost Mode (supervised only)

    Lost Mode is disabled on the mobile device, and the device is unlocked.

Permissions for executing commands

Special rights and permissions are required for executing Kaspersky Endpoint Security for Android commands. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required rights and permissions. The user can skip these steps or later disable these permissions in the device settings. If this is the case, it will be impossible to execute commands.

On devices running Android 10 or later, the user must grant the "All the time" permission to access the location. On devices running Android 11 or later, the user must also grant the "While using the app" permission to access the camera. Otherwise, Anti-Theft commands will not function. The user will be notified of this limitation and will again be prompted to grant the required level of permissions. If the user selects the "Only this time" option for the camera permission, access is considered granted by the app. We recommend contacting the user directly if the Camera permission is requested again.

For the complete list of available commands, please refer to the Commands for mobile devices section. To learn more about sending commands from Administration Console, please refer to the Sending commands section.


Unlocking a mobile device

You can unlock a mobile device using the following methods:

On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts. If the app is not added to the list, you can unlock the device only by using a one-time passcode. You cannot use commands to unlock the device.

To learn more about sending commands from the list of mobile devices in Web Console, please refer to the Sending commands section.

A one-time device passcode is a secret code for unlocking the mobile device. The passcode is generated by Kaspersky Security Center and is unique for each mobile device. You can change the length of the one-time passcode (4, 8, 12, or 16 digits) in the Anti-Theft settings of the policy.

To unlock a mobile device using a one-time passcode:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. Click the mobile device for which you want to get a one-time passcode.
  3. Select Applications → Kaspersky Mobile Devices Protection and Management.

    The Kaspersky Mobile Devices Protection and Management properties window opens.

  4. Select the Application settings tab.

    The unique passcode for the selected device is shown in the One-time code field of the One-time device passcode section.

  5. Use any available method (such as email) to communicate the one-time passcode to the user of the locked device.

    The user then must enter the received one-time passcode on the screen of the device that is locked by Kaspersky Endpoint Security for Android.

The user's mobile device is unlocked.

After unlocking a device running Android 5 – 6, the screen unlock password is reset to "1234". After unlocking a device running Android 7 or later, the screen unlock password is not changed.

To change the length of the one-time device passcode:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Protection section.
  4. On the Anti-Theft card, click Settings.

    The Anti-Theft window opens.

  5. Select the length of the one-time device passcode in the corresponding drop-down list. By default, the passcode is 4 digits long.
  6. If you want to contact the person who finds the mobile device, in the Text displayed on locked device field, enter the text of the message that will be shown on the lock screen.
  7. Click OK.
  8. Click Save to save the changes you have made.

The length of the one-time passcode is set to the selected value.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

[Topic 274765]

Configuring the device unlock password strength

To protect access to a user's mobile device, you should set a device unlock password.

This section contains information about how to configure password protection on Android and iOS devices.

In this section

Configuring a strong unlock password for an Android device

Configuring a strong unlock password for an iOS MDM device

[Topic 274768]

Configuring a strong unlock password for an Android device


To keep an Android device secure, you need to configure the use of a password that the user is prompted to enter when unlocking the device.

You can impose restrictions on the user's activity on the device if the unlock password is weak (for example, by locking the device). You can impose restrictions using the Compliance Control component. To do this, in the scan rule settings, you must select the Unlock password doesn't comply with security requirements criterion.

On certain Samsung devices running Android 7 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: removal protection is enabled for Kaspersky Endpoint Security for Android and strength requirements are set for the screen unlock password. To unlock the device, you must send a special command to the device.

Configuring unlock password settings

To configure the use of an unlock password:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Security controls section.
  4. On the Screen unlock settings card, click Settings.

    The Screen unlock settings window opens.

  5. Enable the settings using the Screen unlock settings toggle switch, if you want the app to check whether an unlock password has been set.

    The toggle switch in this card does not enable or disable the corresponding functionality on devices. Enabling the toggle switch lets you configure custom settings. Disabling the toggle switch lets you use default settings.

    If the app detects that no system password has been set on the device, it prompts the user to set one. The password is set according to the parameters defined by the administrator.

  6. Specify the following options, if required:
    • Minimum password length

      The minimum number of characters in the user password. Possible values: 4 to 16 characters.

      The user's password is 4 characters long by default.

      The following applies only to the user's personal space and the corporate container:

      • In the user's personal space, Kaspersky Endpoint Security converts the password strength requirements into one of the values available in the system: medium or high on devices running Android 10 or later.
      • In the corporate container, Kaspersky Endpoint Security converts the password strength requirements into one of the values available in the system: medium or high on devices running Android 12 or later.

      The values are determined using the following rules:

      • If the required password length is 1 to 4 characters, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered sequences (e.g. 1234), or alphabetic/alphanumeric. The PIN or password must be at least 4 characters long.
      • If the required password length is 5 or more characters, then the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphabetic/alphanumeric (password). A PIN must be at least 8 digits long. A password must be at least 6 characters long.
    • Minimum password complexity requirements

      Specifies the minimum unlock password requirements. These requirements apply only to new user passwords. The following values are available:

      • Numeric

        The user can set a password that includes numbers or set any stronger password (for instance, an alphabetic or alphanumeric password).

        This option is selected by default.

      • Alphabetic

        The user can set a password that includes letters (or other non-number symbols) or set any stronger password (for instance, an alphanumeric password).

      • Alphanumeric

        The user can set a password that includes both numbers and letters (or other non-number symbols) or set any stronger complex password.

      • No requirements

        The user can set any password.

      • Complex

        The user must set a complex password according to the specified password properties:

        • Minimum number of letters
        • Minimum number of digits
        • Minimum number of special characters
        • Minimum number of lowercase letters
        • Minimum number of uppercase letters
        • Minimum number of non-alphabetic characters
      • Complex numeric

        The user can set a password that includes numbers with no repetitions (e.g. 4444) and no ordered sequences (e.g. 1234, 4321, 2468) or set any stronger complex password.

    • Maximum password lifetime (days)

      Specifies the number of days before the password expires. Applying a new value will set the current password lifetime to the new value.

      The default value is 0. This means that the password won't expire.

    • Number of days to send a notification before a required password change

      Specifies the number of days to notify the user before the password expires.

      The default value is 0. This means that the user won't be notified about an expiring password.

    • Number of recent passwords that cannot be set as a new password

      Specifies the maximum number of previous user passwords that can't be used as a new password. This setting applies only when the user sets a new password on the device.

      The default value is 0. This means that the new user password can match any previous password except the current one.

    • Period of inactivity before the screen locks (sec)

      Specifies the period of inactivity before the device locks.

      The default value is 0. This means that the device won't lock after a certain period.

    • Period after biometric unlock before password must be entered (min)

      Specifies the period for unlocking the device without a password. During this period, the user can use biometric methods to unlock the screen. After this period, the user can unlock the screen only with a password.

      The default value is 0. This means that the user won't be forced to unlock the device with a password after a certain period.

    • Allow biometric unlock methods

      If the check box is selected, the use of biometric unlock methods on the mobile device is allowed.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of biometric methods to unlock the screen. The user can unlock the screen only with a password.

      This check box is selected by default.

    • Allow fingerprint unlock

      Specifies whether fingerprints can be used to unlock the screen.

      This check box does not restrict the use of a fingerprint scanner when signing in to apps or confirming purchases.

      If the check box is selected, the use of fingerprints on the mobile device is allowed.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of fingerprints to unlock the screen. The user can unlock the screen only with a password. In the device settings, the option to use fingerprints will be unavailable.

      This check box is available only if the Allow biometric unlock methods check box is selected.

      This check box is selected by default.

      On some Xiaomi devices with a corporate container, the corporate container may be unlocked by a fingerprint only if you set the Period of inactivity before corporate container is locked (sec) value after setting a fingerprint as the screen unlock method.

    • Allow face unlock

      If the check box is selected, the use of face scanning is allowed on the mobile device.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of face scanning to unlock the screen.

      This check box is available only if the Allow biometric unlock methods check box is selected.

      This check box is selected by default.

    • Allow iris scanning

      If the check box is selected, the use of iris scanning is allowed on the mobile device.

      If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of iris scanning to unlock the screen.

      This check box is available only if the Allow biometric unlock methods check box is selected.

      This check box is selected by default.

    • Reset to factory settings after failed attempts to enter password

      Allows limiting the number of attempts to enter the screen unlock password.

      If the check box is selected, the app wipes all device data if the user fails to enter the correct password after the specified number of attempts.

      If the check box is cleared, the number of attempts is not limited.

      The check box is cleared by default.

    • Maximum number of failed password attempts

      Specifies the number of password entry attempts that the user can make to unlock the device. The default value is 8. The maximum available value is 20.

      The field is available if the Reset to factory settings after failed attempts to enter password check box is selected.

    • Set new password

      This option lets you set the password on the user corporate device.

      Click this button to open the New screen unlock password window and enter a new password.

      The complexity of the entered password must comply with requirements configured earlier in the Screen unlock settings card of the policy.

      Once you save the policy, this option applies to the device by sending a command with the specified password. The input is cleared and the specified password is not saved in Administration Console.

      • If the device is not protected with the password or is running Android 10 or earlier, Kaspersky Endpoint Security for Android sets the password immediately.
      • If the device is protected with the password or is running Android 11 or later, Kaspersky Endpoint Security for Android prompts the user to apply the new password.

      If you leave this option empty, no changes are applied to the device.

  7. Click OK.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Setting a new unlock password

To set a new password on a user's corporate device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Restrictions section.
  4. On the New screen unlock password card, click Settings.

    The New screen unlock password window opens.

  5. Enable the settings using the New screen unlock password toggle switch.
  6. Enter a new password that will be used to unlock the user's mobile device. This password must comply with current screen unlock password settings.
  7. If you want to edit the current unlock password settings, click the Configure screen unlock settings button.

    In the Screen unlock settings window that opens, configure screen unlock password settings, if required.

  8. Click OK.

    If the device is not protected with a password or is running Android 10 or earlier, Kaspersky Endpoint Security for Android sets the password immediately. If the device is protected with the password or is running Android 11 or later, Kaspersky Endpoint Security for Android prompts the user to apply the new password.

  9. Click Save to save the changes you have made.

The new password is set on the user's mobile device. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Setting a PIN code on HUAWEI devices

Some HUAWEI devices display a message saying that the screen unlock method is too simple.

To set an acceptable PIN code on a HUAWEI device, the user must do the following:

  1. In the message about the issue, tap the Edit button.
  2. Enter the current PIN code.
  3. In the Set new password window, tap the Change unlock method button.
  4. Select the Custom PIN unlock method.
  5. Set the new PIN code.

    The PIN code must be compliant with policy requirements.

An acceptable PIN code is set on the device.

[Topic 274769]

Configuring a strong unlock password for an iOS MDM device

These settings apply to supervised devices and devices operating in basic control mode.

To protect iOS MDM device data, configure the unlock password strength settings.

By default, the user can use a simple password. A simple password is a password that contains sequential or repeated characters such as "abcd" or "2222". The user is not required to enter an alphanumeric password that includes special symbols. By default, the password validity period and the number of password entry attempts are not limited.

To configure the unlock password strength settings for an iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Security controls section.
  4. On the Screen unlock settings card, click Settings.

    The Screen unlock settings window opens.

  5. Enable the settings using the Screen unlock settings toggle switch.

    The toggle switch in this card does not enable or disable the corresponding functionality on devices. Enabling the toggle switch lets you configure custom settings. Disabling the toggle switch lets you use default settings.

  6. Configure the unlock password strength settings:
    • To allow the user to use a simple password, select the Allow simple password check box. Even if this check box is cleared, the user can set a password with fewer than 6 characters.

      If only the Allow simple password check box is selected, no password will be requested. To prompt the user to set a password, select both the Allow simple password check box and the Force use of password check box.

    • To require use of both letters and numbers in the password, select the Prompt for alphanumeric value check box.
    • To require use of a password, select the Force use of password check box. If the check box is cleared, the mobile device can be used without a password.

      If the Prompt for alphanumeric value, Minimum password length, or Minimum number of special characters options are enabled, a password is requested even if the Force use of password check box is cleared.

    • In the Minimum password length list, select the minimum password length in characters.
    • In the Minimum number of special characters list, select the minimum number of special characters in the password (such as "$", "&", "!").

      On some iOS MDM devices, if the Minimum number of special characters value is specified and the Allow simple password check box is selected, the device displays information about setting a password of 6 or more characters even though it is possible to set a password of 4 or more characters.

    • In the Maximum password lifetime (days) field, specify the period of time in days during which the password will stay current. When this period expires, the iOS MDM Server prompts the user to change the password.
    • In the Auto-Lock list, select the amount of time after which Auto-Lock should be enabled on the iOS MDM device. If the mobile device remains idle for this time period, it switches to sleep mode.

      On different iOS MDM devices, the actual time of the device's automatic locking may differ from the value that you have specified:

      On iPhone devices: if you set Auto-Lock to 10 or 15 minutes, the device will be locked after 5 minutes.

      On iPad devices: if you set Auto-Lock to 1 – 4 minutes, the device will be locked after 2 minutes.

      For other values the actual time of the device's automatic locking matches the specified time.

    • In the Reuse of previous passwords field, specify the number of used passwords (including the current password) that the iOS MDM Server will compare with the new password when the user changes the current password. If the passwords match, the new password is rejected.
    • In the Maximum time for unlock without password list, select the amount of time during which the user can unlock the iOS MDM device without entering the password.
    • In the Maximum number of failed password attempts list, select the number of attempts that the user can make to enter the unlock password on the iOS MDM device.
  7. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, the iOS MDM Server checks the strength of the password set on the user's mobile device. If the strength of the device unlock password does not comply with the policy, the user is prompted to change the password.
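The Android strength tiers (medium for a required length of 1 to 4 characters, high for 5 or more; PIN and password minimums as listed in the Android section) and the iOS rules above (what counts as a simple password, and which settings cause a passcode to be demanded even when Force use of password is cleared) as one worked Python example. This is an added illustration, not code from Kaspersky Secure Mobility Management or the documentation: the function names, the IosPasscodePolicy fields and the threshold of four characters for a repeated or ordered run are assumptions chosen for this example (the page only gives the examples 4444, 1234, 4321, 2468, abcd and 2222; the threshold follows the Android platform's own numeric-complex rule as generally understood). It goes beyond the page in treating any constant code-point step, not only steps of 1 and 2, as an ordered sequence.

```python
"""Screen-unlock password policy checks modelled on the Android and iOS
settings documented above. Added example, not Kaspersky code; all names
and the MAX_RUN threshold are assumptions made for this illustration."""
from dataclasses import dataclass

# Longest tolerated run of characters with a constant step; a run of 4 or more
# (4444, 1234, 4321, 2468, abcd) counts as repeated or ordered. Assumption.
MAX_RUN = 3


def longest_constant_step_run(s: str) -> int:
    """Length of the longest substring whose consecutive characters differ by a
    constant code-point step. Step 0 covers repeats ("4444"), step +/-1 covers
    "1234", "4321" and "abcd", step 2 covers "2468"."""
    if len(s) < 2:
        return len(s)
    best = run = 1
    prev_step = None
    for a, b in zip(s, s[1:]):
        step = ord(b) - ord(a)
        run = run + 1 if step == prev_step else 2
        prev_step = step
        best = max(best, run)
    return best


def has_ordered_or_repeated_run(s: str) -> bool:
    """Android 'Complex numeric' rule: no repetitions and no ordered sequences."""
    return longest_constant_step_run(s) > MAX_RUN


def is_simple_passcode(s: str) -> bool:
    """iOS 'simple password': contains sequential or repeated characters."""
    return has_ordered_or_repeated_run(s)


def android_required_strength(min_length: int) -> str:
    """Documented mapping of the policy's minimum length to a system strength."""
    return "medium" if min_length <= 4 else "high"


def meets_android_strength(pw: str, strength: str) -> bool:
    """medium: PIN of >= 4 digits without runs, or any non-numeric password of
    >= 4 characters. high: PIN of >= 8 digits without runs, or any non-numeric
    password of >= 6 characters."""
    if pw.isdigit():
        if has_ordered_or_repeated_run(pw):
            return False
        return len(pw) >= (4 if strength == "medium" else 8)
    return len(pw) >= (4 if strength == "medium" else 6)


@dataclass
class IosPasscodePolicy:
    """Subset of the iOS Screen unlock settings; field names are assumptions."""
    allow_simple: bool = True           # Allow simple password
    force_passcode: bool = False        # Force use of password
    require_alphanumeric: bool = False  # Prompt for alphanumeric value
    min_length: int = 0                 # Minimum password length (0 = not set)
    min_special_chars: int = 0          # Minimum number of special characters


def ios_passcode_required(p: IosPasscodePolicy) -> bool:
    """Documented behaviour: a passcode is demanded when Force use of password
    is set or when any alphanumeric, length or special-character requirement is
    set; Allow simple password alone demands nothing."""
    return (p.force_passcode or p.require_alphanumeric
            or p.min_length > 0 or p.min_special_chars > 0)


def ios_check(pw: str, p: IosPasscodePolicy) -> list[str]:
    """Return the policy violations for a candidate passcode (empty = accepted)."""
    if not pw:
        return ["passcode required"] if ios_passcode_required(p) else []
    problems = []
    if not p.allow_simple and is_simple_passcode(pw):
        problems.append("simple passcode (sequential or repeated characters)")
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    if p.require_alphanumeric and not (has_letter and has_digit):
        problems.append("must contain both letters and digits")
    if len(pw) < p.min_length:
        problems.append(f"shorter than {p.min_length} characters")
    special = sum(1 for c in pw if not c.isalnum())
    if special < p.min_special_chars:
        problems.append(f"fewer than {p.min_special_chars} special characters")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not values from the documentation.
    policy = IosPasscodePolicy(allow_simple=False, require_alphanumeric=True,
                               min_length=6, min_special_chars=1)
    for candidate in ("2222", "abc1", "abc1!x"):
        print(candidate, ios_check(candidate, policy) or "accepted")
    print("1357 as medium PIN:", meets_android_strength("1357", "medium"))
```

The run detector is shared by both platforms' checks, which makes the difference between them visible: on Android the strength tier depends only on the policy's minimum length, while on iOS the mere presence of a length, alphanumeric or special-character requirement is what turns a passcode from optional into mandatory.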

[Topic 274770]

Configuring a virtual private network (VPN)

This section contains information on configuring virtual private network (VPN) settings for secure connection to Wi-Fi networks.

In this section

Configuring VPN on Android devices (only Samsung)

Configuring VPN on iOS MDM devices

Configuring Per App VPN on iOS MDM devices

[Topic 274771]

Configuring VPN on Android devices (only Samsung)

To securely connect an Android device to the internet and protect data transfer, you can configure VPN (Virtual Private Network) settings.

Configuration of VPN is possible only for Samsung devices running Android 11 or earlier.

The following requirements must be considered when using a virtual private network:

  • The app that uses the VPN connection must be allowed in the Firewall settings.
  • VPN settings configured in the policy cannot be applied to system apps. The VPN connection for system apps has to be configured manually.
  • Some apps that use a VPN connection need to have additional settings configured at first startup. To configure settings, a VPN connection has to be allowed in app settings.

To configure VPN on a user's mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the VPN card, click Settings.

    The VPN window opens.

  5. Enable the settings using the VPN toggle switch.
  6. Specify the following VPN settings:
    • Settings in the Network section:
      • In the Network name field, enter the name of the VPN tunnel.
      • In the Protocol drop-down list, select the VPN connection type:
        • IPSec Xauth PSK. A tunneling protocol of the "gateway-to-gateway" type that lets the mobile device user establish a secure connection with the VPN server using the Xauth authentication utility.
        • L2TP IPSec PSK. A tunneling protocol of the "gateway-to-gateway" type that lets the mobile device user establish a secure connection with the VPN server via the IKE protocol using a preset key. This protocol is selected by default.
        • PPTP. A "point-to-point" tunneling protocol that lets the mobile device user establish a secure connection to the VPN server by creating a special tunnel on a standard unsecured network.
      • In the Server address field, enter the network name or IP address of the VPN server.
    • Settings in the Protocol settings section:
      • In the DNS search domain(s) list, enter the DNS search domain to be automatically added to the DNS server name.

        You can specify several DNS search domains, separating them with blank spaces.

      • In the DNS server(s) field, enter the full domain name or IP address of the DNS server.

        You can specify several DNS servers, separating them with blank spaces.

      • In the Routing field, enter the range of network IP addresses with which data is exchanged via the VPN connection.

        If a range of IP addresses is not specified in the Routing field, all internet traffic will pass through the VPN connection.

  7. Additionally, configure the following settings:
    • For the IPSec Xauth PSK and L2TP IPSec PSK protocols:
      • In the IPSec shared key field, enter the password for the preset IPSec security key.
      • In the IPSec ID field, enter the name of the mobile device user.
    • For the L2TP IPSec PSK protocol, specify the password for the L2TP key in the L2TP key field.
    • For the PPTP network, select the Use SSL connection check box so that the app will use the MPPE (Microsoft Point-to-Point Encryption) method of data encryption to secure data transmission when the mobile device connects to the VPN server.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

[Topic 274772]

Configuring VPN on iOS MDM devices


These settings apply to supervised devices and devices operating in basic control mode.

To connect an iOS MDM device to a virtual private network (VPN) and protect data while connected to the VPN, configure the VPN connection settings. The IKEv2 and IPSec VPN protocols also let you set up a Per App VPN connection.

To configure a VPN connection on a user's iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the VPN card, click Settings.

    The VPN window opens.

  5. Enable the settings using the VPN toggle switch.
  6. Click Add.

    The Add VPN configuration window opens.

  7. On the General settings tab, in the Network section, configure the following settings:
    1. In the Network name field, enter the name of the VPN tunnel.
    2. In the Protocol drop-down list, select the VPN connection type.
      • L2TP (Layer 2 Tunneling Protocol). The connection supports authentication of the iOS MDM device user using MS-CHAP v2 passwords, two-factor authentication, and automatic authentication using a public key.
      • IKEv2 (Internet Key Exchange version 2). The connection establishes the Security Association (SA) attribute between two network entities and supports authentication using EAP (Extensible Authentication Protocols), shared secrets, and certificates.
      • IPSec. The connection supports password-based user authentication, two-factor authentication, and automatic authentication using a public key and certificates.
      • Cisco AnyConnect. The connection supports the Cisco Adaptive Security Appliance (ASA) firewall version 8.0(3).1 or later. To configure a VPN connection, install the Cisco AnyConnect app from the App Store on the iOS MDM device.
      • Juniper SSL. The connection supports the Juniper Networks SSL VPN gateway, Series SA, version 6.4 or later with the Juniper Networks IVE package version 7.0 or later. To configure a VPN connection, install the JUNOS app from the App Store on the iOS MDM device.
      • F5 SSL. The connection supports the F5 BIG-IP Edge Gateway, Access Policy Manager, and Fire SSL VPN solutions. To configure a VPN connection, install the F5 BIG-IP Edge Client app from the App Store on the iOS MDM device.
      • SonicWALL Mobile Connect. The connection supports SonicWALL Aventail E-Class Secure Remote Access devices version 10.5.4 or later, SonicWALL SRA devices version 5.5 or later, as well as SonicWALL Next-Generation Firewall devices, including TZ, NSA, and E-Class NSA with SonicOS version 5.8.1.0 or later. To configure a VPN connection, install the SonicWALL Mobile Connect app from the App Store on the iOS MDM device.
      • Aruba VIA. The connection supports Aruba Networks mobile access controllers. To configure them, install the Aruba Networks VIA app from the App Store on the iOS MDM device.
      • Custom SSL. The connection supports authentication of the iOS MDM device user using passwords and certificates and two-factor authentication.
    3. In the Server address field, enter the network name or IP address of the VPN server.
  8. Configure the settings for the VPN connection according to the selected type of virtual private network.
    • L2TP
      • Settings in the Authentication section:
        • Authentication type

          Two-factor authentication of an iOS MDM device user using an RSA SecurID token or password-based authentication.

        • Account name

          The account name for authorization on the VPN server.

        • Password

          The password of the account for authentication on the virtual private network.

        • Authentication method

          The method of authenticating iOS MDM device users on the virtual private network.

        • Shared secret

          Password for a preset IPSec security key for the L2TP and IPSec (Cisco) protocols.

        • Authentication certificate

          The certificate used for user authentication.

      • Settings in the Other section:
        • Send all traffic via VPN

          Transmission of all outbound traffic via the VPN connection even when a different network service is in use (for example, AirPort or Ethernet).

          If the check box is selected, all traffic is sent via the VPN connection.

          If the check box is cleared, outbound traffic is transmitted without requiring the use of the VPN connection.

          This check box is cleared by default.

    • IPSec
      • Settings in the Authentication section:
        • Authentication method

          The method of authenticating iOS MDM device users on the virtual private network.

        • Account name

          The account name for authorization on the VPN server.

        • Password

          The password of the account for authentication on the virtual private network.

        • Shared secret

          Password for a preset IPSec security key for the L2TP and IPSec (Cisco) protocols.

        • Group name

          Name of the group of iOS MDM devices that connect to the VPN via L2TP and IPSec (Cisco) protocols. If the Use hybrid authentication check box is selected, the group name must end with "[hybrid]" (for example: "mycompany [hybrid]").

        • Use hybrid authentication

          Use of hybrid authentication when the user connects to a VPN. The VPN server uses a certificate for authentication, and the iOS MDM device user enters a public key for authentication via the IPSec (Cisco) protocol.

          If the check box is selected, hybrid authentication is used when the user connects to a VPN.

          If the check box is cleared, the hybrid authentication is not used.

          This check box is cleared by default.

        • Authentication certificate

          The certificate used for user authentication.

      • Settings in the Domains section:
      • Settings in the Other section:
        • Prompt for PIN

          The application checks whether the system password is set when the mobile device is turned on.

          If the check box is selected, Kaspersky Mobile Devices Protection and Management checks if the system password is set on the device. If no system password is set on the device, the user has to set it. The password should be set in accordance with the settings configured by the administrator.

          If the check box is cleared, Kaspersky Mobile Devices Protection and Management does not require a system password.

          This check box is cleared by default.

    • IKEv2
      • Settings in the Network section:
        • Dead peer detection interval

          The frequency at which the IKEv2 VPN client should run the Dead Peer Detection (DPD) algorithm. The following values are available:

          • Not selected. Do not run DPD.
          • Low. Run DPD every 30 minutes.
          • Medium. Run DPD every 10 minutes.
          • High. Run DPD every 1 minute.

          The default value is set to Medium.

      • Settings in the Authentication section:
        • Authentication method

          The method of authenticating iOS MDM device users on the virtual private network.

        • Local identifier

          The identifier of the IKEv2 VPN client (iOS MDM device).

        • Remote identifier

          The identifier of the IKEv2 VPN server.

        • Shared secret

          The shared secret used for IKEv2 VPN authentication.

        • Common Name (CN) of server certificate

          This name is used to validate the certificate sent by the IKEv2 VPN server. If this option is not set, the certificate is validated using the remote identifier.

        • Common Name (CN) of server certificate publisher

          If this option is set, IKEv2 sends a certificate request based on this certificate issuer to the server.

        • Authentication certificate

          The certificate used for user authentication.

        • EAP authentication

          The type of EAP authentication used for the VPN IKEv2 connection. The following values are available:

          • Credentials
          • Certificate

          The default value is Credentials.

        • Account name

          The account name for authorization on the VPN server.

        • Password

          The password of the account for authentication on the virtual private network.

        • Minimum TLS version

          The minimum TLS version used for EAP authentication. The following values are available:

          • TLS 1.0
          • TLS 1.1
          • TLS 1.2

          The default value is TLS 1.0. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996); set the minimum to TLS 1.2 unless the EAP implementation on the VPN server does not support it.

        • Maximum TLS version

          The maximum TLS version used for EAP authentication. The following values are available:

          • TLS 1.0
          • TLS 1.1
          • TLS 1.2

          The default value is TLS 1.2.

      • Settings in the Security association section:
        • SA parameters

          Determines which security association the encryption algorithm, integrity algorithm, Diffie-Hellman group, and lifetime settings below apply to. Possible values:

          • IKEv2. The IKE SA that protects the IKEv2 negotiation itself.
          • Child. The Child SA that carries the tunneled traffic.

          The default value is IKEv2.

        • Encryption algorithm

          Determines the encryption algorithm used for the connection. Possible values:

          • DES
          • 3DES
          • AES-128
          • AES-256
          • AES-128-GCM
          • AES-256-GCM
          • ChaCha20Poly1305

          The default value is AES-256. DES and 3DES are 64-bit block ciphers retained for compatibility with legacy servers only; for new configurations, keep AES-256 or use AES-256-GCM.

        • Integrity algorithm

          Determines the integrity algorithm used for the connection. Possible values:

          • SHA1-96
          • SHA1-160
          • SHA2-256
          • SHA2-384
          • SHA2-512

          The default value is SHA2-256. SHA1-96 and SHA1-160 are retained for legacy servers; keep SHA2-256 or stronger wherever the server supports it.

        • Diffie-Hellman group

          Determines the Diffie-Hellman group used when setting up the VPN tunnel. Groups weaker than 14 (2048-bit MODP), such as groups 1, 2, and 5, should not be used for new configurations.

          The default value is 14.

        • SA Lifetime (min)

          The rekey interval in minutes.

      • Settings in the Other section:
        • Disable redirect

          Specifies whether IKEv2 VPN server redirects are disabled.

          If the check box is selected, the IKEv2 VPN connection is not redirected.

          If the check box is cleared, the IKEv2 VPN connection is redirected if a redirect request is received from the server.

          This check box is cleared by default.

        • Disable Mobility and Multi-homing Protocol

          Specifies whether Mobility and Multi-homing Protocol (MOBIKE) is disabled for the IKEv2 VPN connection.

          If the check box is selected, MOBIKE is disabled.

          If the check box is cleared, MOBIKE is enabled.

          This check box is cleared by default.

        • Use internal IPv4 and IPv6 subnet attributes

          Specifies whether the IKEv2 VPN client should use the INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET configuration attributes sent by the IKEv2 VPN server.

          If the check box is selected, INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET attributes are used.

          If the check box is cleared, INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET attributes are not used.

          This check box is cleared by default.

        • Enable a tunnel over cellular data

          Specifies whether fallback to a tunnel over cellular data is enabled.

          If the check box is selected, the device enables a tunnel over cellular data to carry traffic that is eligible for Wi-Fi Assist and also requires a VPN.

          If the check box is cleared, fallback is disabled.

          This check box is cleared by default.

        • Enable Perfect Forward Secrecy

          Specifies whether Perfect Forward Secrecy (PFS) is enabled for the IKEv2 VPN connection.

          If the check box is selected, PFS is enabled.

          If the check box is cleared, PFS is disabled.

          This check box is cleared by default.

    • Cisco AnyConnect
    • Juniper SSL
      • Settings in the Network section:
      • Settings in the Authentication section:
        • Authentication method

          The method of authenticating iOS MDM device users on the virtual private network.

        • Account name

          The account name for authorization on the VPN server.

        • Password

          The password of the account for authentication on the virtual private network.

        • Scope

          Name of the network that includes VPN servers and iOS MDM devices for the VPN connection established using Juniper SSL.

        • Role

          Name of the user role that grants the user access to resources using Juniper SSL. A role can combine several users performing similar functions.

        • Authentication certificate

          The certificate used for user authentication.

      • Settings in the Domains section:
      • Settings in the Other section:
        • Send all traffic via VPN

          Routes all traffic via the VPN.

        • Exclude local traffic

          Excludes local traffic from traffic routed via the VPN connection.

          This check box is available if the Send all traffic via VPN check box is selected.

    • F5 SSL
    • SonicWALL Mobile Connect
    • Aruba VIA
    • Custom SSL
      • Settings in the Network section:
      • Settings in the Configuration data section:
        • Key

          Contains a key with additional settings for the Custom SSL connection.

        • Value

          Contains a value with additional settings for the Custom SSL connection.

      • Settings in the Authentication section:
        • Authentication method

          The method of authenticating iOS MDM device users on the virtual private network.

        • Account name

          The account name for authorization on the VPN server.

        • Password

          The password of the account for authentication on the virtual private network.

        • Authentication certificate

          The certificate used for user authentication.

        • Bundle ID

          If the custom VPN configuration targets a VPN solution that uses a network extension provider, then this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier.

      • Settings in the Domains section:
  9. If necessary, on the Advanced settings tab, in the Proxy server section, configure the settings of the VPN connection via a proxy server:
    1. Select the Use a proxy server check box.
    2. Configure a connection to a proxy server:
      1. If you want to configure the connection automatically:
        • Select Automatic.
        • In the PAC file URL field, specify the URL of the proxy PAC file.
        • To allow the device to connect directly, without a proxy server, when the PAC file cannot be accessed, select the Allow direct connection if PAC file cannot be accessed check box.
      2. If you want to configure the connection manually:
        • Select Manual.
        • In the Proxy server address and Proxy server port fields, enter the IP address or DNS name of the proxy server and the port number.
        • In the User name field, select a macro that will be used as the user name for the connection to the proxy server.
        • In the Password field, specify the password for the connection to the proxy server.
  10. For IKEv2 and IPSec connections, if necessary, set up Per App VPN functionality for supported system apps (Mail, Calendar, Contacts, and Safari).
  11. Click Add.

    The new VPN is displayed in the list.

    You can modify or delete VPN in the list using the Edit and Delete buttons at the top of the list.

  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, the VPN connection will be configured on the user's iOS MDM device.
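
The IKEv2 security association, TLS, and authentication settings described above are easiest to review in bulk rather than one drop-down at a time. The following Python script is an added example, not part of this documentation or of Kaspersky's software: it audits one IKEv2 configuration expressed as a plain dictionary whose keys mirror the console field labels, reports the legacy choices, and produces a hardened copy using only values the console offers. The dictionary layout, the function names audit_ikev2 and harden_ikev2, the 20-character shared-secret threshold, and the LEGACY_VPN sample are all assumptions made for this example.

```python
import copy

# Field names mirror the Web Console labels; the dictionary layout itself is an
# assumption made for this example, not a Kaspersky export format.
WEAK_ENCRYPTION = {"DES", "3DES"}          # 64-bit block ciphers
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}   # SHA-1 based integrity
WEAK_DH_GROUPS = {1, 2, 5}                 # MODP groups shorter than 2048 bits
TLS_RANK = {"TLS 1.0": 0, "TLS 1.1": 1, "TLS 1.2": 2}
MIN_SHARED_SECRET_LEN = 20                 # assumed local policy, not an Apple limit


def audit_ikev2(cfg):
    """Return a list of (field, problem) findings for one IKEv2 VPN configuration."""
    findings = []
    for sa in ("IKEv2", "Child"):
        p = cfg.get("sa_parameters", {}).get(sa, {})
        if p.get("encryption_algorithm") in WEAK_ENCRYPTION:
            findings.append((f"{sa} encryption algorithm",
                             "DES/3DES: 64-bit block cipher, use AES-256 or AES-256-GCM"))
        if p.get("integrity_algorithm") in WEAK_INTEGRITY:
            findings.append((f"{sa} integrity algorithm",
                             "SHA-1 based, use SHA2-256 or stronger"))
        if p.get("dh_group") in WEAK_DH_GROUPS:
            findings.append((f"{sa} Diffie-Hellman group",
                             "modulus shorter than 2048 bits, use group 14 or higher"))
    if not cfg.get("enable_pfs", False):
        findings.append(("Enable Perfect Forward Secrecy",
                         "cleared (console default): Child SA rekeys run no fresh DH exchange"))
    if TLS_RANK.get(cfg.get("min_tls", "TLS 1.0"), 0) < TLS_RANK["TLS 1.2"]:
        findings.append(("Minimum TLS version",
                         "permits TLS 1.0/1.1 for EAP authentication, set TLS 1.2"))
    method = cfg.get("authentication_method")
    if method == "Shared secret" and len(cfg.get("shared_secret", "")) < MIN_SHARED_SECRET_LEN:
        findings.append(("Shared secret", f"shorter than {MIN_SHARED_SECRET_LEN} characters"))
    if method == "Certificate" and not cfg.get("server_certificate_cn"):
        findings.append(("Common Name (CN) of server certificate",
                         "not set, the server certificate is matched on the remote identifier only"))
    return findings


def harden_ikev2(cfg):
    """Return a copy of cfg with the cryptographic parameters raised to the
    strongest values the console offers. Secrets and certificate names are left
    alone: those need operator input and cannot be fixed automatically."""
    out = copy.deepcopy(cfg)
    for sa in ("IKEv2", "Child"):
        p = out.setdefault("sa_parameters", {}).setdefault(sa, {})
        if p.get("encryption_algorithm") in WEAK_ENCRYPTION:
            p["encryption_algorithm"] = "AES-256-GCM"
        if p.get("integrity_algorithm") in WEAK_INTEGRITY:
            p["integrity_algorithm"] = "SHA2-256"
        if p.get("dh_group") in WEAK_DH_GROUPS:
            p["dh_group"] = 14
    out["enable_pfs"] = True
    out["min_tls"] = "TLS 1.2"
    out["max_tls"] = "TLS 1.2"
    return out


# Constructed sample: console defaults plus a few legacy choices, so the audit has
# something to catch. Not taken from any real deployment.
LEGACY_VPN = {
    "authentication_method": "Shared secret",
    "shared_secret": "vpn123",
    "min_tls": "TLS 1.0",
    "max_tls": "TLS 1.2",
    "enable_pfs": False,
    "sa_parameters": {
        "IKEv2": {"encryption_algorithm": "3DES", "integrity_algorithm": "SHA1-96",
                  "dh_group": 2, "lifetime_min": 1440},
        "Child": {"encryption_algorithm": "AES-256", "integrity_algorithm": "SHA1-160",
                  "dh_group": 14, "lifetime_min": 1440},
    },
}

if __name__ == "__main__":
    for field, problem in audit_ikev2(LEGACY_VPN):
        print(f"{field}: {problem}")
    print("after hardening:", audit_ikev2(harden_ikev2(LEGACY_VPN)))
```

Run against LEGACY_VPN the audit reports seven findings; after harden_ikev2 only the shared secret remains, which is the point: algorithm choices can be corrected mechanically, but a weak pre-shared key or a missing server certificate CN needs a human decision.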

Page top
[Topic 274773]

Configuring Per App VPN on iOS MDM devices

These settings apply to supervised devices and devices operating in basic control mode.

The Per App VPN functionality allows a device to establish a VPN connection when supported system apps are launched. This functionality is available for IKEv2 and IPSec connections.

The following system apps support Per App VPN connections:

  • Mail
  • Calendar
  • Contacts
  • Safari
  • Messages

To enable the Per App VPN functionality:

  1. Perform the initial setup of the VPN connection.
  2. On the Advanced settings tab, in the Per App VPN section, select the Enable Per App VPN check box.
  3. Set up Per App VPN for supported system apps in the corresponding settings of the policy.

Mail

To specify the Per App VPN configuration for the Mail app:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Email card, click Settings.

    The Email window opens.

  5. Enable the settings using the Email toggle switch.
  6. Click Add.

    The Add email account window opens.

  7. Configure a mailbox.
  8. On the Advanced settings tab, in the Per App VPN section, select the Enable Per App VPN check box.
  9. Select a configuration from the Per App VPN configuration drop-down list.
  10. Click Save.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for the Mail app.

Calendar

To specify the Per App VPN configuration for the Calendar app:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Calendar card, click Settings.

    The Calendar window opens.

  5. Enable the settings using the Calendar toggle switch.
  6. Click Add.

    The Add CalDAV account window opens.

  7. Add a calendar account.
  8. In the Per App VPN section, select the Enable Per App VPN check box.
  9. Select a configuration from the Per App VPN configuration drop-down list.
  10. Click Add.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for the Calendar app.

Calendar subscriptions

A list of subscriptions to calendars of other CalDAV users, iCal calendars, and other published calendars.

To specify the Per App VPN configuration for calendar subscriptions:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Calendar subscriptions card, click Settings.

    The Calendar subscriptions window opens.

  5. Enable the settings using the Calendar subscriptions toggle switch.
  6. Click Add.

    The Add calendar subscription window opens.

  7. Add a calendar subscription.
  8. In the Per App VPN section, select the Enable Per App VPN check box.
  9. Select a configuration from the Per App VPN configuration drop-down list.
  10. Click Add.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for calendar subscriptions.

Contacts

To specify the Per App VPN configuration for the Contacts app:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Contacts card, click Settings.

    The Contacts window opens.

  5. Enable the settings using the Contacts toggle switch.
  6. Click Add.

    The Add CardDAV account window opens.

  7. Add a contacts account.
  8. In the Per App VPN section, select the Enable Per App VPN check box.
  9. Select a configuration from the Per App VPN configuration drop-down list.
  10. Click Add.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for the Contacts app.

Safari

To specify the Per App VPN configuration for Safari:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Per App VPN for Safari card, click Settings.

    The Per App VPN for Safari window opens.

  5. Enable the settings using the Per App VPN for Safari toggle switch.
  6. Click Add.

    The Add a website domain window opens.

  7. Select a configuration from the Per App VPN configuration drop-down list.
  8. In the Domain name field, specify the website domain that will trigger the VPN connection in Safari. The domain must be in the www.example.com format.
  9. Click Add.

    The new domain appears in the Safari website domains list.

    You can modify or delete Safari website domains in the list using the Edit and Delete buttons at the top of the list.

  10. Click OK.
  11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for Safari website domains.

LDAP

An LDAP account provides access to corporate data and contacts in the standard iOS apps: Contacts, Messages, and Mail.

To specify the Per App VPN configuration for an LDAP account:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the LDAP card, click Settings.

    The LDAP window opens.

  5. Enable the settings using the LDAP toggle switch.
  6. Click Add.

    The Add LDAP account window opens.

  7. Add an LDAP account.
  8. In the Per App VPN section, select the Enable Per App VPN check box.
  9. Select a configuration from the Per App VPN configuration drop-down list.
  10. Click Add.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for the LDAP account.

Page top
[Topic 274774]

Configuring Firewall on Android devices (only Samsung)

Configure Firewall settings to monitor network connections on the user's mobile device.

Firewall can be configured only for Samsung devices.

To configure Firewall on a user's mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the Firewall card, click Settings.

    The Firewall window opens.

  5. Enable the settings using the Firewall toggle switch.
  6. In the Internet access drop-down list, select the Firewall mode. Depending on its operating mode, Firewall monitors connections established by the user's mobile device:
    • If you want to allow inbound and outbound connections of all installed apps, select Allow for all apps. This mode is selected by default.
    • If you want to block all network activity except for several specified apps, select Allow for listed apps.
  7. If you selected Allow for listed apps as the Firewall mode, create a list of apps for which all network activity is allowed:
    1. In the Apps with internet access section, click Add.

      The Add app window opens.

    2. In the App name field, enter the name of the mobile app.
    3. In the Package name field, enter the system name of the mobile app package (for example, com.mobileapp.example).
    4. Click Add.

    The new app that is allowed network access appears in the list.

    You can modify or delete mobile apps in the list using the Edit and Delete buttons at the top of the list.

  8. Click OK.
  9. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Page top
[Topic 274775]

Protecting Kaspersky Endpoint Security for Android against removal

To protect mobile devices and comply with corporate security requirements, you can enable protection against removal of Kaspersky Endpoint Security for Android. In this case, the user cannot remove the app using the Kaspersky Endpoint Security for Android interface. When removing the app using Android operating system tools, you are prompted to disable administrator rights for Kaspersky Endpoint Security for Android. After disabling the rights, the mobile device will be locked.

On certain Samsung devices running Android 7 or later, when the user attempts to configure an unsupported screen unlock method (for example, a pattern lock), the device may be locked if the following conditions are met: removal protection is enabled for Kaspersky Endpoint Security for Android and strength requirements are set for the screen unlock password. To unlock the device, you must send a special command to the device.

To protect the app from removal on devices running Android 7 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required permissions. The user can skip these steps or later disable these permissions in the device settings. If this is the case, the app is not protected from removal.

To enable protection against removal of Kaspersky Endpoint Security for Android:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the KES for Android settings section.
  4. On the Configure access to app settings card, click Settings.

    The Configure access to app settings window opens.

  5. Enable the settings using the Configure access to app settings toggle switch.

    The toggle switch in this card does not enable or disable the corresponding functionality on devices. Enabling the toggle switch lets you configure custom settings. Disabling the toggle switch lets you use default settings.

  6. Clear the Allow removing the app from device check box.
  7. Click OK.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. If an attempt is made to remove the app, the mobile device will be locked.

Page top
[Topic 274776]

Detecting hacked devices

Kaspersky Security Center Web Console lets you detect hacked devices: rooted Android devices and jailbroken iOS devices. System files are unprotected on a hacked device and can therefore be modified. If a hack attempt is detected, we recommend that you immediately restore normal operation of the device.

If a device is hacked, you receive a notification. You can view hacking notifications in Kaspersky Security Center Web Console in the Monitoring & reportingDashboard section. You can also disable notifications about hacks in the event notification settings.

On Android devices, you can impose restrictions on the user's activity if the device is hacked (for example, lock the device). You can impose restrictions using the Compliance Control component. To do this, create a compliance rule with the Device has been rooted criterion.

Page top
[Topic 274777]

Configuring a global HTTP proxy on iOS MDM devices

These settings apply to supervised devices.

To route the user's internet traffic, configure the iOS MDM device to connect to the internet through a proxy server.

Be careful when configuring these settings. If the settings are incorrect, devices may lose their internet connection and will not synchronize with the iOS MDM Server. If this happens, you will have to add the devices again.

To configure global HTTP proxy settings on the user's iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Global HTTP proxy card, click Settings.

    The Global HTTP proxy window opens.

  5. Enable the settings using the Global HTTP proxy toggle switch.
  6. Select the type of global HTTP proxy configuration:
    • To specify the proxy server connection settings manually:
      1. In the Setting type section, select Manual.
      2. In the Proxy server address and Proxy server port fields, enter the name of a host or the IP address of a proxy server and the number of the proxy server port.
      3. In the User name field, set the user account name for authorization on the proxy server.
      4. In the Password field, set the user account password for authorization on the proxy server.
      5. To allow the user to access captive networks, select the Allow access to captive networks without connecting to proxy check box.
    • To configure the proxy server connection settings using a predefined PAC (Proxy Auto Configuration) file:
      1. In the Setting type section, select Automatic.
      2. In the PAC file URL field, enter the web address of the PAC file (for example: http://www.example.com/filename.pac).
      3. To allow the user to connect the mobile device to a wireless network without using a proxy server when the PAC file cannot be accessed, select the Allow direct connection if PAC file cannot be accessed check box.
      4. To allow the user to access captive networks, select the Allow access to captive networks without connecting to proxy check box.
  7. Click OK.
  8. Click Save to save the changes you have made.

As a result, the mobile device user will connect to the internet via a proxy server after the policy is applied.

Page top
[Topic 274778]

Adding security certificates to iOS MDM devices

These settings apply to supervised devices and devices operating in basic control mode.

You can add certificates to iOS MDM devices to simplify user authentication and ensure data security. The data signed with a certificate is protected against modification while it is transferred over the network. Data encryption using a certificate provides an added level of security for the data. The certificate can also be used to verify user identity.

Kaspersky Mobile Devices Protection and Management supports the following certificate standards:

  • PKCS#1. A certificate containing an RSA public key only, with no private key (for example, a trusted root or intermediate certificate).
  • PKCS#12. Storage and transmission of a certificate together with its private key.

To add a security certificate to iOS MDM devices:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Certificate management card, click Settings.

    The Certificate management window opens.

  5. Enable the settings using the Certificate management toggle switch.
  6. Click Upload and specify the path to the certificate.

    Files of PKCS#1 certificates have the CER, DER, or PEM extension. Files of PKCS#12 certificates have the P12 or PFX extension. The password for a PKCS#12 certificate must not be empty.

  7. Click Open.

    If the certificate is password-protected, enter the password. The new certificate appears in the list.

  8. Click OK.
  9. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, certificates are automatically installed on devices.

Page top
[Topic 274779]

Adding a SCEP profile to iOS MDM devices

These settings apply to supervised devices and devices operating in basic control mode.

You have to add a SCEP profile to enable the iOS MDM device user to automatically receive certificates from the Certification Center via the internet. The SCEP profile enables support of the Simple Certificate Enrollment Protocol.

A SCEP profile with the following settings is added by default:

  • The alternative subject name is not used for registering certificates.
  • Three attempts are made at 10-second intervals to poll the SCEP server. If all attempts to sign the certificate fail, you have to generate a new certificate signing request.
  • The received certificate cannot be used for data signing or encryption.

You can edit the specified settings when adding the SCEP profile.

To add a SCEP profile:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the SCEP card, click Settings.

    The SCEP window opens.

  5. Enable the settings using the SCEP toggle switch.
  6. Click Add.

    The Add SCEP profile window opens.

  7. In the SCEP Server section, specify the following SCEP server settings:
    • In the Configuration name field, specify the name of the Certification Center deployed on the SCEP server. The Certification Center supplies the user of an iOS MDM device with certificates using the Simple Certificate Enrollment Protocol (SCEP).
    • In the Server URL field, enter the web address of the SCEP server on which the Certification Center is deployed.

      The URL can contain the IP address or the full domain name (FQDN). For example, http://10.10.10.10/certserver/companyscep.

    • In the Maximum number of polling attempts field, specify the maximum number of attempts to poll the SCEP server to get the certificate signed. By default, the value is 3 attempts.

      If all attempts to sign the certificate fail, you have to generate a new certificate signing request.

    • In the Polling interval (sec) field, specify the number of seconds between attempts to poll the SCEP server to get the certificate signed. By default, the value is 10 seconds.
    • In the Static challenge phrase field, enter a pre-published registration key.

      Before signing a certificate, the SCEP server prompts the mobile device user to enter the key. If this field is left blank, the SCEP does not request the key.

    • In the Method for uploading certificate thumbprint drop-down list, select how to add a certificate thumbprint. You can use certificate thumbprints based on the SHA-1 or MD5 hashing algorithm.
      • If you selected the Manually option, in the Certificate thumbprint field that appears, enter the thumbprint of the Certification Center's certificate. It is used to verify the authenticity of the response from the Certification Center.
      • If you selected the From file option, upload a CER, KEY, or PEM file. The thumbprint will be generated and added automatically.

      The certificate thumbprint has to be specified if data exchange between the mobile device and the Certification Center takes place via the HTTP protocol. Over plain HTTP the thumbprint is the only thing that lets the device verify that the CA certificate it receives is the expected one, so obtain it out of band (for example, from the Certification Center administrator) rather than from the SCEP server itself.

  8. In the Subject section, specify the following settings:
    • In the Subject Name field, enter a string with the attributes of the iOS MDM device user that are contained in the X.500 certificate.

      Attributes can contain details of the country (C), locality (L), state (ST), organization (O), organization unit (OU), and common user name (CN). For example, /C=RU/O=MyCompany/CN=User/.

      You can also use other attributes specified in RFC 5280.

      These attributes are placed in the certificate signing request that the device sends to the Certification Center and appear in the certificate that the Certification Center issues to the user.

    • Click the Add Subject Alternative Name button to add a field for specifying the subject alternative name:
      • In the Type of Subject Alternative Name drop-down list that appears, select the type of subject alternative name for the SCEP server. You can add only one alternative name of each type.

        You can use a subject alternative name to identify the user of the iOS MDM device. By default, identification based on the alternative name is not used.

        • DNS name. Identification using the domain name.
        • NT Principal Name. User principal name (UPN) of the iOS MDM device user in a Windows domain, in the user@domain format. The NT principal name is contained in the certificate request sent to the SCEP server and can also be used to identify the user of the iOS MDM device.
        • Email address. Identification using the email address. The email address must be specified according to RFC 822.
        • Uniform Resource Identifier (URI). Identification using a URI, for example a web address that contains the IP address or the FQDN.
      • In the Subject Alternative Name field, enter the alternative name of the subject of the X.500 certificate. The value of the subject alternative name depends on the selected subject type: the user's email address, domain, or web address.
  9. In the Key section, configure the encryption key settings:
    • In the Key size (bit) drop-down list, select the size of the registration key in bits: 1024, 2048, or 4096. The default value is 1024 bits. A 1024-bit RSA key is no longer considered adequate; select 2048 bits or larger unless the Certification Center cannot issue such certificates.
    • If you want to allow the user to use a certificate received from the SCEP server as a signing certificate, select the Use as digital signature check box.

      Data signing protects data against modification. For example, Safari can validate the authenticity of the certificate and establish a safe data exchange session.

    • If you want to allow the user to use a certificate received from the SCEP server for data encryption, select the Use for encryption check box.

      Data encryption also protects confidential data during data exchange over a network. For example, Safari can establish a secure data exchange session using encryption. This guarantees website authenticity and confirms that the connection to the website is encrypted to prevent interception of personal and confidential data.

      You cannot simultaneously use the SCEP server certificate as a data signing certificate and a data encryption certificate.

    • If you want to allow all installed apps to access the private key from the SCEP server certificate, select the Allow all apps to access private key check box.
    • If you do not want the private key to be exported from the keychain, select the Prohibit exporting private key from the keychain check box.
  10. Click Add.

    The new SCEP profile appears in the list.

    You can modify or delete SCEP profiles in the list using the Edit and Delete buttons at the top of the list.

  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, the user's mobile device is configured to automatically receive a certificate from the Certification Center via the internet.
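As an added example that is not Kaspersky's code, the following Python builds the SCEP payload of an Apple configuration profile from the settings described in steps 8 and 9 and flags the choices that weaken protection of the device key (the 1024-bit default, key access for all apps, an exportable key). The payload keys are Apple's documented com.apple.security.scep keys; how Kaspersky's iOS MDM Server maps the console settings onto them, and the placeholder PayloadIdentifier, are assumptions.

```python
"""Build and review the SCEP payload an iOS MDM profile carries.

Added example, not Kaspersky's code. The payload keys are the documented
keys of Apple's com.apple.security.scep payload; how Kaspersky's iOS MDM
Server maps the SCEP profile settings from steps 8 and 9 onto them, and the
PayloadIdentifier placeholder, are assumptions made for this example.
"""
import plistlib
import uuid

# Key Usage bit flags of the Apple SCEP payload.
KEY_USAGE_SIGNING = 1
KEY_USAGE_ENCRYPTION = 4

# Subject alternative name types offered by the console, mapped to the
# SubjectAltName keys of the Apple payload.
SAN_KEYS = {
    "DNS name": "dNSName",
    "NT Principal Name": "ntPrincipalName",
    "Email address": "rfc822Name",
    "Uniform Resource Identifier (URI)": "uniformResourceIdentifier",
}

ALLOWED_KEY_SIZES = (1024, 2048, 4096)


def build_scep_payload(url, subject, key_size=1024, use_as_signature=False,
                       use_for_encryption=False, san_type=None, san_value=None,
                       allow_all_apps_access=False, prohibit_key_export=False):
    """Return the SCEP payload dict for the given console settings.

    `subject` is the X.500 subject in Apple's RDN-array form, for example
    [[["CN", "user1"]], [["O", "Example"]]]. Raises ValueError for what the
    console rejects: an unsupported key size or both key usages at once.
    """
    if key_size not in ALLOWED_KEY_SIZES:
        raise ValueError(f"key size must be one of {ALLOWED_KEY_SIZES}")
    if use_as_signature and use_for_encryption:
        raise ValueError("the certificate cannot be used for both signing and encryption")
    if (san_type is None) != (san_value is None):
        raise ValueError("san_type and san_value must be given together")

    content = {
        "URL": url,
        "Subject": subject,
        "Key Type": "RSA",
        "Keysize": key_size,
        "Key Usage": (KEY_USAGE_SIGNING if use_as_signature else 0)
        | (KEY_USAGE_ENCRYPTION if use_for_encryption else 0),
        # "Allow all apps to access private key" check box
        "AllowAllAppsAccess": allow_all_apps_access,
        # "Prohibit exporting private key from the keychain" check box, inverted
        "KeyIsExtractable": not prohibit_key_export,
    }
    if san_type is not None:
        if san_type not in SAN_KEYS:
            raise ValueError(f"unknown subject alternative name type: {san_type!r}")
        content["SubjectAltName"] = {SAN_KEYS[san_type]: san_value}

    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep.placeholder",  # placeholder value
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadContent": content,
    }


def review_scep_payload(payload):
    """Return warnings for settings that weaken protection of the device key."""
    c = payload["PayloadContent"]
    warnings = []
    if c["Keysize"] < 2048:
        warnings.append(f"RSA key size {c['Keysize']} is below 2048 bits; raise the "
                        "1024-bit console default")
    if c["AllowAllAppsAccess"]:
        warnings.append("every installed app may use the private key")
    if c["KeyIsExtractable"]:
        warnings.append("the private key can be exported from the keychain")
    return warnings


def to_mobileconfig(payload):
    """Serialize the payload as the XML plist the MDM server delivers."""
    return plistlib.dumps(payload).decode("utf-8")
```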

[Topic 274780]

Restricting SD card usage (only Samsung)

Configure SD card restrictions to control usage of SD cards on the user's Samsung devices that support Knox.

To restrict SD card usage on a mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the Device feature restrictions card, click Settings.

    The Device feature restrictions window opens.

  5. Enable the settings using the Device feature restrictions toggle switch.
  6. In the SD card settings section, specify the required restrictions:
    • Prohibit access to SD card

      This setting applies to devices with Android 5-12.

      Selecting or clearing this check box specifies whether access to the SD card is disabled or enabled on the device.

      This check box is cleared by default.

    • Prohibit writing to SD card

      Selecting or clearing this check box specifies whether writing to the SD card is disabled or enabled on the device.

      This check box is cleared by default.

    • Prohibit moving apps to SD card

      Selecting or clearing this check box specifies whether the device user is allowed to move apps to the SD card.

      This check box is cleared by default.

  7. In the Additional settings section, you can specify any additional restrictions:
    • Prohibit sending crash reports to Google

      This setting applies to devices running Android 11 or earlier.

      If the check box is selected, Kaspersky Endpoint Security for Android blocks sending crash reports to Google.

      If the check box is cleared, sending reports is allowed.

      This check box is cleared by default.

    • Prohibit developer mode

      This setting applies to devices running Android 11 or earlier.

      If the check box is selected, the device user is not allowed to enable developer mode on the device.

      If the check box is cleared, the user is allowed to enable developer mode on the device.

      This check box is cleared by default.

  8. Click OK.
  9. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. SD card settings are now configured.

[Topic 274781]

Management of mobile devices

This section contains information about how to remotely manage mobile devices in Kaspersky Security Center Web Console.

In this section

Managing Android devices

Managing iOS MDM devices

[Topic 274782]

Managing Android devices

Kaspersky Security Center Web Console lets you manage Android devices in the following ways:

  • Centrally manage devices by using commands.
  • View information about the settings for management of Android devices.
  • Install apps by using mobile app packages.
  • Disconnect Android devices from management.

In this section

Corporate devices

Enabling certificate-based authentication of devices

Creating a mobile application package for Android devices

Viewing information about an Android device

Disconnecting an Android device from management

[Topic 274871]

Corporate devices

This section contains information about managing the settings of corporate Android devices. For information about installing Kaspersky Endpoint Security for Android on corporate devices, see here.

In this section

Restricting Android features on devices

Configuring kiosk mode for Android devices

Connecting to a NDES/SCEP server

[Topic 274821]

Restricting Android features on devices

These settings apply to corporate devices.

You can restrict Android operating system features on corporate devices. For example, you can restrict factory reset, changing credentials, use of Google Play and Google Chrome, file transfer over USB, changing location settings, and management of system updates. You can also restrict operating system features on personal devices and devices with a corporate container.

To restrict Android features:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Restrictions section.
  4. On the Device feature restrictions card, click Settings.

    The Device feature restrictions window opens.

  5. Enable the settings using the Device feature restrictions toggle switch.
  6. Enable device feature restrictions using toggle switches on the corresponding tabs and select the required restrictions.
  7. Click OK.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Restrict device features

On the General tab, you can enable or disable the following features.

  • Features in the Data loss protection section:
    • Prohibit reset to factory settings

      Selecting or clearing this check box specifies whether the device user is allowed to perform a factory reset from device settings.

      This check box is cleared by default.

    • Prohibit screen capture

      Selecting or clearing this check box specifies whether the device user is allowed to take screenshots and record and share the device screen. It also specifies whether the contents of the device screen are allowed to be captured for artificial intelligence purposes.

      This check box is cleared by default.

    • Prohibit safe boot

      Selecting or clearing this check box specifies whether the device user is allowed to boot the device in safe mode.

      The restriction is supported on devices with Android 6 or later.

      This check box is cleared by default.

  • Features in the Calls and SMS section:
    • Prohibit outgoing phone calls

      Selecting or clearing this check box specifies whether the device user is allowed to make outgoing phone calls on this device.

      This check box is cleared by default.

    • Prohibit sending and receiving SMS messages

      Selecting or clearing this check box specifies whether the device user is allowed to send and receive SMS messages on this device.

      This check box is cleared by default.

  • Features in the Location services section:
    • Prohibit use of location

      Prevents turning location services on and off.

      If the check box is selected, the device user cannot turn location services on or off. Search in Anti-Theft mode becomes unavailable.

      If the check box is cleared, the device user can turn location services on or off.

      This check box is cleared by default.

      Various combinations of values for Prohibit use of location and Prohibit modifying location settings produce different results for the location services feature and configuration:

      • Prohibit use of location enabled, Prohibit modifying location settings enabled: location services are disabled and cannot be enabled by the device user.
      • Prohibit use of location enabled, Prohibit modifying location settings disabled: location services are disabled and can be enabled by the device user. Disabling the Prohibit modifying location settings restriction makes it possible for the user to disable location services on the device, which may make some features unavailable.
      • Prohibit use of location disabled, Prohibit modifying location settings enabled: location services are enabled and cannot be disabled by the device user.
      • Prohibit use of location disabled, Prohibit modifying location settings disabled: location services are enabled and can be disabled by the device user. Disabling the Prohibit modifying location settings restriction makes it possible for the user to disable location services on the device, which may make some features unavailable.

    • Prohibit sharing location

      If this option is enabled, the user cannot share the device location via apps that provide a location-sharing feature.

      By default, the option is disabled.

    • Prohibit modifying location settings

      Prevents changing location settings.

      If the check box is selected, the device user cannot change location settings or disable location services.

      If the check box is cleared, the device user can change location settings.

      The restriction is supported on devices with Android 9 or later.

      This check box is cleared by default.

      Various combinations of values for Prohibit use of location and Prohibit modifying location settings produce different results for the location services feature and configuration; the combinations are listed under Prohibit use of location above.

  • Features in the Keyguard section:
    • Prohibit keyguard features

      Selecting or clearing the check box specifies whether a user's device can be unlocked with a swipe.

      This setting has no effect if a password, PIN code, or pattern is currently set as an unlock method on the device.

      This check box is cleared by default.

    • Prohibit disabling keyguard notifications

      Selecting or clearing the check box specifies whether notifications are prohibited when the device screen is locked.

      This check box is cleared by default.

    • Prohibit using keyguard camera

      Selecting or clearing the check box specifies whether the device user is prohibited from using the camera when the device is locked.

      This check box is cleared by default.

    • Prohibit using keyguard trust agents

      Selecting or clearing this check box specifies whether trusted apps are prohibited when the device screen is locked. Trusted apps are apps that allow the device user to unlock the device without a password, PIN code, or fingerprint.

      This check box is cleared by default.

  • Features in the Users and accounts section:
    • Prohibit adding Google accounts

      Selecting or clearing the check box specifies whether the device user is allowed to add and remove Google accounts.

      This check box is cleared by default.

    • Prohibit adding users

      Selecting or clearing the check box specifies whether the device user is allowed to add new users.

      This check box is selected by default. If a corporate device was connected to Kaspersky Security Center via a QR code, the restriction is enabled and can't be disabled.

      The restriction can be disabled only on devices that meet the following requirements:

      • The corporate device was connected to Kaspersky Security Center via the adb.exe installation package.
      • The device must support multiple users.
    • Prohibit switching user

      If this option is enabled, the user cannot switch the current user of the device.

      By default, the option is disabled.

    • Prohibit removing users

      Selecting or clearing the check box specifies whether the device user is allowed to remove users.

      This check box is selected by default. If a corporate device was connected to Kaspersky Security Center via a QR code, the restriction can't be disabled.

      The restriction can be disabled only on devices that meet the following requirements:

      • The corporate device was connected to Kaspersky Security Center via the adb.exe installation package.
      • The device must support multiple users.
    • Prohibit changing credentials

      Selecting or clearing this check box specifies whether the device user is allowed to change user credentials in the operating system.

      This check box is cleared by default.

Restrict app features

On the Apps tab, you can enable or disable the following features.

  • Features in the General section:
    • Prohibit installation of apps

      Selecting or clearing the check box specifies whether the device user is allowed to install apps on the device.

      This check box is cleared by default.

    • Prohibit installation of apps from unknown sources

      Selecting or clearing the check box specifies whether the device user is allowed to install apps from unknown sources.

      This check box is cleared by default.

    • Prohibit modification of apps in Settings

      Prevents modifying apps in Settings.

      If the check box is selected, the device user is not allowed to perform the following actions:

      • Uninstall apps
      • Disable apps
      • Clear app caches
      • Clear app data
      • Force stop apps
      • Clear app defaults

      If the check box is cleared, the device user is allowed to modify apps in Settings.

      This check box is cleared by default.

    • Prohibit disabling app verification

      Selecting or clearing the check box specifies whether the device user is allowed to disable app verification.

      This check box is cleared by default.

    • Prohibit uninstallation of apps

      Selecting or clearing the check box specifies whether a device user is allowed to uninstall apps from this device.

      This check box is cleared by default.

  • Features in the Google apps section:
    • Prohibit Google Play

      Selecting or clearing the check box specifies whether the device user is allowed to use Google Play.

      This check box is cleared by default.

    • Prohibit Google Chrome

      Prevents use of Google Chrome.

      If the check box is selected, the device user cannot start Google Chrome or configure it in system settings.

      If the check box is cleared, the device user is allowed to use Google Chrome on the device.

      The check box is cleared by default.

    • Prohibit Google Assistant

      Selecting or clearing the check box specifies whether the device user is allowed to use Google Assistant on the device.

      This check box is cleared by default.

  • Features in the Camera section:
    • Prohibit use of camera

      Selecting or clearing the check box specifies whether the device user is allowed to use all cameras on the device.

      If the check box is selected, the solution usually blocks the camera from being opened. However, for Asus and OnePlus devices, the icon for the camera app is completely hidden when the check box is selected.

      This check box is cleared by default.

    • Prohibit camera toggle

      Prevents the device user from toggling the camera.

      If the check box is selected, the device user cannot block camera access via the system toggle.

      If the check box is cleared, the device user is allowed to use the camera toggle.

      The restriction is supported on devices with Android 12 or later.

      This check box is cleared by default.

      On some Xiaomi and HUAWEI devices running Android 12, this restriction does not work. This issue is caused by the specific features of MIUI firmware on Xiaomi devices and EMUI firmware on HUAWEI devices.

  • Granting runtime permissions for apps

    This setting allows you to select an action to be performed when apps installed on corporate devices are running and request additional permissions. This does not apply to permissions granted in Settings (e.g. Access All Files) on the device.

    • Allow users to configure permissions

      When a permission is requested, the user decides whether to grant the specified permission to the app.

      This option is selected by default.

    • Grant permissions automatically

      All apps installed on corporate devices are granted permissions without user interaction.

    • Deny permissions automatically

      All apps installed on corporate devices are denied permissions without user interaction.

      Users can adjust app permissions in device settings before these permissions are denied automatically.

    On Android 12 or later, the following permissions can't be granted automatically but can be denied automatically. If you select Grant permissions automatically, the app will prompt the user for these permissions:

    • Location permissions
    • Permissions for camera
    • Permissions to record audio
    • Permission for activity recognition
    • Permissions to monitor SMS and MMS incoming messages
    • Permissions to access body sensor data

Restrict storage features

On the Storage tab, in the General section, you can enable or disable the following features.

  • Prohibit debugging features

    Prevents use of debugging features.

    If the check box is selected, the device user cannot use USB debugging features and developer mode.

    If the check box is cleared, the device user is allowed to enable and access debugging features and developer mode.

    This check box is cleared by default.

  • Prohibit mounting physical external media

    Selecting or clearing the check box specifies whether the device user is allowed to mount physical external media, such as SD cards and OTG adapters.

    This check box is cleared by default.

  • Prohibit file transfer over USB

    Selecting or clearing this check box specifies whether the device user is allowed to transfer files over USB.

    This check box is cleared by default.

  • Prohibit backup service

    Selecting or clearing the check box specifies whether the device user is allowed to enable or disable the backup service.

    The restriction is supported on devices with Android 8 or later.

    This check box is cleared by default.

Restrict network features

On the Network tab, you can enable or disable the following features.

  • Features in the General section:
    • Prohibit airplane mode

      Selecting or clearing the check box specifies whether the device user is allowed to enable airplane mode on the device.

      This restriction is supported on devices with Android 9 or later.

      This check box is cleared by default.

    • Prohibit use of Android Beam via NFC

      Selecting or clearing the check box specifies whether beaming out data from apps via NFC is allowed on the device. However, the device user can enable or disable NFC.

      This check box is cleared by default.

    • Prohibit use of tethering

      Selecting or clearing the check box specifies whether the device user is allowed to configure tethering and hotspots.

      This check box is cleared by default.

    • Prohibit modifying VPN settings

      Prevents changing VPN settings.

      If the check box is selected, the device user cannot configure a VPN in Settings and VPNs are prohibited from starting.

      If the check box is cleared, the device user is allowed to modify a VPN in Settings.

      This check box is cleared by default.

    • Prohibit resetting network settings

      Selecting or clearing the check box specifies whether the device user is allowed to reset network settings in Settings.

      This restriction is supported on devices with Android 6 or later.

      This check box is cleared by default.

  • Features in the Wi-Fi section:
    • Prohibit use of Wi-Fi

      Selecting or clearing the check box specifies whether the device user is allowed to use Wi-Fi and configure it in Settings.

      This check box is cleared by default.

    • Prohibit enabling/disabling Wi-Fi

      If this option is enabled, the user cannot enable or disable Wi-Fi on the device. Also, Wi-Fi cannot be disabled via airplane mode.

      By default, the option is disabled.

    • Prohibit modifying Wi-Fi settings

      Selecting or clearing the check box specifies whether the device user is allowed to configure Wi-Fi access points via Settings. The restriction does not affect Wi-Fi tethering settings.

      This check box is cleared by default.

    • Prohibit Wi-Fi Direct

      If this option is enabled, the user cannot use the Wi-Fi Direct feature on the device.

      By default, the option is disabled.

    • Prohibit sharing pre-configured Wi-Fi networks

      If this option is enabled, the user cannot share Wi-Fi networks that are configured in the policy settings. Other Wi-Fi networks on the device are not affected.

      By default, the option is disabled.

    • Prohibit adding Wi-Fi networks

      If this option is enabled, the user cannot manually add new Wi-Fi networks on the device.

      By default, the option is disabled.

    • Prohibit changing pre-configured Wi-Fi networks

      Selecting or clearing the check box specifies whether the device user is allowed to change Wi-Fi configurations added by the administrator in the Wi-Fi section.

      This check box is cleared by default.

  • Features in the Bluetooth section:
    • Prohibit use of Bluetooth

      Prevents use of Bluetooth.

      If the check box is selected, the device user cannot turn on and configure Bluetooth via Settings.

      If the check box is cleared, the device user is allowed to use Bluetooth.

      The restriction is supported on devices with Android 8 or later.

      This check box is cleared by default.

    • Prohibit modifying Bluetooth settings

      Selecting or clearing the check box specifies whether the device user is allowed to configure Bluetooth via Settings.

      This check box is cleared by default.

    • Prohibit outgoing data sharing over Bluetooth

      Selecting or clearing the check box specifies whether outgoing Bluetooth data sharing is allowed on the device.

      The restriction is supported on devices with Android 8.0 or later.

      This check box is cleared by default.

  • Features in the Mobile networks section:
    • Prohibit modifying mobile network settings

      Selecting or clearing the check box specifies whether the device user is allowed to change mobile network settings.

      This check box is cleared by default.

    • Prohibit use of cellular data while roaming

      Selecting or clearing the check box specifies whether the device user is allowed to use cellular data while roaming.

      If the check box is selected, the device can't update anti-malware databases and synchronize with the Administration Server while roaming.

      To allow anti-malware database updates while roaming, this check box must be cleared and the Allow database update while roaming check box in the Database update settings of the policy must be selected.

      To allow device synchronization with the Administration Server while roaming, both this check box and the Do not synchronize while roaming check box in the Scheduled synchronization settings of the policy must be cleared.

      This restriction is supported on devices with Android 7 or later.

      This check box is cleared by default.

Additional restrictions

On the Additional settings tab, you can enable or disable the following features.

  • Features in the Language, date, and time section:
    • Prohibit changing language

      Selecting or clearing the check box specifies whether the device user is allowed to change the device language.

      This restriction is supported on devices with Android 9 or later.

      This check box is cleared by default.

      On some corporate devices (for example, Xiaomi, TECNO, and Realme) running Android 9 or later, when you select the Prohibit changing language check box, the user still can change the language, and no warning message appears.

    • Prohibit changing date, time, and time zone

      Selecting or clearing the check box specifies whether the device user is allowed to change date, time, and time zone in Settings.

      This restriction is supported on devices with Android 9 or later.

      This check box is cleared by default.

  • Features in the Display section:
    • Prohibit changing wallpaper

      Selecting or clearing the check box specifies whether the device user is allowed to change the wallpaper on the mobile device.

      This restriction is supported on devices with Android 7 or later.

      This check box is cleared by default.

    • Prohibit adjusting brightness

      Selecting or clearing the check box specifies whether the device user is allowed to adjust the brightness on the mobile device.

      This restriction is supported on devices with Android 9 or later.

      This check box is cleared by default.

    • Prohibit status bar

      Prevents the status bar from being displayed.

      If the check box is selected, the status bar is not displayed on the device. Notifications and quick settings accessible via the status bar are also blocked.

      If the check box is cleared, the status bar can be displayed on the device.

      The restriction is supported on devices with Android 6 or later.

      This check box is cleared by default.

    • Prohibit ambient display

      If this option is enabled, the user cannot use the Ambient Display feature on the device.

      By default, the option is disabled.

  • Features in the Screen on section:
    • Force screen on when plugged in to AC charger

      Selecting or clearing the check box specifies whether the device screen will be on while the device is charging using an AC charger.

      The restriction is supported on devices with Android 6 or later.

      This check box is cleared by default.

    • Force screen on when plugged in to USB charger

      Selecting or clearing the check box specifies whether the device screen will be on while the device is charging using a USB charger.

      The restriction is supported on devices with Android 6 or later.

      This check box is cleared by default.

    • Force screen on when charging wirelessly

      Selecting or clearing this check box specifies whether the device screen will be on while the device is charging using a wireless charger.

      The restriction is supported on devices with Android 6 or later.

      This check box is cleared by default.

  • Features in the Microphone section:
    • Prohibit unmuting microphone

      If this option is enabled, the device microphone is muted.

      If this option is disabled, the user can unmute the microphone and adjust its volume.

      By default, the option is disabled.

    • Prohibit microphone toggle

      If this option is enabled, the user cannot disable access to the microphone via the system toggle on the device. If access to the microphone on the device is disabled when this option is enabled, it is automatically re-enabled.

      By default, the option is disabled.

      On some Xiaomi and HUAWEI devices running Android 12, this restriction does not work. This issue is caused by the specific features of MIUI firmware on Xiaomi devices and EMUI firmware on HUAWEI devices.

  • Features in the Volume section:
    • Prohibit adjusting volume

      Restricts volume adjustment and muting the device.

      If the check box is selected, the device user can't adjust the volume and the device is muted.

      If the check box is cleared, the device user can adjust the volume and the device is unmuted.

      Anti-Theft can disregard this restriction to play a sound on the device. The restriction is disabled to allow the sound to play, and then it is re-enabled.

      This check box is cleared by default.

Restrict system updates

Management of update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may not work correctly.

On the OS update tab, you can configure the following settings.

  • In the Update mode section:
    • Set system update policy

      Type of system update policy.

      If the check box is selected, one of the following system update policies is set:

      • Install updates automatically. Installs system updates immediately without user interaction. This option is selected by default.
      • Install updates during daily window. Installs system updates during a daily maintenance window without user interaction.

        You also need to set the start and end of the daily maintenance window in the Start time and End time fields respectively.

      • Postpone updates for 30 days. Postpones the installation of system updates for 30 days.

        After the specified period, the operating system prompts the device user to install the updates. The period is reset and starts again if a new system update is available.

      If the check box is cleared, a system update policy is not set.

      This check box is selected by default.

      Management of update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may not work correctly.

  • In the Freeze periods section:
    • System update freeze periods

      This block lets you set one or more freeze periods of up to 90 days during which system updates will not be installed on the device. When the device is in a freeze period, it behaves as follows:

      • The device does not receive any notifications about pending system updates.
      • System updates are not installed.
      • The device user cannot check for system updates manually.

      To add a freeze period, click Add period and enter the start and end of the freeze period in the Start date and End date fields respectively.

      Each freeze period can be at most 90 days long, and the interval between consecutive freeze periods must be at least 60 days.

      The restriction is supported on devices with Android 9 or later.

      Management of update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may not work correctly.
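The following Python is an added example, not Kaspersky's code: it checks an OS update tab configuration against the limits stated above (freeze periods of at most 90 days, at least 60 days between consecutive periods, Start time and End time for the daily window) before the policy is saved. The function names, the ISO date and time input format, and the treatment of a daily window that crosses midnight are assumptions made for the example.

```python
"""Pre-commit checks for the OS update tab settings described above.

Added example, not Kaspersky's code. It validates the limits this page gives
for the Update mode and Freeze periods sections (a period of at most 90 days,
at least 60 days between consecutive periods, Start time/End time for the
daily window); the function names and the ISO date/time input format are
assumptions chosen for the example.
"""
from datetime import date, time

UPDATE_MODES = (
    "Install updates automatically",
    "Install updates during daily window",
    "Postpone updates for 30 days",
)


def check_freeze_periods(periods, max_len_days=90, min_gap_days=60):
    """Return the problems found in ("YYYY-MM-DD", "YYYY-MM-DD") freeze periods.

    An empty list means the periods are acceptable. Periods are checked in
    chronological order regardless of the order they were entered in.
    """
    problems = []
    parsed = sorted(
        (date.fromisoformat(s), date.fromisoformat(e)) for s, e in periods
    )
    for start, end in parsed:
        if end < start:
            problems.append(f"period {start}..{end} ends before it starts")
            continue
        length = (end - start).days + 1  # both dates are inclusive
        if length > max_len_days:
            problems.append(
                f"period {start}..{end} is {length} days, longer than {max_len_days}"
            )
    for (s1, e1), (s2, e2) in zip(parsed, parsed[1:]):
        gap = (s2 - e1).days - 1  # whole days with no freeze between the periods
        if gap < 0:
            problems.append(f"periods {s1}..{e1} and {s2}..{e2} overlap")
        elif gap < min_gap_days:
            problems.append(
                f"only {gap} days between {e1} and {s2}, fewer than {min_gap_days}"
            )
    return problems


def in_daily_window(now, start, end):
    """True if clock time `now` (all "HH:MM" strings) is inside the daily window.

    A window whose End time is earlier than its Start time, for example
    22:00 to 04:00, is treated as spanning midnight (an assumption; the page
    does not say how the console handles such a window).
    """
    t, s, e = (time.fromisoformat(v) for v in (now, start, end))
    if s <= e:
        return s <= t < e
    return t >= s or t < e


def check_update_policy(mode, window=None, freeze_periods=()):
    """Return all problems with an OS update configuration before saving it."""
    problems = []
    if mode not in UPDATE_MODES:
        problems.append(f"unknown update mode: {mode!r}")
    if mode == "Install updates during daily window":
        if window is None:
            problems.append("daily window mode requires Start time and End time")
        elif window[0] == window[1]:
            problems.append("daily window must not be empty")
    problems.extend(check_freeze_periods(freeze_periods))
    return problems
```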

[Topic 274822]

Configuring kiosk mode for Android devices

These settings apply to corporate devices.

Kiosk mode is a Kaspersky Endpoint Security for Android feature that lets you limit the apps available to a device user to a single app or a set of multiple apps. You can also efficiently manage some device settings.

Kiosk mode does not affect the work of the Kaspersky Endpoint Security for Android app. It runs in the background, shows notifications, and can be updated.

Types of kiosk modes

The following types of kiosk mode are available in Kaspersky Endpoint Security:

  • Single-app mode

    Kiosk mode with only a single app. In this mode, a device user can open only the one app that is allowed on the device and specified in the kiosk mode settings. If the app that you want to add to kiosk mode is not installed on the device, kiosk mode activates after the app is installed.

    On Android 9 or later, the app launches directly in kiosk mode.

    On Android 8 or earlier, the app is not launched in kiosk mode automatically: the specified app must support kiosk mode itself and call the startLockTask() method to pin its own task.

  • Multi-app mode

    Kiosk mode with multiple apps. In this mode, a device user can open only the set of apps that are allowed on the device and specified in the kiosk mode settings.

Before you configure kiosk mode

Before you configure kiosk mode, do the following:

  • Before you specify which apps are allowed to run in kiosk mode, select the Install action for those apps on the App management tab of the App Control card. Only apps with this action appear in the App package list of the kiosk mode settings.
  • Before activating kiosk mode, we recommend that you prohibit starting Google Assistant by enabling the corresponding restriction in Assets (Devices) → Policies & profiles → Application settings → Android → Restrictions → Device feature restrictions → Apps → Prohibit Google Assistant. Otherwise, Google Assistant starts in kiosk mode and allows non-trusted apps to be opened.

Open the kiosk mode settings

To open the kiosk mode settings:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Restrictions section.
  4. On the Kiosk mode card, click Settings.

The Kiosk mode window opens.

Configure single-app mode

To configure single-app mode:

  1. Enable the settings using the Kiosk mode toggle switch.
  2. In the Operating mode drop-down list, select Single-app mode.
  3. In the App package drop-down list, select an app package with the app that is allowed to be run on the device.
  4. Specify any required restrictions. For available restrictions, see the "Kiosk mode restrictions" section below.
  5. Select the Allow navigation to trusted apps check box if you want to add other apps that a device user can navigate to. For more details, see the "Add additional apps" section below.
  6. Click OK.
  7. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Configure multi-app mode

To configure multi-app mode:

  1. Enable the settings using the Kiosk mode toggle switch.
  2. In the Operating mode drop-down list, select Multi-app mode.
  3. Click Add package and select the apps that are allowed to be run on the device.
  4. Specify any required restrictions. For available restrictions, see the "Kiosk mode restrictions" section below.
  5. Select the Allow navigation to trusted apps check box if you want to add other apps that a device user can navigate to. For more details, see the "Add additional apps" section below.
  6. Click OK.
  7. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Kiosk mode restrictions

You can set the following restrictions in kiosk mode:

  • Prohibit Overview button

    Selecting or clearing this check box specifies whether the Overview button is hidden. This restriction is supported on devices with Android 9 or later.

    The check box is selected by default.

  • Prohibit Home button

    Selecting or clearing this check box specifies whether the Home button is hidden. This restriction is supported on devices with Android 9 or later.

    The check box is selected by default.

  • Prohibit status bar

    If this check box is selected, the status bar is hidden, including notifications, indicators such as connectivity and battery, and the sound and vibrate options. This restriction is supported on devices with Android 9 or later.

    The check box is selected by default.

  • Prohibit system notifications

    Selecting or clearing this check box specifies whether system notifications are hidden. This restriction is supported on devices with Android 9 or later.

    The check box is selected by default.

Add additional apps

Besides locking the device to a single app or set of apps, you can also specify additional apps that the main app can use. These additional apps allow the apps added to kiosk mode to provide their full functionality. For example, the user can view a document or access a website opened from the main app. By default, these additional apps are hidden on the device and a user cannot launch them manually.

To add additional apps:

  1. In the Additional apps section, select the Allow navigation to trusted apps check box.
  2. Click Add package and specify the desired app package name.

    How to get the package name of an app

    To get the name of an app package:

    1. Open Google Play.
    2. Find the app and open its page.

    The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

    To get the name of an app package that has been added to Kaspersky Security Center:

    1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
    2. Click Android apps.

      In the list of apps that opens, app identifiers are displayed in the Package name column.

  3. Click OK.
  4. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

See also:

Configuring kiosk mode for iOS MDM devices

[Topic 274823]

Connecting to a NDES/SCEP server


These settings apply to corporate devices.

You can connect to an NDES/SCEP server to obtain a certificate from a certificate authority (CA) using the Simple Certificate Enrollment Protocol (SCEP). To do this, you need to add a connection to the certificate authority and a certificate profile.

To add a connection to the certificate authority and a certificate profile:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Device configuration section.
  4. On the SCEP and NDES card, click Settings.

    The SCEP and NDES window opens.

  5. Enable the settings using the SCEP and NDES toggle switch.

    The Add connection to certificate authority window opens.

  6. Add a connection to the certificate authority:
    1. In the Connection name field, enter the name of the connection to the certificate authority.
    2. In the Protocol type drop-down list, select the protocol version.
    3. In the Server URL field, enter the URL of an NDES or SCEP server.

      The format of the NDES server URL is http://<ServerName>/certsrv/mscep/mscep.dll.

    4. In the Challenge phrase type drop-down list, select one of the following options to configure the authentication challenge:
      • None

        Challenge response is disabled. No authentication data is required.

      • Static

        Challenge response is enabled. You must enter the authentication phrase in the Static challenge phrase field. The same phrase is used by every device that enrolls through this connection, so treat it as a shared credential.

    5. If you selected the Static option, in the Static challenge phrase field, enter the authentication phrase.
    6. Click Add.

    The connection to the certificate authority is added. You can add multiple connections to certificate authorities.

  7. Select the Certificate profile tab and click Add.

    The Add profile window opens.

  8. Add a certificate profile:
    1. In the General settings section, in the Profile name field, enter a unique name for the certificate profile.
    2. In the Certificate authority (CA) drop-down list, select the certificate authority that you added on the Certificate authority tab.
    3. In the Subject Name field, specify the subject of the certificate. The subject name is a unique identifier that includes information about what is being certified, such as the common name, organization, organizational unit, and country code. You can either enter a value or select a macro by clicking the plus button.
    4. If you want to add an alternative name that represents the certificate subject, click Add Subject Alternative Name and configure the following settings:
      1. In the Type of Subject Alternative Name drop-down list, select the subject alternative name type.
      2. In the Subject Alternative Name field, enter the alternative name. You can either enter a value or select a macro by clicking the plus button.

      You can add multiple subject alternative names.

    5. In the Key section, in the Key size (bit) drop-down list, select the length of the certificate's private key.
    6. In the Private key type drop-down list, select the type of the certificate's private key.
    7. If you want the certificate to be reissued to the device automatically before it expires, in the Certificate section, select the Renew certificate automatically check box. This check box is cleared by default.
    8. If you selected the Renew certificate automatically check box, in the Renew certificate before it expires in (days) field, enter the number of days before the expiration date at which the certificate is reissued.
    9. Click Add.

    The certificate profile is added. You can add multiple certificate profiles.

  9. Click OK.
  10. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

You can edit or remove the added connections to certificate authorities and certificate profiles by clicking Edit and Delete at the top of the list.

If you delete a connection to a certificate authority, all certificate profiles that use it are also removed.

[Topic 274824]

Enabling certificate-based authentication of devices

To enable certificate-based authentication of a device:

  1. Open the command line on a device where the Administration Server is installed.
  2. Go to the directory containing the klscflag utility.

    By default, the utility is located in /opt/kaspersky/ksc64/sbin.

  3. Run the following command under an account with root privileges to configure certificate-based authentication of devices on the Administration Server:

    ./klscflag -fset -pv ".core/.independent" -s KLLIM -n LP_MobileMustUseTwoWayAuthOnPort13292 -t d -v 1

  4. Restart the Administration Server service.

After the Administration Server service restarts, devices must authenticate with a shared certificate when they connect to the Administration Server (on port 13292, as the flag name indicates).

The first connection of the device to the Administration Server does not require a certificate.

By default, certificate-based authentication of devices is disabled.

[Topic 274872]

Creating a mobile application package for Android devices

To create a mobile app package:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
  2. Click Android apps, and then click Add.

    The Add app window opens.

  3. Specify the app name in the App name field. This name will be used to identify the app in policy settings.
  4. Click Select and select an APK file on your computer.
  5. Click Save to save the changes you have made.

The newly created app package is displayed in the list of apps on the Android apps tab.

If you select a large APK file, the app may take some time to upload. Do not close the Apps section until the app is uploaded.

In the Apps section, you can also add iOS apps.

See also:

Configuring managed apps

[Topic 274873]

Viewing information about an Android device

To view information about an Android device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.

    The list of managed mobile devices opens.

  2. To filter Android devices, click the OS column heading and select Android.

    The list of Android devices is displayed.

    Depending on the database you use, searches may be case-sensitive.

  3. Select the mobile device you want to view information about.

    A window with the properties of the Android device opens.

The mobile device properties window displays information about the connected Android device.

If an old version of Kaspersky Endpoint Security for Android (10.52.1.3 or earlier) is installed on the device, the Operating mode value is set to Unknown.

See also:

Viewing information about an iOS MDM device

[Topic 274875]

Disconnecting an Android device from management

To disconnect an Android device from management, the user has to remove Kaspersky Endpoint Security for Android from the mobile device. After the user has removed Kaspersky Endpoint Security for Android, the administrator can remove the mobile device from the list of managed devices in Web Console.

If Kaspersky Endpoint Security for Android has not been removed from the mobile device, that mobile device reappears in the list of managed devices after synchronization with the Administration Server.

To remove an Android device from the list of managed devices:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.

    The list of managed mobile devices opens.

  2. To filter Android devices, click the OS column heading and select Android.

    The list of Android devices is displayed.

  3. Select the mobile device you want to disconnect.
  4. Click Delete.

The mobile device is removed from the list of managed devices.

[Topic 274876][Topic 274877]

Adding a configuration profile

To create a configuration profile, you can use Apple Configurator 2, which is available on the Apple website. Apple Configurator 2 works only on devices running macOS. If you do not have such devices at your disposal, you can use iPhone Configuration Utility. However, Apple no longer supports iPhone Configuration Utility.

To add a configuration profile to an iOS MDM Server:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
  2. In the iOS MDM Server settings window, select Application settings.
  3. Select the Configuration profiles tab.
  4. To add a new configuration profile, click Add.
  5. In the window that opens, select the configuration profile that you want to add.

    The configuration profile name should not be longer than 100 characters. If you enter a longer name, only part of it will be displayed.

The new configuration profile will be displayed in the list of configuration profiles.

You can install the profile that you have created on iOS MDM devices.

[Topic 274879]

Installing a configuration profile on a device

To install a configuration profile on an iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, select the devices that you want to install configuration profiles on.
  3. Click Send command.
  4. In the Send command window that opens, in the Command field, select the Install configuration profile command.
  5. In the Configuration profiles section, select the configuration profiles that you want to install on the devices.
  6. Click Send.

The command is sent to the devices you selected.

To view the list of configuration profiles installed on a device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, click the device whose properties you want to view.

    The device properties window opens.

  3. Select the Configuration profiles tab.

The list of configuration profiles installed on the device is displayed.

[Topic 274880]

Removing a configuration profile from a device

To remove a configuration profile from an iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, select the devices that you want to remove configuration profiles from.
  3. Click Send command.
  4. In the Send command window that opens, in the Command field, select the Delete configuration profile command.
  5. In the Configuration profiles section, select the configuration profiles that you want to remove from the devices.
  6. Click Send.

The command is sent to the devices you selected.

The profile may be displayed in the list of configuration profiles installed on the device for several minutes after it has been deleted.

To view the list of configuration profiles installed on a device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, click the device whose properties you want to view.

    The device properties window opens.

  3. Select the Configuration profiles tab.

The list of configuration profiles installed on the device is displayed.

[Topic 274881]

Configuring managed apps


Before installing an app on an iOS MDM device, you must add that app to the Administration Server. An app is considered managed if it has been installed on a device through Kaspersky Mobile Devices Protection and Management. A managed app can be managed remotely by means of Kaspersky Mobile Devices Protection and Management.

To add a managed app to an iOS MDM Server:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
  2. Click iOS apps, and then click Add.

    The Add app window opens.

  3. Specify the app name in the App name field. This name will be used to identify the app in policy settings.
  4. In the Installation method field, select one of the following methods to add the app:
    • Installation package
    • Link to manifest file

      A manifest file is a PLIST file, which is required to install an app on an iOS device. These files are dictionaries containing app installation settings (for example, the location of the installation package). When you use a manifest file to add an app, you have to fill in these settings manually. When you add an app from the App Store or an IPA file, the manifest file is generated automatically.

      To get a manifest file for an app, we recommend first adding the app to the iOS MDM Server using an IPA file. In this case, the iOS MDM Server automatically generates a manifest file, which you can download and modify later.

    • App Store
  5. Do one of the following:
    • If you selected Installation package, click Select, and upload an IPA file from your computer.
    • If you selected Link to manifest file, specify a link to a manifest file that can be used to download the app.
    • If you selected App Store, specify a link or ID of the app to be added from the App Store.
  6. If necessary, configure the following settings:
    • Select the Remove when device management profile is deleted check box if you want the app to be removed from the user's mobile device along with the device management profile. By default, this check box is selected.
    • Select the Block backup of app data to iCloud check box if you want to block backup of the app data to iCloud.
  7. If you want to add a custom configuration for the app, in the App configuration section, click Select and select a configuration file in PLIST format on your computer.

    To generate a configuration file, you can use a configuration generator (for example, https://appconfig.jamfresearch.com/generator) or refer to the official documentation on the app to be configured.

    Example of a basic configuration for the Microsoft Outlook app

    Microsoft Outlook app configuration (all values are of type String):

    com.microsoft.outlook.EmailProfile.EmailAccountName
      Description: Username
      Value: The username that will be used to pull the username from Microsoft Active Directory. It might be different from the user's email address. For example, User.
      Default value: none

    com.microsoft.outlook.EmailProfile.EmailAddress
      Description: Email address
      Value: The email address that will be used to pull the user's email address from Microsoft Active Directory. For example, user@companyname.com.
      Default value: none

    com.microsoft.outlook.EmailProfile.EmailUPN
      Description: User Principal Name or username for the email profile that is used to authenticate the account
      Value: The name of the user in email address format. For example, userupn@companyname.com.
      Default value: none

    com.microsoft.outlook.EmailProfile.ServerAuthentication
      Description: Authentication method
      Value: Username and Password – Prompts the device user for their password. Certificates – Certificate-based authentication.
      Default value: Username and Password

    com.microsoft.outlook.EmailProfile.ServerHostName
      Description: ActiveSync FQDN
      Value: The host name of the Exchange ActiveSync email server, without the http:// or https:// prefix. For example, mail.companyname.com.
      Default value: none

    com.microsoft.outlook.EmailProfile.AccountDomain
      Description: Email domain
      Value: The account domain of the user. For example, companyname.
      Default value: none

    com.microsoft.outlook.EmailProfile.AccountType
      Description: Authentication type
      Value: ModernAuth – Uses a token-based identity management method. Specify ModernAuth as the Account Type for Exchange Online. BasicAuth – Prompts the device user for their password. Specify BasicAuth as the Account Type for Exchange On-Premises.
      Default value: BasicAuth

    IntuneMAMRequireAccounts
      Description: Is sign-in required
      Value: Enabled – The app requires the user to sign in to the managed user account defined by the IntuneMAMUPN key to receive Org data. Disabled – No account sign-in is required.
      Default value: none

    IntuneMAMUPN
      Description: UPN Address
      Value: The User Principal Name of the account allowed to sign in to the app. For example, userupn@companyname.com.
      Default value: none

    Example of a configuration file for the Microsoft Outlook app:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.microsoft.outlook.EmailProfile.AccountType</key>
        <string>BasicAuth</string>
        <key>com.microsoft.outlook.EmailProfile.EmailAccountName</key>
        <string>My Work Email</string>
        <key>com.microsoft.outlook.EmailProfile.ServerHostName</key>
        <string>exchange.server.com</string>
        <key>com.microsoft.outlook.EmailProfile.EmailAddress</key>
        <string>%email%</string>
        <key>com.microsoft.outlook.EmailProfile.EmailUPN</key>
        <string>%full_name%</string>
        <key>com.microsoft.outlook.EmailProfile.AccountDomain</key>
        <string>my-domain</string>
        <key>com.microsoft.outlook.EmailProfile.ServerAuthentication</key>
        <string>Username and Password</string>
        <key>IntuneMAMAllowedAccountsOnly</key>
        <string>Enabled</string>
        <key>IntuneMAMUPN</key>
        <string>%full_name%</string>
    </dict>
    </plist>

    You can use the following macros in the corresponding fields of the configuration file; each macro is replaced with the corresponding value for the user.

    Macros which can be used in configuration files:

    %full_name% – Full user name
    %email% – User's main email address
    %email1% – User's first backup email address
    %email2% – User's second backup email address
    %mobile_phone% – User's mobile phone number
    %phone_number% – User's main phone number
    %phone_number1% – User's first backup phone number
    %phone_number2% – User's second backup phone number
    %short_name% – User name
    %domain_name% – Name of user's domain
    %job_title% – User's job title
    %department% – Department name
    %company% – Company name

  8. Click Save to save the changes you have made.

The newly created app is displayed in the table of apps on the iOS apps tab.

If you select a large IPA file, the app may take some time to upload. Do not close the Apps section until the app is uploaded.

You can view and edit app properties by clicking the app in the list or remove the app using the Delete button.
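The table and sample file above give the configuration keys; the following Python script, added here and not part of Kaspersky's or Microsoft's documentation, builds the same configuration with the standard-library plistlib and checks it before upload: values the table limits to fixed choices (ServerAuthentication, AccountType, the sign-in-required key), macros the product does not list, a host name given with a scheme, BasicAuth combined with Exchange Online (the table says Exchange Online needs ModernAuth), and a required sign-in without an IntuneMAMUPN. The Exchange Online host name it compares against and the use of %email% as the UPN are assumptions of the example. The table and the sample file name the sign-in-required key differently (IntuneMAMRequireAccounts and IntuneMAMAllowedAccountsOnly), so the validator accepts either and the builder emits the table's key.

```python
"""Build and sanity-check a managed-app configuration PLIST for Microsoft Outlook.

Added example, not Kaspersky's or Microsoft's code. It assembles the keys from
the table above, serializes them with plistlib, and checks the values that the
table restricts to fixed choices. Per-user fields use the product's macros,
which Kaspersky Security Center expands; using %email% as the UPN assumes the
UPN equals the primary e-mail address. The Exchange Online host name used in the
BasicAuth check is an assumption of this example.
"""
import plistlib
import re

# Keys whose values the table limits to a fixed set. The sign-in-required key is
# IntuneMAMRequireAccounts in the table and IntuneMAMAllowedAccountsOnly in the
# sample file; both spellings are accepted here.
ALLOWED_VALUES = {
    "com.microsoft.outlook.EmailProfile.ServerAuthentication": {"Username and Password", "Certificates"},
    "com.microsoft.outlook.EmailProfile.AccountType": {"ModernAuth", "BasicAuth"},
    "IntuneMAMRequireAccounts": {"Enabled", "Disabled"},
    "IntuneMAMAllowedAccountsOnly": {"Enabled", "Disabled"},
}

# Macros the documentation lists as available in configuration files.
KNOWN_MACROS = {
    "%full_name%", "%email%", "%email1%", "%email2%", "%mobile_phone%",
    "%phone_number%", "%phone_number1%", "%phone_number2%", "%short_name%",
    "%domain_name%", "%job_title%", "%department%", "%company%",
}
_MACRO_RE = re.compile(r"%[A-Za-z0-9_]+%")
EXCHANGE_ONLINE_HOST = "outlook.office365.com"   # assumption used by the BasicAuth check


def build_outlook_config(server_host, domain, account_type="ModernAuth",
                         server_auth="Username and Password", require_sign_in=True):
    """Return the Outlook configuration as a dict of String values."""
    return {
        "com.microsoft.outlook.EmailProfile.EmailAccountName": "%short_name%",
        "com.microsoft.outlook.EmailProfile.EmailAddress": "%email%",
        "com.microsoft.outlook.EmailProfile.EmailUPN": "%email%",   # assumes UPN == e-mail address
        "com.microsoft.outlook.EmailProfile.ServerAuthentication": server_auth,
        "com.microsoft.outlook.EmailProfile.ServerHostName": server_host,
        "com.microsoft.outlook.EmailProfile.AccountDomain": domain,
        "com.microsoft.outlook.EmailProfile.AccountType": account_type,
        "IntuneMAMRequireAccounts": "Enabled" if require_sign_in else "Disabled",
        "IntuneMAMUPN": "%email%",
    }


def validate_config(config):
    """Return a list of problems found in the configuration; empty means it passes."""
    problems = []
    for key, value in config.items():
        if not isinstance(value, str):
            problems.append(f"{key}: value must be a String")
            continue
        if key in ALLOWED_VALUES and value not in ALLOWED_VALUES[key]:
            problems.append(f"{key}: {value!r} is not one of {sorted(ALLOWED_VALUES[key])}")
        for macro in _MACRO_RE.findall(value):
            if macro not in KNOWN_MACROS:
                problems.append(f"{key}: unknown macro {macro}")
    host = config.get("com.microsoft.outlook.EmailProfile.ServerHostName", "")
    if host.lower().startswith(("http://", "https://")):
        problems.append("ServerHostName should be a bare host name; drop the http:// or https:// prefix")
    # The table says Exchange Online requires ModernAuth.
    if (config.get("com.microsoft.outlook.EmailProfile.AccountType") == "BasicAuth"
            and host.lower() == EXCHANGE_ONLINE_HOST):
        problems.append("AccountType BasicAuth with an Exchange Online host; use ModernAuth")
    sign_in = config.get("IntuneMAMRequireAccounts", config.get("IntuneMAMAllowedAccountsOnly"))
    if sign_in == "Enabled" and not config.get("IntuneMAMUPN"):
        problems.append("sign-in is required but IntuneMAMUPN is not set")
    return problems


def to_plist(config):
    """Serialize the configuration to XML PLIST bytes, the format the console accepts."""
    return plistlib.dumps(config, fmt=plistlib.FMT_XML, sort_keys=True)


def from_plist(data):
    """Parse XML PLIST bytes back into a dict, for example to inspect a downloaded file."""
    return plistlib.loads(data)


if __name__ == "__main__":
    cfg = build_outlook_config("mail.companyname.com", "companyname")
    print(validate_config(cfg) or "configuration passes the checks")
    print(to_plist(cfg).decode())
```

Write the bytes returned by to_plist() to a .plist file and select that file in the App configuration section; run validate_config() on from_plist() of any file you did not generate yourself before uploading it.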

See also:

Creating a mobile application package for Android devices

[Topic 274885]

Installing an app on a mobile device

To install an app on a mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, select the devices that you want to install apps on.
  3. Click Send command.
  4. In the Send command window that opens, in the Command field, select the Install app command.
  5. In the Apps field, select the apps that you want to install on the devices.
  6. Click Send.

The command is sent to the devices you selected.

[Topic 291731]

Removing an app from a device

To remove an app from a mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, select the devices that you want to remove apps from.
  3. Click Send command.
  4. In the Send command window that opens, in the Command field, select the Delete app command.
  5. In the Apps section, select the apps that you want to remove from the devices.
  6. Click Send.

The command is sent to the devices you selected.

See also:

Viewing information about an iOS MDM device

[Topic 274887]

Configuring roaming on an iOS MDM mobile device

To configure roaming:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, select the devices that you want to configure roaming settings for.
  3. Click Send command.
  4. In the Send command window that opens, in the Command field, select the Change roaming settings command.
  5. In the Action section, do one of the following:
    • If you want to enable data roaming, select Enable data roaming.
    • If you want to disable data roaming, select Disable data roaming.
  6. Click Send.

The command is sent to the devices you selected.

[Topic 274888]

Viewing information about an iOS MDM device

To view information about an iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.

    The list of managed mobile devices opens.

  2. To filter iOS MDM devices, click the Operating mode column heading and select the operating mode of the iOS MDM device you want to view information about.

    The list of iOS MDM devices is displayed.

    Depending on the database you use, searches may be case-sensitive.

  3. Select the mobile device you want to view information about.

    A window with the properties of the iOS MDM device opens.

The General tab of the properties window displays information about the connected iOS MDM device.

The Certificates tab of the properties window displays information about the certificates installed on the selected iOS MDM device.

The Apps tab of the properties window displays information about the apps installed on the selected iOS MDM device.

The Configuration profiles tab of the properties window displays information about the configuration profiles installed on the selected iOS MDM device.

See also:

Viewing information about an Android device

[Topic 291747]

Disconnecting an iOS MDM device from management

If you want to stop managing an iOS MDM device, you can disconnect it from management in Kaspersky Security Center.

As an alternative, you or the device owner can remove the device management profile from the device. However, after that you must still disconnect the device from management, as described in this section. Otherwise, you will not be able to start managing this device again.

To disconnect an iOS MDM device from the iOS MDM Server:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.

    The list of managed mobile devices opens.

  2. To filter iOS MDM devices, click the Operating mode column heading and select the operating mode of the iOS MDM device you want to disconnect.

    The list of iOS MDM devices operating in the selected mode is displayed.

  3. Select the mobile device you want to disconnect.
  4. Click Delete.

In the list, the iOS MDM device is marked for removal. Within one minute, the device is removed from the database of the iOS MDM Server, after which it is automatically removed from the list of managed devices.

After the iOS MDM device is disconnected from management, all installed configuration profiles, the device management profile, and apps for which the Remove when device management profile is deleted option has been enabled in the iOS MDM Server settings, will be removed from the device. The iOS MDM policy will also be deleted.

[Topic 274890]

Configuring kiosk mode for iOS MDM devices

These settings apply to supervised devices.


Kiosk mode is an iOS feature that lets you limit the apps available to a device user to a single app. In this mode, a device user can open only the one app that is allowed on the device and specified in the kiosk mode settings.

Open the kiosk mode settings

To open the kiosk mode settings:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Restrictions section.
  4. On the Kiosk mode card, click Settings.

The Kiosk mode window opens.

Configure kiosk mode

To enable kiosk mode:

  1. Enable the settings using the Kiosk mode toggle switch to activate kiosk mode on a supervised device.
  2. In the Bundle ID field, enter the unique identifier of an app selected for kiosk mode (for example, com.apple.calculator).

    How to get the bundle ID of an app

    To get the bundle ID of a built-in iPhone or iPad app, follow the instructions in the Apple documentation.

    To get the bundle ID of any iPhone or iPad app:

    1. Open the App Store.
    2. Find the required app and open its page.

      The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

    3. Copy this identifier (without the letters "id").
    4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

      This downloads a text file.

    5. Open the downloaded file and find the "bundleId" fragment in it.

    The text that directly follows this fragment is the bundle ID of the required app.

    To get the bundle ID of an app that has been added to Kaspersky Security Center:

    1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
    2. Click iOS apps.

      In the list of apps that opens, app identifiers are displayed in the Bundle ID column.

    To select a different app, you need to disable kiosk mode, save the changes to the policy, and enable kiosk mode for a new app.

    The app that is selected for kiosk mode must be installed on the device. Otherwise, the device will be locked until kiosk mode is disabled.

    The use of the selected app must also be allowed in the policy settings. If the use of the app is prohibited, kiosk mode will not be enabled until the selected app is removed from the list of forbidden apps.

    In some cases, kiosk mode can still be enabled even when the use of the selected app is prohibited in the policy settings.

  3. Specify the settings that will be enabled on the device in kiosk mode in the corresponding section. For available settings, see the "Kiosk mode settings" section below.
  4. Specify the settings that the user can edit on the device in kiosk mode in the corresponding section.
  5. Click OK.
  6. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, kiosk mode is enabled. The selected app is forced to open on a supervised device, and the use of other apps is prohibited. The selected app reopens immediately after the device is restarted.

To edit the kiosk mode settings, you need to disable kiosk mode, save changes to the policy, and then enable kiosk mode again with the new settings.
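The bundle ID lookup described above, automated as an added example. This is not the product's own code: the App Store URL pattern, the shape of the lookup response and the sample response embedded below are assumptions, and the sample is constructed test data. Besides extracting the bundle ID, the helper performs the check worth doing before the policy is saved: the lookup must return exactly one result, for the identifier that was actually copied, since a bundle ID that matches no installed app locks the device.

```python
"""Resolve an App Store app page URL to a bundle ID before it goes into a kiosk-mode policy."""
import json
import re
import urllib.request

# Assumed URL layout: https://apps.apple.com/<country>/app/[<slug>/]id<number>
APP_STORE_URL_RE = re.compile(r"^https://apps\.apple\.com/[^/]+/app/(?:[^/]+/)?id(\d+)")
# Bundle IDs are reverse-DNS style names such as com.apple.calculator
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def app_store_id_from_url(url: str) -> int:
    """Extract the numeric identifier (the part after 'id') from an App Store app page URL."""
    match = APP_STORE_URL_RE.match(url.strip())
    if not match:
        raise ValueError(f"not an App Store app URL: {url!r}")
    return int(match.group(1))


def bundle_id_from_lookup(lookup_json: str, expected_id: int) -> str:
    """Pull 'bundleId' out of a lookup response and refuse anything that is not exactly
    one result for the identifier we asked about, or that does not look like a bundle ID."""
    data = json.loads(lookup_json)
    results = data.get("results", [])
    if data.get("resultCount") != 1 or len(results) != 1:
        raise ValueError("lookup did not return exactly one app; check the copied identifier")
    app = results[0]
    if app.get("trackId") != expected_id:
        raise ValueError("lookup result describes a different app id")
    bundle_id = app.get("bundleId", "")
    if not BUNDLE_ID_RE.match(bundle_id):
        raise ValueError(f"unexpected bundle ID format: {bundle_id!r}")
    return bundle_id


def lookup_bundle_id(url: str, timeout: float = 10.0) -> str:
    """Online path: query https://itunes.apple.com/lookup?id=<id> and return the bundle ID."""
    app_id = app_store_id_from_url(url)
    with urllib.request.urlopen(f"https://itunes.apple.com/lookup?id={app_id}", timeout=timeout) as resp:
        return bundle_id_from_lookup(resp.read().decode("utf-8"), app_id)


# Constructed sample in the shape the lookup service returns; not a real capture.
SAMPLE_LOOKUP = json.dumps({
    "resultCount": 1,
    "results": [
        {"trackId": 535886823, "trackName": "Google Chrome", "bundleId": "com.google.chrome.ios"}
    ],
})

if __name__ == "__main__":
    app_id = app_store_id_from_url("https://apps.apple.com/us/app/google-chrome/id535886823")
    print(app_id, bundle_id_from_lookup(SAMPLE_LOOKUP, app_id))
```

Run `lookup_bundle_id(url)` on an administrator workstation with internet access; the offline functions are what you would wire into a pre-flight check of a policy export.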

To disable kiosk mode:

  1. Disable the settings using the Kiosk mode toggle switch to deactivate kiosk mode on a supervised device.
  2. Click OK.
  3. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, kiosk mode is disabled and the use of all apps is allowed on the supervised device.

Now, you can enable kiosk mode again with the new settings.

Kiosk mode settings

  • Auto-Lock

    If the check box is selected, Auto-Lock is enabled. The screen is automatically locked on the device.

    If the check box is cleared, Auto-Lock is disabled.

    This check box is selected by default.

  • Touch (not recommended to disable)

    If the check box is selected, all touch input capabilities are enabled.

    If the check box is cleared, all touch input capabilities are disabled.

    This check box is selected by default.

  • AssistiveTouch

    If the check box is selected, AssistiveTouch is enabled. The device screen is adapted to the user's unique physical needs.

    If the check box is cleared, AssistiveTouch is disabled.

    This check box is cleared by default.

  • Voice Control

    If the check box is selected, Voice Control is enabled. The user can navigate and interact with the device using voice commands.

    If the check box is cleared, Voice Control is disabled.

    This check box is cleared by default.

  • VoiceOver

    If the check box is selected, VoiceOver is enabled. Audible descriptions of what appears on the screen are given.

    If the check box is cleared, VoiceOver is disabled.

    This check box is cleared by default.

  • Speak Selection

    If the check box is selected, Speak Selection is enabled. The text selected on the screen is spoken.

    If the check box is cleared, Speak Selection is disabled.

    This check box is cleared by default.

  • Volume Buttons

    If the check box is selected, the volume buttons are enabled. The user can adjust the volume on the device.

    If the check box is cleared, the volume buttons are disabled.

    This check box is selected by default.

  • Mono Audio

    If the check box is selected, Mono Audio is enabled. The left and right headphone channels are combined to play the same content.

    If the check box is cleared, Mono Audio is disabled.

    This check box is cleared by default.

  • Zoom

    If the check box is selected, Zoom is enabled. The user can zoom in and out on the content on the screen.

    If the check box is cleared, Zoom is disabled.

    This check box is selected by default.

  • Auto-Rotate Screen

    If the check box is selected, Auto-Rotate Screen is enabled. Screen orientation automatically changes when the device is rotated.

    If the check box is cleared, Auto-Rotate Screen is disabled.

    This check box is selected by default.

  • Invert Colors

    If the check box is selected, inverting colors on the screen is enabled. The displayed colors are changed to their opposite colors.

    If the check box is cleared, inverting colors on the screen is disabled.

    This check box is cleared by default.

  • Ring/Silent Switch

    If the check box is selected, Ring/Silent Switch is enabled. The user can switch between Ring and Silent modes to mute or unmute sounds and alerts.

    If the check box is cleared, Ring/Silent Switch is disabled.

    This check box is selected by default.

  • Sleep/Wake Button

    If the check box is selected, the Sleep/Wake button is enabled. The user can put the device to sleep or wake the device.

    If the check box is cleared, the Sleep/Wake button is disabled.

    This check box is selected by default.

See also:

Configuring kiosk mode for Android devices

[Topic 274826][Topic 274785]

Configuring connection to a Wi-Fi network

This section provides instructions on how to configure automatic connection to a corporate Wi-Fi network on Android and iOS MDM devices.

In this section

Connecting Android devices to a Wi-Fi network

Connecting iOS MDM devices to a Wi-Fi network

[Topic 274786]

Connecting Android devices to a Wi-Fi network


For an Android device to automatically connect to an available Wi-Fi network and protect data during the connection, you must configure the connection settings.

To connect a mobile device to a Wi-Fi network:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Device configuration section.
  4. On the Wi-Fi card, click Settings.

    The Wi-Fi window opens.

  5. Enable the settings using the Wi-Fi toggle switch.
  6. Click Add.

    The Add Wi-Fi network window opens.

  7. In the Service set identifier (SSID) field, enter the SSID, that is, the network name broadcast by the access point.
  8. Select the Connect automatically check box if you want Android devices to automatically connect to the Wi-Fi network.
  9. Select the Hidden network check box if the access point does not broadcast its SSID, so that the network does not appear in the list of available networks on the device.

    In this case, the SSID entered in the policy must exactly match the SSID configured on the Wi-Fi router, and a user who connects manually has to type it. Note that a device configured for a hidden network actively probes for that SSID wherever it is, so hiding the SSID does not keep the network name secret.

  10. In the Protection section, select the type of Wi-Fi network security: open network, or a secure network protected with WEP, WPA2 PSK, or 802.1X EAP.

    802.1X EAP is supported only in Kaspersky Endpoint Security for Android 10.48.1.1 or later. WEP is supported only on Android 9 or earlier. WEP is cryptographically broken and gives no real confidentiality; use it only for legacy networks that cannot be migrated, and prefer WPA2 PSK for shared-key networks or 802.1X EAP where each user should authenticate individually.

  11. If you selected the 802.1X EAP security protocol, specify the following network protection settings:
    • EAP method

      Specifies an Extensible Authentication Protocol (EAP) method for network authentication. Possible values:

      • TLS (default)
      • PEAP
      • TTLS
    • Method for uploading root certificate

      Specifies the way you want to upload a root certificate. Possible values:

      • From the list of root certificates – Lets you select any available certificate from the drop-down list.
      • From file – Lets you upload a certificate file from your computer.
    • Root certificate

      Specifies the root certificate to be used by the Wi-Fi network.

    • User certificate

      Specifies the user certificate to be used by the Wi-Fi network if the TLS EAP method is selected.

      The following values are available in the drop-down list:

      • Not selected – The user certificate is not specified.
      • User certificates – The VPN certificates that were added in the Certificates section and installed on the user device. If you choose this option, but no VPN certificate is installed on the device, the user certificate is not used for this Wi-Fi network.
      • SCEP profiles – SCEP certificate profiles configured in the SCEP and NDES settings and used to obtain certificates.
    • Domain name

      Specifies the constraint for the authentication server's domain name.

      If set, this Fully Qualified Domain Name (FQDN) is used as a suffix match requirement against the SubjectAltName dNSName element(s) of the certificate presented by the RADIUS (authentication) server, which must itself chain to the selected root certificate. If a matching dNSName is found, this constraint is met.

      You can specify multiple match strings using semicolons to separate the strings. A match with any of the values is considered a sufficient match for the certificate (i.e., the OR operator is used).

      If you specify *, any server certificate that chains to the selected root certificate is accepted. This value is specified by default. If the root certificate is a public or otherwise widely used CA, * lets anyone who holds a certificate from that CA run a rogue access point with the same SSID and collect user credentials, so set the constraint to your RADIUS server's domain (for example, corp.example.com) unless the root certificate is a private CA used for nothing but this network.

    • Two-factor authentication type

      Specifies the Phase 2 (inner) authentication method that runs inside the TLS tunnel established by PEAP or TTLS. It is not used with the TLS EAP method, where the user certificate authenticates the user. Possible values:

      • Not selected (default)
      • MSCHAP
      • MSCHAPV2
      • GTC
    • User ID

      Specifies a user ID to be used to connect to the Wi-Fi network.

    • Anonymous ID

      Specifies an anonymous (outer) identity that is different from the user identity and is used if the PEAP or TTLS method of network authentication is selected. The outer identity is sent in the clear before the TLS tunnel is established, while the User ID is sent only inside the tunnel, so use a generic value (for example, anonymous@example.com) that reveals no real user name.

    • Password

      Specifies a password for accessing the wireless network. The password is delivered to the device in a QR code.

      Do not send a password for a confidential Wi-Fi network that should not be publicly available. The password is transmitted unencrypted along with the other data used to configure the device.

  12. In the Password field, set a network access password if you selected a WEP or WPA2 PSK network at step 10.
  13. On the Additional settings tab, select the Use a proxy server check box if you want to use a proxy server to connect to the Wi-Fi network.
  14. If you selected Use a proxy server, in the Proxy server address and Proxy server port fields, enter the IP address or DNS name of the proxy server and port number, if necessary.

    On devices running Android 8 or later, proxy server settings for Wi-Fi cannot be redefined with a policy. However, you can manually configure the proxy server settings for a Wi-Fi network on the mobile device.

    If you are not using a proxy server to connect to a Wi-Fi network, there are no limitations on using policies to manage a Wi-Fi network connection.

  15. In the Do not use proxy server for the specified addresses field, add web addresses that can be accessed without the use of the proxy server.

    For example, you can enter the address example.com. In this case, the proxy server will not be used for the addresses pictures.example.com, example.com/movies, etc. The protocol (for example, http://) can be omitted.

    On devices running Android 8 or later, excluding web addresses from the proxy server does not work.

  16. Click Add.

    The added Wi-Fi network is displayed in the list of Wi-Fi networks.

    This list contains the names of suggested wireless networks.

    On personal devices running Android 10 or later, the operating system prompts the user to connect to such networks. Suggested networks don't appear in the saved networks list on these devices.

    On corporate devices and personal devices running Android 9 or earlier, after synchronizing the device with the Administration Server, the device user can select a suggested wireless network in the saved networks list and connect to it without having to specify any network settings.

    You can modify or delete Wi-Fi networks in the list of networks using the Edit and Delete buttons at the top of the list.

  17. Click OK.
  18. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

On devices running Android 10 or later, if a user refuses to connect to the suggested Wi-Fi network, the app's permission to change Wi-Fi state is revoked. The user must grant this permission manually.
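How the Domain name constraint from step 11 is evaluated against the authentication server's certificate, as an added example that is neither the product's code nor Android's. It follows the semantics described above (suffix match on SubjectAltName dNSName entries, semicolon-separated alternatives combined with OR, * accepting any name) plus two assumptions about the device behaviour that this page does not state: wpa_supplicant's label-boundary rule for the suffix match and its fallback to the Subject CN when a certificate carries no dNSName. The certificate names are constructed. The point it shows is why the default * is the weak setting: a rogue access point with a certificate from the same CA is accepted.

```python
"""Evaluation of the 802.1X 'Domain name' constraint against a RADIUS server certificate."""
from typing import Iterable, List


def parse_domain_constraint(value: str) -> List[str]:
    """Split the policy field on semicolons and drop empty entries; any entry matching is enough (OR)."""
    return [v.strip() for v in value.split(";") if v.strip()]


def suffix_matches(constraint: str, name: str) -> bool:
    """Case-insensitive suffix match on label boundaries (assumed wpa_supplicant semantics):
    'corp.example.com' matches 'radius.corp.example.com' and 'corp.example.com',
    but not 'badcorp.example.com'."""
    c = constraint.strip().lower().rstrip(".")
    n = name.strip().lower().rstrip(".")
    if not c or not n:
        return False
    return n == c or n.endswith("." + c)


def server_cert_accepted(domain_constraint: str, san_dns_names: Iterable[str], subject_cn: str) -> bool:
    """True if the server certificate passes the Domain name check.

    The certificate is assumed to already chain to the selected root certificate; this function
    only decides whether its name is acceptable. '*' (the page's default) accepts any name, and an
    empty field is treated the same way (assumption), which is the weak setting: any certificate
    the same CA has issued to anybody will do."""
    constraints = parse_domain_constraint(domain_constraint)
    if not constraints or "*" in constraints:
        return True
    names = [n for n in san_dns_names if n]
    if not names:
        # Assumption (wpa_supplicant behaviour): no dNSName entries -> compare the Subject CN instead.
        names = [subject_cn]
    return any(suffix_matches(c, n) for c in constraints for n in names)


# Constructed scenario: the legitimate RADIUS servers, and an evil-twin access point whose operator
# obtained a certificate for a domain they control from the same (public) CA.
LEGIT_SAN = ["radius1.corp.example.com", "radius2.corp.example.com"]
ROGUE_SAN = ["radius.attacker.example"]


def evaluate(domain_constraint: str) -> dict:
    """Report which of the two servers a device configured with this constraint would accept."""
    return {
        "legitimate_server": server_cert_accepted(domain_constraint, LEGIT_SAN, ""),
        "rogue_server": server_cert_accepted(domain_constraint, ROGUE_SAN, ""),
    }


if __name__ == "__main__":
    print("default '*':       ", evaluate("*"))
    print("'corp.example.com':", evaluate("corp.example.com"))
```

With the default the rogue server is accepted alongside the legitimate ones; with the server's domain as the constraint only the legitimate servers pass, and the device never sends credentials into the attacker's tunnel.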

[Topic 274806]

Connecting iOS MDM devices to a Wi-Fi network

For an iOS MDM device to automatically connect to an available Wi-Fi network and protect data during the connection, you must configure the connection settings.

To configure the connection of an iOS MDM device to a Wi-Fi network:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Wi-Fi card, click Settings.

    The Wi-Fi window opens.

  5. Enable the settings using the Wi-Fi toggle switch.
  6. Click Add.

    The Add Wi-Fi network window opens.

  7. In the Service set identifier (SSID) field, enter the SSID, that is, the network name broadcast by the access point.
  8. If you want iOS MDM devices to automatically connect to the Wi-Fi network, select the Connect automatically check box.

    If you disable automatic connection to an existing Wi-Fi network in the policy settings, you will not be able to enable automatic connection to this network again. This is due to an issue known to Apple.

  9. If you want iOS MDM devices to skip captive portal detection when they join this network, select the Bypass captive portal check box. Leave it cleared for networks that require preliminary authentication in a web page (captive networks), so that the device presents that page after connecting.

    To use a captive network, you must subscribe, accept an agreement, or make a payment. Captive networks may be deployed in cafes and hotels, for example.

  10. If the access point does not broadcast its SSID, so that the network does not appear in the list of available networks on the iOS MDM device, select the Hidden network check box.

    In this case, the SSID entered in the policy must exactly match the SSID configured on the Wi-Fi router, and a user who connects manually has to type it. A device configured for a hidden network actively probes for that SSID wherever it is, so hiding the SSID does not keep the network name secret.

  11. If you want iOS MDM devices to present their hardware MAC address instead of a per-network private (randomized) address when they connect to the Wi-Fi network, select the Disable MAC address randomization check box. This is needed for MAC-based access control or device accounting on the network, at the cost of making the device trackable by its hardware address.
  12. In the Protection section, select the type of Wi-Fi network security (open network or secure network protected with the WEP, WPA, WPA2, or WPA3 protocol).

    On devices running iOS 15 or earlier, selecting WPA, WPA2, or WPA3 is identical and lets you connect to any network protected using WPA.

    Personal options use one pre-shared key (the network password) that all users of the network share. Corporate options authenticate each user individually over 802.1X, with the credentials or certificate configured in the Authentication section.

    • Open network. User authentication is not required and traffic is not encrypted.
    • WEP. The network is protected using Wired Equivalent Privacy (WEP). WEP is broken and should be used only for legacy networks.

      WEP protection is available on devices running iOS 5 or later.

    • WPA. The network is protected using the WPA (Wi-Fi Protected Access) or WPA2 protocol.
    • WPA2. The network is protected using the WPA2 or WPA3 protocol.
    • WPA3. The network is protected using the WPA3 protocol.
    • Personal network (any). The network is protected using the WEP, WPA, WPA2, or WPA3 protocol depending on the type of Wi-Fi router, with a single pre-shared key.
    • WEP (corporate network). The network is protected using the WEP protocol with a dynamic key negotiated over 802.1X.
    • WPA (corporate network). The network is protected using the WPA or WPA2 protocol with 802.1X authentication.
    • WPA2 (corporate network). The network is protected using the WPA2 or WPA3 protocol with 802.1X authentication.
    • WPA3 (corporate network). The network is protected using the WPA3 protocol with 802.1X authentication.
    • Corporate network (any). The network is protected using the WEP, WPA, WPA2, or WPA3 protocol depending on the type of Wi-Fi router, with 802.1X authentication.

    If you have selected any of the corporate network options, in the EAP protocol section you can select the types of EAP protocols (Extensible Authentication Protocol) used to authenticate the user on the Wi-Fi network.

    In the Trusted certificates section, you can also create a list of trusted certificates. The device then accepts the authentication server only if the certificate it presents is in this list or chains to it. Without such a list, the device has to rely on its own trust decision and typically asks the user to accept the server certificate, which trains users to accept a rogue server as readily as the real one.

  13. In the Authentication section, configure the settings of the account for user authentication upon connection of the iOS MDM device to the Wi-Fi network:
    1. In the User name field, enter the account name for user authentication upon connection to the Wi-Fi network.
    2. In the User ID field, enter the outer identity that is sent during authentication instead of the user's real name.

      The user ID makes authentication more private: the real user name is never sent in the clear, only inside the encrypted TLS tunnel, while the user ID is all that an observer of the Wi-Fi traffic sees. Use a generic value that reveals no real user name.

    3. In the Password field, enter the password of the account for authentication on the Wi-Fi network.
    4. If you want the user to enter the password manually upon every connection to the Wi-Fi network, select the Prompt for password at each connection check box.
    5. In the Authentication certificate drop-down list, select a certificate for user authentication on the Wi-Fi network.
    6. In the Minimum TLS version drop-down list, select the minimum allowed TLS version.
    7. In the Maximum TLS version drop-down list, select the maximum allowed TLS version.
  14. If necessary, on the Additional settings tab, configure the settings for connecting to the Wi-Fi network via a proxy server:
    1. Select the Use a proxy server check box.
    2. Configure a connection to a proxy server:
      1. If you want to configure the connection automatically:
        • Select Automatic.
        • In the PAC file URL field, specify the URL of the proxy PAC file.
        • To allow the user to connect the mobile device to a wireless network without using a proxy server when the PAC file cannot be accessed, select the Allow direct connection if PAC file cannot be accessed check box.
      2. If you want to configure the connection manually:
        • Select Manual.
        • In the Proxy server address and Proxy server port fields, enter the IP address or DNS name of the proxy server and port number.
        • In the User name field, select a macro that will be used as a user name for the connection to the proxy server.
        • In the Password field, specify the password for the connection to the proxy server.
  15. Click Add.

    The new Wi-Fi network is displayed in the list.

  16. Click OK.
  17. Click Save to save the changes you have made.

As a result, a Wi-Fi network connection will be configured on the user's iOS MDM device once the policy is applied. The user's mobile device will automatically connect to available Wi-Fi networks. Data security during a Wi-Fi network connection is ensured by the selected authentication method.

[Topic 274807]

Configuring email

This section contains information on configuring mailboxes on mobile devices.

In this section

Configuring a mailbox on iOS MDM devices

Configuring an Exchange mailbox on iOS MDM devices

Configuring an Exchange mailbox on Android devices

[Topic 274787]

Configuring a mailbox on iOS MDM devices


These settings apply to supervised devices and devices operating in basic control mode.

To enable an iOS MDM device user to work with email, add the user's email account to the list of accounts on the iOS MDM device.

By default, the email account is added with the following settings:

  • Email protocol – IMAP.
  • The user can move email messages between the user's accounts and synchronize account addresses.
  • The user can use any email client, not only Mail, to work with email.
  • The SSL connection is not used during transmission of messages, so the account password and all messages cross the network in plaintext unless you select the Use SSL connection check box for both servers when adding the account.

You can edit the specified settings when adding an account.

To add an email account of the iOS MDM device user:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Email card, click Settings.

    The Email window opens.

  5. Enable the settings using the Email toggle switch.
  6. Click Add.

    The Add email account window opens.

  7. Specify the email account settings:
    • On the General settings tab, configure the following settings:
      1. In the User name field, specify the name of the iOS MDM device user. You can either enter a value or select a macro by clicking the plus button.
      2. In the Email address field, specify the email address of the iOS MDM device user. You can either enter a value or select a macro by clicking the plus button.
      3. In the Account description field, enter a description of the user's email account.
      4. In the Email protocol field, select one of the following protocols:
        • POP
        • IMAP
      5. If you selected IMAP, specify the IMAP path prefix in the IMAP path prefix field.

        The IMAP path prefix must be entered using uppercase letters (for example: GMAIL for Google Mail).

      6. In the Incoming mail server settings and Outgoing mail server settings sections, configure the server connection settings:
        • In the Server address field, specify names of hosts or IP addresses of incoming and outgoing mail servers.
        • In the Server port fields, specify the port numbers of incoming and outgoing mail servers.

        To configure optional settings for the incoming and outgoing mail servers, click More settings and do the following:

        • In the User name field, specify the name of the user's account for authorization on the incoming and outgoing mail servers. You can either enter a value or select a macro by clicking the plus button.
        • In the Authentication type field, select the type of authentication of the user's email account on the incoming and outgoing mail servers.
        • In the Password field, specify the account password for authenticating on incoming and outgoing mail servers protected using the selected authentication method.
        • If you want the connection to the server to be encrypted, select the Use SSL connection check box. The name is historical: the device negotiates TLS with the mail server. Select it for both servers; without it, credentials and messages are sent in the clear.
        • If you want to use the same password for user authentication on the incoming and outgoing mail servers, select the Use the same password for incoming and outgoing mail servers check box.
    • On the Advanced settings tab, configure the additional settings of the email account:
      1. In the Restrictions section, select or clear the following check boxes, if necessary:
        • Allow movement of messages between accounts (including work and personal accounts)

          Moving email messages between accounts.

          If the check box is selected, the user can move email messages from one account to another.

          If the check box is cleared, the user is prohibited from moving email messages from one account to another.

          This check box is selected by default.

          If you want to prohibit saving, moving, and sharing attachments from a corporate mailbox, clear the Allow movement of messages between accounts (including work and personal accounts) check box and select the Prohibit non-managed apps from using documents from managed apps and Prohibit managed apps from using documents from non-managed apps check boxes.

        • Allow syncing recent addresses

          Synchronization of email addresses between accounts.

          If the check box is selected, when creating messages the user can use another email account's address history.

          If this check box is cleared, used email addresses are not synchronized. When creating a message, the user of an iOS MDM device cannot use another email account's address history.

          This check box is selected by default.

        • Allow Mail Drop

          Use of the Mail Drop service to forward large attachments.

          If the check box is selected, the user can use Mail Drop.

          If the check box is cleared, the user cannot use Mail Drop.

          This check box is cleared by default.

        • Allow using only the Mail app

          Use of only the standard iOS mail client for processing messages.

          If the check box is selected, the user can use email only in the standard iOS email client.

          If the check box is cleared, the user can use email both in the standard iOS email client and in other apps.

          This check box is cleared by default.

      2. In the Signature and Encryption sections, configure the settings for signing and encrypting outgoing mail using the S/MIME protocol in the Mail app.

        S/MIME is a protocol for transmitting digitally signed encrypted messages. S/MIME provides cryptographic security capabilities such as authentication, message integrity control, and non-repudiation of origin (using digital signatures). The protocol also helps improve the confidentiality and security of data in email messages by using encryption.

        • Sign messages

          Digital signature of outgoing messages in the Mail app.

          If the check box is selected, outgoing messages are signed with a digital signature using the S/MIME protocol. A digital signature confirms the authenticity of the sender and indicates that the contents of the message have not been modified during transmission to the recipient. Signing uses the device user's own signing certificate and its private key (selected below); recipients verify the signature with the user's public certificate, which travels with the signed message. No recipient certificate is involved in signing.

          This check box is cleared by default.

        • Signing certificate for outgoing messages

          Certificate for signing outgoing messages with a digital signature using the S/MIME protocol. The digital signature guarantees that the message was sent by the iOS MDM device user. You can add certificates in the Certificate management settings of the policy or in the Certificates section of Web Console.

          This drop-down list is available only if the Sign messages check box is selected.

        • Encrypt messages by default

          Encryption of outgoing messages in the Mail app.

          If the check box is selected, outgoing messages are encrypted by default using the S/MIME protocol. A recipient certificate (public key) must be selected for sending encrypted messages. If a recipient certificate is not installed, messages cannot be encrypted. Encrypted messages can be viewed only by users whose devices have a certificate installed.

          This check box is cleared by default.

        • Encryption certificate

          Encryption certificate for encrypting outgoing messages using the S/MIME protocol. Encryption keeps messages confidential during transmission and storage. You can add certificates in the Certificate management settings of the policy or in the Certificates section of Web Console.

          This drop-down list is available only if the Encrypt messages by default check box is selected.

        • Show toggle button for encrypting selected messages

          Display of the lock icon in the To field of the Mail app for sending encrypted messages.

          If this check box is selected, the mobile device user can encrypt individual messages by tapping the icon.

          If the check box is cleared, the icon for encrypting messages is not displayed. In this case, the Encrypt messages by default check box determines whether outgoing mail is encrypted.

  8. Click Save.

    The new email account appears in the list.

    You can modify or delete email accounts in the list using the Edit and Delete buttons at the top of the list.

  9. Click OK.
  10. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, email accounts from the list are added on the user's mobile device.

We recommend closing and opening the Settings app on the iOS MDM device after you configure a mailbox.
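The two S/MIME operations that the Signature and Encryption settings control, run end to end through the openssl command-line tool as an added example (this is not code from the product or from Apple). It shows the asymmetry the settings rely on: signing needs the sender's private key and is verified with the sender's certificate, while encryption needs only the recipient's certificate and is undone only by the recipient's private key. The identities, addresses and message are constructed; the self-signed certificates stand in for ones issued by your CA and distributed through the policy's Certificates section. The script assumes an `openssl` binary on the PATH.

```python
"""S/MIME sign/verify and encrypt/decrypt, driven through the openssl CLI."""
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample message; alice and bob below are test stand-ins for CA-issued identities.
MESSAGE = b"Subject: quarterly figures\n\nattached\n"


def _openssl(*args: str, check: bool = True) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *args], capture_output=True, check=check)


def make_identity(work: Path, name: str) -> None:
    """Private key plus self-signed certificate for <name>@example.com."""
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", f"/CN={name}/emailAddress={name}@example.com",
             "-keyout", str(work / f"{name}.key"), "-out", str(work / f"{name}.crt"))


def sign(work: Path, sender: str, message: bytes) -> bytes:
    """Sign with the SENDER's private key. The sender's certificate is embedded in the output,
    which is what a recipient needs to verify it; no recipient certificate is involved."""
    (work / "msg.txt").write_bytes(message)
    _openssl("smime", "-sign", "-in", str(work / "msg.txt"),
             "-signer", str(work / f"{sender}.crt"), "-inkey", str(work / f"{sender}.key"),
             "-out", str(work / "signed.eml"))
    return (work / "signed.eml").read_bytes()


def verify(work: Path, signed: bytes, trusted: str) -> bool:
    """Verify against a trusted certificate (here the sender's self-signed one, in production
    your CA). Any change to the signed body makes this return False."""
    (work / "check.eml").write_bytes(signed)
    result = _openssl("smime", "-verify", "-in", str(work / "check.eml"),
                      "-CAfile", str(work / f"{trusted}.crt"), "-out", str(work / "verified.txt"),
                      check=False)
    return result.returncode == 0


def encrypt(work: Path, recipient: str, message: bytes) -> bytes:
    """Encrypt to the RECIPIENT's certificate; only the recipient's public key is needed."""
    (work / "plain.txt").write_bytes(message)
    _openssl("smime", "-encrypt", "-aes256", "-in", str(work / "plain.txt"),
             "-out", str(work / "encrypted.eml"), str(work / f"{recipient}.crt"))
    return (work / "encrypted.eml").read_bytes()


def decrypt(work: Path, encrypted: bytes, who: str) -> Optional[bytes]:
    """Decrypt with <who>'s private key; None when <who> is not an addressed recipient."""
    (work / "cipher.eml").write_bytes(encrypted)
    result = _openssl("smime", "-decrypt", "-in", str(work / "cipher.eml"),
                      "-recip", str(work / f"{who}.crt"), "-inkey", str(work / f"{who}.key"),
                      "-out", str(work / "decrypted.txt"), check=False)
    return (work / "decrypted.txt").read_bytes() if result.returncode == 0 else None


def demo() -> dict:
    """Run the exchange between alice (sender) and bob (recipient) and report the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        make_identity(work, "alice")
        make_identity(work, "bob")
        signed = sign(work, "alice", MESSAGE)
        tampered = signed.replace(b"attached", b"altered", 1)  # edit the clear-text body part
        encrypted = encrypt(work, "bob", MESSAGE)
        bob_plain = decrypt(work, encrypted, "bob")
        alice_plain = decrypt(work, encrypted, "alice")  # sender holds no key for the recipient
        return {
            "signature_verifies": verify(work, signed, "alice"),
            "tampered_signature_verifies": verify(work, tampered, "alice"),
            "recipient_can_decrypt": bob_plain is not None and b"attached" in bob_plain,
            "sender_can_decrypt": alice_plain is not None,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The outcome mirrors the Mail settings: the signing certificate is the device user's own, the encryption certificate belongs to the recipient, and a message encrypted to a recipient whose certificate is not on the device cannot be produced, which is why the Encrypt messages by default option needs recipient certificates installed.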

[Topic 274808]

Configuring an Exchange mailbox on iOS MDM devices


These settings apply to supervised devices and devices operating in basic control mode.

To allow an iOS MDM device user to use corporate email, calendar, contacts, notes, and tasks, add the user's Exchange ActiveSync account on the Microsoft Exchange server.

By default, an account with the following settings is added on the Microsoft Exchange server:

  • One week of email is synchronized to the device (messages older than the synchronization period are not stored on it).
  • The user can move messages between the user's accounts and synchronize account addresses.
  • The user can use any email client, not only Mail, to work with email.
  • The SSL connection is used during transmission of messages (the Use SSL connection check box is selected by default).

You can edit the specified settings when adding the Exchange ActiveSync account.

To add an Exchange ActiveSync account of an iOS MDM device user:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Exchange ActiveSync card, click Settings.

    The Exchange ActiveSync window opens.

  5. Enable the settings using the Exchange ActiveSync toggle switch.
  6. Click Add.

    The Add Exchange ActiveSync account window opens.

  7. Specify the Exchange ActiveSync settings:
    • On the General settings tab, specify the user's data:
      • In the Account name field, enter the account name for authorization on the Microsoft Exchange server. You can either enter a value or select a macro by clicking the plus button.
      • In the Exchange ActiveSync server address field, enter the DNS name or IP address of the Microsoft Exchange server.
      • Settings in the User credentials section:
        • In the User domain field, enter the name of the iOS MDM device user's domain. You can either enter a value or select a macro by clicking the plus button.
        • In the User name field, enter the name of the iOS MDM device user. You can either enter a value or select a macro by clicking the plus button.

          If you leave this field blank, Kaspersky Mobile Devices Protection and Management prompts the user to enter the user name when applying the policy on the iOS MDM device.

        • In the Email address field, specify the email address of the iOS MDM device user. You can either enter a value or select a macro by clicking the plus button.
      • Settings in the Authentication section:
        • In the Password field, enter the password of the Exchange ActiveSync account for authorization on the Microsoft Exchange server.
        • In the Authentication certificate drop-down list, select the certificate used for authenticating the iOS MDM device user on the Microsoft Exchange server. You can add certificates in the Certificate management settings of the policy or in the Certificates section of Web Console.
    • On the Additional settings tab, configure the additional settings of the Exchange ActiveSync account:
      • In the Email synchronization section, in the Synchronization period drop-down list, select the time interval for which email is automatically synchronized and stored on the iOS MDM device. The longer the email synchronization period, the more free space required in the memory of the mobile device. Messages that have not been synchronized are not available without an internet connection. The default value is 1 week.
      • In the Restrictions section, select or clear the following check boxes, if necessary:
        • Allow movement of messages between accounts (including work and personal accounts)

          Moving email messages between accounts.

          If the check box is selected, the user can move email messages from one account to another.

          If the check box is cleared, the user is prohibited from moving email messages from one account to another.

          This check box is selected by default.

          If you want to prohibit saving, moving, and sharing attachments from a corporate mailbox, clear the Allow movement of messages between accounts (including work and personal accounts) check box and select the Prohibit non-managed apps from using documents from managed apps and Prohibit managed apps from using documents from non-managed apps check boxes.

        • Allow syncing recent addresses

          Synchronization of email addresses between accounts.

          If the check box is selected, when creating messages the user can use another email account's address history.

          If this check box is cleared, used email addresses are not synchronized. When creating a message, the user of an iOS MDM device cannot use another email account's address history.

          This check box is selected by default.

        • Allow using only the Mail app

          Use of only the standard iOS mail client for processing messages.

          If the check box is selected, the user can use email only in the standard iOS email client.

          If the check box is cleared, the user can use email both in the standard iOS email client and in other apps.

          This check box is cleared by default.

        • Use SSL connection

          Select this check box to use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of data.

          This check box is selected by default.

      • In the Signature and encryption section, configure the settings for signing and encrypting outgoing mail using the S/MIME protocol in the Mail app. S/MIME is a protocol for transmitting digitally signed encrypted messages. S/MIME provides cryptographic security capabilities such as authentication, message integrity control, and non-repudiation of origin (using digital signatures). The protocol also uses encryption to help improve the level of confidentiality and security of data in email messages.
        • Sign messages

          Digital signature of outgoing messages in the Mail app.

          If the check box is selected, outgoing messages are signed with a digital signature using the S/MIME protocol. A digital signature confirms the authenticity of the sender and indicates that the contents of the message have not been modified during transmission to the recipient. A recipient certificate (public key) must be selected for a message signature.

          This check box is cleared by default.

        • Signing certificate for outgoing messages

          Certificate for signing outgoing messages with a digital signature using the S/MIME protocol. The digital signature guarantees that the message was sent by the iOS MDM device user. You can add certificates in the Certificate management settings of the policy or in the Certificates section of Web Console.

          This drop-down list is available only if the Sign messages check box is selected.

        • Encrypt messages by default

          Encryption of outgoing messages in the Mail app.

          If the check box is selected, outgoing messages are encrypted by default using the S/MIME protocol. A recipient certificate (public key) must be selected for sending encrypted messages. If a recipient certificate is not installed, messages cannot be encrypted. Encrypted messages can be viewed only by users whose devices have a certificate installed.

          This check box is cleared by default.

        • Encryption certificate

          Encryption certificate for encrypting outgoing messages using the S/MIME protocol. Encryption keeps messages confidential during transmission and storage. You can add certificates in the Certificate management settings of the policy or in the Certificates section of Web Console.

          This drop-down list is available only if the Encrypt messages by default check box is selected.

        • Show toggle button for encrypting selected messages

          Display of the lock icon in the To field of the Mail app for sending encrypted messages.

          If this check box is selected, the mobile device user can encrypt individual messages by clicking the icon.

          If the check box is cleared, the icon for encrypting messages is not displayed. In this case, the Encrypt messages by default check box determines whether outgoing mail is encrypted.

  8. Click Add.

    The new Exchange ActiveSync account appears in the list.

    You can modify or delete Exchange ActiveSync accounts in the list using the Edit and Delete buttons at the top of the list.

  9. Click OK.
  10. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Exchange ActiveSync accounts from the compiled list are added on the user's mobile device.

[Topic 274809]

Configuring an Exchange mailbox on Android devices

To work with corporate mail, contacts, and the calendar on the mobile device, you can configure the Exchange mailbox settings for the standard Samsung Email app.

An Exchange mailbox can be configured only for Samsung devices running Android 9 or earlier.

To configure an Exchange mailbox on a user's mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the Exchange ActiveSync card, click Settings.

    The Exchange ActiveSync window opens.

  5. Enable the settings using the Exchange ActiveSync toggle switch.
  6. In the Server address field, enter the IP address or DNS name of the server hosting the mail server.
  7. In the Domain name field, enter the name of the mobile device user's domain on the corporate network.
  8. In the Synchronization interval drop-down list, select the interval for mobile device synchronization with the Microsoft Exchange server.
  9. To use the SSL (Secure Sockets Layer) data transport protocol, select the Use SSL connection check box. The SSL protocol uses encryption and certificate-based authentication for secure data transfer. This check box is selected by default.
  10. To use digital certificates to protect data transfer between the user's mobile device and the Microsoft Exchange server, select the Verify server certificate check box. The server certificate is checked to have been issued by the trusted root certificate. This check box is selected by default.
  11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

[Topic 274810]

Configuring protection levels in Kaspersky Security Center

These settings apply to Android devices.

To configure rules for assigning protection levels in Kaspersky Security Center:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the KES for Android settings section.
  4. On the Severity settings for device protection level card, click Settings.

    The Severity settings for device protection level window opens.

  5. Enable the settings using the Severity settings for device protection level toggle switch.
  6. Select the OK, Warning, or Critical protection level for each of the following conditions:
    • Real-time protection is not running

      Drop-down list where you can select the protection level of a mobile device on which real-time protection is not running.

      Real-time protection lets you detect threats in files being opened, as well as scan new apps and stop device infections in real time.

      Real-time protection may fail to run for the following reasons:

      • The user declined to use Kaspersky Security Network on the mobile device in the Anti-Malware settings of Kaspersky Endpoint Security for Android.
      • The user did not grant the app access to manage all files.

      If real-time protection is not running, you can also configure restrictions on operation of the mobile device in the Compliance Control settings of the policy.

    • Web Protection and Web Control are not running

      Drop-down list where you can select the protection level of a mobile device on which Web Protection and Web Control are not running.

      Web Protection lets you scan websites and block malicious and phishing websites.

      Web Control lets you configure user access to specific websites and categories of websites.

      Web Protection and Web Control may fail to run for the following reasons:

      • The user disabled Web Protection on the mobile device in the Kaspersky Endpoint Security for Android settings.
      • The user did not enable Kaspersky Endpoint Security for Android as an Accessibility feature.
      • The Ignore battery optimization permission has not been granted.
      • The Web Protection Statement has not been accepted.

      If Web Protection and Web Control are not running, you can also configure restrictions on the operation of the mobile device in the Compliance Control settings of the policy.

    • App Control is not running

      Drop-down list where you can select the protection level of a mobile device on which App Control is not running.

      App Control lets you block apps from running on mobile devices if those apps do not meet the corporate security requirements.

      App Control may not run if the user did not enable the app as an Accessibility feature on devices running Android 5 or later.

      If App Control is not running, you can also configure restrictions on the operation of the mobile device in the Compliance Control settings of the policy.

    • Device lock is not available

      Drop-down list where you can select the protection level of a mobile device on which device lock is not available.

      The device may be locked in the following cases:

      • The Anti-Theft command is received.
      • The SIM card is replaced or the device is turned on without a SIM card.
      • An attempt is made to remove Kaspersky Endpoint Security for Android while app removal protection is enabled.

      Device lock may be unavailable for the following reasons:

      • The user did not set the app as a device administrator.
      • The user did not enable the app as an Accessibility service on devices running Android 7 or later.
      • The user did not enable the app to overlay other windows on devices running Android 7 or later.
    • Device location is not available

      Drop-down list where you can select the protection level of a mobile device whose location cannot be determined.

      The location is determined after the Locate device command is received.

      Locating the device may be unavailable for the following reasons:

      • The user did not grant the device locate permission to the app.
      • The user turned off the GPS module in the device settings.
    • Versions of the Kaspersky Security Network Statement do not match

      Drop-down list where you can select the protection level of a mobile device if the version of the Kaspersky Security Network Statement accepted by the administrator does not match the version accepted by the device user. Statistics not listed in the version of the Statement accepted by the user are not sent to Kaspersky Security Network.

    • Versions of the Marketing Statement do not match

      Drop-down list where you can select the protection level of a mobile device if the version of the Statement regarding data processing for marketing purposes accepted by the administrator does not match the version accepted by the device user. Data is not transferred to third-party services.

      The list of third-party services can be found in the Statement regarding data processing for marketing purposes.

  7. Click OK.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

For more information about default values, reasons, and conditions for assigning protection levels, please refer to the Mobile device protection levels section.

[Topic 274788]

Managing app configurations

This section provides instructions on how to manage settings and edit configurations of the apps installed on your users' devices.

In this section

Managing Google Chrome settings

Managing Exchange ActiveSync for Gmail

Configuring other apps

[Topic 274789]

Managing Google Chrome settings

These settings apply to corporate devices and devices with a corporate container.

To configure Google Chrome settings:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the App configuration section.
  4. On the Google Chrome settings card, click Settings.

    The Google Chrome settings window opens.

  5. Enable the settings using the Google Chrome settings toggle switch.

    The toggle switch in this card does not enable or disable the corresponding functionality on devices. Enabling the toggle switch lets you configure custom settings. Disabling the toggle switch lets you use default settings.

  6. Configure the required settings.
  7. Click OK.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Manage content settings

On the Content tab, you can manage the following settings:

  • In the Cookies section:
    • Default mode

      Default cookie settings.

      Available options:

      • Allow all websites to save local data (default)
      • Prohibit all websites from saving local data
      • Configure settings for selected websites
      • Do not configure cookie settings
    • Exceptions

      Exceptions from the websites that are prohibited from or allowed to save local data.

      For more information on URL patterns, see the Chrome enterprise documentation.

    • Websites

      The websites that are prohibited from or allowed to save local data.

      For more information on URL patterns, see the Chrome enterprise documentation.

  • In the JavaScript section:
    • Default mode

      Default JavaScript settings.

      Available options:

      • Allow JavaScript on all websites (default)
      • Prohibit JavaScript on all websites
    • Exceptions

      Exceptions from the websites that are prohibited from or allowed to use JavaScript.

      For more information on URL patterns, see the Chrome enterprise documentation.

  • In the Pop-ups section:
    • Default mode

      Default pop-up setting.

      Available options:

      • Allow pop-ups on all websites. Lets all sites open pop-up windows. This value is selected by default.
      • Prohibit pop-ups on all websites. Prohibits all sites from opening pop-up windows.

      Only pop-ups included in the Google abusive pop-ups database are blocked.

    • Exceptions

      Exceptions from the websites that are prohibited from or allowed to display pop-up windows.

  • In the Location tracking section:
    • Default mode

      The default geographic location settings.

      Available options:

      • Allow all websites to track user's location
      • Prohibit all websites from tracking user's location
      • Ask whenever website wants to track user's location (default)

Manage proxy settings

On the Proxy tab, you can manage the following settings:

  • Default mode

    Proxy settings for Google Chrome and ARC apps.

    Available options:

    • Never use proxy. Prohibits the use of proxies; all other proxy settings are ignored.
    • Detect proxy settings automatically. Detects proxy settings automatically; all other options are ignored.
    • Use PAC file. Uses the proxy PAC file specified in the PAC file URL field.
    • Use fixed proxy servers. Uses the data specified in the Proxy server URL field and the Exceptions list.
    • Use system proxy settings. Uses the system proxy settings. This option is selected by default.
  • PAC file URL

    A URL to a proxy PAC file.

  • Proxy server URL

    A URL of the proxy server.

  • Exceptions

    A list of hosts for which the proxy will be bypassed.

Manage search settings

On the Search tab, you can manage the following settings:

  • In the Touch to Search section:
    • Enable Touch to Search

      Selecting or clearing this check box specifies whether the device user is allowed to use Touch to Search and turn the feature on or off.

      This check box is selected by default.

  • In the Search provider section:
    • Operating mode

      This option lets you determine whether to configure a search provider that will be used on user devices.

      If you select Enable default search provider, you can specify search provider settings.

    • Search provider name

      The default search provider name.

    • Search URL

      The URL of the search engine used during default searches.

    • Suggest URL

      The URL of the search engine to provide search suggestions.

    • Icon URL

      The URL of the default search provider's favicon.

    • Encodings

      Character encodings supported by the search provider. The supported encodings are:

      • UTF-8
      • UTF-16
      • GB2312
      • ISO-8859-1
    • Alternate URLs

      A list of alternate URLs to retrieve search terms from the search engine.

    • Image search URL

      The URL of the search engine used for image search.

    • New tab URL

      The URL of the search engine used to provide a New Tab page.

    • Parameters for search URL that uses POST

      URL parameters when searching a URL with the POST method. The parameters are comma-separated key-value pairs. If a value is a template parameter, for example, '{searchTerms}', it is replaced with real search terms. For example:

      q={searchTerms},ie=utf-8,oe=utf-8

    • Parameters for suggest URL that uses POST

      URL parameters for search suggestions using the POST method. The parameters are comma-separated key-value pairs. If a value is a template parameter, for example, '{searchTerms}', it is replaced with real search terms. For example:

      q={searchTerms},ie=utf-8,oe=utf-8

    • Parameters for image URL that uses POST

      URL parameters for image search using the POST method. The parameters are comma-separated key-value pairs. If a value is a template parameter, for example, '{imageThumbnail}', it is replaced with the real image thumbnail. For example:

      content={imageThumbnail},url={imageURL},sbisrc={SearchSource}
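
The three POST parameter fields above share one format: comma-separated key=value pairs in which template parameters such as {searchTerms} or {imageThumbnail} are replaced with real values when the request is sent. The following JavaScript is an added example, not code from Kaspersky or from Google Chrome, that parses such a parameter string, substitutes the template values and builds the form-encoded request body; the function names (parsePostParams, substituteTemplates, buildPostBody) and the sample values are assumptions made for the illustration.

```javascript
// Added example (not Kaspersky's or Chrome's code): expand the
// comma-separated "key=value" string accepted by the "Parameters for ...
// URL that uses POST" fields into a form-encoded request body, replacing
// {name} template parameters with the values supplied at query time.

// Parse "q={searchTerms},ie=utf-8,oe=utf-8" into [[key, value], ...].
// Each pair is split on its first "=" only, so a value may contain "=".
function parsePostParams(spec) {
  return spec
    .split(",")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      if (eq < 0) throw new Error(`parameter without '=': ${pair}`);
      return [pair.slice(0, eq).trim(), pair.slice(eq + 1).trim()];
    });
}

// Replace {name} placeholders with values from `vars`. A placeholder that
// has no value in `vars` is left untouched so the gap is visible in output.
function substituteTemplates(value, vars) {
  return value.replace(/\{([A-Za-z]+)\}/g, (whole, name) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : whole
  );
}

// Build an application/x-www-form-urlencoded body. URLSearchParams encodes
// the substituted values, so "&" or "=" inside the user's search terms
// cannot smuggle extra parameters into the request.
function buildPostBody(spec, vars) {
  const body = new URLSearchParams();
  for (const [key, raw] of parsePostParams(spec)) {
    body.append(key, substituteTemplates(raw, vars));
  }
  return body.toString();
}

// Constructed sample values (assumptions, not product data).
const SAMPLE_SEARCH_SPEC = "q={searchTerms},ie=utf-8,oe=utf-8";
const SAMPLE_IMAGE_SPEC =
  "content={imageThumbnail},url={imageURL},sbisrc={SearchSource}";

// Stand-alone demonstration of the expansion.
console.log(buildPostBody(SAMPLE_SEARCH_SPEC, { searchTerms: "kaspersky endpoint&x=1" }));
console.log(buildPostBody(SAMPLE_IMAGE_SPEC, { imageURL: "https://img.example.test/a.png" }));
```

The second call leaves {imageThumbnail} and {SearchSource} in place because no values were supplied, which is the easiest way to spot a template parameter the search provider does not actually fill in.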

Manage security settings

On the Security tab, you can manage the following settings:

  • In the Google Safe Browsing and SafeSearch section:
    • Safe Browsing operating mode

      Google Safe Browsing protection level.

      Available options:

      • No protection. Disables Google Safe Browsing completely.
      • Standard protection. Makes Google Safe Browsing always enabled in standard protection mode. This option is selected by default.
      • Enhanced protection. Makes Google Safe Browsing always enabled in enhanced protection mode, but device user browsing experience data will be sent to Google.
    • Force SafeSearch

      Selecting or clearing this check box specifies whether Google Search queries will be performed via Google SafeSearch.

      This check box is cleared by default.

    • Disable proceeding from the Safe Browsing warning page

      Selecting or clearing this check box specifies whether the device user is allowed to proceed to the flagged site on Google Safe Browsing warnings, such as malware and phishing. The restriction does not apply to issues related to an SSL certificate, such as invalid or expired certificates.

      This check box is cleared by default.

  • In the Blocked websites section:
    • Block access to these websites

      A list of forbidden URLs. You can also set URL patterns, for example: [*.]example.com.

    • Exceptions

      A list of URLs that are exceptions to the list specified in Block access to these websites. You can also set URL patterns, for example: [*.]example.com.

  • In the Passwords and autofill section:
    • Enable saving passwords

      Selecting or clearing the check box specifies whether Google Chrome will remember the passwords the device user enters and also offer them the next time the device user signs in.

      This check box is selected by default.

    • Enable autofill for addresses

      Autofill settings for addresses.

      If the check box is selected, the device user is allowed to manage autofill for addresses in the user interface.

      If the check box is cleared, autofill never suggests or fills in address information, nor does it save additional address information that the device user submits while browsing the web.

      This check box is selected by default.

    • Enable autofill for bank cards

      Autofill settings for bank cards.

      If the check box is selected, the device user is allowed to manage autofill suggestions for bank cards in the user interface.

      If the check box is cleared, autofill never suggests or fills in bank card information, nor does it save additional bank card information that the device user submits while browsing the web.

      This check box is selected by default.

  • In the Network section:
    • Minimum TLS version

      Minimum allowed TLS version.

      Available options:

      • TLS 1.0 (default)
      • TLS 1.1
      • TLS 1.2
    • Enable network prediction

      Selecting or clearing this check box specifies whether Google Chrome predicts network actions such as DNS prefetching, TCP and SSL preconnection, and prerendering of webpages.

      If the check box is cleared, network prediction is disabled, but the device user can enable it.

      This check box is selected by default.
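
The Block access to these websites list and its Exceptions list above are evaluated per URL, with an exception taking precedence over a block. The JavaScript below is an added example, not code from Kaspersky or from Google Chrome, that evaluates a URL against two such lists using patterns of the form [scheme://][*.]host[:port][/path], the form illustrated by [*.]example.com. Its matching rules are assumptions to be checked against the Chrome enterprise documentation the settings refer to: "[*.]host" matches the host and its subdomains, a bare host matches only that host, an omitted scheme, port or path matches any, and a path matches as a prefix. The function names and the sample lists are likewise assumptions.

```javascript
// Added example (not Kaspersky's or Chrome's code): decide whether a URL is
// blocked by the "Block access to these websites" list after applying the
// "Exceptions" list. Pattern syntax assumed: [scheme://][*.]host[:port][/path].
// IPv6 literals and the bare "*" pattern are not handled here.

function parsePattern(pattern) {
  let rest = pattern.trim();
  let scheme = null;
  const schemeEnd = rest.indexOf("://");
  if (schemeEnd >= 0) {
    scheme = rest.slice(0, schemeEnd).toLowerCase();
    rest = rest.slice(schemeEnd + 3);
  }
  // "[*.]" prefix: the host itself and every subdomain (assumed semantics).
  let subdomains = false;
  if (rest.startsWith("[*.]")) {
    subdomains = true;
    rest = rest.slice(4);
  }
  let path = null;
  const slash = rest.indexOf("/");
  if (slash >= 0) {
    path = rest.slice(slash);
    rest = rest.slice(0, slash);
  }
  let port = null;
  const colon = rest.lastIndexOf(":");
  if (colon >= 0) {
    port = rest.slice(colon + 1);
    rest = rest.slice(0, colon);
  }
  if (rest.length === 0) throw new Error(`pattern has no host: ${pattern}`);
  return { scheme, subdomains, host: rest.toLowerCase(), port, path };
}

// Port implied by the scheme when the URL does not state one.
function defaultPort(protocol) {
  return { "http:": "80", "https:": "443", "ftp:": "21" }[protocol] || "";
}

function matchesPattern(p, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  if (p.scheme !== null && u.protocol !== p.scheme + ":") return false;
  if (p.subdomains) {
    if (host !== p.host && !host.endsWith("." + p.host)) return false;
  } else if (host !== p.host) {
    return false;
  }
  if (p.port !== null) {
    // URL.port is "" when the scheme's default port is in use.
    const effectivePort = u.port || defaultPort(u.protocol);
    if (effectivePort !== p.port) return false;
  }
  if (p.path !== null && !u.pathname.startsWith(p.path)) return false;
  return true;
}

// Exceptions are consulted first, so an exception always wins over a block.
function evaluateUrl(url, blocked, exceptions) {
  const firstHit = (list) => list.find((pat) => matchesPattern(parsePattern(pat), url));
  const allowedBy = firstHit(exceptions);
  if (allowedBy !== undefined) return { action: "allow", pattern: allowedBy };
  const blockedBy = firstHit(blocked);
  if (blockedBy !== undefined) return { action: "block", pattern: blockedBy };
  return { action: "allow", pattern: null };
}

// Constructed sample lists (assumptions, not product data).
const BLOCKED = ["[*.]example.com", "http://legacy.test:8080", "files.test/downloads"];
const EXCEPTIONS = ["[*.]example.com/public"];

for (const url of [
  "https://www.example.com/intranet",
  "https://docs.example.com/public/help",
  "http://legacy.test/",
  "https://www.files.test/downloads/a",
]) {
  console.log(url, evaluateUrl(url, BLOCKED, EXCEPTIONS));
}
```

Two of the sample results are worth noting when tuning the lists: http://legacy.test/ is not blocked because the pattern names port 8080 and the URL uses the default port, and https://www.files.test/downloads/a is not blocked because the pattern has no [*.] prefix and therefore does not cover subdomains.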

Manage additional settings

On the Additional settings tab, you can manage the following settings:

  • In the Bookmarks section:
    • Managed bookmarks

      An admin-managed list of bookmarks. Each entry in the list is a dictionary with name and url keys that hold the bookmark's name and target. You can also set up a subfolder by using a children key whose value is itself a list of bookmarks.

      By default, the folder name for managed bookmarks is "Managed bookmarks". You can change it by adding a new sub-dictionary that contains the toplevel_name key with the required folder name as its value.

      If you enter an incomplete URL as a bookmark's target, Google Chrome will substitute it with a URL as if it was submitted through the address bar. For example, kaspersky.com becomes https://www.kaspersky.com.

      For example:

      "ManagedBookmarks": [
        {
          //Changes the default folder name
          "toplevel_name": "My managed bookmarks folder"
        },
        {
          //Adds a bookmark to the managed bookmarks folder
          "name": "Kaspersky",
          "url": "kaspersky.com"
        },
        {
          "name": "Kaspersky products",
          "children": [
            {
              "name": "Kaspersky Endpoint Security",
              "url": "kaspersky.com/enterprise-security/endpoint"
            },
            {
              "name": "Kaspersky Security for Mail Server",
              "url": "kaspersky.com/enterprise-security/mail-server-security"
            }
          ]
        }
      ]

    • Enable bookmark editing

      Selecting or clearing this check box specifies whether the device user is allowed to add, remove, or modify bookmarks.

      This check box is selected by default.

  • In the History and Incognito mode section:
    • Availability of Incognito mode

      Specifies whether the device user can enable Incognito mode in Google Chrome.

      Available options:

      • Incognito mode is available (default)
      • Incognito mode is disabled
    • Disable saving browser history

      Selecting or clearing this check box specifies whether browsing history is saved and tab syncing is on.

      This check box is cleared by default.

  • In the Other section:
    • Restricted Mode for YouTube

      Minimum required Restricted Mode level for YouTube.

      Available options:

      • Do not enforce Restricted Mode. Specifies that Google Chrome does not force Restricted Mode. However, external policies might still enforce Restricted Mode. This option is selected by default.
      • Enforce at least Moderate Restricted Mode. Lets a device user enable the Moderate Restricted Mode on YouTube.
      • Enforce Strict Restricted Mode. Makes Strict Restricted Mode on YouTube always active.
    • Google Translate operating mode

      Translation functionality.

      Available options:

      • Always offer translation. Shows the integrated translation notification and a translate option at the top of the screen.
      • Never offer translation. Disables all built-in translation functionality.
      • Prompt the user for action. Lets the user decide whether to use translation functionality. This option is selected by default.
    • Enable alternate error pages

      Selecting or clearing this check box specifies whether Google Chrome is allowed to use built-in error pages, such as "Page not found".

      This check box is cleared by default.

    • Enable printing

      Selecting or clearing this check box specifies whether the device user is allowed to print in Google Chrome.

      This check box is selected by default.

    • Enable search suggestions

      Selecting or clearing this check box specifies whether search suggestions are enabled in Google Chrome's address bar.

      This check box is selected by default.
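
The Managed bookmarks structure described above (entries with name and url, subfolders with children, and an entry with toplevel_name that renames the folder) is easy to get wrong when typed by hand, and a target without a scheme is rewritten by Google Chrome as if it had been typed into the address bar. The JavaScript below is an added example, not code from Kaspersky or from Google Chrome, that checks such a value before it is pasted into the policy and reports entries that are incomplete or whose url has no scheme. The function name validateManagedBookmarks and both sample lists are assumptions made for the illustration; the first sample reproduces the page's own example.

```javascript
// Added example (not Kaspersky's or Chrome's code): lint a ManagedBookmarks
// value. Returns a list of human-readable problems; an empty list means the
// structure matches what the setting description expects.

// Accepts only targets that state a scheme, e.g. "https://..." or "ftp://...".
const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

function validateManagedBookmarks(entries, where = "ManagedBookmarks") {
  const problems = [];
  if (!Array.isArray(entries)) {
    return [`${where}: expected a list of bookmarks`];
  }
  entries.forEach((entry, i) => {
    const at = `${where}[${i}]`;
    if (entry === null || typeof entry !== "object" || Array.isArray(entry)) {
      problems.push(`${at}: expected a dictionary`);
      return;
    }
    // The folder-rename entry carries no bookmark of its own.
    if ("toplevel_name" in entry) {
      if (typeof entry.toplevel_name !== "string" || entry.toplevel_name.length === 0) {
        problems.push(`${at}: toplevel_name must be a non-empty string`);
      }
      return;
    }
    if (typeof entry.name !== "string" || entry.name.length === 0) {
      problems.push(`${at}: missing name`);
    }
    const hasUrl = typeof entry.url === "string";
    const hasChildren = Array.isArray(entry.children);
    if (hasUrl === hasChildren) {
      problems.push(`${at}: needs exactly one of url or children`);
    }
    if (hasUrl && !HAS_SCHEME.test(entry.url)) {
      // Chrome would turn e.g. "kaspersky.com" into "https://www.kaspersky.com";
      // stating the scheme and host explicitly avoids an unintended target.
      problems.push(`${at}: url "${entry.url}" has no scheme and will be rewritten by Chrome`);
    }
    if (hasChildren) {
      problems.push(...validateManagedBookmarks(entry.children, `${at}.children`));
    }
  });
  return problems;
}

// Constructed copy of the page's example (an assumption: the page shows it as JSON).
const PAGE_EXAMPLE = [
  { toplevel_name: "My managed bookmarks folder" },
  { name: "Kaspersky", url: "kaspersky.com" },
  {
    name: "Kaspersky products",
    children: [
      { name: "Kaspersky Endpoint Security", url: "kaspersky.com/enterprise-security/endpoint" },
      { name: "Kaspersky Security for Mail Server", url: "kaspersky.com/enterprise-security/mail-server-security" },
    ],
  },
];

// Constructed malformed value (an assumption) to show the other checks.
const BROKEN_EXAMPLE = [
  { url: "https://intranet.example.test/" },                 // no name
  { name: "Both", url: "https://a.example.test/", children: [] }, // url and children
  { name: "Folder", children: "not-a-list" },                 // neither url nor children list
];

console.log(validateManagedBookmarks(PAGE_EXAMPLE));
console.log(validateManagedBookmarks(BROKEN_EXAMPLE));
```

Run against the page's example, the check reports only the three schemeless targets, which is exactly the rewrite behaviour the setting description warns about; the second list shows the structural problems the check catches.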

[Topic 274811]

Managing Exchange ActiveSync for Gmail

These settings apply to corporate devices and devices with a corporate container.

The Exchange ActiveSync settings let you manage Exchange ActiveSync for the Gmail app.

To configure Exchange ActiveSync settings:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the App configuration section.
  4. On the Exchange ActiveSync card, click Settings.

    The Exchange ActiveSync window opens.

  5. Enable the settings using the Exchange ActiveSync toggle switch.
  6. Specify the Exchange ActiveSync settings:
    • On the General settings tab, specify the following settings:
      • Exchange ActiveSync server address

        The Exchange ActiveSync email server URL. You don't need to use http:// or https:// in front of the URL.

      • Settings in the User credentials section:
        • Device ID

          A string used by a Kaspersky Security Center proxy or a third-party gateway to identify the device and connect it to Exchange ActiveSync. You can either enter a value or select a macro by clicking the plus button.

        • User name

          The user name that will be used to pull the user name from Microsoft Active Directory. It might be different from the user's email address. You can either enter a value or select a macro by clicking the plus button.

        • Email address

          The email address that will be used to pull the user's email address from Microsoft Active Directory. You can either enter a value or select a macro by clicking the plus button.

      • Settings in the Authentication section:
        • Authentication type

          The authentication type used to verify a device user's email credential. Possible values:

          • Modern token-based authentication. Uses a token-based identity management method. This value is selected by default.
          • Basic authentication. Prompts the device user for their password and stores it for future use.
        • Authentication certificate

          The authentication certificate used to verify user identity, simplify user authentication, and ensure data security.

          The following values are available in the drop-down list:

          • Not selected. The authentication certificate is not specified.
          • User certificates. The list of Mail certificates configured in the Assets (Devices) → Mobile → Certificates section.
          • SCEP profiles. The list of SCEP certificate profiles configured in the SCEP and NDES card of the Device configuration section of the policy and used to obtain certificates.
    • On the Additional settings tab, specify the following settings:
      • Settings in the Email synchronization section:
        • Synchronization period

          The default time interval for synchronization of mail items between Exchange ActiveSync servers and Gmail. Possible values:

          • 1 day
          • 3 days
          • 1 week (default)
          • 2 weeks
          • 1 month
      • Settings in the Restrictions section:
        • Use SSL connection

          Selecting or clearing this check box specifies whether communication to the server port specified in the Exchange ActiveSync server address field will use the SSL protocol.

          This check box is selected by default.

        • Disable SSL certificate verification

          Selecting or clearing this check box specifies whether validation checks on SSL certificates used on Exchange ActiveSync servers will be performed. Performing a check is useful if certificates are self-signed.

          This check box is cleared by default.

        • Allow unmanaged accounts

          Selecting or clearing the check box specifies whether the device user is allowed to add other accounts to the Gmail app.

          This check box is selected by default.

      • Settings in the Signature section:
  7. Click OK.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

[Topic 274812]

Configuring other apps

These settings apply to corporate devices and devices with a corporate container.

The Configure other apps settings let you configure installed apps that support configurations.

To add app configurations:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the App configuration section.
  4. On the Configure other apps card, click Settings.

    The Configure other apps window opens.

  5. Enable the settings using the Configure other apps toggle switch.
  6. Click Add.

    The Add app configuration window opens.

  7. In the Method for adding configuration drop-down list, select how to add configuration:
    • App package uploaded by administrator

      When adding an app configuration by using an APK file from your computer, you must select a file saved on your computer.

      After that, you can view the description for each setting of the configuration. These descriptions are part of the configuration file.

      Configuration keys uploaded from the app package cannot be deleted. If you want to add a new setting to the uploaded configuration, click the Add setting button.

    • Kaspersky Security Center installation package

      When adding an app configuration using an installation package from Kaspersky Security Center, you need to select the app from a list of mobile app packages.

      After that, you can view the description for each setting of the configuration. These descriptions are part of the configuration file.

      Settings of configurations added using installation packages cannot be deleted.

    • Manual configuration

      When this method is selected, click the Add setting button to add a new setting to the configuration.

  8. In the Configuration data section, specify the following settings:
    • App name

      Name of the app to which the configuration is to be applied.

      When importing a configuration from an APK file or an installation package, the value is inserted automatically.

    • Package name

      Name of the package to which the configuration is to be applied.

      How to get the package name of an app

      To get the name of an app package:

      1. Open Google Play.
      2. Find the app and open its page.

      The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

      To get the name of an app package that has been added to Kaspersky Security Center:

      1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
      2. Click Android apps.

        In the list of apps that opens, app identifiers are displayed in the Package name column.

      When importing a configuration from an APK file or an installation package, the value is inserted automatically.

      You can add only one configuration for each package name.

    • Version

      Version of the app that the created configuration will be based on.

      When importing a configuration from an APK file or installation package, the value is inserted automatically.

    • Comment

      An optional comment.

    An example of configured basic parameters for the Microsoft Outlook app.

    Microsoft Outlook app configuration

    Configuration key: com.microsoft.outlook.EmailProfile.EmailAccountName
    Description: Username
    Type: String
    Value: The username that will be used to pull the username from Microsoft Active Directory. It might be different from the user's email address. You can either enter a value or select a macro by clicking the plus button. For example, User.
    Default value: (empty)

    Configuration key: com.microsoft.outlook.EmailProfile.EmailAddress
    Description: Email address
    Type: String
    Value: The email address that will be used to pull the user's email address from Microsoft Active Directory. You can either enter a value or select a macro by clicking the plus button. For example, user@companyname.com.
    Default value: (empty)

    Configuration key: com.microsoft.outlook.EmailProfile.EmailUPN
    Description: User Principal Name or username for the email profile that is used to authenticate the account
    Type: String
    Value: The name of the user in email address format. For example, userupn@companyname.com.
    Default value: (empty)

    Configuration key: com.microsoft.outlook.EmailProfile.ServerAuthentication
    Description: Authentication method
    Type: String
    Value:
      Username and Password – Prompts the device user for their password.
      Certificates – Certificate-based authentication.
    Default value: Username and Password

    Configuration key: com.microsoft.outlook.EmailProfile.ServerHostName
    Description: ActiveSync FQDN
    Type: String
    Value: The Exchange ActiveSync email server URL. You don't need to use http:// or https:// in front of the URL. For example, mail.companyname.com.
    Default value: (empty)

    Configuration key: com.microsoft.outlook.EmailProfile.AccountDomain
    Description: Email domain
    Type: String
    Value: The account domain of the user. You can either enter a value or select a macro by clicking the plus button. For example, companyname.
    Default value: (empty)

    Configuration key: com.microsoft.outlook.EmailProfile.AccountType
    Description: Authentication type
    Type: String
    Value:
      ModernAuth – Uses a token-based identity management method. Specify ModernAuth as the Account Type for Exchange Online.
      BasicAuth – Prompts the device user for their password. Specify BasicAuth as the Account Type for Exchange On-Premises.
    Default value: BasicAuth

  9. Click the Add setting button to add a block of the app configuration settings. You can add several blocks of settings.

    Specify the following parameters for each block of settings of the configuration:

    • Key

      Cannot be left blank. The value of this parameter is filled in manually.

    • Type

      Cannot be left blank. The value of this parameter is selected from a drop-down list.

      The following types are available:

      • String. A sequence of characters, digits, or symbols, always treated as text.
      • Bool. True or false.
      • Integer. A numeric data type for numbers without fractions.
      • Bundle. A set of fields of any type, except for Bundle or BundleArray.
      • BundleArray. A set of Bundles.
    • Value

      An optional parameter, whose value depends on the setting type.

    For some types of settings, additional parameters can be configured. For example:

    • You can add macros for a String.
    • You can add a field to a Bundle.
    • You can add a Bundle to a BundleArray.

    It is also possible to edit a setting to be added to a BundleArray by clicking the Configure Bundle button and configuring the setting's parameters.

    For information about configuring rules, please refer to the official documentation for the app to be configured.

  10. Click Add.

    The configuration appears in the list of app configurations.

    You can modify or delete app configurations in the list using the Edit and Delete buttons at the top of the list.

  11. Click OK.
  12. Click Save to save the changes you have made.

The app configuration is applied.

Some apps may not notify Kaspersky Endpoint Security for Android that the app configuration has been applied.

When configuring some apps, certificates installed on devices via Kaspersky Security Center can be used. In this case, you must specify a certificate alias in the app configuration:

  • VpnCert for VPN certificates.
  • MailCert for mail certificates.
  • SCEP_profile_name for certificates received using SCEP.
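The setting types, the nesting rules for Bundle and BundleArray, and the one-configuration-per-package-name constraint described in this procedure, implemented as a small validator that uses the Microsoft Outlook configuration above as its sample input. This is an added example in Python, not Kaspersky's code; the %User%-style macro syntax, the Outlook package name and all function names are assumptions of the example.

```python
"""Checks an Android app configuration before it goes into a policy.

Added example, not Kaspersky's code. It enforces the rules stated in this
section: Key cannot be blank, Type comes from the fixed list, a Bundle may not
contain a Bundle or BundleArray, a BundleArray holds only Bundles, and only
one configuration is allowed per package name. It also expands macros in
String values; the %User%-style macro syntax, the Outlook package name and all
function names are assumptions of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Any

SCALAR_TYPES = {"String", "Bool", "Integer"}
CONTAINER_TYPES = {"Bundle", "BundleArray"}
ALL_TYPES = SCALAR_TYPES | CONTAINER_TYPES

MACRO_RE = re.compile(r"%([A-Za-z][A-Za-z0-9]*)%")  # assumed macro syntax


@dataclass
class Setting:
    key: str
    type: str
    value: Any = None  # scalar, or a list of Setting for Bundle / BundleArray


def check_setting(s: Setting, path: str = "") -> list[str]:
    """Return the rule violations for one setting and its children (empty if valid)."""
    where = path + (s.key.strip() or "<blank>")
    errors: list[str] = []
    if not s.key.strip():
        errors.append(f"{where}: Key cannot be left blank")
    if s.type not in ALL_TYPES:
        return errors + [f"{where}: unknown Type {s.type!r}"]
    v = s.value
    if s.type == "String" and not (v is None or isinstance(v, str)):
        errors.append(f"{where}: String value must be text")
    elif s.type == "Bool" and not (v is None or isinstance(v, bool)):
        errors.append(f"{where}: Bool value must be true or false")
    elif s.type == "Integer" and not (v is None or (isinstance(v, int) and not isinstance(v, bool))):
        errors.append(f"{where}: Integer value must be a whole number")
    elif s.type == "Bundle":
        for child in v or []:
            if child.type in CONTAINER_TYPES:
                errors.append(f"{where}.{child.key}: a Bundle cannot contain {child.type}")
            errors.extend(check_setting(child, where + "."))
    elif s.type == "BundleArray":
        for i, child in enumerate(v or []):
            if child.type != "Bundle":
                errors.append(f"{where}[{i}]: a BundleArray may contain only Bundles")
            errors.extend(check_setting(child, f"{where}[{i}]."))
    return errors


@dataclass
class AppConfiguration:
    app_name: str
    package_name: str
    settings: list[Setting] = field(default_factory=list)

    def validate(self) -> list[str]:
        errors = [] if self.package_name.strip() else ["Package name cannot be empty"]
        for s in self.settings:
            errors.extend(check_setting(s))
        return errors


def add_configuration(policy: dict[str, AppConfiguration], cfg: AppConfiguration) -> list[str]:
    """Add cfg to the policy; return the errors that prevented it (empty on success)."""
    errors = cfg.validate()
    if cfg.package_name in policy:  # only one configuration per package name
        errors.append(f"a configuration for {cfg.package_name} already exists")
    if not errors:
        policy[cfg.package_name] = cfg
    return errors


def render(cfg: AppConfiguration, macros: dict[str, str]) -> dict[str, Any]:
    """Flatten the configuration to the key/value form the app receives,
    replacing %Macro% in String values with the per-user values in `macros`."""
    def expand(s: Setting) -> Any:
        if s.type == "String" and isinstance(s.value, str):
            return MACRO_RE.sub(lambda m: macros.get(m.group(1), m.group(0)), s.value)
        if s.type == "Bundle":
            return {c.key: expand(c) for c in s.value or []}
        if s.type == "BundleArray":
            return [expand(c) for c in s.value or []]
        return s.value
    return {s.key: expand(s) for s in cfg.settings}


def outlook_configuration(domain: str) -> AppConfiguration:
    """The Microsoft Outlook example from this section, with per-user fields as macros."""
    p = "com.microsoft.outlook.EmailProfile."
    # Outlook's package name is not given on the page; this value is assumed.
    return AppConfiguration("Microsoft Outlook", "com.microsoft.office.outlook", [
        Setting(p + "EmailAccountName", "String", "%User%"),
        Setting(p + "EmailAddress", "String", "%Email%"),
        Setting(p + "ServerAuthentication", "String", "Username and Password"),
        Setting(p + "ServerHostName", "String", "mail." + domain),
        Setting(p + "AccountDomain", "String", domain.split(".")[0]),
        Setting(p + "AccountType", "String", "BasicAuth"),
    ])
```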
Page top
[Topic 274813]

Managing app permissions

These settings apply to corporate devices and devices with a corporate container.

App permission management settings let you configure rules for granting runtime permissions to installed apps.

To add app permissions:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the App configuration section.
  4. On the App permission management card, click Settings.

    The App permission management window opens.

  5. Enable the settings using the App permission management toggle switch.
  6. Click Add.

    The Add app with permission granting rules window opens.

  7. In the Method for adding configuration section, select how to add a configuration with permission granting rules:
    • App package uploaded by administrator

      When adding a configuration by uploading an app package, you need to select an APK file saved on your computer.

      After that, you can view a list of runtime permissions and select an action to be performed for each permission.

    • Kaspersky Security Center installation package

      When adding a configuration using an installation package added to Kaspersky Security Center, you need to select the app from the list of mobile app packages.

      After that, you can view a list of runtime permissions and select the action to be performed for each permission.

    • Manual configuration

      When adding a configuration manually, you must click the Add rule button to select a permission and a corresponding action from the drop-down lists.

  8. In the App data section, specify the following settings:
    • App name

      Name of the app for which permissions are to be configured.

      When importing a configuration from an APK file or an installation package, the value is inserted automatically.

    • Package name

      Name of the package for which permissions are to be configured.

      How to get the package name of an app

      To get the name of an app package:

      1. Open Google Play.
      2. Find the app and open its page.

      The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

      To get the name of an app package that has been added to Kaspersky Security Center:

      1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
      2. Click Android apps.

        In the list of apps that opens, app identifiers are displayed in the Package name column.

      When importing a configuration from an APK file or an installation package, the value is inserted automatically.

    • Comment

      An optional comment.

  9. Click the Add rule button to add and configure a new rule. You can add several permissions.

    Select one of the following permissions.

    • Permission for call handover
    • Location permissions
    • Permission to use saved geographic locations
    • Permission for activity recognition
    • Permission for answerphone voice mails
    • Permission to answer phone calls
    • Permissions for Bluetooth
    • Permissions to access body sensors data
    • Permission for phone calls
    • Permissions for camera
    • Permission to access account list
    • Permissions to access nearby devices via Wi-Fi
    • Permission to send notifications
    • Permission to manage outgoing calls
    • Permission to read calendar data
    • Permission to read call log
    • Permission to read contact list
    • Permissions to read external storage
    • Permission to read device's phone numbers
    • Permission to read phone state
    • Permissions to monitor SMS and MMS incoming messages
    • Permission to receive WAP push messages
    • Permission to record audio
    • Permission to send SMS
    • Permission to use SIP telephony
    • Permission to access devices that use UWB
    • Permission to write data to calendar
    • Permission to write and read data of call log
    • Permission to write contacts
    • Permission to write data to external storage

    To configure granting rules for app runtime permissions, you need to select one of the following actions for each permission:

    • Allow users to configure permissions

      When a permission is requested, the user decides whether to grant the specified permission to the app.

      This option is selected by default.

    • Grant permissions automatically

      The app is granted the permission without user interaction.

      On devices with a corporate container running Android 12 or later, the following permissions can't be granted automatically but can be denied automatically. If you select this option, the app will prompt the user for these permissions:

      • Location permissions
      • Permissions for camera
      • Permission to record audio
      • Permission for activity recognition
      • Permissions to monitor SMS and MMS incoming messages
      • Permissions to access body sensor data
    • Deny permissions automatically

      The app is denied the permission without user interaction.

    You can save only one granting rule for each app permission.

  10. Click Add.

    The configuration appears in the Apps with configured permission granting rules list.

    You can modify or delete configurations in the list using the Edit and Delete buttons at the top of the list.

  11. Click OK.
  12. Click Save to save the changes you have made.

The configuration with permission granting rules is applied. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Permission granting rules configured for specific apps have precedence over the general policy for granting permissions. For example, if you first select the Deny permissions automatically option in the Corporate container on devices section, and then select the Grant permissions automatically option for a specific app in the App permission management section, the permission for this app will be granted automatically.
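The precedence rule above and the Android 12 corporate-container limitation from step 9, as an added example (not Kaspersky's code) that computes the effective action for a permission request and reports which permissions an app would receive without any user prompt; the function names and the sample app package are constructed for this example.

```python
"""Resolves the effective action for an app's runtime permission request.

Added example, not Kaspersky's code. It models the rules stated in this
section: a per-app rule takes precedence over the general container policy,
each permission has at most one rule per app, and on a corporate container
running Android 12 or later the listed sensitive permissions cannot be granted
automatically (the user is prompted instead) but can still be denied
automatically. Function names and the sample package are this example's own.
"""
from __future__ import annotations

from enum import Enum


class Action(Enum):
    USER = "Allow users to configure permissions"  # the default option
    GRANT = "Grant permissions automatically"
    DENY = "Deny permissions automatically"


# Permissions that a corporate container on Android 12+ cannot auto-grant.
NOT_AUTO_GRANTABLE_IN_CONTAINER = frozenset({
    "Location permissions",
    "Permissions for camera",
    "Permission to record audio",
    "Permission for activity recognition",
    "Permissions to monitor SMS and MMS incoming messages",
    "Permissions to access body sensors data",
})


class AppPermissionRules:
    """Granting rules for one app; enforces 'one granting rule per permission'."""

    def __init__(self, package_name: str) -> None:
        self.package_name = package_name
        self.rules: dict[str, Action] = {}

    def add_rule(self, permission: str, action: Action) -> bool:
        """Return False (and keep the existing rule) if the permission already has one."""
        if permission in self.rules:
            return False
        self.rules[permission] = action
        return True


def effective_action(permission: str, general: Action, app_rules: AppPermissionRules | None,
                     android_version: int, corporate_container: bool) -> Action:
    """Action the device applies when the app requests `permission`."""
    # A rule configured for the specific app wins over the general policy.
    action = general
    if app_rules is not None and permission in app_rules.rules:
        action = app_rules.rules[permission]
    # Platform limit: an automatic grant degrades to a user prompt; a deny still applies.
    if (action is Action.GRANT and corporate_container and android_version >= 12
            and permission in NOT_AUTO_GRANTABLE_IN_CONTAINER):
        return Action.USER
    return action


def silent_grants(general: Action, apps: list[AppPermissionRules], permissions: list[str],
                  android_version: int, corporate_container: bool) -> dict[str, list[str]]:
    """Defender's check: which permissions each app obtains without any user prompt."""
    report: dict[str, list[str]] = {}
    for app in apps:
        granted = [p for p in permissions
                   if effective_action(p, general, app, android_version, corporate_container)
                   is Action.GRANT]
        if granted:
            report[app.package_name] = granted
    return report
```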

Page top
[Topic 274790]

Creating a report on installed mobile apps

The Report on installed mobile apps lets you get detailed information about the apps installed on users' Android devices.

To allow the report to display information, the Send data on installed apps check box must be selected in App Control settings and the An app was installed or removed (list of installed apps) informational event type must be stored in the Administration Server database.

To enable sending data:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Security controls section.
  4. On the App Control card, click Settings.

    The App Control window opens.

  5. In the Report on installed apps section, select the Send data on installed apps check box.
  6. If you want to receive data about system apps, select the Send data on built-in apps check box.
  7. If you want to receive data about service apps, which do not have an interface and cannot be opened by the user, select the Send data on service apps check box.
  8. Click OK.
  9. Click Save to save the changes you have made.
  10. Click the name of the policy and select Event configuration.
  11. Go to the Info section.
  12. Click the An app was installed or removed (list of installed apps) event to open its properties.
  13. In the event properties window, turn on the Store in the Administration Server database for (days) toggle switch and set the storage period. By default, the storage period is 30 days.

    After the storage period expires, the Administration Server deletes outdated information from the database. For more information about events, please refer to the Kaspersky Security Center Help.

  14. Click OK.
  15. Click Save to save the changes you have made.

Sending data is enabled.

To configure a report on installed mobile apps:

  1. In the main window of Kaspersky Security Center Web Console, select Monitoring & reporting → Reports.
  2. Click the Report on installed mobile apps report template to open its properties.
  3. In the window that opens, click Edit.
  4. Edit the report template properties:
    • On the General tab, specify the following parameters:
      • Report template name
      • Maximum number of entries to display

        If this option is enabled, the number of entries displayed in the table with detailed report data does not exceed the specified value.

        Report entries are first sorted according to the rules specified in the Fields > Details fields section of the report template properties, and then only the first of the resulting entries are kept. The heading of the table with detailed report data shows the displayed number of entries and the total available number of entries that match other report template settings.

        If this option is disabled, the table with detailed report data displays all available entries. We do not recommend that you disable this option. Limiting the number of displayed report entries reduces the load on the database management system (DBMS) and reduces the time required for generating and exporting the report. Some reports contain an excessive number of entries. If this is the case, you may find it difficult to read and analyze them all. Also, your device may run out of memory while generating such a report. Consequently, you will not be able to view the report.

        By default, this option is enabled. The default value is 1000.

      • Group

        The set of client devices the report is created for.

      • Include data from secondary and virtual Administration Servers

        If this option is enabled, the report includes the information from the secondary and virtual Administration Servers that are subordinate to the Administration Server for which the report template is created.

        Disable this option if you want to view data only from the current Administration Server.

        By default, this option is enabled.

      • Up to nesting level

        The report includes data from secondary and virtual Administration Servers that are located under the current Administration Server on a nesting level that is less than or equal to the specified value.

        The default value is 1. You may want to change this value if you have to get information from secondary Administration Servers located at lower levels in the tree.

      • Data wait interval (min)

        Before generating the report, the Administration Server for which the report template is created waits for data from secondary Administration Servers during the specified number of minutes. If no data is received from a secondary Administration Server at the end of this period, the report runs anyway. Instead of up-to-date data, the report shows data taken from the cache (if the Cache data from secondary Administration Servers option is enabled), or N/A (not available) otherwise.

        The default value is 5 (minutes).

      • Cache data from secondary Administration Servers

        Secondary Administration Servers regularly transfer data to the Administration Server for which the report template is created. The transferred data is stored in the cache on that Administration Server.

        If the current Administration Server cannot receive data from a secondary Administration Server while generating the report, the report shows data taken from the cache. The date when the data was transferred to the cache is also displayed.

        Enabling this option lets you view information from secondary Administration Servers even if up-to-date data cannot be retrieved. However, the displayed data may be obsolete.

        By default, this option is disabled.

      • Transfer detailed information from secondary Administration Servers

        In the generated report, the table with detailed report data includes data from secondary Administration Servers of the Administration Server for which the report template is created.

        Enabling this option slows report generation and increases traffic between Administration Servers. However, it lets you view all data in one report.

        Instead of enabling this option, you may want to analyze detailed report data to detect a faulty secondary Administration Server, and then generate the same report only for that faulty Administration Server.

        By default, this option is disabled.

    • On the Fields tab, select the fields that will be displayed in the report and the order of these fields, and configure whether the report must be sorted and filtered by each of the fields.
  5. Click Save to save the changes you have made.

The updated report template appears in the list of report templates.

To create and view a report on installed mobile apps:

  1. In the main window of Kaspersky Security Center Web Console, select Monitoring & reporting → Reports.
  2. Click a report with the Report on installed mobile apps type.

A report using the selected template is generated and displayed.

For more information about using reports, managing custom report templates, using report templates to generate new reports, and creating report delivery tasks, please refer to the Kaspersky Security Center Help.

Page top
[Topic 274791]

Installing root certificates on Android devices

A root certificate is a public key certificate issued by a trusted certificate authority (CA). Root certificates are used to verify custom certificates and guarantee their identity.

Kaspersky Security Center Web Console lets you add root certificates to be installed to a trusted certificate store on Android devices.

These certificates are installed on user devices as follows:

  • On corporate devices, the certificates are installed automatically.

    If you delete a root certificate in the policy settings, it will also be automatically deleted on the device during the next synchronization with the Administration Server.

  • On personal devices:
    • If a corporate container was not created, the device user is prompted to install each certificate manually in a personal space by following the instructions in the notification.
    • If a corporate container was created, the certificates are installed automatically to the container. If the Duplicate installation of root certificates in user's personal space check box is selected in the corporate container settings, the certificates can also be installed in a personal space. The device user is prompted to do this manually by following the instructions in the notification.

      If you delete a root certificate in the policy settings, it will also be automatically deleted on the device during the next synchronization with the Administration Server.

      For instructions on how to install certificates in a personal space, please refer to Installing root certificates on the device.

To add a root certificate:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Device configuration section.
  4. On the Root certificates card, click Settings.

    The Root certificates window opens.

  5. Enable the settings using the Root certificates toggle switch.
  6. Click Add.

    The file explorer opens.

  7. Select a certificate file (a CER, PEM, KEY, or CRT file) and click Open.

    The certificate file must be no larger than 10 MB.

    The certificate will appear in the list of root certificates.

  8. Click OK.
  9. Click Save to save the changes you have made.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

Page top
[Topic 274792]

Configuring notifications for Kaspersky Endpoint Security for Android

If you don't want the mobile device user to be distracted by Kaspersky Endpoint Security for Android notifications, you can disable certain notifications.

Kaspersky Endpoint Security for Android uses the following tools to display the status of device protection:

  • Protection status notification. This notification is pinned to the notification bar. A protection status notification cannot be removed. The notification displays the device protection status and the number of issues, if any. You can tap the device protection status and see security issues in the app.
  • App notifications. These notifications inform the device user about the application (for example, the detection of a threat).
  • Pop-up messages. Pop-up messages require action from the device user (for example, action to take when a threat is detected).

All Kaspersky Endpoint Security for Android notifications are enabled by default.

On Android 13, the device user must grant the permission to send notifications during or after the Initial Configuration Wizard.

The user can disable all notifications from Kaspersky Endpoint Security for Android in the settings on the notification bar. If notifications are disabled, the user is not monitoring operation of the app and may ignore important information (for example, information about failures during device synchronization with Kaspersky Security Center). In this case, to find out the app operating status, the user must open Kaspersky Endpoint Security for Android.

To configure displaying notifications about the operation of Kaspersky Endpoint Security for Android:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the KES for Android settings section.
  4. On the Notifications card, click Settings.

    The Notifications window opens.

  5. Enable the settings using the Notifications toggle switch.
  6. If you want to hide all notifications and pop-up messages, in the Background notifications section, select the Disable notifications when Kaspersky Endpoint Security is in the background check box.

    Kaspersky Endpoint Security for Android will display only the protection status notification. The notification displays the device protection status and the number of issues.

    In-app notifications (for example, when the user updates anti-malware databases manually) will still be displayed.

    We recommend that you enable notifications and pop-up messages. If you disable notifications and pop-up messages when the app is in the background, the app will not warn users about threats in real time. In this case, mobile device users will not see the device protection status unless they open the app.

  7. In the Notifications about device security issues section, select the Kaspersky Endpoint Security for Android issues that you want to display on the user's mobile device.

    Displaying certain Kaspersky Endpoint Security for Android issues is mandatory. These issues are always displayed on the device (for example, issues about license expiration).

  8. Click OK.
  9. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. The notifications that you disable will not be displayed on the user's mobile device.

Page top
[Topic 274793]

Connecting iOS MDM devices to AirPlay

Configure the connection to AirPlay devices to stream music, photos, and videos from an iOS MDM device to AirPlay devices. To be able to use AirPlay, the mobile device and AirPlay devices must be connected to the same wireless network. AirPlay devices include Apple TV devices (second generation or later), AirPort Express devices, speakers, TVs, and radios with AirPlay support.

Automatic connection to AirPlay devices is available for devices operating in basic control mode and for supervised devices.

To configure the connection of an iOS MDM device to AirPlay devices:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the AirPlay card, click Settings.

    The AirPlay window opens.

  5. Enable the settings using the AirPlay toggle switch.
  6. In the Passwords section, click Add password.
  7. In the Device field, enter the name of the AirPlay device on the wireless network.
  8. In the Password field, enter the password to the AirPlay device.
  9. If you want iOS MDM devices to connect only to specific AirPlay devices, create a list of allowed devices in the Allowed devices section. To do this, click Add device and specify the MAC addresses of AirPlay devices.

    Both the Wi-Fi and Ethernet address for each device must be added.

    Access to AirPlay devices that are not in the list of allowed devices is blocked. If the list of allowed devices is empty, Kaspersky Mobile Devices Protection and Management allows access to all AirPlay devices.

  10. Click OK.
  11. Click Save to save the changes you have made.

As a result, once the policy is applied, the user's mobile device will automatically connect to AirPlay devices to stream media.

Page top
[Topic 274794]

Connecting iOS MDM devices to AirPrint

To enable printing documents from an iOS MDM device wirelessly using AirPrint, configure automatic connection to AirPrint printers. The mobile device and printer must be connected to the same wireless network. Shared access for all users must be configured on the AirPrint printer.

To configure the connection of an iOS MDM device to an AirPrint printer:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the AirPrint card, click Settings.

    The AirPrint window opens.

  5. Enable the settings using the AirPrint toggle switch.
  6. Click Add.

    The Add printer window opens.

  7. In the IP address or FQDN field, enter the IP address or a fully qualified domain name (FQDN) of the AirPrint printer.
  8. In the Port field, enter the listening port of the AirPrint destination.
  9. In the Resource path field, enter the path to the AirPrint printer.

    The path to the printer corresponds to the rp (resource path) key of the Bonjour protocol. For example:

    • printers/Canon_MG5300_series
    • ipp/print
    • Epson_IPP_Printer
  10. If you want to protect the connection to the AirPrint printer using the TLS protocol, select the Use TLS check box.
  11. Click Add.

    The newly added AirPrint printer appears in the list.

  12. Click OK.
  13. Click Save to save the changes you have made.

As a result, once the policy is applied, the mobile device user can wirelessly print documents on the AirPrint printer.

Page top
[Topic 274795]

Configuring the Access Point Name (APN)

This section provides instructions on how to connect a mobile device to cellular data services on a mobile network.

In this section

Configuring APN on Android devices (only Samsung)

Configuring APN on iOS MDM devices

Page top
[Topic 274797]

Configuring APN on Android devices (only Samsung)

APN can be configured only for Samsung devices.

A SIM card must be inserted to be able to use an access point on the user's mobile device. Access point settings are provided by the mobile operator. Incorrect access point settings may result in additional mobile charges.

To configure the Access Point Name (APN) settings on a user's mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the APN settings card, click Settings.

    The APN settings window opens.

  5. Enable the settings using the APN settings toggle switch.

    The toggle switch in this card does not enable or disable the corresponding functionality on devices. Enabling the toggle switch lets you configure custom settings. Disabling the toggle switch lets you use default settings.

  6. Specify the following access point settings for connecting the user to the data service:
    • In the APN type drop-down list, select the type of access point (APN) for data transmission on a GPRS/3G/4G mobile network:
      • Internet. Connection of the user's mobile device to the internet.
      • MMS. Exchange of MMS multimedia messages.
      • Internet and MMS. Connection to the internet and exchange of multimedia messages. This is the default value.
    • In the APN name field, specify the name of the access point.
    • In the MCC field, enter the mobile country code (MCC).
    • In the MNC field, enter the mobile network code (MNC).
  7. If you have selected MMS or Internet and MMS as the type of access point, specify the following additional MMS server settings in the MMS server section:
    • In the MMS server name field, specify the full domain name of the mobile carrier's server used for MMS exchange (for example, mms.mobile.com).
    • In the MMS proxy server address field, specify the network name or IP address of the proxy server.
    • In the MMS proxy server port field, specify the port number of the mobile carrier's server used for MMS exchange.
  8. In the Authentication section, specify the authentication settings:
    • In the Authentication type drop-down list, select the type of authentication of the mobile device user that will be used on the mobile carrier's server for network access. By default, user authentication is not required. The following types are available:
      • None. User authentication is not required to access the mobile network.
      • PAP (Password Authentication Protocol). The device sends the user name and password to the carrier's server as plain, unencrypted text, so anyone who can observe the link can read them.
      • CHAP (Challenge Handshake Authentication Protocol). A challenge-response protocol: the server sends a random challenge and the device answers with an MD5 hash computed over the challenge and the password, so the password itself never crosses the link. MD5 here is a hash, not encryption; an eavesdropper who captures the exchange can still try to guess the password offline. Prefer CHAP over PAP wherever the carrier supports it.
      • Concurrently. Both PAP and CHAP are enabled; the device uses whichever of the two the carrier's server requests.
    • In the User name field, enter the user name for authorization on the mobile network.
    • In the Password field, enter the password for user authorization on the mobile network.
  9. In the Network section, specify the following network settings:
    • In the Network name field, enter the name of the network.
    • In the Server address field, specify the network name of the mobile carrier's server through which data transmission services are accessed.
  10. In the Proxy server section, specify the following proxy server settings:
    • Select the Use a proxy server check box to enable the use of a proxy server. This check box is cleared by default.
    • In the Proxy server address field, specify the network name or IP address of the mobile carrier's proxy server for network access. This field is available only if the Use a proxy server check box is selected.
    • In the Proxy server port field, specify the port number of the mobile carrier's proxy server for network access. This field is available only if the Use a proxy server check box is selected.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
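The difference between the PAP and CHAP authentication types above is easiest to see on the wire. The following is an added example, not Kaspersky code or part of any device or carrier implementation: it builds the PAP payload from RFC 1334 and both halves of a CHAP-MD5 exchange from RFC 1994 with constructed credentials, shows that only PAP exposes the password verbatim, and shows what a passive attacker can still do with a captured CHAP pair (offline guessing). The packet framing is reduced to the authentication fields; link-layer headers are omitted.

```python
"""Added example (not Kaspersky's code): what PAP and CHAP put on the APN link.

Credentials and challenge values below are constructed for illustration; the
framing is reduced to the authentication payloads of RFC 1334 (PAP) and
RFC 1994 (CHAP-MD5)."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP Authenticate-Request payload: Peer-ID and Password, each length-prefixed.
    The password is carried verbatim, so anyone on the path can read it."""
    peer_id = username.encode()
    passwd = password.encode()
    return bytes([len(peer_id)]) + peer_id + bytes([len(passwd)]) + passwd


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP-MD5 Response value: MD5(Identifier || secret || Challenge) (RFC 1994, 2.1)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def chap_verify(identifier: int, secret: str, challenge: bytes, response: bytes) -> bool:
    """Server-side check; constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def chap_exchange(username: str, secret: str, identifier: int = 1,
                  challenge: Optional[bytes] = None) -> Dict[str, bytes]:
    """Simulate both sides of a CHAP handshake and return what crosses the link."""
    if challenge is None:
        challenge = os.urandom(16)  # the server picks a fresh random challenge each time
    response = chap_response(identifier, secret, challenge)
    # Challenge packet: Identifier, Value-Size, Value, Name. Response packet: same shape.
    wire_challenge = bytes([identifier, len(challenge)]) + challenge + b"server"
    wire_response = bytes([identifier, len(response)]) + response + username.encode()
    return {"challenge": wire_challenge, "response": wire_response}


def secret_visible_on_wire(frames: bytes, secret: str) -> bool:
    """Crude eavesdropper check: does the secret appear verbatim in captured bytes?"""
    return secret.encode() in frames


def chap_offline_guess(identifier: int, challenge: bytes, response: bytes,
                       candidates: Iterable[str]) -> Optional[str]:
    """What a passive attacker can still do with a captured CHAP pair: try
    candidate secrets offline until one reproduces the response."""
    for cand in candidates:
        if chap_response(identifier, cand, challenge) == response:
            return cand
    return None


if __name__ == "__main__":
    pap = pap_authenticate_request("apnuser", "s3cret-apn")
    print("PAP exposes password:", secret_visible_on_wire(pap, "s3cret-apn"))
    ex = chap_exchange("apnuser", "s3cret-apn", identifier=7)
    print("CHAP exposes password:",
          secret_visible_on_wire(ex["challenge"] + ex["response"], "s3cret-apn"))
```

The offline-guessing function is the reason a strong, carrier-issued APN password still matters even with CHAP: the hash protects the password in transit, not against a dictionary attack on a captured exchange.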

Page top
[Topic 274814]

Configuring APN on iOS MDM devices

The Access Point Name (APN) has to be configured in order to enable the mobile network data transmission service on the user's iOS MDM device.

To configure an access point on a user's iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the APN settings card, click Settings.

    The APN settings window opens.

  5. Enable the settings using the APN settings toggle switch.

    The toggle switch in this card does not enable or disable the corresponding functionality on devices. Enabling the toggle switch lets you configure custom settings. Disabling the toggle switch lets you use default settings.

  6. In the APN type drop-down list, select the type of access point for data transfer on a GPRS/3G/4G mobile network:
    • Built-in APN. Configure cellular communication settings for data transfer via a mobile network operator that supports operation with a built-in Apple SIM. For more details about devices with a built-in Apple SIM, visit the Apple Support website.
    • APN. Configure cellular communication settings for data transfer via the mobile network operator of the inserted SIM card.
    • Built-in APN and APN. Configure cellular communication settings for data transfer via the mobile network operators of the inserted SIM card and the built-in Apple SIM. For more details about devices with a built-in Apple SIM and a SIM card slot, visit the Apple Support website.
  7. If you selected APN, in the APN section click Add.

    The Add APN window opens.

  8. Configure the following settings:
    1. In the APN name field, specify the name of the access point.
    2. In the Authentication type drop-down list, select the type of user authentication on the mobile operator's server for network access (internet and MMS).
    3. In the User name field, enter the user name for authorization on the mobile network.
    4. In the Password field, enter the password for user authorization on the mobile network.
    5. In the Proxy server address field, enter the name of the host or the IP address of the proxy server.
    6. In the Proxy server port field, enter the number of the proxy server port.
    7. In the Allowed protocol drop-down list, select the IP protocol version (IPv4, IPv6, or both) that the device may use for data sessions.
    8. In the Allowed protocol for roaming drop-down list, select the IP protocol version that will be used during international roaming.
    9. In the Allowed protocol for domestic roaming drop-down list, select the IP protocol version that will be used during domestic roaming.
    10. If you want devices on IPv6-only networks to be able to access IPv4-only internet services, select the Use the 464XLAT technology check box.
    11. Click OK.
  9. If you selected Built-in APN, configure the following settings:
    1. In the Built-in APN name field, specify the name of the access point.
    2. In the Authentication type drop-down list, select the type of user authentication on the mobile operator's server for network access (internet and MMS).
    3. In the User name field, enter the user name for authorization on the mobile network.
    4. In the Password field, enter the password for user authorization on the mobile network.
    5. In the Allowed protocol drop-down list, select the IP protocol version (IPv4, IPv6, or both) that the device may use for data sessions.
  10. Click OK.
  11. Click Save to save the changes you have made.

As a result, the access point name (APN) is configured on the user's mobile device after the policy is applied.

Page top
[Topic 274815]

Corporate container

This section contains information about working with a corporate container.

In this section

About corporate containers

Configuring a corporate container

Unlocking the corporate container

Page top
[Topic 274798]

About corporate containers

Android Enterprise is a platform for managing the corporate mobile infrastructure that provides company employees with an isolated work environment on their mobile devices. For details on using Android Enterprise, see the Google support website.

You can create a corporate container that uses an Android Work Profile on a user's personal mobile device. A corporate container is an isolated environment in which the administrator can manage apps and user accounts without restricting the user's use of their own data. When a corporate container is created on the user's mobile device, the following corporate apps are automatically installed in it: Google Play, Google Chrome, Downloads, Kaspersky Endpoint Security for Android, and others. Apps installed in the corporate container, as well as notifications from these apps, are marked with a briefcase icon. You have to create a separate Google corporate account for the Google Play app. Apps installed in a corporate container appear in the common list of apps.

Page top
[Topic 274816]

Configuring a corporate container

Expand all | Collapse all

To configure the settings of a corporate container:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Corporate container section.
  4. On the Corporate container on devices card, click Settings.

    The Corporate container on devices window opens.

  5. Enable the settings using the Corporate container on devices toggle switch.
  6. Specify the corporate container settings:
    • On the General tab, you can specify the settings for data sharing, contacts, and more.
      • Settings in the Data access and sharing section:
        • Prohibit personal apps from sharing data with corporate container apps

          Restricts sharing files, pictures, or other data from personal apps with corporate container apps.

          If the check box is selected, personal apps can't share data with corporate container apps.

          If the check box is cleared, personal apps can share data with corporate container apps.

          This check box is selected by default.

        • Prohibit corporate container apps from sharing data with personal apps

          Restricts sharing files, pictures, or other data from corporate container apps with personal apps.

          If the check box is selected, the apps in the corporate container can't share data with personal apps.

          If the check box is cleared, the apps in the corporate container can share data with personal apps.

          This check box is selected by default.

        • Prohibit corporate container apps from accessing personal files

          Restricts access of corporate container apps to personal files.

          If the check box is selected, the user can't access personal files when using corporate container apps.

          If the check box is cleared, the user can access personal files when using corporate container apps. Note that the access must be also supported by the apps that are being used.

          This check box is selected by default.

        • Prohibit personal apps from accessing files in corporate container

          Restricts access of personal apps to files in the corporate container.

          If the check box is selected, the user can't access files in the corporate container when using personal apps.

          If the check box is cleared, the user can access files in the corporate container when using personal apps. Note that the access must be supported by the apps that are being used.

          This check box is selected by default.

        • Prohibit use of clipboard between personal apps and corporate container

          If the check box is selected, the device user can't copy data via the clipboard between personal apps and corporate container apps in either direction. If the check box is cleared, clipboard data can be pasted across the boundary.

          This check box is selected by default.

        • Prohibit activation of USB debugging

          Restricts the use of USB debugging (ADB access) on the user's mobile device in the corporate container. In USB debugging mode, the user can, for example, sideload an app from a workstation or pull data from the device.

          If the check box is selected, USB debugging mode is not available to the user. The user is unable to configure the mobile device via USB after connecting the device to a workstation.

          If the check box is cleared, the user can enable USB debugging mode, connect the mobile device to a workstation via USB, and configure the device.

          This check box is selected by default.

        • Prohibit users from adding and removing accounts in corporate container

          If the check box is selected, the user is prohibited from adding and removing accounts in the corporate container via the Settings or Google apps. This includes the initial sign-in to Google apps. However, the user can still sign in to, add, and remove accounts via some third-party apps in the corporate container.

          Accounts that were added before the restriction is set will not be removed and sign in to these accounts is not restricted.

          This check box is selected by default.

        • Prohibit screen sharing, recording, and screenshots in corporate container apps

          Selecting or clearing this check box specifies whether the device user is allowed to take screenshots of, record and share the device screen in corporate container apps. It also specifies whether the contents of the device screen are allowed to be captured for artificial intelligence purposes.

          This check box is selected by default.

      • Settings in the Contacts section:
    • On the Apps tab, specify the following settings:
      • Settings in the General section:
        • Enable App Control in corporate container only

          Controls the startup of apps in the corporate container on the user's mobile device. You can create lists of allowed, forbidden, and recommended apps as well as allowed and forbidden app categories in the App Control section.

          If this check box is selected, then depending on the App Control settings, Kaspersky Endpoint Security blocks or allows startup of apps only in the corporate container. App Control does not apply in the user's personal space.

          If this check box is cleared, then depending on the App Control settings, Kaspersky Endpoint Security blocks or allows startup of apps in both the user's personal space and the corporate container.

          This check box is selected by default.

        • Enable Web Protection and Web Control in corporate container only

          Restricts user access to websites in the corporate container on the device. You can specify website access settings in the Web Control settings.

          If this check box is selected, Web Protection and Web Control block or allow access to websites only in the corporate container. Moreover, Web Protection and Web Control do not work in the user's personal space.

          If this check box is cleared, then depending on the Web Protection and Web Control settings, Kaspersky Endpoint Security blocks or allows access to websites in the user's personal space and the corporate container.

          This check box is selected by default.

        • Prohibit installation of apps from unknown sources in corporate container

          Restricts installation of apps in the corporate container from all sources other than managed Google Play.

          If the check box is selected, the user can install apps only from managed Google Play, signing in with their Google corporate account.

          If the check box is cleared, the user can install apps in any available way. Only apps forbidden in the App Control settings can't be installed.

          This check box is cleared by default.

        • Prohibit removing apps from corporate container

          Selecting or clearing this check box specifies whether the user is prohibited from removing apps from the corporate container.

          This check box is cleared by default.

        • Prohibit displaying notifications from corporate container apps when screen is locked

          Restricts displaying the contents of notifications from corporate container apps on the lock screen of the device.

          If the check box is selected, the contents of notifications from corporate container apps can't be viewed on the device lock screen. To view these notifications, the user has to unlock the device or corporate container.

          If the check box is cleared, notifications from corporate container apps are displayed on the device lock screen.

          This check box is selected by default.

        • Prohibit use of camera for corporate container apps

          Selecting or clearing this check box specifies whether corporate container apps can access the device camera.

          This check box is selected by default.

      • In the Granting runtime permissions for corporate container apps section you can select an action to be performed when corporate container apps are running and request additional permissions. This does not apply to permissions granted in the device settings (for example, Access All Files).
        • Allow users to configure permissions

          When a permission is requested, the user decides whether to grant the specified permission to the app.

          This option is selected by default.

        • Grant permissions automatically

          All corporate container apps are granted permissions without user interaction.

          On Android 12 or later, the following permissions can't be granted automatically but can be denied automatically. If you select this option, the app will prompt the user for these permissions:

          • Location permissions
          • Permissions for camera
          • Permissions to record audio
          • Permission for activity recognition
          • Permissions to monitor SMS and MMS incoming messages
          • Permissions to access body sensor data
        • Deny permissions automatically

          All corporate container apps are denied permissions without user interaction.

          Users can adjust app permissions in the device settings before these permissions are denied automatically.

      • In the Adding widgets of corporate container apps to device home screen section you can choose whether the device user is allowed to add widgets of corporate container apps to the device home screen.
        • Prohibit for all apps

          The device user is prohibited from adding widgets of apps installed in the corporate container.

          This option is selected by default.

        • Allow for all apps

          The device user is allowed to add widgets of all apps installed in the corporate container.

        • Allow only for the listed apps

          The device user is allowed to add widgets of listed apps installed in the corporate container.

          To add an app to the list, click Add and enter an app package name.

          How to get the package name of an app

          To get the name of an app package:

          1. Open Google Play.
          2. Find the app and open its page.

          The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

          To get the name of an app package that has been added to Kaspersky Security Center:

          1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
          2. Click Android apps.

            In the list of apps that opens, app identifiers are displayed in the Package name column.

    • On the Certificates tab, you can configure the following settings:
      • Duplicate installation of VPN certificates in user's personal space

        Selecting or clearing the check box specifies whether the VPN certificate added in the Mobile → Certificates section of the Kaspersky Security Center Web Console and installed in the corporate container will also be installed in the user's personal space.

        By default, VPN certificates received from Kaspersky Security Center are installed in the corporate container. This setting is applied when a new VPN certificate is issued.

        This check box is cleared by default.

      • Duplicate installation of root certificates in user's personal space

        Selecting or clearing the check box specifies whether the root certificates added in the Root certificates settings and installed in the corporate container will also be installed in the user's personal space.

        This check box is cleared by default.

    • On the Password tab, specify the corporate container password settings:
      • Require setting a password for corporate container

        Lets you specify the requirements for the corporate container password according to company security requirements.

        If the check box is selected, password requirements are available for configuration. When the policy is applied, the user receives a notification prompting them to set up a corporate container password according to company requirements.

        If the check box is cleared, password settings cannot be edited.

        This check box is cleared by default.

      • Minimum password length

        The minimum number of characters in the user password. Possible values: 4 to 16 characters.

        The user's password is 4 characters long by default.

        On recent Android versions the system enforces password strength levels rather than a raw length, so Kaspersky Endpoint Security converts the required length into one of the values available in the system (medium or high):

        • In the user's personal space, on devices running Android 10 or later.
        • In the corporate container, on devices running Android 12 or later.

        The value is chosen using the following rules:

        • If the required password length is 1 to 4 characters, the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered sequences (e.g. 1234), or alphabetic/alphanumeric. The PIN or password must be at least 4 characters long.
        • If the required password length is 5 or more characters, the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphabetic/alphanumeric (password). A PIN must be at least 8 digits long. A password must be at least 6 characters long.

        Note that on these Android versions the effective minimum can exceed the configured value: setting Minimum password length to 5 results in an 8-digit minimum for numeric PINs.
      • Minimum password complexity requirements

        Specifies the minimum unlock password requirements. These requirements apply only to new user passwords. The following values are available:

        • Numeric

          The user can set a password that includes numbers or set any stronger password (for instance, an alphabetic or alphanumeric password).

          This option is selected by default.

        • Alphabetic

          The user can set a password that includes letters (or other non-number symbols) or set any stronger password (for instance, an alphanumeric password).

        • Alphanumeric

          The user can set a password that includes both numbers and letters (or other non-number symbols) or set any stronger complex password.

        • No requirements

          The user can set any password.

        • Complex

          The user must set a complex password according to the specified password properties:

          • Minimum number of letters
          • Minimum number of digits
          • Minimum number of special characters (for example, !@#$%)
          • Minimum number of uppercase letters
          • Minimum number of lowercase letters
          • Minimum number of non-alphabetic characters (for example, 1^*9)
        • Complex numeric

          The user can set a password that includes numbers with no repetitions (e.g. 4444) and no ordered sequences (e.g. 1234, 4321, 2468) or set any stronger complex password.

      • Maximum number of failed password attempts before corporate container is deleted

        Specifies the maximum number of user attempts to enter the password to unlock the corporate container. When the policy is applied, the corporate container will be deleted from the device after the maximum number of failed attempts is exceeded.

        Possible values are 4 to 16.

        The default value is not set. This means that the attempts are not limited.

      • Maximum password lifetime (days)

        Specifies the number of days before the password expires. Applying a new value will set the current password lifetime to the new value.

        The default value is 0. This means that the password won't expire.

      • Number of days to send a notification before a required password change

        Specifies the number of days to notify the user before the password expires.

        The default value is 0. This means that the user won't be notified about an expiring password.

      • Number of recent passwords that cannot be set as a new password

        Specifies the maximum number of previous user passwords that can't be used as a new password. This setting applies only when the user sets a new password on the device.

        The default value is 0. This means that the new user password can match any previous password except the current one.

      • Period of inactivity before corporate container is locked (sec)

        Specifies the period of inactivity after which the corporate container locks.

        The default value is 0. This means that the corporate container won't lock after a period of inactivity.

      • Period after biometric unlock before password must be entered (min)

        Specifies how long after a biometric unlock the corporate container can be unlocked without a password. During this period, the user can use biometric methods to unlock the container. After it expires, the user can unlock the container only with a password.

        The default value is 0. This means that the user is never forced to re-enter the password after unlocking with a biometric method.

      • Allow biometric unlock methods

        If the check box is selected, the use of biometric unlock methods on the mobile device is allowed.

        If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of biometric methods to unlock the screen. The user can unlock the screen only with a password.

        This check box is selected by default.

      • Allow fingerprint unlock

        Specifies whether fingerprints can be used to unlock the screen.

        This check box does not restrict the use of a fingerprint scanner when signing in to apps or confirming purchases.

        If the check box is selected, the use of fingerprints on the mobile device is allowed.

        If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of fingerprints to unlock the screen. The user can unlock the screen only with a password. In the device settings, the option to use fingerprints will be unavailable.

        This check box is available only if the Allow biometric unlock methods check box is selected.

        This check box is selected by default.

        On some Xiaomi devices with a corporate container, the corporate container may be unlocked by a fingerprint only if you set the Period of inactivity before corporate container is locked (sec) value after setting a fingerprint as the screen unlock method.

      • Allow face unlock

        If the check box is selected, the use of face scanning is allowed on the mobile device.

        If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of face scanning to unlock the screen.

        This check box is available only if the Allow biometric unlock methods check box is selected.

        This check box is selected by default.

      • Allow iris scanning

        If the check box is selected, the use of iris scanning is allowed on the mobile device.

        If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of iris scanning to unlock the screen.

        This check box is available only if the Allow biometric unlock methods check box is selected.

        This check box is selected by default.

    • On the Passcode tab, specify the one-time passcode settings. The user will be prompted to enter the one-time passcode to unlock their corporate container if it is locked.
      • Passcode length

        The number of digits in the passcode. Possible values: 4, 8, 12, or 16 digits.

        The passcode is 4 digits long by default.

  7. Click OK.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. The user's mobile device is divided into a corporate container and a personal space.
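The length-to-strength rules on the Password tab and the "Complex numeric" option are easier to reason about as a checker. The following is an added example, not Kaspersky's code or Android's own implementation: it maps the policy's Minimum password length to the medium/high strength level described above, implements the "no repeating or ordered sequences" test for PINs, and reports whether a candidate PIN or password would satisfy a given policy value. The threshold for what counts as an ordered sequence (a run of more than three digits with a constant step) is an assumption chosen to match the examples on the page (1234, 4321, 2468, 4444), not a documented value.

```python
"""Added example (not Kaspersky's code): the password-strength mapping from the
Password tab, written out as a checker so the effect of a policy value can be
tried on candidate PINs and passwords before it is rolled out."""
from typing import Tuple

# Assumption: a run of more than this many digits with a constant step (0 for
# repeats such as 4444, +-1 for 1234/4321, +-2 for 2468, ...) counts as a
# repeating or ordered sequence. Chosen to match the page's examples.
MAX_ORDERED_RUN = 3

# Minimum lengths per strength level, from the rules on the Password tab.
MIN_LENGTH = {
    "medium": {"pin": 4, "password": 4},
    "high": {"pin": 8, "password": 6},
}


def target_strength(min_length: int) -> str:
    """Map the policy's 'Minimum password length' to the system strength level."""
    if not 1 <= min_length <= 16:
        raise ValueError("Minimum password length must be between 1 and 16")
    return "medium" if min_length <= 4 else "high"


def longest_ordered_run(digits: str) -> int:
    """Length of the longest run of neighbouring digits that share one step."""
    if len(digits) < 2:
        return len(digits)
    best = run = 1
    step = None
    for a, b in zip(digits, digits[1:]):
        d = int(b) - int(a)
        if d == step:
            run += 1
        else:
            step, run = d, 2
        best = max(best, run)
    return best


def is_complex_numeric(secret: str) -> bool:
    """The 'Complex numeric' option: digits only, no repeats, no ordered sequences."""
    return secret.isdigit() and longest_ordered_run(secret) <= MAX_ORDERED_RUN


def check_unlock_secret(secret: str, min_length: int) -> Tuple[bool, str]:
    """Would this PIN or password satisfy a policy with the given minimum length?"""
    strength = target_strength(min_length)
    kind = "pin" if secret.isdigit() else "password"
    need = MIN_LENGTH[strength][kind]
    if len(secret) < need:
        return False, f"{kind} needs at least {need} characters at {strength} strength"
    if kind == "pin" and not is_complex_numeric(secret):
        return False, "PIN contains a repeated or ordered digit sequence"
    return True, f"acceptable {kind} at {strength} strength"


if __name__ == "__main__":
    samples = [("1234", 4), ("7294", 4), ("7294", 5), ("72941835", 5), ("ab1xq2", 5)]
    for secret, policy_len in samples:
        print(secret, policy_len, check_unlock_secret(secret, policy_len))
```

Running the block shows the practical effect of the second rule: a 4-digit PIN that passes at Minimum password length 4 is rejected at 5, because the high strength level raises the PIN floor to 8 digits even though the policy field says 5.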

Page top
[Topic 274817]

Unlocking the corporate container

The corporate container can be locked if the device does not meet the Compliance Control security requirements.

To unlock the corporate container, the user of the mobile device must enter a one-time corporate container passcode on the locked screen. The passcode is generated by Kaspersky Security Center and is unique for each mobile device. When the corporate container is unlocked, the corporate container password is reset to the default value (1234). Because this reset value is the same on every device, have the user change the container password immediately after the container is unlocked.

As an administrator, you can view the passcode in the policy settings that are applied to the mobile device. The length of the passcode can be changed (4, 8, 12, or 16 digits) in the Corporate container on devices settings of the policy.

To unlock a corporate container using a one-time passcode:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. Click the mobile device for which you want to get a one-time passcode.
  3. Select Applications → Kaspersky Mobile Devices Protection and Management.

    The Kaspersky Mobile Devices Protection and Management properties window opens.

  4. Select the Application settings tab.

    The unique passcode for the selected device is shown in the One-time code field of the One-time corporate container passcode section.

  5. Communicate the one-time passcode to the user through a channel they can still reach while the container is locked (for example, personal email or a phone call).

    The user then must enter the received one-time passcode on their device.

The corporate container of the user's mobile device is unlocked.

After the corporate container on a device is locked, the history of corporate container passwords is cleared. This means that the user can specify a recent password, regardless of the corporate container password settings.

Page top
[Topic 274818]

Adding an LDAP account

These settings apply to supervised devices and devices operating in basic control mode.

To enable an iOS MDM device user to access corporate contacts on the LDAP server, add an LDAP account.

To add an LDAP account of an iOS MDM device user:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the LDAP card, click Settings.

    The LDAP window opens.

  5. Enable the settings using the LDAP toggle switch.
  6. Click Add.

    The Add LDAP account window opens.

  7. On the General settings tab, specify the following LDAP settings:
    • In the Server section, specify the server settings:
      • In the Description field, enter a description of the user's LDAP account. You can either enter a value or select a macro by clicking the plus button.
      • In the Server address field, enter the host name or IP address of the LDAP server. If you use the SSL option below, enter the name that the server's certificate was issued for, so that certificate validation succeeds.
    • In the Authentication section, specify the user's credentials:
      • In the Account name field, enter the account name for authorization on the LDAP server. You can either enter a value or select a macro by clicking the plus button.
      • In the Password field, enter the password of the LDAP account for authorization on the LDAP server.
      • To protect the connection with TLS (the check box is labeled SSL; iOS connects using LDAP over TLS, typically on port 636), select the Use SSL connection check box. Without it, the account password and the directory data are sent in cleartext.
    • If necessary, in the Per App VPN section, configure Per App VPN.
  8. On the Search settings tab, compile a list of search queries for the iOS MDM device user to access corporate data on the LDAP server:
    1. Click the Add setting button to add a block of the search query settings.
    2. In the Name field, enter the name of a search query.
    3. In the Search scope drop-down list, select the nesting level of the folder for searching corporate data on the LDAP server:
      • Root folder of the LDAP server. Search in the base folder of the LDAP server.
      • First level subfolders. Search in folders in the first nesting level, counting from the base folder.
      • All subfolders. Search in folders in all nesting levels, counting from the base folder.
    4. In the Search base field, enter the distinguished name (DN) of the entry on the LDAP server where the search begins (for example: "ou=people", "o=example corp").
    5. Repeat steps 1-4 for all search queries that you want to add to the iOS MDM device.
  9. Click Add.

    The new LDAP account appears in the list.

    You can modify or delete LDAP accounts in the list using the Edit and Delete buttons at the top of the list.

  10. Click OK.
  11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, the LDAP accounts from the compiled list are added on the user's mobile device. The user can access corporate contacts in the standard iOS apps: Contacts, Messages, and Mail.

[Topic 274799]

Adding a contacts account

These settings apply to supervised devices and devices operating in basic control mode.

To let the iOS MDM device user synchronize data with the CardDAV server, add a CardDAV account. Synchronization with the CardDAV server lets the user access the contact details from any device.

To add a CardDAV account of an iOS MDM device user:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Contacts card, click Settings.

    The Contacts window opens.

  5. Enable the settings using the Contacts toggle switch.
  6. Click Add.

    The Add CardDAV account window opens.

  7. In the Server section, in the Description field, enter a description of the user's CardDAV account.
  8. In the Server address and Server port fields, enter the host name or the IP address of the CardDAV server and the number of the CardDAV server port.
  9. In the Contact URL field, specify the URL of the CardDAV account of the iOS MDM device user on the CardDAV server (for example: http://example.com/carddav/users/mycompany/user).

    The URL must begin with http:// or https://.

  10. In the Authentication section, in the Account name field, enter the account name for authorization on the CardDAV server.
  11. In the Password field, enter the CardDAV account password for authorization on the CardDAV server.
  12. If you want to use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of data between the CardDAV server and the mobile device, select the Use SSL connection check box. If the check box is cleared, the connection to the CardDAV server is not encrypted, and the account credentials and contact data are exposed to anyone on the network path.
  13. If necessary, in the Per App VPN section, configure Per App VPN.
  14. Click Add.

    The new CardDAV account appears in the list.

    You can modify or delete CardDAV accounts in the list using the Edit and Delete buttons at the top of the list.

  15. Click OK.
  16. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, CardDAV accounts from the compiled list will be added on the user's mobile device.

If you experience problems when adding or updating accounts, check whether the settings you configured are correct.

[Topic 274801]

Adding a calendar account

To let an iOS MDM device user access their calendar events on a CalDAV server, add a CalDAV account. Synchronization with the CalDAV server lets the user create and receive invitations, receive event updates, and synchronize tasks with the Reminders app.

To add an iOS MDM device user's CalDAV account:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Calendar card, click Settings.

    The Calendar window opens.

  5. Enable the settings using the Calendar toggle switch.
  6. Click Add.

    The Add CalDAV account window opens.

  7. In the Server section, in the Description field, enter a description of the user's CalDAV account.
  8. In the Server address and Server port fields, enter the host name or the IP address of a CalDAV server and the number of the CalDAV server port.
  9. In the Calendar URL field, specify the URL of the CalDAV account of the iOS MDM device user on the CalDAV server (for example, http://example.com/caldav/users/mycompany/user).

    The URL must begin with http:// or https://.

  10. In the Authentication section, in the Account name field, enter the account name for authorization on the CalDAV server.
  11. In the Password field, set the CalDAV account password for authorization on the CalDAV server.
  12. If you want to use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of event data between the CalDAV server and the mobile device, select the Use SSL connection check box. If the check box is cleared, the connection to the CalDAV server is not encrypted, and the account credentials and calendar data are exposed to anyone on the network path.
  13. If necessary, in the Per App VPN section, configure Per App VPN.
  14. Click Add.

    The new CalDAV account appears in the list.

    You can modify or delete CalDAV accounts in the list using the Edit and Delete buttons at the top of the list.

  15. Click OK.
  16. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, the CalDAV accounts from the compiled list are added on the user's mobile device.

If you experience problems when adding or updating accounts, check whether the settings you configured are correct.

[Topic 274800]

Configuring a calendar subscription

These settings apply to supervised devices and devices operating in basic control mode.

To let the iOS MDM device user add events of shared calendars (such as a corporate calendar) to the user's calendar, add a subscription to these calendars. Shared calendars are calendars of other users who have a CalDAV account, iCal calendars, and other published calendars.

To add a calendar subscription:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Calendar subscriptions card, click Settings.

    The Calendar subscriptions window opens.

  5. Enable the settings using the Calendar subscriptions toggle switch.
  6. Click Add.

    The Add calendar subscription window opens.

  7. In the Description field, enter a description of the calendar subscription.
  8. In the Server address field, specify the URL of a third-party calendar.

    In this field, you can enter the URL of the CalDAV account of a user whose calendar you are subscribing to. You can also specify the URL of an iCal calendar or a different published calendar.

  9. In the User name field, enter the user account name for authentication on the server of the third-party calendar.
  10. In the Password field, enter the calendar subscription password for authentication on the server of the third-party calendar.
  11. If you want to use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of event data between the calendar server and the mobile device, select the Use SSL connection check box.
  12. If necessary, in the Per App VPN section, configure Per App VPN.
  13. Click Add.

    The new calendar subscription appears in the list.

    You can modify or delete calendar subscriptions in the list using the Edit and Delete buttons at the top of the list.

  14. Click OK.
  15. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, events from the shared calendar in the list will be added to the calendar on the user's mobile device.

[Topic 274802]

Configuring SSO

These settings apply to supervised devices and devices operating in basic control mode.

The SSO settings let you configure account settings for using Single Sign-On technology. Single Sign-On (SSO) is an authentication method that allows a user to sign in to multiple services with a single ID. The Kerberos protocol is used for user authentication.

To configure the use of SSO on iOS MDM devices:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the SSO card, click Settings.

    The SSO window opens.

  5. Enable the settings using the SSO toggle switch.
  6. Specify the following settings:
    • In the Account name field, specify the name of the user's Single Sign-On account for Kerberos server authorization. You can either enter a value or select a macro by clicking the plus button.
    • In the Authentication section, specify the authentication settings:
      • Kerberos user name

        Main name of the account of an iOS MDM device user on the Kerberos server. The Kerberos user name is case-sensitive and must be specified in the format <primary>/<instance>, where:

        1. <primary> is the user name.

        2. <instance> is a description of the primary name, such as "admin". The instance may be omitted.

        Example: if the Kerberos user name is mycompany/admin@EXAMPLE.COM or mycompany@EXAMPLE.COM, you must enter mycompany/admin or mycompany respectively.

        You can either enter a value or select a macro by clicking the plus button.

        Do not use the at sign (@) in this field. Otherwise the SSO profile will not be applied on the device.

      • Kerberos scope

        Name of the Kerberos realm to which the Kerberos servers and iOS MDM devices belong (the console calls the realm the scope). The scope must be entered using uppercase letters.

        The realm name must match the domain name, written in uppercase. For example, the scope for the example.com domain is EXAMPLE.COM.

        Example: if the Kerberos user name is mycompany/admin@EXAMPLE.COM, you must enter EXAMPLE.COM.

      • Authentication certificate

        The certificate used for user authentication.

    • In the URL prefixes section, specify the addresses of websites on which Kaspersky Mobile Devices Protection and Management allows using SSO:
      • Limit account to the listed URLs

        Use of Single Sign-On for automatic sign-in only to websites added to the list of allowed web addresses. You can create a list of allowed web addresses by clicking the Add URL button next to the check box.

        If the check box is selected, the user can use Single Sign-On for authorization on websites that have been added to the list of allowed web addresses.

        If the check box is cleared or the list is empty, the user can use Single Sign-On for all websites within the Kerberos scope.

        This check box is cleared by default.

      • Add URL

        Clicking the button adds the URL prefix field for specifying a new website in the list of web addresses for which automatic Single Sign-On is allowed.

        The button is available if the Limit account to the listed URLs check box is selected.

        The web address must begin with http:// or https://. Automatic Single Sign-On is performed only when the beginning of the requested URL matches the prefix exactly, including the scheme, host name, and port. For example, the prefix https://example.com/ does not match the web address https://example.com:443/.

        To allow Single Sign-On access only to websites that use the HTTP protocol, enter the value http://. To allow access only to websites that use the secure HTTPS protocol, enter https://. Prefer https:// prefixes: over plain HTTP, the Kerberos authentication exchange and the session that follows are not protected by transport encryption.

        If the web address does not end with the "/" symbol, Kaspersky Mobile Devices Protection and Management adds this symbol automatically.

        If the list of allowed web addresses is empty, the user can use Single Sign-On to automatically sign in to all websites within the Kerberos scope.

    • In the Bundle IDs section, specify the IDs of apps in which Kaspersky Mobile Devices Protection and Management allows using SSO:
      • Limit account to the listed apps

        Using Single Sign-On for automatic sign-in to apps added to the list of bundle identifiers. You can create a list of bundle IDs by clicking the Add app button next to the check box.

        If the check box is selected, the user can use Single Sign-On only for authorization in apps that have been added to the list of bundle IDs.

        If the check box is cleared or the list is empty, the user can use Single Sign-On for all apps within the Kerberos scope.

        This check box is cleared by default.

      • Add app

        Clicking the button adds the Bundle ID field for specifying a new bundle ID in the list of apps for which automatic Single Sign-On is allowed.

        The button is available if the Limit account to the listed apps check box is selected.

        Automatic Single Sign-On is performed only when the added ID fully matches the bundle ID. For example: com.mycompany.myapp.

        To grant access to several apps using Single Sign-On, use the "*" symbol after the "." character. For example: com.mycompany.*. Access will be allowed to all apps whose bundle ID begins with the specified prefix.

        If the list of bundle IDs is empty, the user can use Single Sign-On to automatically sign in to all apps within the Kerberos scope.

  7. Click OK.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, SSO is configured on the iOS MDM device.
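A pre-flight check for these SSO settings, written as an added example for this page (not Kaspersky code). It encodes the rules stated above: the Kerberos user name is <primary> or <primary>/<instance> without an @ sign, the Kerberos scope is the uppercase realm, URL prefixes must begin with http:// or https:// and match as exact prefixes with a trailing slash, and bundle IDs match exactly or by a trailing .* wildcard. The SsoSettings names and the sample values are assumptions for illustration; the matching functions reproduce the documented behaviour, not the device's own code.

```python
"""Pre-flight check for Kerberos SSO settings before they are entered in the console.

Added illustration of the documented rules (principal format, uppercase realm,
URL prefix and bundle ID matching).  Not Kaspersky code.
"""
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit, urlunsplit


@dataclass
class SsoSettings:
    kerberos_user: str          # "Kerberos user name": <primary> or <primary>/<instance>, no realm
    realm: str                  # "Kerberos scope": the Kerberos realm, e.g. EXAMPLE.COM
    url_prefixes: List[str] = field(default_factory=list)   # empty = all sites in the realm
    bundle_ids: List[str] = field(default_factory=list)     # empty = all apps in the realm


def normalize_prefix(prefix: str) -> str:
    """The console appends "/" to a prefix that does not end with one."""
    return prefix if prefix.endswith("/") else prefix + "/"


def validate(settings: SsoSettings) -> List[str]:
    """Return the problems that would make the profile fail to apply or weaken it."""
    problems = []
    user = settings.kerberos_user
    if "@" in user:
        problems.append("Kerberos user name contains '@'; put the realm in Kerberos scope instead")
    parts = user.split("/")
    if not user or len(parts) > 2 or any(p == "" for p in parts):
        problems.append("Kerberos user name must be <primary> or <primary>/<instance>")
    if not settings.realm or settings.realm != settings.realm.upper():
        problems.append("Kerberos scope must be the realm in uppercase, e.g. EXAMPLE.COM")
    for prefix in settings.url_prefixes:
        if not prefix.startswith(("http://", "https://")):
            problems.append(f"URL prefix {prefix!r} must start with http:// or https://")
        elif prefix.startswith("http://"):
            # A plain-HTTP prefix lets the Kerberos exchange run without transport encryption.
            problems.append(f"URL prefix {prefix!r} permits SSO over plain HTTP; prefer https://")
    for pattern in settings.bundle_ids:
        if "*" in pattern and (pattern.count("*") > 1 or not pattern.endswith(".*")):
            problems.append(f"bundle ID {pattern!r}: '*' is only valid as a trailing '.*'")
    return problems


def url_allowed(prefixes: List[str], url: str) -> bool:
    """Exact prefix match as documented: scheme, host and port must all agree."""
    if not prefixes:
        return True
    parts = urlsplit(url)
    if parts.path == "":   # https://host names the same resource as https://host/
        url = urlunsplit((parts.scheme, parts.netloc, "/", parts.query, parts.fragment))
    return any(url.startswith(normalize_prefix(p)) for p in prefixes)


def app_allowed(patterns: List[str], bundle_id: str) -> bool:
    """Exact bundle ID match, or prefix match for patterns ending in '.*'."""
    if not patterns:
        return True
    for pattern in patterns:
        if pattern.endswith(".*"):
            if bundle_id.startswith(pattern[:-1]):   # keep the trailing '.' in the prefix
                return True
        elif bundle_id == pattern:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample settings, not taken from any real deployment.
    settings = SsoSettings("jdoe/admin", "EXAMPLE.COM",
                           ["https://intranet.example.com"],
                           ["com.mycompany.*", "com.example.mail"])
    print(validate(settings) or "settings OK")
    print(url_allowed(settings.url_prefixes, "https://intranet.example.com/wiki"))
    print(url_allowed(settings.url_prefixes, "https://intranet.example.com:443/"))
    print(app_allowed(settings.bundle_ids, "com.mycompany.expenses"))
```

The trailing slash that the console adds is also what stops a prefix such as https://example.com from matching https://example.com.evil.net; url_allowed shows the same effect, so the lists you enter can be tested against the URLs and apps your users actually open.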

[Topic 280514]

Managing Web Clips

A Web Clip is an app that opens a website from the home screen of a mobile device. By clicking Web Clip icons on the home screen of the device, the user can quickly open websites (such as the corporate website). Web Clips may also pop up if the user taps and holds the Kaspersky Endpoint Security for Android app icon.

You can add or delete Web Clips on user devices and specify icons displayed on the screen. Web Clips can be added on both Android and iOS MDM devices.

Managing Web Clips on Android devices

To manage Web Clips on a user's Android device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Device configuration section.
  4. On the Web Clips card, click Settings.

    The Web Clips window opens.

  5. Enable the settings using the Web Clips toggle switch.
  6. Click Add.

    The Add Web Clip window opens.

  7. In the Web Clip name field, enter the name of the Web Clip to be displayed on the home screen of the Android device.
  8. In the Website URL field, enter the web address of the website that will open when the user taps the Web Clip icon. The address should begin with http:// or https://.

    If the entered website is forbidden or is not on the list of allowed websites in the Web Control settings of the policy, users will not be able to access this website via the Web Clip.

  9. Click Select to specify the image for the Web Clip icon. The PNG, JPEG, and ICO file formats are supported. If you do not select an image for the Web Clip, a blank square is displayed as the icon.
  10. Click Add.

    The new Web Clip appears in the list.

    You can modify or delete Web Clips in the list using the Edit and Delete buttons at the top of the list.

  11. Click OK.
  12. Click Save to save the changes you have made.

Once the policy is applied to a device, the Kaspersky Endpoint Security for Android app shows notifications to prompt the user to install the Web Clips you created. After the user installs these Web Clips, the corresponding icons are added on the home screen of the device.

If there are no in-app notifications prompting the user to install Web Clips, make sure the Device has not been synchronized with the Administration Server for a long time check box is selected in the Notifications settings of the KES for Android settings section.

The deleted Web Clips are disabled on the home screen of the Android device. If the user taps the corresponding icon, a notification appears that the Web Clip is no longer available. The user should delete the Web Clip from the home screen by following a vendor-specific procedure.

Managing Web Clips on iOS MDM devices

By default, the following restrictions apply to Web Clips:

  • The user cannot manually remove Web Clips from the mobile device.
  • The corner rounding, shadow, and gloss visual effects are applied to the Web Clip icon on the screen.
  • Websites that open when the user taps a Web Clip icon do not open in full-screen mode.

To manage Web Clips on a user's iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Web Clips card, click Settings.

    The Web Clips window opens.

  5. Enable the settings using the Web Clips toggle switch.
  6. Click Add.

    The Add Web Clip window opens.

  7. In the Web Clip name field, enter the name of the Web Clip to be displayed on the home screen of the iOS MDM device.
  8. In the Website URL field, enter the web address of the website that will open when the user taps the Web Clip icon. The address should begin with http:// or https://.

    If the entered website is forbidden or is not on the list of allowed websites in the Web Control settings of the policy, users will not be able to access this website via the Web Clip.

  9. Click Select to specify the image for the Web Clip icon.

    The image must meet the following requirements:

    • Image size no greater than 400 x 400 pixels.
    • File format: PNG, JPEG, or ICO.
    • File size no larger than 1 MB.

    If you do not select an image for the Web Clip, a blank square is displayed as the icon.

    If the selected image has a transparent background, the background will be black on the device.

  10. In the Options section, specify the following additional settings:
    1. If you want to allow the user to remove the Web Clip from the iOS MDM device, select the Allow removal of Web Clip check box.
    2. If you want the Web Clip icon to be displayed without special visual effects (rounding of icon corners and gloss effect), select the Precomposed icon check box.
    3. If you want the website to open in full-screen mode on the iOS MDM device when the user taps the icon, select the Full screen Web Clip check box.

      In full-screen mode, the Safari toolbar is hidden and only the website is shown on the device screen.

  11. Click Add.

    The new Web Clip appears in the list.

    You can modify or delete Web Clips in the list using the Edit and Delete buttons at the top of the list.

  12. Click OK.
  13. Click Save to save the changes you have made.

Once the policy is applied, the Web Clip icons in the list you have created are added on the home screen of the user's mobile device.

The deleted Web Clips are removed from the home screen of the iOS MDM device.
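A check of a PNG icon against the iOS Web Clip requirements listed above (400 x 400 pixels, 1 MB, transparency rendered as black), added here as an example and not part of Kaspersky's product. It parses the PNG chunk structure with the standard library only; the assumption that 1 MB means 1,048,576 bytes and the sample images built in memory are the author's, not the page's.

```python
"""Check a PNG against the documented iOS Web Clip icon limits before uploading it.

Added example, not Kaspersky code.  Parses PNG chunks with the standard
library; 1 MB is assumed to mean 1,048,576 bytes; sample images are constructed.
"""
import struct
import zlib
from typing import Dict, List

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(chunk_type: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(chunk_type + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + chunk_type + payload + struct.pack(">I", crc)


def png_info(data: bytes) -> Dict[str, object]:
    """Width, height and whether the image carries transparency (alpha channel or tRNS chunk)."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    width = height = color_type = None
    has_trns = False
    pos = 8
    while pos + 8 <= len(data):
        length, chunk_type = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        if chunk_type == b"IHDR":
            width, height, _bit_depth, color_type = struct.unpack(">IIBB", payload[:10])
        elif chunk_type == b"tRNS":          # palette, grey and RGB images declare transparency here
            has_trns = True
        elif chunk_type == b"IEND":
            break
        pos += 12 + length                   # length + type + payload + CRC
    if width is None:
        raise ValueError("PNG has no IHDR chunk")
    return {"width": width, "height": height,
            "transparent": color_type in (4, 6) or has_trns}   # 4 = grey+alpha, 6 = RGBA


def check_web_clip_icon(data: bytes, max_side: int = 400, max_bytes: int = 1024 * 1024) -> List[str]:
    """Findings against the documented limits; an empty list means the icon is acceptable."""
    findings = []
    if len(data) > max_bytes:
        findings.append(f"file is {len(data)} bytes, limit is {max_bytes}")
    info = png_info(data)
    if info["width"] > max_side or info["height"] > max_side:
        findings.append(f"image is {info['width']} x {info['height']}, limit is {max_side} x {max_side}")
    if info["transparent"]:
        findings.append("image has transparency; the background will render black on the device")
    return findings


def make_sample_png(width: int, height: int, alpha: bool) -> bytes:
    """Constructed sample: a solid-colour 8-bit RGB PNG, or a fully transparent RGBA one."""
    pixel = bytes([0x20, 0x60, 0xC0] + ([0x00] if alpha else []))
    scanlines = b"".join(b"\x00" + pixel * width for _ in range(height))   # filter type 0 per row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6 if alpha else 2, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    print(check_web_clip_icon(make_sample_png(180, 180, alpha=False)) or "icon OK")
    print(check_web_clip_icon(make_sample_png(512, 512, alpha=True)))
```

Running the check over the icon files before adding them to the policy avoids the black-background surprise on devices, which is otherwise only visible after the next synchronization.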

[Topic 274803]

Setting a wallpaper

You can set an image as the home screen wallpaper and lock screen wallpaper on users' devices that fall under the same policy.

To set a wallpaper on users' Android devices:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Device configuration section.
  4. On the Custom wallpapers card, click Settings.

    The Custom wallpapers window opens.

  5. Enable the settings using the Custom wallpapers toggle switch.
  6. In the Home screen wallpaper section, in the How to set wallpaper drop-down list, select the method for specifying the wallpaper:
    • Upload file

      For this option, you need to upload a PNG or JPEG image no larger than 1 MB from your computer.

    • Download image from the internet

      For this option, you need to specify a URL beginning with http:// or https://. Use only trusted URLs.

  7. Add an image to be used as a wallpaper:
    • If you selected the Upload file option, click Select to upload an image. When the upload is finished, an image preview will be displayed.
    • If you selected the Download image from the internet option, specify the link to the image in the Link to image field. You can click Open preview to view the image in a new browser tab.
  8. If you want to use the same image as the lock screen wallpaper, in the Lock screen wallpaper section, select the Use home screen wallpaper for lock screen check box.
  9. Click OK.
  10. Click Save to save the changes you have made.

The imported image is set as a wallpaper on users' devices.

[Topic 274804]

Adding fonts

These settings apply to supervised devices and devices operating in basic control mode.

To add a font on a user's iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Custom fonts card, click Settings.

    The Custom fonts window opens.

  5. Enable the settings using the Custom fonts toggle switch.
  6. Click Add.
  7. Select the font file saved on your computer. The file must have the .TTF or .OTF extension.

    Fonts with the .TTC or .OTC extension are not supported.

    Fonts are identified using the PostScript name. Do not install fonts with the same PostScript name even if their content is different. Installing fonts with the same PostScript name will result in an error.

  8. Click Open.

    The new font appears in the list.

    You can delete fonts in the list using the Delete button at the top of the list.

  9. Click OK.
  10. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, the user will be prompted to install fonts from the list that has been created.
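Because fonts are identified by their PostScript name and a clash produces an error, it helps to read that name out of each .ttf/.otf file and look for duplicates before uploading. The following is an added example for this page, not Kaspersky code: it parses the sfnt table directory and the 'name' table (nameID 6) and rejects .ttc/.otc collections as the documentation says. The sample fonts it builds in memory contain only a 'name' table, which is enough for the parser but not a usable font.

```python
"""Read the PostScript name (name table, nameID 6) from .ttf/.otf files and
flag duplicates before uploading fonts to the policy.

Added example, not Kaspersky code.  Sample fonts are constructed in memory.
"""
import struct
from typing import Dict, List, Tuple

SFNT_TAGS = (b"\x00\x01\x00\x00", b"OTTO", b"true")   # TrueType, CFF OpenType, legacy Mac


def is_collection(data: bytes) -> bool:
    """.ttc/.otc collections start with 'ttcf' and are not supported by the console."""
    return data[:4] == b"ttcf"


def postscript_name(data: bytes) -> str:
    if is_collection(data):
        raise ValueError("font collections (.ttc/.otc) are not supported")
    if data[:4] not in SFNT_TAGS:
        raise ValueError("not an sfnt (TrueType/OpenType) font")
    num_tables = struct.unpack(">H", data[4:6])[0]
    for i in range(num_tables):   # 16-byte table records follow the 12-byte offset table
        tag, _checksum, offset, length = struct.unpack(">4sIII", data[12 + 16 * i:28 + 16 * i])
        if tag == b"name":
            break
    else:
        raise ValueError("font has no 'name' table")
    table = data[offset:offset + length]
    _fmt, count, string_offset = struct.unpack(">3H", table[:6])
    found: Dict[int, str] = {}
    for i in range(count):        # 12-byte name records
        platform, _enc, _lang, name_id, slen, soff = struct.unpack(">6H", table[6 + 12 * i:18 + 12 * i])
        if name_id != 6:
            continue
        raw = table[string_offset + soff:string_offset + soff + slen]
        # Windows (3) and Unicode (0) platforms store UTF-16BE; Macintosh (1) stores Mac Roman.
        found[platform] = raw.decode("mac_roman") if platform == 1 else raw.decode("utf-16-be")
    for platform in (3, 0, 1):
        if platform in found:
            return found[platform]
    raise ValueError("no PostScript name (nameID 6) in the 'name' table")


def duplicate_postscript_names(fonts: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Return (postscript_name, first_file, duplicate_file) for every clash in the upload set."""
    seen: Dict[str, str] = {}
    clashes = []
    for filename, data in fonts.items():
        ps_name = postscript_name(data)
        if ps_name in seen:
            clashes.append((ps_name, seen[ps_name], filename))
        else:
            seen[ps_name] = filename
    return clashes


def make_sample_font(ps_name: str, family: str) -> bytes:
    """Constructed sample: sfnt wrapper around a format-0 'name' table with nameIDs 1 and 6."""
    strings, records = b"", []
    for name_id, text in ((1, family), (6, ps_name)):
        encoded = text.encode("utf-16-be")
        records.append(struct.pack(">6H", 3, 1, 0x0409, name_id, len(encoded), len(strings)))
        strings += encoded
    name_table = struct.pack(">3H", 0, len(records), 6 + 12 * len(records)) + b"".join(records) + strings
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)             # one table
    directory = struct.pack(">4sIII", b"name", 0, 28, len(name_table))  # table starts after the directory
    return header + directory + name_table


if __name__ == "__main__":
    upload = {
        "CorpSans-Regular.ttf": make_sample_font("CorpSans-Regular", "Corp Sans"),
        "CorpSans-Bold.otf": make_sample_font("CorpSans-Bold", "Corp Sans"),
        "CorpSans-Regular-v2.ttf": make_sample_font("CorpSans-Regular", "Corp Sans"),  # same PostScript name
    }
    for clash in duplicate_postscript_names(upload):
        print("duplicate PostScript name %r: %s and %s" % clash)
```

For real font files, read each one with open(path, "rb").read() and pass the resulting mapping to duplicate_postscript_names; a clash on a file with different content is exactly the case the documentation warns about.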

[Topic 274805]

Working with commands for mobile devices

This section contains information about commands for managing mobile devices supported by Kaspersky Security Center. It provides instructions on how to send commands to mobile devices, as well as how to view the execution statuses of commands in the command history.

In this section

Commands for mobile devices

Sending commands

Viewing the statuses of commands in the command history

[Topic 274891]

Commands for mobile devices

Kaspersky Security Center supports commands for remote mobile device management. For instance, if a mobile device is lost or stolen, you can send commands to locate the device or wipe all corporate data from the device.

You can send commands to the following types of managed mobile devices:

  • Android devices managed via the Kaspersky Endpoint Security for Android app
  • iOS MDM devices

Each device type supports a dedicated set of commands.

You can cancel commands in the Command history.

Commands may be delivered to devices connected to the internet almost immediately, so a command can already have been executed on the device even though Command history shows it as canceled.

Commands for Android devices

Each entry below gives the command name followed by its result.

Lock device

The mobile device is locked. To obtain access to data, you must unlock the device using the Unlock device command or a one-time passcode.

Unlock device

The mobile device is unlocked.

After unlocking a device running Android 5 – 6, the screen unlock password is reset to "1234". Because this passcode is well known, instruct the user to change it immediately. After unlocking a device running Android 7 or later, the screen unlock password is not changed.

Reset to factory settings

All data is deleted from the mobile device and the settings are rolled back to their factory values. After this command is executed, the device will not be able to receive or execute subsequent commands.

This command is unavailable for personal devices and devices with a corporate container running Android 14 or later.

Wipe corporate data

Corporate data is wiped from the device. The list of wiped data depends on the mode the device is operating in:

  • On a personal device, the Knox container and mail certificate are wiped.
  • On a corporate device, the Knox container and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
  • Additionally, if a corporate container was created, the corporate container (its contents, configurations, and restrictions) and the certificates installed in the corporate container (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.

Synchronize device

The mobile device data is synchronized with the Administration Server.

The Executed status may be displayed when the command has been successfully sent but not yet received by the device.

Locate device

The mobile device's location coordinates are obtained.

To view the device location on a map, go to the Assets (Devices) → Mobile → Devices section. Then choose a device and select Command history → Locate device → Device coordinates → Open Maps.

On devices running Android 12 or later, if the user granted the "Use approximate location" permission, the Kaspersky Endpoint Security for Android app first tries to get the precise device location. If this is not successful, the approximate device location is returned only if it was received within the past 30 minutes. Otherwise, the command fails.

This command does not work on Android devices if Google Location Accuracy is disabled in the settings. Please be aware that not all Android devices come with this location setting.

Take photos

The mobile device is locked. Photos are taken using the front camera of the device when somebody attempts to unlock the device. On devices with a pop-up front camera, the photo will be black if the camera is stowed.

When attempting to unlock the device, the user automatically consents to having their photo taken on the device.

If the permission to use the camera has been revoked, the mobile device displays a notification and prompts to provide the permission. On a mobile device running Android 12 or later, if the permission to use the camera has been revoked via Quick Settings, the notification is not displayed but the taken photo is black.

Sound alarm

The mobile device sounds an alarm. The alarm is sounded for 5 minutes (or for 1 minute if the device battery is low).

Wipe app data

The data of a specified app is wiped from the mobile device.

For this action, you need to specify the package name for the app whose data is to be deleted.

As a result, the app is rolled back to its default state.

The data of system and administrative apps is not wiped.

Wipe data of all apps

The data of all apps is wiped from the mobile device.

On a corporate device, the data of all apps on the device is wiped.

On a device with a corporate container, the data of all apps in the corporate container is wiped.

As a result, apps are rolled back to their default state.

The data of system and administrative apps is not wiped.

Send message

A message with the specified title and text is sent to the user's mobile device. You can send only a push notification or both a push notification and an alert.

Get location history

The mobile device's location history for the last 14 days is displayed.

To view the device location on a map, go to the Assets (Devices) → Mobile → Devices section. Then choose a device and select Command history → Get location history → View on map.

Due to technical limitations on Android devices, the device location may be retrieved less often than specified in the Location tracking settings.

Commands for iOS MDM devices

Each entry below gives the command name followed by its result.

Lock device

The mobile device is locked. To access data, you must unlock the device.

Reset unlock password

The mobile device's screen unlock password is reset, and the user is prompted to set a new password in accordance with policy requirements.

Reset to factory settings

All data is deleted from the mobile device and the settings are rolled back to their factory values. After this command is executed, the device will not be able to receive or execute subsequent commands.

Wipe corporate data

All installed configuration profiles, the device management profile, and apps for which the Remove when device management profile is deleted check box has been selected are removed from the device.

Synchronize device

The mobile device data is synchronized with the Administration Server.

Install configuration profile

A configuration profile is installed on the mobile device.

You cannot install a configuration profile with settings for a supervised device on a device in basic control mode.

Delete configuration profile

The configuration profile is deleted from the mobile device.

The profile may be displayed in the list of configuration profiles installed on the device for several minutes after it has been deleted.

Install app

The specified app is installed on the mobile device.

Update app

The specified app is updated on the mobile device.

Delete app

The specified app is removed from the mobile device.

OS update (supervised only)

Operating system updates are scheduled on the mobile device according to the specified update settings.

This command may fail if the device does not have enough storage space or if the specified OS version is not available for the selected device. We recommend specifying the latest available OS version.

Change roaming settings

Data roaming and voice roaming are enabled or disabled.

Set Bluetooth state (supervised only)

Bluetooth is enabled or disabled on the mobile device.

This command is supported only for supervised devices running iOS 11.3 or later.

Enable Lost Mode (supervised only)

Lost Mode is enabled on the supervised mobile device, and the device is locked. The device screen shows a message and phone number that you can edit.

If you send the Enable Lost Mode command to a supervised iOS MDM device without a SIM card and the device is then restarted, it will not be able to connect to Wi-Fi and therefore cannot receive the Disable Lost Mode command. This behavior is specific to iOS devices. To avoid this issue, either send the command only to devices with a SIM card, or insert a SIM card into the locked device so that it can receive the Disable Lost Mode command over the mobile network.

Locate device (Lost Mode only)

The location of the mobile device is obtained.

Sound alarm (Lost Mode only)

A sound is played on the lost mobile device.

Disable Lost Mode (supervised only)

Lost Mode is disabled on the mobile device, and the device is unlocked.

Permissions for executing commands

Special rights and permissions are required to execute Kaspersky Endpoint Security for Android commands. While the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required rights and permissions. The user can skip these steps or later revoke these permissions in the device settings. In that case, commands cannot be executed.

On devices running Android 10 or later, the user must grant the "All the time" location permission. On devices running Android 11 or later, the user must also grant the "While using the app" camera permission. Otherwise, Anti-Theft commands will not function. The user is notified of this limitation and is prompted again to grant the required level of permissions. If the user selects the "Only this time" option for the camera permission, the app treats access as granted. We recommend contacting the user directly if the Camera permission is requested again.

[Topic 274892]

Sending commands

To send a command to the user's mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of devices that opens, select a device that you want to send a command to.

    You can select multiple devices.

  3. Click Send command.
  4. In the Send command window that opens, in the Command field, select a command.
  5. Configure the command that you want to send.
  6. Click Send.

    You can view and cancel commands in the Command history.

The command is sent to the devices you selected.

[Topic 274893]

Viewing the statuses of commands in the command history

The application saves information about all commands sent to mobile devices in the command history. For each command, the history records the date and time it was sent to the mobile device, its status, and a description of the result. For example, when a command fails, the history shows the cause of the error.

Commands sent to mobile devices can have the following statuses:

  • Sent

    The command has been sent to the mobile device.

  • Executed

    Execution of the command has succeeded.

  • Error

    Execution of the command failed.

  • Canceling

    The command is being removed from the queue of commands sent to the mobile device.

  • Canceled

    The command has been successfully removed from the queue of commands sent to the mobile device.

The application maintains a command history for each mobile device.

To view the command history:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
  2. In the list of mobile devices, select the one for which you want to view the command history.
  3. Click Command history.

    The Command history window opens. The sections of the Command history window correspond to the commands that can be sent to the mobile device.

  4. Select the sections containing the commands you are interested in to view information about how those commands were sent and executed.

[Topic 274894]