Contents
Control
This section contains information about how to remotely monitor mobile devices in the Kaspersky Security Center Web Console.
Configuring restrictions
This section provides instructions on how to configure user access to the features of mobile devices.
Configuring restrictions for personal Android devices
These settings apply to personal devices and devices with a corporate container.
To keep an Android device secure, Kaspersky Mobile Devices Protection and Management lets you configure user access to the following features of mobile devices:
- Wi-Fi
- Camera
- Bluetooth
By default, the user can use Wi-Fi, camera, and Bluetooth on the device without restrictions.
To configure the Wi-Fi, camera, and Bluetooth usage restrictions on the device:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select Android and go to the Restrictions section.
- On the Device feature restrictions card, click Settings.
The Device feature restrictions window opens.
- Enable the settings using the Device feature restrictions toggle switch.
- Configure usage of Wi-Fi, camera, and Bluetooth:
- To disable the Wi-Fi module on the user's mobile device, select the Prohibit use of Wi-Fi check box.
On personal devices and devices with a corporate container running Android 10 or later, prohibiting the use of Wi-Fi networks is not supported.
- To disable the camera on the user's mobile device, select the Prohibit use of camera check box.
When camera usage is prohibited, the app displays a notification upon opening and then closes shortly after. On Asus and OnePlus devices, the notification is shown in full screen. The device user can tap the Close button to exit the app.
On devices running Android 11 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or later disable this service in the device settings. If this is the case, you will not be able to restrict use of the camera.
- To disable Bluetooth on the user's mobile device, select the Prohibit use of Bluetooth check box.
On Android 12 or later, the use of Bluetooth can be disabled only if the device user granted the Nearby devices permission. The user can grant this permission during the Initial Configuration Wizard or later.
On personal devices running Android 13 or later, the use of Bluetooth cannot be disabled.
- To disable the Wi-Fi module on the user's mobile device, select the Prohibit use of Wi-Fi check box.
- Click OK.
- Click Save to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
You can also restrict additional operating system features on corporate devices.
Page topConfiguring iOS MDM device restrictions
To ensure compliance with corporate security requirements, configure restrictions on the operation of iOS MDM devices.
Configuring feature restrictions
To configure iOS MDM device feature restrictions:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select iOS and go to the Restrictions section.
- On the Device feature restrictions card, click Settings.
The Device feature restrictions window opens.
- Enable the settings using the Device feature restrictions toggle switch.
- Enable iOS MDM device feature restrictions using toggle switches on corresponding tabs and select the required restrictions.
- Click OK.
- Click Save to save the changes you have made.
As a result, feature restrictions will be configured on the user's mobile device after the policy is applied.
Configuring app restrictions
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select iOS and go to the Restrictions section.
- On the App restrictions card, click Settings.
The App restrictions window opens.
- Enable the settings using the App restrictions toggle switch.
- Configure iOS MDM device app restrictions.
- Click OK.
- Click Save to save the changes you have made.
As a result, app restrictions will be configured on the user's mobile device after the policy is applied.
Configuring content restrictions
Categories used for content restrictions are determined by Apple. In some cases, when content restrictions are configured, actual results may differ from expected results.
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select iOS and go to the Restrictions section.
- On the Content restrictions card, click Settings.
The Content restrictions window opens.
- Enable the settings using the Content restrictions toggle switch.
- Configure iOS MDM device content restrictions.
- Click OK.
- Click Save to save the changes you have made.
As a result, content restrictions will be configured on the user's mobile device after the policy is applied.
Page topConfiguring user access to websites
This section contains instructions on how to configure access to websites on Android and iOS devices.
Configuring access to websites on Android devices
You can use Web Control to configure Android device users' access to websites. Web Control supports website filtering by categories defined in the Kaspersky Security Network cloud service. Filtering allows you to restrict user access to certain websites or categories of websites (for example, "Gambling, lotteries, sweepstakes" or "Internet communication"). Web Control is enabled by default.
Web Control on Android devices is supported only in Google Chrome, HUAWEI Browser, Samsung Internet, and Yandex Browser.
On corporate devices, if Kaspersky Endpoint Security for Android is not enabled as an Accessibility feature, Web Control is supported only in Google Chrome and checks only the domain of a website. To allow other browsers (Samsung Internet, Yandex Browser, and HUAWEI Browser) to support Web Control, enable Kaspersky Endpoint Security as an Accessibility feature. This will also let you use the Custom Tabs feature.
If Kaspersky Endpoint Security for Android is not enabled as an Accessibility feature and a proxy is enabled in the Google Chrome settings card, Web Control will not work.
To configure the settings for device users' access to websites:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select Android and go to the Security controls section.
- On the Web Control card, click Settings.
The Web Control window opens.
- Select one of the following options:
- If you want the app to restrict user access to websites depending on their content, do the following:
- In the Operating mode drop-down list, in the drop-down list select Prohibit websites in selected categories.
- In the Categories section, create a list of prohibited categories by selecting the check boxes next to the categories of websites to which the app will block access.
- If you want the app to allow or block user access only to specified websites, do the following:
- In the Operating mode drop-down list, select Allow only listed websites or Allow all websites except listed ones.
- Click Add.
- In the window that opens, create a list of websites to which the app will allow or block access, depending on the value selected in the drop-down list. You can add websites by link (full URL, including the protocol, for example,
https://example.com).To make sure that the app allows or blocks access to the specified website in all supported versions of Google Chrome, HUAWEI Browser, Samsung Internet, and Yandex Browser include the same URL twice — once with the HTTP protocol (for example,
http://example.com) and once with the HTTPS protocol (for example, https://example.com).For example:
https://example.com— The main page of the website is either allowed or blocked. This URL can only be accessed through the HTTP protocol.http://example.com— The main page of the website is either allowed or blocked, but only when accessed through the HTTP protocol. Other protocols like HTTPS are not affected.https://example.com/page/index.html— Only the index.html page of the website will be allowed or blocked. The rest of the website is not affected by this entry.
The app also supports regular expressions. When entering the address of an allowed or forbidden website, use the following templates:
https://example\.com/.*— This template blocks or allows all child pages of the website, accessed via the HTTPS protocol (for example,https://example.com/about).https?://example\.com/.*— This template blocks or allows all child pages of the website, accessed via both the HTTP and HTTPS protocols.https?://.*\.example\.com— This template blocks or allows all subdomain pages of the website (for example,https://pictures.example.com).https?://example\.com/[abc]/.*— This template blocks or allows all child pages of the website where the URL path begins with 'a', 'b', or 'c' as the first directory (for example,https://example.com/b/about).https?://\w{3,5}.example\.com/.*— This template blocks or allows all child pages of the website where the subdomain consists of a word with 3 to 5 characters (for example,http://abde.example.com/about).
Use the
https?expression to select both the HTTP and HTTPS protocols. For more details on regular expressions, please refer to the Oracle Technical Support website. - Click Add.
- If you want the app to block user access to all websites, in the Operating mode section, in the drop-down list, select Prohibit all websites.
- If you want the app to restrict user access to websites depending on their content, do the following:
- If you want the app to check the full URL when opening a website in Custom Tabs, select the Check full URL when using Custom Tabs check box.
Custom Tabs is an in-app browser that allows the user to view web pages without having to leave the app and switch to a full web browser version. This option provides better URL recognition and checks URLs against the configured Web Control rules. If the check box is selected, Kaspersky Endpoint Security for Android opens the website in a full version of the browser and checks the whole web address of the website. If the check box is cleared, Kaspersky Endpoint Security for Android checks only the domain of the website in Custom Tabs.
The Custom Tabs feature is supported in Google Chrome, HUAWEI Browser, and Samsung Internet.
- If you want to lift content-based restrictions on user access to websites, disable the settings using the Web Control toggle switch and click Disable.
- Click OK.
- Click Save to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Managing the website list
You can manage the list of websites with the following buttons:
- Add — Click to add a website to the list by entering a URL or regular expression.
- Upload — Click to add multiple websites to the list by specifying a TXT file that contains the required URLs or regular expressions. The file must be encoded in UTF-8. URLs or regular expressions in the file must be separated by semicolons or line breaks.
- Edit — Click to change the address of a website.
- Delete — Click to remove one or more websites from the list.
Configuring access to websites on iOS MDM devices
These settings apply to supervised devices.
Configure Web Control settings to control access to websites for iOS MDM device users. Web Control manages users' access to websites based on lists of allowed and forbidden websites. Web Control also lets you add website bookmarks on the bookmark panel in Safari.
By default, access to websites is not restricted.
If a URL is redirected to a different website, Web Control checks only the redirect target.
To configure settings for device users' access to websites:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select iOS and go to the Security controls section.
- On the Web Control card, click Settings.
The Web Control window opens.
- Enable the settings using the Web Control toggle switch.
- In the Operating mode drop-down list do one of the following:
- If you want to create a list of allowed websites, select Allow only listed websites.
- If you want to create a list of forbidden websites, select Allow all websites except listed ones.
- Do one of the following:
- If you want to add websites manually:
- Click Add:
- Add websites to which the app will allow or block access, depending on the value selected in the drop-down list.
The website address should begin with
http://orhttps://. Kaspersky Mobile Devices Protection and Management allows or blocks access to all websites in the domain. For example, if you addhttp://www.example.comto the list of allowed websites, access is allowedhttp://pictures.example.comandhttp://example.com/movies.If you want to add an allowed website to bookmarks in Safari on mobile devices, select the Add to bookmarks on device check box below the website address.
- Click Add.
- If you want to upload a TXT file with a list of websites, click Upload.
The TXT file must be saved with the UTF-8 encoding and LF or CR+RF line breaks.
- If you want to add websites manually:
- Click OK.
- Click Save to save the changes you have made.
As a result, once the policy is applied, Web Control will be configured on the mobile devices.
Page topCompliance Control
This section contains instructions on how to monitor the compliance of devices with corporate requirements and configure compliance control rules.
Compliance Control of Android devices
You can control Android devices for compliance with corporate security requirements. Corporate security requirements regulate how the user can work with the device. For example, the real-time protection must be enabled on the device, the anti-malware databases must be up-to-date, and the device password must be sufficiently strong. Compliance Control is based on a list of rules. A compliance rule includes the following components:
- Device check criterion (for example, absence of blocked apps on the device).
- Time period allocated for the user to fix the non-compliance (for example, 24 hours).
- Responses performed on the device if the user does not correct the non-compliance issue within the set time period (for example, lock the device).
If the device is in battery saver mode, Kaspersky Endpoint Security for Android may perform this task later than specified.
To create a rule for checking devices for compliance with a policy:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select Android and go to the Security controls section.
- On the Compliance Control card, click Settings.
The Compliance Control window opens.
- Enable the settings using the Compliance Control toggle switch.
- In the When non-compliance is detected section:
- Select the Notify user check box to inform the user that the device does not comply with the policy.
If the check box is cleared, the user is not notified of the non-compliance issue, and the response is performed on the device as soon as the time allocated for fixing the non-compliance expires.
- Select the Notify the administrator through the "Events" section check box to inform the administrator that the device does not comply with the policy.
- Select the Notify user check box to inform the user that the device does not comply with the policy.
- Click Add.
The Add rule wizard starts. This wizard will help you create a set of rules for checking the device compliance with the policy. Navigate through the wizard using the Next and Back buttons.
Step 1. Criterion for non-compliance
Click Add criterion to specify the non-compliance criterion to trigger the rule.
The following criteria are available:
- Real-time protection is disabled
Kaspersky Endpoint Security for Android is not installed or running on the device.
- Anti-malware databases on device are out of date
Anti-malware databases were last updated 3 or more days ago.
- Forbidden apps are installed
The list of apps on the device contains apps that are set as forbidden in the App Control settings of the policy.
- Apps from forbidden categories are installed
The list of apps on the device contains apps from the categories that are set as forbidden in the App Control settings of the policy.
- Not all required apps are installed
The list of apps on the device does not contain an app that is set as required in the App Control settings of the policy.
- Operating system version is outdated
The Android version on the device is outside the allowed range.
For this criterion, specify the minimum and maximum allowed versions of Android in the Minimum version and Maximum version fields. If the maximum allowed version is set to Any, future Android versions supported by Kaspersky Endpoint Security for Android will also be allowed.
- Device has not been synchronized for a long time
The last synchronization of the device with the Administration Server is checked.
For this criterion, specify the maximum period after the last synchronization in the Period without synchronization field.
- Device has been rooted
The device is hacked (root access is gained on the device).
- Unlock password is not compliant with security settings specified in policy
The unlock password on the device is not compliant with the settings defined in the Screen unlock settings card.
- Installed version of Kaspersky Endpoint Security for Android is outdated
Kaspersky Endpoint Security for Android installed on the device is obsolete.
This criterion applies only to an app installed using a Kaspersky Endpoint Security for Android installation package and if the minimum allowed version of Kaspersky Endpoint Security for Android is specified in the App update settings of the policy.
- SIM card usage is not compliant with security requirements
The device SIM card has been replaced or removed compared to the previous check state, or an additional SIM card has been inserted.
For this criterion, select the specific condition that must be monitored:
- The SIM card must not be replaced or removed
- The SIM card must not be replaced or removed; additional SIM cards must not be inserted
- Device location
The device is outside the specified geofence areas.
Specifying the geofence area will result in increased device power consumption.
For this criterion, select the specific condition that must be monitored:
- The device is within a specified geofence (the geofence areas are combined using the OR logical operator).
- The device is outside specified geofences (the geofence areas are combined using the AND logical operator).
To add a geofence area:
- Click Add geofences.
The Add geofences window opens.
- Specify the Geofence name.
- Specify the geofence perimeter by entering a latitude and a longitude for each point.
For each geofence area, you can manually enter from 3 to 100 coordinate pairs (latitude, longitude) as decimal numbers.
A geofence perimeter must not contain intersecting lines.If needed, you can specify more than 3 points by clicking the Add point button.
To delete a point, click the X button.
You can view the specified geofence area in the Yandex.Maps program by clicking View on map.
- Click OK to add the specified geofences.
- Kaspersky Endpoint Security for Android has no access to precise or background location
Kaspersky Endpoint Security for Android is not allowed to access the precise location of the device or use the device location in the background.
Step 2. Responses for non-compliance with security requirements
Add the responses to be performed on the device if the specified non-compliance criterion is detected.
Choose one of the following options:
- Add instant response. The response is applied instantly after the non-compliance criterion is detected.
- Add deferred response. The response is applied after a deferral period that you can specify in the Deferral period field.
The following responses are available:
- Block all apps except system apps
All apps on the device, except system apps, are blocked from starting.
As soon as the non-compliance criterion selected for the rule is no longer detected on the device, the apps are automatically unblocked.
- Lock device
The mobile device is locked. To obtain access to data, you must unlock the device by entering the one-time passcode or using the Unlock device command.
- Wipe corporate data
The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:
- On a personal device, Knox profile and mail certificate are wiped.
- On a corporate device, Knox profile and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
- Additionally, on a device with corporate container, the container (its content, configurations, and restrictions) and the certificates installed in it (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
- Reset to factory settings
All data is wiped from the device and settings are rolled back to their factory values. After this response is performed, the device will no longer be managed. To connect the device to Kaspersky Security Center, you must reinstall Kaspersky Endpoint Security for Android.
On devices running Android 14 or later, this response is only applicable if the device is operating in corporate device mode.
- Lock corporate container
Corporate container on the device is locked. To obtain access to corporate container, you must unlock it.
The response is only applicable to devices running Android 6 or later.
After the corporate container on a device is locked, the history of the container passwords is cleared. It means that the user can specify one of the recent passwords, regardless of the corporate container password settings.
- Wipe data of all apps
On a corporate device, data of all apps on the device is wiped.
On a device with corporate container, data of all apps in the container is wiped.
As a result, apps are rolled back to their default state.
The response is only applicable to devices running Android 9 or later in corporate device or device with corporate container operating modes.
- Wipe data of a specified app
For this response, you need to specify the package name for the app whose data is to be wiped. How to get the package name of an app
As a result, the app is rolled back to its default state.
The response is only applicable to devices running Android 9 or later in corporate device or device with corporate container operating modes.
- Prohibit safe boot
The user is not allowed to boot the device in safe mode.
The response is only applicable to corporate devices running Android 6 or later.
- Prohibit use of camera
The user is not allowed to use any cameras on the device.
- Prohibit use of Bluetooth
The user is not allowed to turn on and configure Bluetooth settings.
The response is only applicable to personal devices running Android 12 or earlier, corporate devices, or devices with corporate container.
- Prohibit use of Wi-Fi
The user is not allowed to use and configure Wi-Fi settings.
The response is only applicable to personal devices running Android 9 or earlier or corporate devices.
- Prohibit USB debugging features
The user is not allowed to use USB debugging features and developer mode on the device.
The response is only applicable to corporate devices or devices with corporate container.
- Prohibit airplane mode
The user is not allowed to enable airplane mode on the device.
The response is only applicable to corporate devices running Android 9 or later.
- Block all apps except system apps
Click Add rule to finish the Add rule wizard. The new rule and its details appear in the list of the Compliance Control rules. To temporarily disable a rule, use the toggle switch next to the selected rule.
To enable the automatic wiping of data from devices associated with disabled accounts of Active Directory users, select the Wipe data from devices with disabled Active Directory user accounts check box and select one of the following actions:
- Wipe corporate data
- Reset to factory settings
On devices running Android 14 or later, this action is only applicable if the device is operating in corporate device mode.
These settings require integration with Microsoft Active Directory.
If you use policy profiles, be sure to enable the wipe data option for the entire policy. When a user account is disabled in Active Directory, it is first removed from the Active Directory user group. As a result, the policy profile is no longer applied to this user account, so the data is not wiped from the device.
Click Save to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Page topCompliance Control of iOS MDM devices
Compliance Control lets you monitor iOS MDM devices for compliance with corporate security requirements and take actions if non-compliance is found. Compliance Control is based on a list of rules. Each rule includes the following components:
- Status (whether the rule is enabled or disabled).
- Non-compliance criteria (for example, absence of the specified apps or the operating system version).
- Responses performed on the device if the user does not correct the non-compliance issue within the set time period (for example, wipe corporate data or send an email message to the user).
To create a rule for checking devices for compliance with a policy:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select iOS and go to the Security controls section.
- On the Compliance Control card, click Settings.
The Compliance Control window opens.
- Enable the settings using the Compliance Control toggle switch.
- Click Add.
The Add rule wizard starts. This wizard will help you create a set of rules for checking the device compliance with the policy. Navigate through the wizard using the Next and Back buttons.
Step 1. Criterion for non-compliance
Click Add criterion to specify the non-compliance criterion to trigger the rule.
The following criteria are available:
- List of installed apps
The list of apps on the device contains forbidden apps or does not contain required apps.
For this criterion, select a condition (Contains or Does not contain) and specify the Bundle ID of the app. How to get the bundle ID of an app
- Operating system version
The version of the operating system on the device is outside the allowed range.
For this criterion, select a condition (Equal to, Not equal to, Earlier than, Earlier than or equal to, Later than, or Later than or equal to) and specify the iOS version.
Note that the Equal to and Not equal to operators check for a full match of the operating system version with the specified value. For instance, if you specify iOS 15 in the rule, but the device is running iOS 15.2, the Equal to criterion is not met. If you need to specify a range of versions, you can create two criteria and use the Earlier than and Later than operators.
- Supervision status
The supervision status of the device is not the one required.
For this criterion, select the device operating mode (Supervised or Basic control).
- Device type
The device type is not the one required.
For this criterion, select a device type (iPhone or iPad).
- Device model
The device model is not the one required.
For this criterion, select a condition (Equal to or Not equal to) and specify models that will be checked or excluded from the check, respectively.
To specify a model, in the Model identifier field, select the required model from the list or enter a value manually. The list contains mobile device codes and their matching product names. For example, if you want to add all iPhone 14 models, type "iPhone 14". In this case, you can select any of the available models: "iPhone 14", "iPhone 14 Plus", "iPhone 14 Pro", "iPhone 14 Pro Max".
In some cases, the same product name may correspond to several mobile device codes (for example, the "iPhone 7" product name corresponds to two mobile device codes, "iPhone 9.1" and "iPhone 9.3"). Be sure that you select all of the mobile device codes that correspond to the required models.
If you enter a value that is not on the list, nothing will be found. However, you can click Add: "<value>" under the field to add the entered value to the criterion.
If you specify the criteria that contradict each other (for example, Device type is set to iPhone but the list of values of Device model, with the Equal to operator selected, contains an iPad model), an error message is displayed. You cannot save a rule with such criteria.
- Roaming
The device roaming status is not the one required.
For this criterion, select a condition (Device is roaming or Device is not roaming).
- Password on device
A password is not set or not compliant with the settings specified in the Screen unlock settings card.
For this criterion, select a condition (Not set, Set but not compliant, or Set and compliant).
- Free storage on device
The amount of free space on the device is less than the specified threshold.
For this criterion, specify the threshold amount of free space (Less than or equal to), and then select the measurement unit (MB or GB).
- Device is not encrypted
The device is not encrypted.
Data encryption is enabled by default on password-locked iOS devices (Settings > Touch ID / Face ID and Password > Enable Password). Also, the hardware encryption on a device must be set to At block and file level (you can check this setting in the device properties: go to Assets (Devices) → Mobile → Devices, and then select the required device).
- Actions with SIM card
The device SIM card has been replaced or removed compared to the previous check state, or an additional SIM card has been inserted.
For this criterion, select a condition (The SIM card must not be replaced or removed or The SIM card must not be replaced or removed; additional SIM cards must not be inserted).
On eSIM compatible devices, the non-compliance detection cannot be removed by inserting the previously removed eSIM. This is because the device operating system recognizes each added eSIM as a new one. In this case, delete the compliance control rule from the policy.
- Device has not been synchronized for a long time
The last synchronization of the device with iOS MDM Server is checked.
For this criterion, specify the maximum time after the last sync in the Period without synchronization field, and then select the measurement unit (Hours or Days).
We do not recommend that you specify a value less than the value of the Synchronization period (min) setting specified in the iOS MDM Server settings.
Step 2.Responses for non-compliance with security requirements
Add the responses to be performed on the device if the specified non-compliance criterion is detected.
Choose one of the following options:
- Add instant response. The response is applied instantly after the non-compliance criterion is detected.
- Add deferred response. The response is applied after a deferral period that you can specify in the Deferral period field.
Responses are performed during the compliance rule check, which happens every 40 minutes, and persist until the next synchronization with the iOS MDM Server. To prevent repeating responses from a single non-compliance instance, set the Synchronization period (min) value to 30 minutes in the iOS MDM Server settings.
If you specify responses that contradict each other, an error message is displayed. You cannot save such a rule.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the response by sending the respective command to the device.
The following responses are available:
- Send a message to the user
The user is informed about the non-compliance by email.
For this response, specify user email addresses in the Email and Alternate email address fields. If necessary, you can also edit the email subject and default text.
Make sure the Email notifications are configured in the Administration Server properties. For detailed information on configuring notifications delivery, refer to the Kaspersky Security Center Help.
- Wipe corporate data
All installed configuration profiles, provisioning profiles, the device management profile, and apps for which the Remove when device management profile is deleted check box has been selected are removed from the device. This response is performed by sending the Wipe corporate data command.
- Modify profile
For this response, specify one of the actions:
- Install profile. The configuration profile is installed on device. This action is performed by sending the Install configuration profile command. For this response, you also need to specify the ID of the profile to be installed.
Before the profile is installed, it must be added to the list of configuration profiles in the Configuration profiles section of the iOS MDM Server settings.
- Delete specified profile. The configuration profile is deleted from the device. This response is performed by sending the Delete configuration profile command. For this action, you also need to specify the ID of the profile to be deleted.
- Delete all profiles. All previously installed configuration profiles are deleted from the device.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can install the deleted configuration profiles one by one, by sending the respective command to the device.
- Install profile. The configuration profile is installed on device. This action is performed by sending the Install configuration profile command. For this response, you also need to specify the ID of the profile to be installed.
- Update operating system
For this response, specify the OS version and one of the actions:
- Download and install. The device operating system is downloaded and installed.
If a non-existent operating system version is specified in the Operating system version criterion, the device will upgrade to the latest downloaded operating system.
- Download only. The device operating system is downloaded.
- Install only. The previously downloaded operating system is installed.
This response is only applicable to supervised devices.
- Download and install. The device operating system is downloaded and installed.
- Modify Bluetooth settings
For this response, specify whether you want to enable or disable Bluetooth on the device.
This response is only applicable to supervised devices.
- Reset to factory settings
All data is deleted from the device and the settings are rolled back to their default values. After this response is performed, the device will no longer be managed. To connect the device to Kaspersky Security Center, you must reinstall the device management profile on it.
- Modify apps
For this response, specify one of the actions:
- Delete specified app. The specified app is removed from the device.
You can delete only a managed app. An app is considered managed if it has been installed through Kaspersky Security Center by executing the Install app command.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the response by sending the respective command to the device.
For this action, specify the Bundle ID of the app to be deleted. How to get the bundle ID of an app
- Delete all apps. All managed apps are deleted from the device.
You can delete only managed apps. An app is considered managed if it has been installed through Kaspersky Security Center by executing the Install app command.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can install the deleted apps one by one, by sending the respective command to the device.
For this action, specify the Bundle ID of the apps to be deleted. How to get the bundle ID of an app
- Delete specified app. The specified app is removed from the device.
- Delete profile of specified type
For this response, specify the Profile type to be deleted from the device (for example, Web Clips or Calendar subscriptions).
As soon as the non-compliance criteria selected for the rule are no longer detected on the device, the deleted profiles are automatically restored.
- Modify roaming settings
For this response, specify whether you want to enable or disable data roaming on the device.
- Send a message to the user
Click Add rule to finish the Add rule wizard. The new rule and its details appear in the list of Compliance Control rules. To temporarily disable a rule, use the toggle switch next to the selected rule.
To enable the automatic wiping of data from devices associated with disabled accounts of Active Directory users, select the Wipe data from devices with disabled Active Directory user accounts check box and choose one of the following actions:
- Wipe corporate data
- Reset to factory settings
These settings require integration with Microsoft Active Directory.
If you use policy profiles, be sure to enable the wipe data option for the entire policy. When a user account is disabled in Active Directory, it is first removed from the Active Directory user group. As a result, the policy profile is no longer applied to this user account, so the data is not wiped from the device.
Click Save to save the changes you have made.
Page topApp Control
This section contains instructions on how to configure user access to apps on a mobile device.
App Control on Android devices
The App Control component lets you manage apps on Android devices and configure use of these apps to keep the devices secure.
You can restrict user activity on a device on which forbidden apps are installed or required apps are not installed (for example, by locking the device). You can impose restrictions using the Compliance Control component. To do so, in the rule settings, you must select the Forbidden apps are installed, Apps from forbidden categories are installed, or Not all required apps are installed criterion.
Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of App Control. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or later disable this service in the device settings. If the user does this, App Control will not run.
On corporate devices, you have extended control over the device. App Control operates without notifying the device user:
- Required apps are installed automatically in the background. To install apps silently, you need to specify a link to the APK file of the required app in the policy settings.
- Forbidden apps can be deleted from the device automatically. To delete apps silently, you need to select the Remove forbidden apps automatically check box in the policy settings.
To configure app startup settings on the mobile device:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select Android and go to the Security controls section.
- On the App Control card, click Settings.
The App Control window opens.
- Enable the settings using the App Control toggle switch.
- Configure the settings on the following tabs:
- If you want to configure general rules of app management, go to the App use tab.
- If you want to set actions to be performed for selected apps, go to the App management tab.
- Click OK.
- Click Save to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Page topApp Control on iOS MDM devices
These settings apply to supervised devices.
Kaspersky Security Center lets you manage apps on iOS MDM devices to keep these devices secure. You can create a list of apps allowed to be installed on devices and a list of apps prohibited from being displayed and launched on devices.
To configure the list of apps allowed or prohibited to be installed on devices:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select iOS and go to the Security controls section.
- On the App Control card, click Settings.
The App Control window opens.
- Enable the settings using the App Control toggle switch.
- In the Operating mode field, select one of the following options:
- Use all apps except forbidden ones
All apps will be displayed and available to run on the device except the ones from the list.
- Use only allowed apps
This option is selected by default. If you select this option, the user will be able to open only the following apps on the device:
- Apps in the list
- System apps
All other apps will be hidden.
- Use all apps except forbidden ones
- Click Add to add apps to the list.
- In the window that opens, specify the app's bundle ID in the corresponding field. Specify the
com.apple.webappvalue to allow or restrict all Web Clips. How to get the bundle ID of an appIf necessary, you can specify several bundle IDs by clicking the Add bundle ID button.
- Click Save.
- Click OK.
- Click Save to save the changes you have made.
Mobile device settings are changed after the next device synchronization with the iOS MDM Server.
As a result, once the policy is applied, the specified settings for apps are configured on devices.
Page topMobile device protection levels
Mobile device protection levels defined by Kaspersky Security Center
Web Console lets you quickly assess the current protection level of managed mobile devices in the Assets (Devices) → Mobile → Devices section.
A device can have one of the following protection levels: OK, Warning, or Critical.
The protection levels are assigned and sent to Kaspersky Security Center, in accordance with the following requirements:
- One reason for assigning a protection level is detected on the device — the device gets the status displayed in the list of managed devices.
- Multiple reasons for assigning protection levels are detected on the device — Kaspersky Mobile Devices Protection and Management assigns the most critical status.
- No reasons for assigning a protection level are detected on the device — Kaspersky Mobile Devices Protection and Management does not send a status to Kaspersky Security Center, and the status is set as OK.
Protection levels and their meanings
Protection level
Meaning
OKAn administrator's intervention is not required.
WarningEvents have been logged that are related to potential or actual threats to the security of managed devices.
CriticalSerious problems have been encountered. An administrator's intervention is required to solve them.
The administrator's goal is to ensure that the OK protection level exists on all devices.
Mobile device protection levels defined by Kaspersky Mobile Devices Protection and Management
Kaspersky Mobile Devices Protection and Management defines the protection level of mobile devices based on policy settings and then sends the protection levels to Kaspersky Security Center during synchronization. The administrator can change the protection level in the policy, depending on the severity level of the condition (see the Default values, reasons, and conditions for assigning a protection level on Android devices table). In this case, the value set by the administrator overrides the default value defined by Kaspersky Mobile Devices Protection and Management.
Default values, reasons, and conditions for assigning a protection level on Android devices
Condition |
Reason for protection level |
Default value |
|---|---|---|
Real-time protection is not running
|
One of the following reasons:
|
Critical |
Web Protection and Web Control are not running |
One of the following reasons:
|
Warning |
App Control is not running |
The Accessibility permission has not been granted. |
Warning |
Device lock is not available |
One of the following reasons:
|
Warning |
Device location is not available |
One of the following reasons:
|
Warning |
Versions of the Kaspersky Security Network Statement do not match |
The version of the Kaspersky Security Network Statement that the user accepted in the policy and the version of the Kaspersky Security Network Statement on the device do not match. |
Warning |
Versions of the Marketing Statement do not match |
The version of the Statement regarding data processing for marketing purposes that the user accepted in the policy and the version of the Statement regarding data processing for marketing purposes on the device do not match. |
OK |
Software inventory on Android devices
You can take an inventory of apps on Android devices connected to the Administration Server. Kaspersky Endpoint Security for Android receives information about all apps installed on mobile devices. Information obtained while taking inventory is displayed in the device properties in the Events section. In this section, you can view detailed information on each installed app.
To enable software inventory:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select Android and go to the Security controls section.
- On the App Control card, click Settings.
The App Control window opens.
- In the Report on installed apps section, select the Send data on installed apps check box.
- If you want to receive data about system apps, select the Send data on built-in apps check box.
- If you want to receive data about service apps, which do not have an interface and cannot be opened by the user, select the Send data on service apps check box.
- Click OK.
- Click Save to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. Kaspersky Endpoint Security for Android sends data to the event log each time an app is installed or removed from the device.
Page top