Management of mobile devices

This section contains information about how to remotely manage mobile devices in Kaspersky Security Center Web Console.

Managing Android devices

Kaspersky Security Center Web Console lets you manage Android devices in the following ways:

• Centrally manage devices by using commands.
• View information about the settings for management of Android devices.
• Install apps by using mobile app packages.
• Disconnect Android devices from management.

Corporate devices

This section contains information about managing the settings of corporate Android devices. For information about installing Kaspersky Endpoint Security for Android on corporate devices, see here.

Restricting Android features on devices

Expand all | Collapse all

These settings apply to corporate devices.

You can restrict Android operating system features on corporate devices. For example, you can restrict factory reset, changing credentials, use of Google Play and Google Chrome, file transfer over USB, changing location settings, and management of system updates. You can also restrict operating system features on personal devices and devices with a corporate container.

To restrict Android features:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the Restrictions section.
4. On the Device feature restrictions card, click Settings.

   The Device feature restrictions window opens.

5. Enable the settings using the Device feature restrictions toggle switch.
6. Enable device feature restrictions using toggle switches on the corresponding tabs and select the required restrictions.
7. Click OK.
8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Restrict device features

On the General tab, you can enable or disable the following features.

• Features in the Data loss protection section:
  • Prohibit reset to factory settings

    Selecting or clearing this check box specifies whether the device user is allowed to perform a factory reset from device settings.

    This check box is cleared by default.

  • Prohibit screen capture

    Selecting or clearing this check box specifies whether the device user is allowed to take screenshots and record and share the device screen. It also specifies whether the contents of the device screen are allowed to be captured for artificial intelligence purposes.

    This check box is cleared by default.

  • Prohibit safe boot

    Selecting or clearing this check box specifies whether the device user is allowed to boot the device in safe mode.

    The restriction is supported on devices with Android 6 or later.

    This check box is cleared by default.

• Features in the Calls and SMS section:
  • Prohibit outgoing phone calls

    Selecting or clearing this check box specifies whether the device user is allowed to make outgoing phone calls on this device.

    This check box is cleared by default.

  • Prohibit sending and receiving SMS messages

    Selecting or clearing this check box specifies whether the device user is allowed to send and receive SMS messages on this device.

    This check box is cleared by default.

• Features in the Location services section:
  • Prohibit use of location

    Prevents turning location services on and off.

    If the check box is selected, the device user cannot turn location services on or off. Search in Anti-Theft mode becomes unavailable.

    If the check box is cleared, the device user can turn location services on or off.

    This check box is cleared by default.

    Various combinations of values for Prohibit use of location and Prohibit modifying location settings produce different results for the location services feature and configuration.

    Prohibit use of location	Prohibit modifying location settings	Feature restriction result
    Enabled	Enabled	Location services are disabled and cannot be enabled by the device user.
    Enabled	Disabled	Location services are disabled and can be enabled by the device user. Disabling the Prohibit modifying location settings restriction makes it possible for the user to disable location services on the device, which may make some features unavailable.
    Disabled	Enabled	Location services are enabled and cannot be disabled by the device user.
    Disabled	Disabled	Location services are enabled and can be disabled by the device user. Disabling the Prohibit modifying location settings restriction makes it possible for the user to disable location services on the device, which may make some features unavailable.

  • Prohibit sharing location

    If this option is enabled, the user cannot share the device location via apps that provide a location-sharing feature.

    By default, the option is disabled.

  • Prohibit modifying location settings

    Prevents changing location settings.

    If the check box is selected, the device user cannot change location settings or disable location services.

    If the check box is cleared, the device user can change location settings.

    The restriction is supported on devices with Android 9 or later.

    This check box is cleared by default.

    Various combinations of values for Prohibit use of location and Prohibit modifying location settings produce different results for the location services feature and configuration.

    Prohibit use of location	Prohibit modifying location settings	Feature restriction result
    Enabled	Enabled	Location services are disabled and cannot be enabled by the device user.
    Enabled	Disabled	Location services are disabled and can be enabled by the device user. Disabling the Prohibit modifying location settings restriction makes it possible for the user to disable location services on the device, which may make some features unavailable.
    Disabled	Enabled	Location services are enabled and cannot be disabled by the device user.
    Disabled	Disabled	Location services are enabled and can be disabled by the device user. Disabling the Prohibit modifying location settings restriction makes it possible for the user to disable location services on the device, which may make some features unavailable.

• Features in the Keyguard section:
  • Prohibit keyguard features

    Selecting or clearing the check box specifies whether a user's device can be unlocked with a swipe.

    This setting has no effect if a password, PIN code, or pattern is currently set as an unlock method on the device.

    This check box is cleared by default.

  • Prohibit disabling keyguard notifications

    Selecting or clearing the check box specifies whether notifications are prohibited when the device screen is locked.

    This check box is cleared by default.

  • Prohibit using keyguard camera

    Selecting or clearing the check box specifies whether the device user is prohibited to use the camera when the device is locked.

    This check box is cleared by default.

  • Prohibit using keyguard trust agents

    Selecting or clearing this check box specifies whether trusted apps are prohibited when the device screen is locked. Trusted apps are apps that allow the device user to unlock the device without a password, PIN code, or fingerprint.

    This check box is cleared by default.

• Features in the Users and accounts section:
  • Prohibit adding Google accounts

    Selecting or clearing the check box specifies whether the device user is allowed to add and remove Google accounts.

    This check box is cleared by default.

  • Prohibit adding users

    Selecting or clearing the check box specifies whether the device user is allowed to add new users.

    This check box is selected by default. If a corporate device was connected to Kaspersky Security Center via a QR code, the restriction is enabled and can't be disabled.

    The restriction can be disabled only on devices that meet the following requirements:

    • The corporate device was connected to Kaspersky Security Center via the adb.exe installation package.
    • The device must support multiple users.
  • Prohibit switching user

    If this option is enabled, the user cannot switch the current user of the device.

    By default, the option is disabled.

  • Prohibit removing users

    Selecting or clearing the check box specifies whether the device user is allowed to remove users.

    This check box is selected by default. If a corporate device was connected to Kaspersky Security Center via a QR code, the restriction can't be disabled.

    The restriction can be disabled only on devices that meet the following requirements:

    • The corporate device was connected to Kaspersky Security Center via the adb.exe installation package.
    • The device must support multiple users.
  • Prohibit changing credentials

    Selecting or clearing this check box specifies whether the device user is allowed to change user credentials in the operating system.

    This check box is cleared by default.

Restrict app features

On the Apps tab, you can enable or disable the following features.

• Features in the General section:
  • Prohibit installation of apps

    Selecting or clearing the check box specifies whether the device user is allowed to install apps on the device.

    This check box is cleared by default.

  • Prohibit installation of apps from unknown sources

    Selecting or clearing the check box specifies whether the device user is allowed to install apps from unknown sources.

    This check box is cleared by default.

  • Prohibit modification of apps in Settings

    Prevents modifying apps in Settings.

    If the check box is selected, the device user is not allowed to perform the following actions:

    • Uninstall apps
    • Disable apps
    • Clear app caches
    • Clear app data
    • Force stop apps
    • Clear app defaults

    If the check box is cleared, the device user is allowed to modify apps in Settings.

    This check box is cleared by default.

  • Prohibit disabling app verification

    Selecting or clearing the check box specifies whether the device user is allowed to disable app verification.

    This check box is cleared by default.

  • Prohibit uninstallation of apps

    Selecting or clearing the check box specifies whether a device user is allowed to uninstall apps from this device.

    This check box is cleared by default.

• Features in the Google apps section:
  • Prohibit Google Play

    Selecting or clearing the check box specifies whether the device user is allowed to use Google Play.

    This check box is cleared by default.

  • Prohibit Google Chrome

    Prevents use of Google Chrome.

    If the check box is selected, the device user cannot start Google Chrome or configure it in system settings.

    If the check box is cleared, the device user is allowed to use Google Chrome on the device.

    The check box is cleared by default.

  • Prohibit Google Assistant

    Selecting or clearing the check box specifies whether the device user is allowed to use Google Assistant on the device.

    This check box is cleared by default.

• Features in the Camera section:
  • Prohibit use of camera

    Selecting or clearing the check box specifies whether the device user is allowed to use all cameras on the device.

    If the check box is selected, the solution usually blocks the camera from being opened. However, for Asus and OnePlus devices, the icon for the camera app is completely hidden when the check box is selected.

    This check box is cleared by default.

  • Prohibit camera toggle

    Prevents the device user from toggling the camera.

    If the check box is selected, the device user cannot block the camera access via the system toggle.

    If the check box is cleared, the device user is allowed to use the camera toggle.

    The restriction is supported on devices with Android 12 or later.

    This check box is cleared by default.

    On some Xiaomi and HUAWEI devices running Android 12, this restriction does not work. This issue is caused by the specific features of MIUI firmware on Xiaomi devices and EMUI firmware on HUAWEI devices.

• Granting runtime permissions for apps

  This setting allows you to select an action to be performed when apps installed on corporate devices are running and request additional permissions. This does not apply to permissions granted in Settings (e.g. Access All Files) on the device.

  • Allow users to configure permissions

    When a permission is requested, the user decides whether to grant the specified permission to the app.

    This option is selected by default.

  • Grant permissions automatically

    All apps installed on corporate devices are granted permissions without user interaction.

  • Deny permissions automatically

    All apps installed on corporate devices are denied permissions without user interaction.

    Users can adjust app permissions in device settings before these permissions are denied automatically.

  On Android 12 or later, the following permissions can't be granted automatically but can be denied automatically. If you select Grant permissions automatically, the app will prompt the user for these permissions:

  • Location permissions
  • Permissions for camera
  • Permissions to record audio
  • Permission for activity recognition
  • Permissions to monitor SMS and MMS incoming messages

  • Permissions to access body sensor data

Restrict storage features

On the Storage tab, in the General section, you can enable or disable the following features.

• Prohibit debugging features

  Prevents use of debugging features.

  If the check box is selected, the device user cannot use USB debugging features and developer mode.

  If the check box is cleared, the device user is allowed to enable and access debugging features and developer mode.

  This check box is cleared by default.

• Prohibit mounting physical external media

  Selecting or clearing the check box specifies whether the device user is allowed to mount physical external media, such as SD cards and OTG adapters.

  This check box is cleared by default.

• Prohibit file transfer over USB

  Selecting or clearing this check box specifies whether the device user is allowed to transfer files over USB.

  This check box is cleared by default.

• Prohibit backup service

  Selecting or clearing the check box specifies whether the device user is allowed to enable or disable the backup service.

  The restriction is supported on devices with Android 8 or later.

  This check box is cleared by default.

Restrict network features

On the Network tab, you can enable or disable the following features.

• Features in the General section:
  • Prohibit airplane mode

    Selecting or clearing the check box specifies whether the device user is allowed to enable airplane mode on the device.

    This restriction is supported on devices with Android 9 or later.

    This check box is cleared by default.

  • Prohibit use of Android Beam via NFC

    Selecting or clearing the check box specifies whether beaming out data from apps via NFC is allowed on the device. However, the device user can enable or disable NFC.

    This check box is cleared by default.

  • Prohibit use of tethering

    Selecting or clearing the check box specifies whether the device user is allowed to configure tethering and hotspots.

    This check box is cleared by default.

  • Prohibit modifying VPN settings

    Prevents changing VPN settings.

    If the check box is selected, the device user cannot configure a VPN in Settings and VPNs are prohibited from starting.

    If the check box is cleared, the device user is allowed to modify a VPN in Settings.

    This check box is cleared by default.

  • Prohibit resetting network settings

    Selecting or clearing the check box specifies whether the device user is allowed to reset network settings in Settings.

    This restriction is supported on devices with Android 6 or later.

    This check box is cleared by default.

• Features in the Wi-Fi section:
  • Prohibit use of Wi-Fi

    Selecting or clearing the check box specifies whether the device user is allowed to use Wi-Fi and configure it in Settings.

    This check box is cleared by default.

  • Prohibit enabling/disabling Wi-Fi

    If this option is enabled, the user cannot enable or disable Wi-Fi on the device. Also, Wi-Fi cannot be disabled via airplane mode.

    By default, the option is disabled.

  • Prohibit modifying Wi-Fi settings

    Selecting or clearing the check box specifies whether the device user is allowed to configure Wi-Fi access points via Settings. The restriction does not affect Wi-Fi tethering settings.

    This check box is cleared by default.

  • Prohibit Wi-Fi Direct

    If this option is enabled, the user cannot use the Wi-Fi Direct feature on the device.

    By default, the option is disabled.

  • Prohibit sharing pre-configured Wi-Fi networks

    If this option is enabled, the user cannot share Wi-Fi networks that are configured in the policy settings. Other Wi-Fi networks on the device are not affected.

    By default, the option is disabled.

  • Prohibit adding Wi-Fi networks

    If this option is enabled, the user cannot manually add new Wi-Fi networks on the device.

    By default, the option is disabled.

  • Prohibit changing pre-configured Wi-Fi networks

    Selecting or clearing the check box specifies whether the device user is allowed to change Wi-Fi configurations added by the administrator in the Wi-Fi section.

    This check box is cleared by default.

• Features in the Bluetooth section:
  • Prohibit use of Bluetooth

    Prevents use of Bluetooth.

    If the check box is selected, the device user cannot turn on and configure Bluetooth via Settings.

    If the check box is cleared, the device user is allowed to use Bluetooth.

    The restriction is supported on devices with Android 8 or later.

    This check box is cleared by default.

  • Prohibit modifying Bluetooth settings

    Selecting or clearing the check box specifies whether the device user is allowed to configure Bluetooth via Settings.

    This check box is cleared by default.

  • Prohibit outgoing data sharing over Bluetooth

    Selecting or clearing the check box specifies whether outgoing Bluetooth data sharing is allowed on the device.

    The restriction is supported on devices with Android 8.0 or later.

    This check box is cleared by default.

• Features in the Mobile networks section:
  • Prohibit modifying mobile network settings

    Selecting or clearing the check box specifies whether the device user is allowed to change mobile network settings.

    This check box is cleared by default.

  • Prohibit use of cellular data while roaming

    Selecting or clearing the check box specifies whether the device user is allowed to use cellular data while roaming.

    If the check box is selected, the device can't update anti-malware databases and synchronize with the Administration Server while roaming.

    To allow anti-malware database updates while roaming, this check box must be cleared and the Allow database update while roaming check box in the Database update settings of the policy must be selected.

    To allow device synchronization with the Administration Server while roaming, both this check box and the Do not synchronize while roaming check box in the Scheduled synchronization settings of the policy must be cleared.

    This restriction is supported on devices with Android 7 or later.

    This check box is cleared by default.

Additional restrictions

On the Additional settings tab, you can enable or disable the following features.

• Features in the Language, date, and time section:
  • Prohibit changing language

    Selecting or clearing the check box specifies whether the device user is allowed to change the device language.

    This restriction is supported on devices with Android 9 or later.

    This check box is cleared by default.

    On some corporate devices (for example, Xiaomi, TECNO, and Realme) running Android 9 or later, when you select the Prohibit changing language check box, the user still can change the language, and no warning message appears.

  • Prohibit changing date, time, and time zone

    Selecting or clearing the check box specifies whether the device user is allowed to change date, time, and time zone in Settings.

    This restriction is supported on devices with Android 9 or later.

    This check box is cleared by default.

• Features in the Display section:
  • Prohibit changing wallpaper

    Selecting or clearing the check box specifies whether the device user is allowed to change the wallpaper on the mobile device.

    This restriction is supported on devices with Android 7 or later.

    This check box is cleared by default.

  • Prohibit adjusting brightness

    Selecting or clearing the check box specifies whether the device user is allowed to adjust the brightness on the mobile device.

    This restriction is supported on devices with Android 9 or later.

    This check box is cleared by default.

  • Prohibit status bar

    Prevents the status bar from being displayed.

    If the check box is selected, the status bar is not displayed on the device. Notifications and quick settings accessible via the status bar are also blocked.

    If the check box is cleared, the status bar can be displayed on the device.

    The restriction is supported on devices with Android 6 or later.

    This check box is cleared by default.

  • Prohibit ambient display

    If this option is enabled, the user cannot use the Ambient Display feature on the device.

    By default, the option is disabled.

• Features in the Screen on section:
  • Force screen on when plugged in to AC charger

    Selecting or clearing the check box specifies whether the device screen will be on while the device is charging using an AC charger.

    The restriction is supported on devices with Android 6 or later.

    This check box is cleared by default.

  • Force screen on when plugged in to USB charger

    Selecting or clearing the check box specifies whether the device screen will be on while the device is charging using a USB charger.

    The restriction is supported on devices with Android 6 or later.

    This check box is cleared by default.

  • Force screen on when charging wirelessly

    Selecting or clearing this check box specifies whether the device screen will be on while the device is charging using a wireless charger.

    The restriction is supported on devices with Android 6 or later.

    This check box is cleared by default.

• Features in the Microphone section:
  • Prohibit unmuting microphone

    If this option is enabled, the device microphone is muted.

    If this option is disabled, the user can unmute the microphone and adjust its volume.

    By default, the option is disabled.

  • Prohibit microphone toggle

    If this option is enabled, the user cannot disable access to the microphone via the system toggle on the device. If access to the microphone on the device is disabled when this option is enabled, it is automatically re-enabled.

    By default, the option is disabled.

    On some Xiaomi and HUAWEI devices running Android 12, this restriction does not work. This issue is caused by the specific features of MIUI firmware on Xiaomi devices and EMUI firmware on HUAWEI devices.

• Features in the Volume section:
  • Prohibit adjusting volume

    Restricts volume adjustment and muting the device.

    If the check box is selected, the device user can't adjust the volume and the device is muted.

    If the check box is cleared, the device user can adjust the volume and the device is unmuted.

    Anti-Theft can disregard this restriction to play a sound on the device. The restriction is disabled to allow the sound to play, and then it is re-enabled.

    This check box is cleared by default.

Restrict system updates

Management of update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may not work correct.

On the OS update tab, you can configure the following settings.

• In the Update mode section:
  • Set system update policy

    Type of system update policy.

    If the check box is selected, one of the following system update policies is set:

    • Install updates automatically. Installs system updates immediately without user interaction. This option is selected by default.
    • Install updates during daily window. Installs system updates during a daily maintenance window without user interaction.

      You also need to set the start and end of the daily maintenance window in the Start time and End time fields respectively.

    • Postpone updates for 30 days. Postpones the installation of system updates for 30 days.

      After the specified period, the operating system prompts the device user to install the updates. The period is reset and starts again if a new system update is available.

    If the check box is cleared, a system update policy is not set.

    This check box is selected by default.

    Management of update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may not work correct.

• In the Freeze periods section:
  • System update freeze periods

    This block lets you set one or more freeze periods of up to 90 days during which system updates will not be installed on the device. When the device is in a freeze period, it behaves as follows:

    • The device does not receive any notifications about pending system updates.
    • System updates are not installed.
    • The device user cannot check for system updates manually.

      To add a freeze period, click Add period and enter the start and end of the freeze period in the Start date and End date fields respectively.

    Each freeze period can be at most 90 days long, and the interval between consecutive freeze periods must be at least 60 days.

    The restriction is supported on devices with Android 9 or later.

    Management of update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may not work correct.

Configuring kiosk mode for Android devices

These settings apply to corporate devices.

Expand all | Collapse all

Kiosk mode is a Kaspersky Endpoint Security for Android feature that lets you limit the apps available to a device user to a single app or a set of multiple apps. You can also efficiently manage some device settings.

Kiosk mode does not affect the work of the Kaspersky Endpoint Security for Android app. It runs in the background, shows notifications, and can be updated.

Types of kiosk modes

The following types of kiosk mode are available in Kaspersky Endpoint Security:

• Single-app mode

  Kiosk mode with only a single app. In this mode, a device user can open only the one app that is allowed on the device and specified in the kiosk mode settings. If the app that you want to add to kiosk mode is not installed on the device, kiosk mode activates after the app is installed.

  On Android 9 or later, the app launches directly in kiosk mode.

  On Android 8 or earlier, the specified app must support kiosk mode functionality and call the startLockTask() method itself to launch the app.

• Multi-app mode

  Kiosk mode with multiple apps. In this mode, a device user can open only the set of apps that are allowed on the device and specified in the kiosk mode settings.

Before you configure kiosk mode

Before you configure kiosk mode, do the following:

• Before specifying the apps that are allowed to be run on the device in kiosk mode, you first need to select the Install action for these apps on the App management tab of the App Control card. Then, they will appear in the App package list of the kiosk mode.
• Before activating kiosk mode, we recommend that you prohibit starting Google Assistant by enabling the corresponding restriction in Assets (Devices) → Policies & profiles → Application settings → Android → Restrictions → Device feature restrictions → Apps → Prohibit Google Assistant. Otherwise, Google Assistant starts in kiosk mode and allows non-trusted apps to be opened.

Open the kiosk mode settings

To open the kiosk mode settings:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the Restrictions section.
4. On the Kiosk mode card, click Settings.

The Kiosk mode window opens.

Configure single-app mode

To configure single-app mode:

1. Enable the settings using the Kiosk mode toggle switch.
2. In the Operating mode drop-down list, select Single-app mode.
3. In the App package drop-down list, select an app package with the app that is allowed to be run on the device.
4. Specify any required restrictions. For available restrictions, see the "Kiosk mode restrictions" section below.
5. Select the Allow navigation to trusted apps check box if you want to add other apps that a device user can navigate to. For more details, see the "Add additional apps" section below.
6. Click OK.
7. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Configure multi-app mode

To configure multi-app mode:

1. Enable the settings using the Kiosk mode toggle switch.
2. In the Operating mode drop-down list, select Multi-app mode.
3. Click Add package and select the apps that are allowed to be run on the device.
4. Specify any required restrictions. For available restrictions, see the "Kiosk mode restrictions" section below.
5. Select the Allow navigation to trusted apps check box if you want to add other apps that a device user can navigate to. For more details, see the "Add additional apps" section below.
6. Click OK.
7. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Kiosk mode restrictions

You can set the following restrictions in kiosk mode:

• Prohibit Overview button

  Selecting or clearing this check box specifies whether the Overview button is hidden. This restriction is supported on devices with Android 9 or later.

  The check box is selected by default.

• Prohibit Home button

  Selecting or clearing this check box specifies whether the Home button is hidden. This restriction is supported on devices with Android 9 or later.

  The check box is selected by default.

• Prohibit status bar

  Selecting or clearing this check box specifies whether the status bar displays notifications, indicators such as connectivity and battery, and the sound and vibrate options. This restriction is supported on devices with Android 9 or later.

  The check box is selected by default.

• Prohibit system notifications

  Selecting or clearing this check box specifies whether system notifications are hidden. This restriction is supported on devices with Android 9 or later.

  The check box is selected by default.

Add additional apps

Besides locking the device to a single app or set of apps, you can also specify additional apps, that the main app can use. These additional apps allow the apps added to kiosk mode to provide their full functionality. For example, the user can view a document or access a website opened from the main app. By default, these additional apps are hidden on a device and a user cannot launch them manually.

To add additional apps:

1. In the Additional apps section, select the Allow navigation to trusted apps check box.
2. Click Add package and specify the desired app package name.

   How to get the package name of an app

   To get the name of an app package:

   1. Open Google Play.
   2. Find the app and open its page.

   The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

   To get the name of an app package that has been added to Kaspersky Security Center:

   1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
   2. Click Android apps.

      In the list of apps that opens, app identifiers are displayed in the Package name column.

3. Click OK.
4. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Connecting to a NDES/SCEP server

Expand all | Collapse all

These settings apply to corporate devices.

You can connect to an NDES/SCEP server to obtain a certificate from a certificate authority (CA) using the Simple Certificate Enrollment Protocol (SCEP). To do this, you need to add a connection to the certificate authority and a certificate profile.

To add a connection to the certificate authority and a certificate profile:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the Device configuration section.
4. On the SCEP and NDES card, click Settings.

   The SCEP and NDES window opens.

5. Enable the settings using the SCEP and NDES toggle switch.

   The Add connection to certificate authority window opens.

6. Add a connection to the certificate authority:
   1. In the Connection name field, enter the name of the connection to the certificate authority.
   2. In the Protocol type drop-down list, select the protocol version.
   3. In the Server URL field, enter the URL of a NDES or SCEP server.

      The format of the NDES server URL is http://<ServerName>/certsrv/mscep/mscep.dll.

   4. In the Challenge phrase type drop-down list, select one of the following options to configure the authentication challenge:
      • None

        Challenge response is disabled. No authentication data is required.

      • Static

        Challenge response is enabled. You must enter the authentication phrase in the Static challenge phrase field.

   5. If you selected the Static option, in the Static challenge phrase field, enter the authentication phrase.
   6. Click Add.

   The connection to the certificate authority is added. You can add multiple connections to certificate authorities.

7. Select the Certificate profile tab and click Add.

   The Add profile window opens.

8. Add a certificate profile:
   1. In the General settings section, in the Profile name field, enter the unique certificate profile name.
   2. In the Certificate authority (CA) drop-down list select the certificate authority that you added on the Certificate authority tab.
   3. In the Subject Name field specify the subject of the certificate. Subject name is a unique identifier that includes information about what is being certified, such as common name, organization, organizational unit, and country code. You can either enter a value or select a macro by clicking the button.
   4. If you want to add an alternative name that represents the certificate subject name, click Add Subject Alternative Name and configure the following settings:
      1. In the Type of Subject Alternative Name drop-down list select the subject alternative name type.
      2. In the Subject Alternative Name field enter the alternative name. You can either enter a value or select a macro by clicking the button.

      You can add multiple subject alternative names.

   5. In the Key section, in the Key size (bit) drop-down list, select the certificate's private key length.
   6. In the Private key type drop-down list select the certificate's private key type:
   7. If you want the certificate to be automatically reissued to the device before it expires, in the Certificate section, select the Renew certificate automatically check box. This check box is cleared by default.
   8. If you selected the Renew certificate automatically check box, enter the number of days before the expiration date when the certificate is reissued in the Renew certificate before it expires in (days) field.
   9. Click Add.

   The certificate profile is added. You can add multiple certificate profiles.

9. Click OK.
10. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

You can edit or remove the added connections to certificate authorities and certificate profiles by clicking Edit and Delete at the top of the list.

If you delete a connection to a certificate authority, all certificate profiles that use it are also removed.

Enabling certificate-based authentication of devices

To enable certificate-based authentication of a device:

1. Open the command line on a device where the Administration Server is installed.
2. Go to the directory containing the klscflag utility.

   By default, the utility is located in /opt/kaspersky/ksc64/sbin.

3. Run the following command under an account with root privileges to configure certificate-based authentication of devices on the Administration Server:

   ./klscflag -fset -pv ".core/.independent" -s KLLIM -n LP_MobileMustUseTwoWayAuthOnPort13292 -t d -v 1

4. Restart the Administration Server service.

After you start the Administration Server service, certificate-based authentication of the device using a shared certificate will be required.

The first connection of the device to the Administration Server does not require a certificate.

By default, certificate-based authentication of devices is disabled.

Creating a mobile application package for Android devices

To create a mobile app package:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
2. Click Android apps, and then click Add.

   The Add app window opens.

3. Specify the app name in the App name field. This name will be used to identify the app in policy settings.
4. Click Select and select an APK file on your computer.
5. Click Save to save the changes you have made.

The newly created app package is displayed in the list of apps on the Android apps tab.

If you select a large APK file, the app may take some time to upload. Do not close the Apps section until the app is uploaded.

In the Apps section, you can also add iOS apps.

Viewing information about an Android device

To view information about an Android device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.

   The list of managed mobile devices opens.

2. To filter Android devices, click the OS column heading and select Android.

   The list of Android devices is displayed.

   Depending on the database you use, searches may be case-sensitive.

3. Select the mobile device you want to view information about.

   A window with the properties of the Android device opens.

The mobile device properties window displays information about the connected Android device.

If an old version of Kaspersky Endpoint Security for Android (10.52.1.3 or earlier) is installed on the devices the Operating mode value is set to Unknown.

Disconnecting an Android device from management

To disconnect an Android device from management, the user has to remove Kaspersky Endpoint Security for Android from the mobile device. After the user has removed Kaspersky Endpoint Security for Android, the administrator can remove the mobile device from the list of managed devices in Web Console.

If Kaspersky Endpoint Security for Android has not been removed from the mobile device, that mobile device reappears in the list of managed devices after synchronization with the Administration Server.

To remove an Android device from the list of managed devices:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.

   The list of managed mobile devices opens.

2. To filter Android devices, click the OS column heading and select Android.

   The list of Android devices is displayed.

3. Select the mobile device you want to disconnect.
4. Click Delete.

The mobile device is removed from the list of managed devices.

Managing iOS MDM devices

This section describes advanced features for management of iOS MDM devices in Kaspersky Security Center Web Console.

Adding a configuration profile

To create a configuration profile, you can use Apple Configurator 2, which is available on the Apple website. Apple Configurator 2 works only on devices running macOS. If you do not have such devices at your disposal, you can use iPhone Configuration Utility. However, Apple no longer supports iPhone Configuration Utility.

To add a configuration profile to an iOS MDM Server:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
2. In the iOS MDM Server settings window, select Application settings.
3. Select the Configuration profiles tab.
4. To add a new configuration profile, click Add.
5. In the window that opens, select the configuration profile that you want to add.

   The configuration profile name should not be longer than 100 characters. If you enter a longer name, only part of it will be displayed.

The new configuration profile will be displayed in the list of configuration profiles.

You can install the profile that you have created on iOS MDM devices.

Installing a configuration profile on a device

To install a configuration profile on an iOS MDM device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
2. In the list of devices that opens, select the devices that you want to install configuration profiles on.
3. Click Send command.
4. In the Send command window that opens, in the Command field, select the Install configuration profile command.
5. In the Configuration profiles section, select the configuration profiles that you want to install on the devices.
6. Click Send.

The command is sent to the devices you selected.

To view the list of configuration profiles installed on a device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
2. In the list of devices that opens, click the device whose properties you want to view.

   The device properties window opens.

3. Select the Configuration profiles tab.

The list of configuration profiles installed on the device is displayed.

Removing a configuration profile from a device

To remove a configuration profile from an iOS MDM device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
2. In the list of devices that opens, select the devices that you want to remove configuration profiles from.
3. Click Send command.
4. In the Send command window that opens, in the Command field, select the Delete configuration profile command.
5. In the Configuration profiles section, select the configuration profiles that you want to remove from the devices.
6. Click Send.

The command is sent to the devices you selected.

The profile may be displayed in the list of configuration profiles installed on the device for several minutes after it has been deleted.

To view the list of configuration profiles installed on a device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
2. In the list of devices that opens, click the device whose properties you want to view.

   The device properties window opens.

3. Select the Configuration profiles tab.

The list of configuration profiles installed on the device is displayed.

Configuring managed apps

Expand all | Collapse all

Before installing an app on an iOS MDM device, you must add that app to the Administration Server. An app is considered managed if it has been installed on a device through Kaspersky Mobile Devices Protection and Management. A managed app can be managed remotely by means of Kaspersky Mobile Devices Protection and Management.

To add a managed app to an iOS MDM Server:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
2. Click iOS apps, and then click Add.

   The Add app window opens.

3. Specify the app name in the App name field. This name will be used to identify the app in policy settings.
4. In the Installation method field, select one of the following methods to add the app:
   • Installation package
   • Link to manifest file

     A manifest file is a PLIST file, which is required to install an app on an iOS device. These files are dictionaries containing app installation settings (for example, the location of the installation package). When you use a manifest file to add an app, you have to fill in these settings manually. When you add an app from the App Store or an IPA file, the manifest file is generated automatically.

     To get a manifest file for an app, we recommend first adding the app to the iOS MDM Server using an IPA file. In this case, the iOS MDM Server automatically generates a manifest file, which you can download and modify later.

   • App Store
5. Do one of the following:
   • If you selected Installation package, click Select, and upload an IPA file from your computer.
   • If you selected Link to manifest file, specify a link to a manifest file that can be used to download the app.
   • If you selected App Store, specify a link or ID of the app to be added from the App Store.
6. If necessary, configure the following settings:
   • Select the Remove when device management profile is deleted check box if you want the app to be removed from the user's mobile device along with the device management profile. By default, this check box is selected.
   • Select the Block backup of app data to iCloud check box if you want to block backup of the app data to iCloud.
7. If you want to add a custom configuration for the app, in the App configuration section, click Select and select a configuration file in PLIST format on your computer.

   To generate a configuration file, you can use a configuration generator (for example, https://appconfig.jamfresearch.com/generator) or refer to the official documentation on the app to be configured.

   Example of a basic configuration for the Microsoft Outlook app

   Microsoft Outlook app configuration

   Configuration key	Description	Type	Value	Default value
   com.microsoft.outlook.EmailProfile.EmailAccountName	Username	String	The username that will be used to pull the username from Microsoft Active Directory. It might be different from the user's email address. For example, User.
   com.microsoft.outlook.EmailProfile.EmailAddress	Email address	String	The email address that will be used to pull the user's email address from Microsoft Active Directory. For example, user@companyname.com.
   com.microsoft.outlook.EmailProfile.EmailUPN	User Principal Name or username for the email profile that is used to authenticate the account	String	The name of the user in email address format. For example, userupn@companyname.com.
   com.microsoft.outlook.EmailProfile.ServerAuthentication	Authentication method	String	Username and Password – Prompts the device user for their password. Certificates – Certificate-based authentication.	Username and Password
   com.microsoft.outlook.EmailProfile.ServerHostName	ActiveSync FQDN	String	The Exchange ActiveSync email server URL. You don't need to use HTTP:// or HTTPS:// in front of the URL. For example, mail.companyname.com.
   com.microsoft.outlook.EmailProfile.AccountDomain	Email domain	String	The account domain of the user. For example, companyname.
   com.microsoft.outlook.EmailProfile.AccountType	Authentication type	String	ModernAuth – Uses a token-based identity management method. Specify ModernAuth as the Account Type for Exchange Online. BasicAuth – Prompts the device user for their password. Specify BasicAuth as the Account Type for Exchange On-Premises.	BasicAuth
   IntuneMAMRequireAccounts	Is sign-in required	String	Specifies whether account sign-in is required. You can select one of the following values: Enabled - The app requires the user to sign-in to the managed user account defined by the IntuneMAMUPN key to receive Org data. Disabled - No account sign-in is required
   IntuneMAMUPN	UPN Address	String	The User Principal Name of the account allowed to sign into the app. For example, userupn@companyname.com.

   Example of a configuration file for the Microsoft Outlook app

   <?xml version="1.0" encoding="UTF-8"?>

   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

   <plist version="1.0">

   <dict>

   <key>com.microsoft.outlook.EmailProfile.AccountType</key>

   <string>BasicAuth</string>

   <key>com.microsoft.outlook.EmailProfile.EmailAccountName</key>

   <string>My Work Email</string>

   <key>com.microsoft.outlook.EmailProfile.ServerHostName</key>

   <string>exchange.server.com</string>

   <key>com.microsoft.outlook.EmailProfile.EmailAddress</key>

   <string>%email%</string>

   <key>com.microsoft.outlook.EmailProfile.EmailUPN</key>

   <string>%full_name%</string>

   <key>com.microsoft.outlook.EmailProfile.AccountDomain</key>

   <string>my-domain</string>

   <key>com.microsoft.outlook.EmailProfile.ServerAuthentication</key>

   <string>Username and Password</string>

   <key>IntuneMAMAllowedAccountsOnly</key>

   <string>Enabled</string>

   <key>IntuneMAMUPN</key>

   <string>%full_name%</string>

   </dict>

   </plist>

   You can use macros in the corresponding fields of the configuration file to replace values. Available macros

   Macros which can be used in configuration files

   Macro	Description
   %full_name%	Full user name
   %email%	User's main email address
   %email1%	User's first backup email address
   %email2%	User's second backup email address
   %mobile_phone%	User's mobile phone number
   %phone_number%	User's main phone number
   %phone_number1%	User's first backup phone number
   %phone_number2%	User's second backup phone number
   %short_name%	User name
   %domain_name%	Name of user's domain
   %job_title%	User's job title
   %department%	Department name
   %company%	Company name

8. Click Save to save the changes you have made.

The newly created app is displayed in the table of apps on the iOS apps tab.

If you select a large IPA file, the app may take some time to upload. Do not close the Apps section until the app is uploaded.

You can view and edit app properties by clicking the app in the list or remove the app using the Delete button.

Installing an app on a mobile device

To install an app on a mobile device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
2. In the list of devices that opens, select the devices that you want to install apps on.
3. Click Send command.
4. In the Send command window that opens, in the Command field, select the Install app command.
5. In the Apps field, select the apps that you want to install on the devices.
6. Click Send.

The command is sent to the devices you selected.

Removing an app from a device

To remove an app from a mobile device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
2. In the list of devices that opens, select the devices that you want to remove apps from.
3. Click Send command.
4. In the Send command window that opens, in the Command field, select the Delete app command.
5. In the Apps section, select the apps that you want to remove from the devices.
6. Click Send.

The command is sent to the devices you selected.

Configuring roaming on an iOS MDM mobile device

To configure roaming:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
2. In the list of devices that opens, select the devices that you want to configure roaming settings for.
3. Click Send command.
4. In the Send command window that opens, in the Command field, select the Change roaming settings command.
5. In the Action section, do one of the following:
   • If you want to enable data roaming, select Enable data roaming.
   • If you want to disable data roaming, select Disable data roaming.
6. Click Send.

The command is sent to the devices you selected.

Viewing information about an iOS MDM device

To view information about an iOS MDM device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.

   The list of managed mobile devices opens.

2. To filter iOS MDM devices, click the Operating mode column heading and select the operating mode of the iOS MDM device you want to view information about.

   The list of iOS MDM devices is displayed.

   Depending on the database you use, searches may be case-sensitive.

3. Select the mobile device you want to view information about.

   A window with the properties of the iOS MDM device opens.

The General tab of the properties window displays information about the connected iOS MDM device.

The Certificates tab of the properties window displays information about the certificates installed on the selected iOS MDM device.

The Apps tab of the properties window displays information about the apps installed on the selected iOS MDM device.

The Configuration profiles tab of the properties window displays information about the configuration profiles installed on the selected iOS MDM device.

Disconnecting an iOS MDM device from management

If you want to stop managing an iOS MDM device, you can disconnect it from management in Kaspersky Security Center.

As an alternative, you or the device owner can remove the device management profile from the device. However, after that you must still disconnect the device from management, as described in this section. Otherwise, you will not be able to start managing this device again.

To disconnect an iOS MDM device from the iOS MDM Server:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.

   The list of managed mobile devices opens.

2. To filter iOS MDM devices, click the Operating mode column heading and select the operating mode of the iOS MDM device you want to disconnect.

   The list of iOS MDM devices operating in the selected mode is displayed.

3. Select the mobile device you want to disconnect.
4. Click Delete.

In the list, the iOS MDM device is marked for removal. Within one minute, the device is removed from the database of the iOS MDM Server, after which it is automatically removed from the list of managed devices.

After the iOS MDM device is disconnected from management, all installed configuration profiles, the device management profile, and apps for which the Remove when device management profile is deleted option has been enabled in the iOS MDM Server settings, will be removed from the device. The iOS MDM policy will also be deleted.

Configuring kiosk mode for iOS MDM devices

These settings apply to supervised devices.

Expand all | Collapse all

Kiosk mode is an iOS feature that lets you limit the apps available to a device user to a single app. In this mode, a device user can open only the one app that is allowed on the device and specified in the kiosk mode settings.

Open the kiosk mode settings

To open the kiosk mode settings:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Restrictions section.
4. On the Kiosk mode card, click Settings.

The Kiosk mode window opens.

Configure kiosk mode

To enable kiosk mode:

1. Enable the settings using the Kiosk mode toggle switch to activate kiosk mode on a supervised device.
2. In the Bundle ID field, enter the unique identifier of an app selected for kiosk mode (for example, com.apple.calculator).

   How to get the bundle ID of an app

   To get the bundle ID of a built-in iPhone or iPad app,

   Follow the instructions in the Apple documentation.

   To get the bundle ID of any iPhone or iPad app:

   1. Open the App Store.
   2. Find the required app and open its page.

      The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

   3. Copy this identifier (without the letters "id").
   4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

      This downloads a text file.

   5. Open the downloaded file and find the "bundleId" fragment in it.

   The text that directly follows this fragment is the bundle ID of the required app.

   To get the bundle ID of an app that has been added to Kaspersky Security Center:

   1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
   2. Click iOS apps.

      In the list of apps that opens, app identifiers are displayed in the Bundle ID column.

   To select a different app, you need to disable kiosk mode, save the changes to the policy, and enable kiosk mode for a new app.

   The app that is selected for kiosk mode must be installed on the device. Otherwise, the device will be locked until kiosk mode is disabled.

   The use of the selected app must also be allowed in the policy settings. If the use of the app is prohibited, kiosk mode will not be enabled until the selected app is removed from the list of forbidden apps.

   In some cases, kiosk mode can still be enabled even when the use of the selected app is prohibited in the policy settings.

3. Specify the settings that will be enabled on the device in kiosk mode in the corresponding section. For available settings, see the "Kiosk mode settings" section below.
4. Specify the settings that the user can edit on the device in kiosk mode in the corresponding section.
5. Click OK.
6. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, kiosk mode is enabled. The selected app is forced to open on a supervised device, and the use of other apps is prohibited. The selected app reopens immediately after the device is restarted.

To edit the kiosk mode settings, you need to disable kiosk mode, save changes to the policy, and then enable kiosk mode again with the new settings.

To disable kiosk mode:

1. Disable the settings using the Kiosk mode toggle switch to deactivate kiosk mode on a supervised device.
2. Click OK.
3. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, kiosk mode is disabled and the use of all apps is allowed on the supervised device.

Now, you can enable kiosk mode again with the new settings.

Kiosk mode settings

• Auto-Lock

  If the check box is selected, Auto-Lock is enabled. The screen is automatically locked on the device.

  If the check box is cleared, Auto-Lock is disabled.

  This check box is selected by default.

• Touch (not recommended to disable)

  If the check box is selected, all touch input capabilities are enabled.

  If the check box is cleared, all touch input capabilities are disabled.

  This check box is selected by default.

• AssistiveTouch

  If the check box is selected, AssistiveTouch is enabled. The device screen is adapted to the user's unique physical needs.

  If the check box is cleared, AssistiveTouch is disabled.

  This check box is cleared by default.

• Voice Control

  If the check box is selected, Voice Control is enabled. The user can navigate and interact with the device using voice commands.

  If the check box is cleared, Voice Control is disabled.

  This check box is cleared by default.

• VoiceOver

  If the check box is selected, VoiceOver is enabled. Audible descriptions of what appears on the screen are given.

  If the check box is cleared, VoiceOver is disabled.

  This check box is cleared by default.

• Speak Selection

  If the check box is selected, Speak Selection is enabled. The text selected on the screen is spoken.

  If the check box is cleared, Speak Selection is disabled.

  This check box is cleared by default.

• Volume Buttons

  If the check box is selected, the volume buttons are enabled. The user can adjust the volume on the device.

  If the check box is cleared, the volume buttons are disabled.

  This check box is selected by default.

• Mono Audio

  If the check box is selected, Mono Audio is enabled. The left and right headphone channels are combined to play the same content.

  If the check box is cleared, Mono Audio is disabled.

  This check box is cleared by default.

• Zoom

  If the check box is selected, Zoom is enabled. The user can zoom in and out on the content on the screen.

  If the check box is cleared, Zoom is disabled.

  This check box is selected by default.

• Auto-Rotate Screen

  If the check box is selected, Auto-Rotate Screen is enabled. Screen orientation automatically changes when the device is rotated.

  If the check box is cleared, Auto-Rotate Screen is disabled.

  This check box is selected by default.

• Invert Colors

  If the check box is selected, inverting colors on the screen is enabled. The displayed colors are changed to their opposite colors.

  If the check box is cleared, inverting colors on the screen is disabled.

  This check box is cleared by default.

• Ring/Silent Switch

  If the check box is selected, Ring/Silent Switch is enabled. The user can switch between Ring and Silent modes to mute or unmute sounds and alerts.

  If the check box is cleared, Ring/Silent Switch is disabled.

  This check box is selected by default.

• Sleep/Wake Button

  If the check box is selected, the Sleep/Wake button is enabled. The user can put the device to sleep or wake the device.

  If the check box is cleared, the Sleep/Wake button is disabled.

  This check box is selected by default.