Compliance Control
This section contains instructions on how to monitor the compliance of devices with corporate requirements and configure compliance control rules.
Compliance Control of Android devices
You can control Android devices for compliance with corporate security requirements. Corporate security requirements regulate how the user can work with the device. For example, the real-time protection must be enabled on the device, the anti-malware databases must be up-to-date, and the device password must be sufficiently strong. Compliance Control is based on a list of rules. A compliance rule includes the following components:
- Device check criterion (for example, absence of blocked apps on the device).
- Time period allocated for the user to fix the non-compliance (for example, 24 hours).
- Responses performed on the device if the user does not correct the non-compliance issue within the set time period (for example, lock the device).
If the device is in battery saver mode, Kaspersky Endpoint Security for Android may perform this task later than specified.
To create a rule for checking devices for compliance with a policy:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select Android and go to the Security controls section.
- On the Compliance Control card, click Settings.
The Compliance Control window opens.
- Enable the settings using the Compliance Control toggle switch.
- In the When non-compliance is detected section:
- Select the Notify user check box to inform the user that the device does not comply with the policy.
If the check box is cleared, the user is not notified of the non-compliance issue, and the response is performed on the device as soon as the time allocated for fixing the non-compliance expires.
- Select the Notify the administrator through the "Events" section check box to inform the administrator that the device does not comply with the policy.
- Click Add.
The Add rule wizard starts. This wizard will help you create a set of rules for checking the device compliance with the policy. Navigate through the wizard using the Next and Back buttons.
Step 1. Criterion for non-compliance
Click Add criterion to specify the non-compliance criterion to trigger the rule.
The following criteria are available:
- Real-time protection is disabled
Kaspersky Endpoint Security for Android is not installed or running on the device.
- Anti-malware databases on device are out of date
Anti-malware databases were last updated 3 or more days ago.
- Forbidden apps are installed
The list of apps on the device contains apps that are set as forbidden in the App Control settings of the policy.
- Apps from forbidden categories are installed
The list of apps on the device contains apps from the categories that are set as forbidden in the App Control settings of the policy.
- Not all required apps are installed
The list of apps on the device does not contain an app that is set as required in the App Control settings of the policy.
- Operating system version is outdated
The Android version on the device is outside the allowed range.
For this criterion, specify the minimum and maximum allowed versions of Android in the Minimum version and Maximum version fields. If the maximum allowed version is set to Any, future Android versions supported by Kaspersky Endpoint Security for Android will also be allowed.
- Device has not been synchronized for a long time
The last synchronization of the device with the Administration Server is checked.
For this criterion, specify the maximum period after the last synchronization in the Period without synchronization field.
- Device has been rooted
The device is rooted (root access has been obtained on the device).
- Unlock password is not compliant with security settings specified in policy
The unlock password on the device is not compliant with the settings defined in the Screen unlock settings card.
- Installed version of Kaspersky Endpoint Security for Android is outdated
Kaspersky Endpoint Security for Android installed on the device is obsolete.
This criterion applies only to an app installed using a Kaspersky Endpoint Security for Android installation package and if the minimum allowed version of Kaspersky Endpoint Security for Android is specified in the App update settings of the policy.
- SIM card usage is not compliant with security requirements
The device SIM card has been replaced or removed compared to the previous check state, or an additional SIM card has been inserted.
For this criterion, select the specific condition that must be monitored:
- The SIM card must not be replaced or removed
- The SIM card must not be replaced or removed; additional SIM cards must not be inserted
- Device location
The device is outside the specified geofence areas.
Specifying the geofence area will result in increased device power consumption.
For this criterion, select the specific condition that must be monitored:
- The device is within a specified geofence (the geofence areas are combined using the OR logical operator).
- The device is outside specified geofences (the geofence areas are combined using the AND logical operator).
To add a geofence area:
- Click Add geofences.
The Add geofences window opens.
- Specify the Geofence name.
- Specify the geofence perimeter by entering a latitude and a longitude for each point.
For each geofence area, you can manually enter from 3 to 100 coordinate pairs (latitude, longitude) as decimal numbers.
A geofence perimeter must not contain intersecting lines. If needed, you can specify more than 3 points by clicking the Add point button.
To delete a point, click the X button.
You can view the specified geofence area in the Yandex.Maps program by clicking View on map.
- Click OK to add the specified geofences.
- Kaspersky Endpoint Security for Android has no access to precise or background location
Kaspersky Endpoint Security for Android is not allowed to access the precise location of the device or use the device location in the background.
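The Device location criterion above combines geofences with OR (the device must be inside at least one of them) or with AND (it must be outside every one of them), and each perimeter is a polygon of 3 to 100 decimal coordinate pairs with no intersecting lines. The following example, added here for illustration and not code from Kaspersky, shows how such a criterion can be evaluated: it validates a perimeter against those constraints, tests a position against the polygons, and flags non-compliance under either condition. The reading that "within" and "outside" describe the compliant state (so non-compliance is their negation), the condition names, the sample fences and the sample positions are all assumptions of this example.

```python
# Added illustration of the geofence criterion: point-in-polygon on a
# (latitude, longitude) plane plus the perimeter checks described on the page.
# Not Kaspersky code; the condition names "within"/"outside" and the sample
# fences and positions are constructed for this example.
from typing import List, Tuple

Point = Tuple[float, float]  # (latitude, longitude) in decimal degrees


def _orient(a: Point, b: Point, c: Point) -> int:
    """Sign of the cross product (b - a) x (c - a): +1 left turn, -1 right turn, 0 collinear."""
    v = (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])
    return (v > 0) - (v < 0)


def segments_cross(p1: Point, p2: Point, q1: Point, q2: Point) -> bool:
    """True when segment p1-p2 properly crosses q1-q2 (shared endpoints do not count)."""
    return (_orient(p1, p2, q1) * _orient(p1, p2, q2) < 0
            and _orient(q1, q2, p1) * _orient(q1, q2, p2) < 0)


def validate_geofence(points: List[Point]) -> None:
    """Enforce the page's constraints: 3 to 100 decimal coordinate pairs, no intersecting lines."""
    if not 3 <= len(points) <= 100:
        raise ValueError("a geofence needs between 3 and 100 coordinate pairs")
    for lat, lon in points:
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            raise ValueError(f"coordinate out of range: {(lat, lon)}")
    n = len(points)
    edges = [(points[i], points[(i + 1) % n]) for i in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            if j == i + 1 or (i == 0 and j == n - 1):
                continue  # neighbouring edges share a vertex; that is not a crossing
            if segments_cross(*edges[i], *edges[j]):
                raise ValueError("geofence perimeter must not contain intersecting lines")


def point_in_polygon(pt: Point, polygon: List[Point]) -> bool:
    """Ray casting in the lat/lon plane; adequate for site-sized fences away from the poles."""
    lat, lon = pt
    inside = False
    n = len(polygon)
    for i in range(n):
        lat1, lon1 = polygon[i]
        lat2, lon2 = polygon[(i + 1) % n]
        if (lon1 > lon) != (lon2 > lon):  # edge straddles the ray's longitude
            crossing_lat = lat1 + (lon - lon1) * (lat2 - lat1) / (lon2 - lon1)
            if lat < crossing_lat:
                inside = not inside
    return inside


def non_compliant(location: Point, geofences: List[List[Point]], condition: str) -> bool:
    """Evaluate the Device location criterion.

    condition == "within":  the device must be inside at least one fence (fences OR-ed);
                            non-compliance is flagged when it is inside none of them.
    condition == "outside": the device must be outside every fence (fences AND-ed);
                            non-compliance is flagged when it is inside any of them.
    """
    for fence in geofences:
        validate_geofence(fence)
    inside_any = any(point_in_polygon(location, fence) for fence in geofences)
    if condition == "within":
        return not inside_any
    if condition == "outside":
        return inside_any
    raise ValueError(f"unknown condition: {condition}")


# Constructed sample fences (two rectangles in decimal degrees) and sample positions.
HQ_FENCE: List[Point] = [(52.00, 13.00), (52.00, 13.10), (52.10, 13.10), (52.10, 13.00)]
BRANCH_FENCE: List[Point] = [(48.00, 11.00), (48.00, 11.10), (48.10, 11.10), (48.10, 11.00)]
AT_HQ: Point = (52.05, 13.05)
ON_THE_ROAD: Point = (50.00, 12.00)

if __name__ == "__main__":
    for where in (AT_HQ, ON_THE_ROAD):
        print(where, "within-rule non-compliant:",
              non_compliant(where, [HQ_FENCE, BRANCH_FENCE], "within"))
```

The self-intersection check is what makes a "bow-tie" perimeter (points listed in an order that crosses itself) fail validation before it is ever used for a location test; in the product the same requirement appears as the rule that a perimeter must not contain intersecting lines.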
Step 2. Responses for non-compliance with security requirements
Add the responses to be performed on the device if the specified non-compliance criterion is detected.
Choose one of the following options:
- Add instant response. The response is applied instantly after the non-compliance criterion is detected.
- Add deferred response. The response is applied after a deferral period that you can specify in the Deferral period field.
The following responses are available:
- Block all apps except system apps
All apps on the device, except system apps, are blocked from starting.
As soon as the non-compliance criterion selected for the rule is no longer detected on the device, the apps are automatically unblocked.
- Lock device
The mobile device is locked. To obtain access to data, you must unlock the device by entering the one-time passcode or using the Unlock device command.
- Wipe corporate data
The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:
- On a personal device, Knox profile and mail certificate are wiped.
- On a corporate device, Knox profile and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
- Additionally, on a device with corporate container, the container (its content, configurations, and restrictions) and the certificates installed in it (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
- Reset to factory settings
All data is wiped from the device and settings are rolled back to their factory values. After this response is performed, the device will no longer be managed. To connect the device to Kaspersky Security Center, you must reinstall Kaspersky Endpoint Security for Android.
On devices running Android 14 or later, this response is only applicable if the device is operating in corporate device mode.
- Lock corporate container
Corporate container on the device is locked. To obtain access to corporate container, you must unlock it.
The response is only applicable to devices running Android 6 or later.
After the corporate container on a device is locked, the history of the container passwords is cleared. This means that the user can set one of the recent passwords again, regardless of the corporate container password settings.
- Wipe data of all apps
On a corporate device, data of all apps on the device is wiped.
On a device with corporate container, data of all apps in the container is wiped.
As a result, apps are rolled back to their default state.
The response is only applicable to devices running Android 9 or later in corporate device or device with corporate container operating modes.
- Wipe data of a specified app
For this response, you need to specify the package name for the app whose data is to be wiped (see How to get the package name of an app).
As a result, the app is rolled back to its default state.
The response is only applicable to devices running Android 9 or later in corporate device or device with corporate container operating modes.
- Prohibit safe boot
The user is not allowed to boot the device in safe mode.
The response is only applicable to corporate devices running Android 6 or later.
- Prohibit use of camera
The user is not allowed to use any cameras on the device.
- Prohibit use of Bluetooth
The user is not allowed to turn on and configure Bluetooth settings.
The response is only applicable to personal devices running Android 12 or earlier, corporate devices, or devices with corporate container.
- Prohibit use of Wi-Fi
The user is not allowed to use and configure Wi-Fi settings.
The response is only applicable to personal devices running Android 9 or earlier or corporate devices.
- Prohibit USB debugging features
The user is not allowed to use USB debugging features and developer mode on the device.
The response is only applicable to corporate devices or devices with corporate container.
- Prohibit airplane mode
The user is not allowed to enable airplane mode on the device.
The response is only applicable to corporate devices running Android 9 or later.
Click Add rule to finish the Add rule wizard. The new rule and its details appear in the list of the Compliance Control rules. To temporarily disable a rule, use the toggle switch next to the selected rule.
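The rule structure described in this section (a non-compliance criterion, instant responses, deferred responses with a deferral period, and responses such as app blocking that are lifted once the criterion is no longer detected) can be modelled in a few dozen lines. The following is an added example written for this page, not Kaspersky's implementation: the rule and response names are taken from the criteria and responses listed above, while the device-state fields (rtp_enabled, db_age_days), the hourly clock and the sample states are constructed assumptions.

```python
# Added model of a Compliance Control rule: a non-compliance criterion, instant and
# deferred responses, and automatic lifting of the responses once the criterion
# clears. This is an illustration written for this page, not Kaspersky's code; the
# device-state fields and the hourly clock are constructed for the example.
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Response:
    action: str
    deferral_hours: int = 0  # 0 = instant response; >0 = deferred response


@dataclass
class Rule:
    name: str
    criterion: Callable[[dict], bool]  # returns True when non-compliance is detected
    responses: List[Response]
    # device id -> hour at which the non-compliance was first detected
    first_detected: Dict[str, int] = field(default_factory=dict)


def active_responses(rule: Rule, device_id: str, state: dict, now_hours: int) -> List[str]:
    """Responses that should be in force on the device at this check.

    Instant responses apply from the first check that detects the criterion; deferred
    ones apply once the deferral period has elapsed since that first detection. When
    the criterion is no longer detected, all responses are lifted and the clock resets.
    """
    if not rule.criterion(state):
        rule.first_detected.pop(device_id, None)
        return []
    started = rule.first_detected.setdefault(device_id, now_hours)
    elapsed = now_hours - started
    return [r.action for r in rule.responses if elapsed >= r.deferral_hours]


def check_all(rules: List[Rule], device_id: str, state: dict, now_hours: int) -> Dict[str, List[str]]:
    """Evaluate every rule; only rules with at least one active response are reported."""
    result: Dict[str, List[str]] = {}
    for rule in rules:
        active = active_responses(rule, device_id, state, now_hours)
        if active:
            result[rule.name] = active
    return result


def make_rules() -> List[Rule]:
    """Two rules built from criteria and responses named on the page (constructed combinations)."""
    return [
        Rule(
            name="Real-time protection is disabled",
            criterion=lambda s: not s["rtp_enabled"],
            responses=[Response("Block all apps except system apps"),
                       Response("Lock device", deferral_hours=24)],
        ),
        Rule(
            name="Anti-malware databases on device are out of date",
            criterion=lambda s: s["db_age_days"] >= 3,
            responses=[Response("Prohibit use of camera", deferral_hours=48)],
        ),
    ]


# Constructed device-state samples.
COMPLIANT = {"rtp_enabled": True, "db_age_days": 1}
RTP_OFF = {"rtp_enabled": False, "db_age_days": 1}

if __name__ == "__main__":
    rules = make_rules()
    for hour, state in [(0, RTP_OFF), (12, RTP_OFF), (24, RTP_OFF), (30, COMPLIANT)]:
        print(f"t={hour:>2}h", check_all(rules, "device-1", state, hour))
```

The deferral clock is tracked per device and per rule, which is what makes "deferred response" meaningful: a device that is fixed and then breaks the same rule again starts a fresh deferral period rather than being locked immediately. Whether the real product resets the clock in exactly this way is not stated on the page; the model shows the behaviour an administrator would expect from the description.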
To enable the automatic wiping of data from devices associated with disabled accounts of Active Directory users, select the Wipe data from devices with disabled Active Directory user accounts check box and select one of the following actions:
- Wipe corporate data
- Reset to factory settings
On devices running Android 14 or later, this action is only applicable if the device is operating in corporate device mode.
These settings require integration with Microsoft Active Directory.
If you use policy profiles, be sure to enable the wipe data option for the entire policy. When a user account is disabled in Active Directory, it is first removed from the Active Directory user group. As a result, the policy profile is no longer applied to this user account, so the data is not wiped from the device.
Click Save to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
Compliance Control of iOS MDM devices
Compliance Control lets you monitor iOS MDM devices for compliance with corporate security requirements and take actions if non-compliance is found. Compliance Control is based on a list of rules. Each rule includes the following components:
- Status (whether the rule is enabled or disabled).
- Non-compliance criteria (for example, absence of the specified apps or the operating system version).
- Responses performed on the device if the user does not correct the non-compliance issue within the set time period (for example, wipe corporate data or send an email message to the user).
To create a rule for checking devices for compliance with a policy:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select iOS and go to the Security controls section.
- On the Compliance Control card, click Settings.
The Compliance Control window opens.
- Enable the settings using the Compliance Control toggle switch.
- Click Add.
The Add rule wizard starts. This wizard will help you create a set of rules for checking the device compliance with the policy. Navigate through the wizard using the Next and Back buttons.
Step 1. Criterion for non-compliance
Click Add criterion to specify the non-compliance criterion to trigger the rule.
The following criteria are available:
- List of installed apps
The list of apps on the device contains forbidden apps or does not contain required apps.
For this criterion, select a condition (Contains or Does not contain) and specify the Bundle ID of the app (see How to get the bundle ID of an app).
- Operating system version
The version of the operating system on the device is outside the allowed range.
For this criterion, select a condition (Equal to, Not equal to, Earlier than, Earlier than or equal to, Later than, or Later than or equal to) and specify the iOS version.
Note that the Equal to and Not equal to operators check for a full match of the operating system version with the specified value. For instance, if you specify iOS 15 in the rule, but the device is running iOS 15.2, the Equal to criterion is not met. If you need to specify a range of versions, you can create two criteria and use the Earlier than and Later than operators.
- Supervision status
The supervision status of the device is not the one required.
For this criterion, select the device operating mode (Supervised or Basic control).
- Device type
The device type is not the one required.
For this criterion, select a device type (iPhone or iPad).
- Device model
The device model is not the one required.
For this criterion, select a condition (Equal to or Not equal to) and specify models that will be checked or excluded from the check, respectively.
To specify a model, in the Model identifier field, select the required model from the list or enter a value manually. The list contains mobile device codes and their matching product names. For example, if you want to add all iPhone 14 models, type "iPhone 14". In this case, you can select any of the available models: "iPhone 14", "iPhone 14 Plus", "iPhone 14 Pro", "iPhone 14 Pro Max".
In some cases, the same product name may correspond to several mobile device codes (for example, the "iPhone 7" product name corresponds to two mobile device codes, "iPhone 9.1" and "iPhone 9.3"). Be sure that you select all of the mobile device codes that correspond to the required models.
If you enter a value that is not on the list, nothing will be found. However, you can click Add: "<value>" under the field to add the entered value to the criterion.
If you specify the criteria that contradict each other (for example, Device type is set to iPhone but the list of values of Device model, with the Equal to operator selected, contains an iPad model), an error message is displayed. You cannot save a rule with such criteria.
- Roaming
The device roaming status is not the one required.
For this criterion, select a condition (Device is roaming or Device is not roaming).
- Password on device
A password is not set or not compliant with the settings specified in the Screen unlock settings card.
For this criterion, select a condition (Not set, Set but not compliant, or Set and compliant).
- Free storage on device
The amount of free space on the device is less than the specified threshold.
For this criterion, specify the threshold amount of free space (Less than or equal to), and then select the measurement unit (MB or GB).
- Device is not encrypted
The device is not encrypted.
Data encryption is enabled by default on password-locked iOS devices (Settings > Touch ID / Face ID and Password > Enable Password). Also, the hardware encryption on a device must be set to At block and file level (you can check this setting in the device properties: go to Assets (Devices) → Mobile → Devices, and then select the required device).
- Actions with SIM card
The device SIM card has been replaced or removed compared to the previous check state, or an additional SIM card has been inserted.
For this criterion, select a condition (The SIM card must not be replaced or removed or The SIM card must not be replaced or removed; additional SIM cards must not be inserted).
On eSIM-compatible devices, the non-compliance detection cannot be cleared by inserting the previously removed eSIM, because the device operating system recognizes each added eSIM as a new one. In this case, delete the compliance control rule from the policy.
- Device has not been synchronized for a long time
The last synchronization of the device with iOS MDM Server is checked.
For this criterion, specify the maximum time after the last sync in the Period without synchronization field, and then select the measurement unit (Hours or Days).
We do not recommend that you specify a value less than the value of the Synchronization period (min) setting specified in the iOS MDM Server settings.
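The Operating system version criterion above has one edge case worth checking before a rule is saved: Equal to and Not equal to require a full match of the version string, so a rule for iOS 15 does not match a device running iOS 15.2, and a version range has to be expressed as two criteria with Earlier than and Later than. The example below, added here and not code from Kaspersky, implements the six operators with those semantics. The version parsing, the ordering rule for versions of different lengths (missing trailing components count as 0 for the ordered operators only), and the assumption that two criteria in one rule are alternatives (either one being met flags the device) are this example's choices; the page does not state how the product combines several criteria.

```python
# Added illustration of the iOS "Operating system version" criterion operators.
# Not Kaspersky code: the operator names come from the page, the comparison
# rules are this example's reading of it, and how several criteria in one rule
# are combined is assumed (either criterion being met flags the device).
from typing import Callable, Dict, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'15.2.1' -> (15, 2, 1). Component count is kept, so '15' and '15.0' are not a full match."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in parts)


def _order(a: Version, b: Version) -> int:
    """Ordering comparison: -1, 0 or +1. Missing trailing components count as 0,
    so 15.2 sorts after 15 and 16 sorts equal to 16.0.0."""
    width = max(len(a), len(b))
    a_pad = a + (0,) * (width - len(a))
    b_pad = b + (0,) * (width - len(b))
    return (a_pad > b_pad) - (a_pad < b_pad)


# Equal to / Not equal to require a full match of the version; the others are ordered.
OPERATORS: Dict[str, Callable[[Version, Version], bool]] = {
    "Equal to": lambda dev, rule: dev == rule,
    "Not equal to": lambda dev, rule: dev != rule,
    "Earlier than": lambda dev, rule: _order(dev, rule) < 0,
    "Earlier than or equal to": lambda dev, rule: _order(dev, rule) <= 0,
    "Later than": lambda dev, rule: _order(dev, rule) > 0,
    "Later than or equal to": lambda dev, rule: _order(dev, rule) >= 0,
}


def criterion_met(device_version: str, operator: str, rule_version: str) -> bool:
    """True when the device version satisfies the criterion, i.e. the rule would trigger."""
    return OPERATORS[operator](parse_version(device_version), parse_version(rule_version))


def outside_allowed_range(device_version: str, minimum: str, maximum: str) -> bool:
    """The two-criteria pattern the page suggests for a range: 'Earlier than <minimum>'
    and 'Later than <maximum>'. Either criterion being met means the device is outside
    the allowed range (assumption: criteria in one rule are alternatives)."""
    return (criterion_met(device_version, "Earlier than", minimum)
            or criterion_met(device_version, "Later than", maximum))


if __name__ == "__main__":
    # Constructed sample checks: a rule written for "15" against a device on 15.2.
    print("Equal to 15 on a 15.2 device:", criterion_met("15.2", "Equal to", "15"))
    print("15.7 outside [15, 16.4]:", outside_allowed_range("15.7", "15", "16.4"))
```

A practical use for the function is pre-flighting a rule against the OS versions actually reported in Assets (Devices) → Mobile → Devices before enabling a wipe or profile-deletion response, so that an Equal to criterion written for a major version does not silently miss every patched device.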
Step 2. Responses for non-compliance with security requirements
Add the responses to be performed on the device if the specified non-compliance criterion is detected.
Choose one of the following options:
- Add instant response. The response is applied instantly after the non-compliance criterion is detected.
- Add deferred response. The response is applied after a deferral period that you can specify in the Deferral period field.
Responses are performed during the compliance rule check, which happens every 40 minutes, and persist until the next synchronization with the iOS MDM Server. To prevent repeating responses from a single non-compliance instance, set the Synchronization period (min) value to 30 minutes in the iOS MDM Server settings.
If you specify responses that contradict each other, an error message is displayed. You cannot save such a rule.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the response by sending the respective command to the device.
The following responses are available:
- Send a message to the user
The user is informed about the non-compliance by email.
For this response, specify user email addresses in the Email and Alternate email address fields. If necessary, you can also edit the email subject and default text.
Make sure the Email notifications are configured in the Administration Server properties. For detailed information on configuring notifications delivery, refer to the Kaspersky Security Center Help.
- Wipe corporate data
All installed configuration profiles, provisioning profiles, the device management profile, and apps for which the Remove when device management profile is deleted check box has been selected are removed from the device. This response is performed by sending the Wipe corporate data command.
- Modify profile
For this response, specify one of the actions:
- Install profile. The configuration profile is installed on device. This action is performed by sending the Install configuration profile command. For this response, you also need to specify the ID of the profile to be installed.
Before the profile is installed, it must be added to the list of configuration profiles in the Configuration profiles section of the iOS MDM Server settings.
- Delete specified profile. The configuration profile is deleted from the device. This response is performed by sending the Delete configuration profile command. For this action, you also need to specify the ID of the profile to be deleted.
- Delete all profiles. All previously installed configuration profiles are deleted from the device.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can install the deleted configuration profiles one by one, by sending the respective command to the device.
- Update operating system
For this response, specify the OS version and one of the actions:
- Download and install. The device operating system is downloaded and installed.
If a non-existent operating system version is specified in the Operating system version criterion, the device will upgrade to the latest downloaded operating system.
- Download only. The device operating system is downloaded.
- Install only. The previously downloaded operating system is installed.
This response is only applicable to supervised devices.
- Modify Bluetooth settings
For this response, specify whether you want to enable or disable Bluetooth on the device.
This response is only applicable to supervised devices.
- Reset to factory settings
All data is deleted from the device and the settings are rolled back to their default values. After this response is performed, the device will no longer be managed. To connect the device to Kaspersky Security Center, you must reinstall the device management profile on it.
- Modify apps
For this response, specify one of the actions:
- Delete specified app. The specified app is removed from the device.
You can delete only a managed app. An app is considered managed if it has been installed through Kaspersky Security Center by executing the Install app command.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the response by sending the respective command to the device.
For this action, specify the Bundle ID of the app to be deleted (see How to get the bundle ID of an app).
- Delete all apps. All managed apps are deleted from the device.
You can delete only managed apps. An app is considered managed if it has been installed through Kaspersky Security Center by executing the Install app command.
When the non-compliance criteria selected for the rule are no longer detected on the device, you can install the deleted apps one by one, by sending the respective command to the device.
For this action, specify the Bundle ID of the apps to be deleted (see How to get the bundle ID of an app).
- Delete profile of specified type
For this response, specify the Profile type to be deleted from the device (for example, Web Clips or Calendar subscriptions).
As soon as the non-compliance criteria selected for the rule are no longer detected on the device, the deleted profiles are automatically restored.
- Modify roaming settings
For this response, specify whether you want to enable or disable data roaming on the device.
Click Add rule to finish the Add rule wizard. The new rule and its details appear in the list of Compliance Control rules. To temporarily disable a rule, use the toggle switch next to the selected rule.
To enable the automatic wiping of data from devices associated with disabled accounts of Active Directory users, select the Wipe data from devices with disabled Active Directory user accounts check box and choose one of the following actions:
- Wipe corporate data
- Reset to factory settings
These settings require integration with Microsoft Active Directory.
If you use policy profiles, be sure to enable the wipe data option for the entire policy. When a user account is disabled in Active Directory, it is first removed from the Active Directory user group. As a result, the policy profile is no longer applied to this user account, so the data is not wiped from the device.
Click Save to save the changes you have made.