Management of mobile device settings

This section contains information about how to remotely manage the settings of mobile devices in Kaspersky Security Center Web Console.

Configuring connection to a Wi-Fi network

This section provides instructions on how to configure automatic connection to a corporate Wi-Fi network on Android and iOS MDM devices.

Connecting Android devices to a Wi-Fi network

Expand all | Collapse all

For an Android device to automatically connect to an available Wi-Fi network and protect data during the connection, you must configure the connection settings.

To connect a mobile device to a Wi-Fi network:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the Device configuration section.
4. On the Wi-Fi card, click Settings.

   The Wi-Fi window opens.

5. Enable the settings using the Wi-Fi toggle switch.
6. Click Add.

   The Add Wi-Fi network window opens.

7. In the Service set identifier (SSID) field, enter the name of the Wi-Fi network that includes the access point (SSID).
8. Select the Connect automatically check box if you want Android devices to automatically connect to the Wi-Fi network.
9. Select the Hidden network check box if you want the Wi-Fi network to be hidden in the list of available networks on the device.

   In this case, to connect to the network the user needs to manually enter the service set identifier (SSID) specified in the settings of the Wi-Fi router on the mobile device.

10. In the Protection section, select the type of Wi-Fi network security (open network or secure network protected with the WEP, WPA2 PSK, or 802.1.x EAP protocol).

    The 802.1.x EAP security protocol is supported only in Kaspersky Endpoint Security for Android 10.48.1.1 or later. The WEP protocol is supported only on Android 9 or earlier.

11. If you selected the 802.1.x EAP security protocol, specify the following network protection settings:
    • EAP method

      Specifies an Extensible Authentication Protocol (EAP) method for network authentication. Possible values:

      • TLS (default)
      • PEAP
      • TTLS
    • Method for uploading root certificate

      Specifies the way you want to upload a root certificate. Possible values:

      • From the list of root certificates – Lets you select any available certificate from the drop-down list.
      • From file – Lets you upload a certificate file from your computer.
    • Root certificate

      Specifies the root certificate to be used by the Wi-Fi network.

    • User certificate

      Specifies the user certificate to be used by the Wi-Fi network if the TLS EAP method is selected.

      The following values are available in the drop-down list:

      • Not selected – The user certificate is not specified.
      • User certificates – The VPN certificates that were added in the Certificates section and installed on the user device. If you choose this option, but no VPN certificate is installed on the device, the user certificate is not used for this Wi-Fi network.
      • SCEP profiles – SCEP certificate profiles configured in the SCEP and NDES settings and used to obtain certificates.
    • Domain name

      Specifies the constraint for the server domain name.

      If set, this Fully Qualified Domain Name (FQDN) is used as a suffix match requirement for the root certificate in SubjectAltName dNSName element(s). If a matching dNSName is found, this constraint is met.

      You can specify multiple match strings using semicolons to separate the strings. A match with any of the values is considered a sufficient match for the certificate (i.e., the OR operator is used).

      If you specify *, any root certificate is considered valid. This value is specified by default.

    • Two-factor authentication type

      Specifies a two-factor authentication type. Possible values:

      • Not selected (default)
      • MSCHAP
      • MSCHAPV2
      • GTC
    • User ID

      Specifies a user ID to be used to connect to the Wi-Fi network.

    • Anonymous ID

      Specifies an anonymous identity that is different from the user identity and is used if the PEAP or TTLS method of network authentication is selected.

    • Password

      Specifies a password for accessing the wireless network. The password will be sent in a QR code.

      Do not send a password for a confidential Wi-Fi network that should not be publicly available. The password is transmitted unencrypted along with other data to configure the device.

12. In the Password field, set a network access password if you selected a secure network at step 9.
13. On the Additional settings tab, select the Use a proxy server check box if you want to use a proxy server to connect to the Wi-Fi network.
14. If you selected Use a proxy server, in the Proxy server address and Proxy server port fields, enter the IP address or DNS name of the proxy server and port number, if necessary.

    On devices running Android 8 or later, proxy server settings for Wi-Fi cannot be redefined with a policy. However, you can manually configure the proxy server settings for a Wi-Fi network on the mobile device.

    If you are not using a proxy server to connect to a Wi-Fi network, there are no limitations on using policies to manage a Wi-Fi network connection.

15. In the Do not use proxy server for the specified addresses field, add web addresses that can be accessed without the use of the proxy server.

    For example, you can enter the address example.com. In this case, the proxy server will not be used for the addresses pictures.example.com, example.com/movies, etc. The protocol (for example, http://) can be omitted.

    On devices running Android 8 or later, excluding web addresses from the proxy server does not work.

16. Click Add.

    The added Wi-Fi network is displayed in the list of Wi-Fi networks.

    This list contains the names of suggested wireless networks.

    On personal devices running Android 10 or later, the operating system prompts the user to connect to such networks. Suggested networks don't appear in the saved networks list on these devices.

    On corporate devices and personal devices running Android 9 or earlier, after synchronizing the device with the Administration Server, the device user can select a suggested wireless network in the saved networks list and connect to it without having to specify any network settings.

    You can modify or delete Wi-Fi networks in the list of networks using the Edit and Delete buttons at the top of the list.

17. Click OK.
18. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

On devices running Android 10 or later, if a user refuses to connect to the suggested Wi-Fi network, the app's permission to change Wi-Fi state is revoked. The user must grant this permission manually.

Connecting iOS MDM devices to a Wi-Fi network

For an iOS MDM device to automatically connect to an available Wi-Fi network and protect data during the connection, you must configure the connection settings.

To configure the connection of an iOS MDM device to a Wi-Fi network:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Device configuration section.
4. On the Wi-Fi card, click Settings.

   The Wi-Fi window opens.

5. Enable the settings using the Wi-Fi toggle switch.
6. Click Add.

   The Add Wi-Fi network window opens.

7. In the Service set identifier (SSID) field, enter the name of the Wi-Fi network that includes the access point (SSID).
8. If you want iOS MDM devices to automatically connect to the Wi-Fi network, select the Connect automatically check box.

   If you disable automatic connection to an existing Wi-Fi network in the policy settings, you will not be able to enable automatic connection to this network again. This is due to an issue known to Apple.

9. If you don't want iOS MDM devices to connect to Wi-Fi networks requiring preliminary authentication (captive networks), select the Bypass captive portal check box.

   To use a captive network, you must subscribe, accept an agreement, or make a payment. Captive networks may be deployed in cafes and hotels, for example.

10. If you want the Wi-Fi network to be hidden in the list of available networks on the iOS MDM device, select the Hidden network check box.

    In this case, to connect to the network the user needs to manually enter the service set identifier (SSID) specified in the settings of the Wi-Fi router on the mobile device.

11. If you want iOS MDM devices to use static MAC addresses when they connect to the Wi-Fi network, select the Disable MAC address randomization check box.
12. In the Protection section, select the type of Wi-Fi network security (open network or secure network protected with the WEP, WPA, WPA2, or WPA3 protocol).

    On devices running iOS 15 or earlier, selecting WPA, WPA2, or WPA3 is identical and lets you connect to any network protected using WPA.

    • Open network. User authentication is not required.
    • WEP. The network is protected using Wireless Encryption Protocol (WEP).

      WEP protection is available on devices running iOS 5 or later.

    • WPA. The network is protected using the WPA (Wi-Fi Protected Access) or WPA2 protocol.
    • WPA2. The network is protected using the WPA2 or WPA3 protocol.
    • WPA3. The network is protected using the WPA3 protocol.
    • Personal network (any). The network is protected using the WEP, WPA, WPA2, or WPA3 encryption protocol depending on the type of Wi-Fi router. An encryption key unique to each user is used for authentication.
    • WEP (corporate network). The network is protected using the WEP protocol with the use of a dynamic key.
    • WPA (corporate network). The network is protected using the WPA or WPA2 encryption protocol with the use of the 802.1X protocol.
    • WPA2 (corporate network). The network is protected using the WPA2 or WPA3 encryption protocol with the use of one key shared by all users (802.1X).
    • WPA3 (corporate network). The network is protected using the WPA3 encryption protocol with the use of one key shared by all users (802.1X).
    • Corporate network (any). The network is protected using the WEP, WPA, WPA2, or WPA3 protocol depending on the type of Wi-Fi router. Authentication is performed using a single encryption key shared by all users.

    If you have selected any of the corporate network options, in the EAP protocol section you can select the types of EAP protocols (Extensible Authentication Protocol) for user identification on the Wi-Fi network.

    In the Trusted certificates section, you can also create a list of trusted certificates for authentication of the iOS MDM device user on trusted servers.

13. In the Authentication section, configure the settings of the account for user authentication upon connection of the iOS MDM device to the Wi-Fi network:
    1. In the User name field, enter the account name for user authentication upon connection to the Wi-Fi network.
    2. In the User ID field, enter the user ID displayed during data transmission upon authentication instead of the user's real name.

       The user ID is designed to make the authentication process more secure, since the user name is not displayed openly, but rather transmitted via an encrypted TLS tunnel.

    3. In the Password field, enter the password of the account for authentication on the Wi-Fi network.
    4. If you want the user to enter the password manually upon every connection to the Wi-Fi network, select the Prompt for password at each connection check box.
    5. In the Authentication certificate drop-down list, select a certificate for user authentication on the Wi-Fi network.
    6. In the Minimum TLS version drop-down list, select the minimum allowed TLS version.
    7. In the Maximum TLS version drop-down list, select the maximum allowed TLS version.
14. If necessary, on the Additional settings tab, configure the settings for connecting to the Wi-Fi network via a proxy server:
    1. Select the Use a proxy server check box.
    2. Configure a connection to a proxy server:
       1. If you want to configure the connection automatically:
          • Select Automatic.
          • In the PAC file URL field, specify the URL of the proxy PAC file.
          • To allow the user to connect the mobile device to a wireless network without using a proxy server when the PAC file cannot be accessed, select the Allow direct connection if PAC file cannot be accessed check box.
       2. If you want to configure the connection manually:
          • Select Manual.
          • In the Proxy server address and Proxy server port fields, enter the IP address or DNS name of the proxy server and port number.
          • In the User name field, select a macro that will be used as a user name for the connection to the proxy server.
          • In the Password field, specify the password for the connection to the proxy server.
15. Click Add.

    The new Wi-Fi network is displayed in the list.

16. Click OK.
17. Click Save to save the changes you have made.

As a result, a Wi-Fi network connection will be configured on the user's iOS MDM device once the policy is applied. The user's mobile device will automatically connect to available Wi-Fi networks. Data security during a Wi-Fi network connection is ensured by the selected authentication method.

Configuring email

This section contains information on configuring mailboxes on mobile devices.

Configuring a mailbox on iOS MDM devices

Expand all | Collapse all

These settings apply to supervised devices and devices operating in basic control mode.

To enable an iOS MDM device user to work with email, add the user's email account to the list of accounts on the iOS MDM device.

By default, the email account is added with the following settings:

• Email protocol – IMAP.
• The user can move email messages between the user's accounts and synchronize account addresses.
• The user can use any email client (other than Mail) to use email.
• The SSL connection is not used during transmission of messages.

You can edit the specified settings when adding an account.

To add an email account of the iOS MDM device user:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Device configuration section.
4. On the Email card, click Settings.

   The Email window opens.

5. Enable the settings using the Email toggle switch.
6. Click Add.

   The Add email account window opens.

7. Specify the email account settings:
   • On the General settings tab, configure the following settings:
     1. In the User name field, specify the name of the iOS MDM device user. You can either enter a value or select a macro by clicking the button.
     2. In the Email address field, specify the email address of the iOS MDM device user. You can either enter a value or select a macro by clicking the button.
     3. In the Account description field, enter a description of the user's email account.
     4. In the Email protocol field, select one of the following protocols:
        • POP
        • IMAP
     5. If you selected IMAP, specify the IMAP path prefix in the IMAP path prefix field.

        The IMAP path prefix must be entered using uppercase letters (for example: GMAIL for Google Mail).

     6. In the Incoming mail server settings and Outgoing mail server settings sections, configure the server connection settings:
        • In the Server address field, specify names of hosts or IP addresses of incoming and outgoing mail servers.
        • In the Server port fields, specify the port numbers of incoming and outgoing mail servers.

        To configure optional settings for the incoming and outgoing mail servers, click More settings and do the following:

        • In the User name field, specify the name of the user's account for authorization on the incoming and outgoing mail servers. You can either enter a value or select a macro by clicking the button.
        • In the Authentication type field, select the type of authentication of the user's email account on the incoming and outgoing mail servers.
        • In the Password field, specify the account password for authenticating on incoming and outgoing mail servers protected using the selected authentication method.
        • If you want to use the SSL (Secure Sockets Layer) data transport protocol, select the Use SSL connection check box.
        • If you want to use the same password for user authentication on the incoming and outgoing mail servers, select the Use the same password for incoming and outgoing mail servers check box.
   • On the Advanced settings tab, configure the additional settings of the email account:
     1. In the Restrictions section, select or clear the following check boxes, if necessary:
        • Allow syncing recent addresses

          Moving email messages between accounts.

          If the check box is selected, the user can move email messages from one account to another.

          If the check box is cleared, the user is prohibited from moving email messages from one account to another.

          This check box is selected by default.

          If you want to prohibit saving, moving, and sharing attachments from a corporate mailbox, clear the Allow movement of messages between accounts (including work and personal accounts) check box and select the Prohibit non-managed apps from using documents from managed apps and Prohibit managed apps from using documents from non-managed apps check boxes.

        • Allow movement of messages between accounts (including work and personal accounts)

          Synchronization of email addresses between accounts.

          If the check box is selected, when creating messages the user can use another email account's address history.

          If this check box is cleared, used email addresses are not synchronized. When creating a message, the user of an iOS MDM device cannot use another email account's address history.

          This check box is selected by default.

        • Allow Mail Drop

          Use of the Mail Drop service to forward large attachments.

          If the check box is selected, the user can use Mail Drop.

          If the check box is cleared, the user cannot use Mail Drop.

          This check box is cleared by default.

        • Allow using only the Mail app

          Use of only the standard iOS mail client for processing messages.

          If the check box is selected, the user can use email only in the standard iOS email client.

          If the check box is cleared, the user can use email both in the standard iOS email client and in other apps.

          This check box is cleared by default.

     2. In the Signature and Encryption sections, configure the settings for signing and encrypting outgoing mail using the S/MIME protocol in the Mail app.

        S/MIME is a protocol for transmitting digitally signed encrypted messages. S/MIME provides cryptographic security capabilities such as authentication, message integrity control, and non-repudiation of origin (using digital signatures). The protocol also helps improve the confidentiality and security of data in email messages by using encryption.

        • Sign messages

          Digital signature of outgoing messages in the Mail app.

          If the check box is selected, outgoing messages are signed with a digital signature using the S/MIME protocol. A digital signature confirms the authenticity of the sender and indicates that the contents of the message have not been modified during transmission to the recipient. A recipient certificate (public key) must be selected for a message signature.

          This check box is cleared by default.

        • Signing certificate for outgoing messages

          Certificate for signing outgoing messages with a digital signature using the S/MIME protocol. The digital signature guarantees that the message was sent by the iOS MDM device user. You can add certificates in the Certificate management settings of the policy or in the Certificates section of Web Console.

          This drop-down list is available only if the Sign messages check box is selected.

        • Encrypt messages by default

          Encryption of outgoing messages in the Mail app.

          If the check box is selected, outgoing messages are encrypted by default using the S/MIME protocol. A recipient certificate (public key) must be selected for sending encrypted messages. If a recipient certificate is not installed, messages cannot be encrypted. Encrypted messages can be viewed only by users whose devices have a certificate installed.

          This check box is cleared by default.

        • Encryption certificate

          Encryption certificate for encrypting outgoing messages using the S/MIME protocol. Encryption keeps messages confidential during transmission and storage. You can add certificates in the Certificate management settings of the policy or in the Certificates section of Web Console.

          This drop-down list is available only if the Encrypt messages by default check box is selected.

        • Show toggle button for encrypting selected messages

          Display of the icon in the Mail app in the To field for sending encrypted messages.

          If this check box is selected, the mobile device user can encrypt individual messages by clicking the icon.

          If the check box is cleared, the icon for encrypting messages is not displayed. In this case, the Encrypt messages by default check box determines whether outgoing mail is encrypted.

     • If necessary, in the Per App VPN section, configure Per App VPN.
8. Click Save.

   The new email account appears in the list.

   You can modify or delete email accounts in the list using the Edit and Delete buttons at the top of the list.

9. Click OK.
10. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, email accounts from the list are added on the user's mobile device.

We recommend closing and opening the Settings app on the iOS MDM device after you configure a mailbox.

Configuring an Exchange mailbox on iOS MDM devices

Expand all | Collapse all

These settings apply to supervised devices and devices operating in basic control mode.

To allow an iOS MDM device user to use corporate email, calendar, contacts, notes, and tasks, add the user's Exchange ActiveSync account on the Microsoft Exchange server.

By default, an account with the following settings is added on the Microsoft Exchange server:

• Email is synchronized once per week.
• The user can move messages between the user's accounts and synchronize account addresses.
• The user can use any email clients (other than Mail) to use email.
• The SSL connection is not used during transmission of messages.

You can edit the specified settings when adding the Exchange ActiveSync account.

To add an Exchange ActiveSync account of an iOS MDM device user:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Device configuration section.
4. On the Exchange ActiveSync card, click Settings.

   The Exchange ActiveSync window opens.

5. Enable the settings using the Exchange ActiveSync toggle switch.
6. Click Add.

   The Add Exchange ActiveSync account window opens.

7. Specify the Exchange ActiveSync settings:
   • On the General settings tab, specify the user's data:
     • In the Account name field, enter the account name for authorization on the Microsoft Exchange server. You can either enter a value or select a macro by clicking the button.
     • In the Exchange ActiveSync server address field, enter the DNS name or IP address of the Microsoft Exchange server.
     • Settings in the User credentials section:
       • In the User domain field, enter the name of the iOS MDM device user's domain. You can either enter a value or select a macro by clicking the button.
       • In the User name field, enter the name of the iOS MDM device user. You can either enter a value or select a macro by clicking the button.

         If you leave this field blank, Kaspersky Mobile Devices Protection and Management prompts the user to enter the user name when applying the policy on the iOS MDM device.

       • In the Email address field, specify the email address of the iOS MDM device user. You can either enter a value or select a macro by clicking the button.
     • Settings in the Authentication section:
       • In the Password field, enter the password of the Exchange ActiveSync account for authorization on the Microsoft Exchange server.
       • In the Authentication certificate drop-down list, select the certificate used for authenticating the iOS MDM device user on the Microsoft Exchange server. You can add certificates in the Certificate management settings of the policy or in the Certificates section of Web Console.
   • On the Additional settings tab, configure the additional settings of the Exchange ActiveSync account:
     • In the Email synchronization section, in the Synchronization period drop-down list, select the time interval for which email is automatically synchronized and stored on the iOS MDM device. The longer the email synchronization period, the more free space required in the memory of the mobile device. Messages that have not been synchronized are not available without an internet connection. The default value is 1 week.
     • In the Restrictions section, select or clear the following check boxes, if necessary:
       • Allow movement of messages between accounts (including work and personal accounts)

         Moving email messages between accounts.

         If the check box is selected, the user can move email messages from one account to another.

         If the check box is cleared, the user is prohibited from moving email messages from one account to another.

         This check box is selected by default.

         If you want to prohibit saving, moving, and sharing attachments from a corporate mailbox, clear the Allow movement of messages between accounts (including work and personal accounts) check box and select the Prohibit non-managed apps from using documents from managed apps and Prohibit managed apps from using documents from non-managed apps check boxes.

       • Allow syncing recent addresses

         Synchronization of email addresses between accounts.

         If the check box is selected, when creating messages the user can use another email account's address history.

         If this check box is cleared, used email addresses are not synchronized. When creating a message, the user of an iOS MDM device cannot use another email account's address history.

         This check box is selected by default.

       • Allow using only the Mail app

         Use of only the standard iOS mail client for processing messages.

         If the check box is selected, the user can use email only in the standard iOS email client.

         If the check box is cleared, the user can use email both in the standard iOS email client and in other apps.

         This check box is cleared by default.

       • Use SSL connection

         Select this check box to use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of data.

         This check box is selected by default.

     • In the Signature and encryption section, configure the settings for signing and encrypting outgoing mail using the S/MIME protocol in the Mail app. S/MIME is a protocol for transmitting digitally signed encrypted messages. S/MIME provides cryptographic security capabilities such as authentication, message integrity control, and non-repudiation of origin (using digital signatures). The protocol also uses encryption to help improve the level of confidentiality and security of data in email messages.
       • Sign messages

         Digital signature of outgoing messages in the Mail app.

         If the check box is selected, outgoing messages are signed with a digital signature using the S/MIME protocol. A digital signature confirms the authenticity of the sender and indicates that the contents of the message have not been modified during transmission to the recipient. A recipient certificate (public key) must be selected for a message signature.

         This check box is cleared by default.

       • Signing certificate for outgoing messages

         Certificate for signing outgoing messages with a digital signature using the S/MIME protocol. The digital signature guarantees that the message was sent by the iOS MDM device user. You can add certificates in the Certificate management settings of the policy or in the Certificates section of Web Console.

         This drop-down list is available only if the Sign messages check box is selected.

       • Encrypt messages by default

         Encryption of outgoing messages in the Mail app.

         If the check box is selected, outgoing messages are encrypted by default using the S/MIME protocol. A recipient certificate (public key) must be selected for sending encrypted messages. If a recipient certificate is not installed, messages cannot be encrypted. Encrypted messages can be viewed only by users whose devices have a certificate installed.

         This check box is cleared by default.

       • Encryption certificate

         Encryption certificate for encrypting outgoing messages using the S/MIME protocol. Encryption keeps messages confidential during transmission and storage. You can add certificates in the Certificate management settings of the policy or in the Certificates section of Web Console.

         This drop-down list is available only if the Encrypt messages by default check box is selected.

       • Show toggle button for encrypting selected messages

         Display of the icon in the Mail app in the To field for sending encrypted messages.

         If this check box is selected, the mobile device user can encrypt individual messages by clicking the icon.

         If the check box is cleared, the icon for encrypting messages is not displayed. In this case, the Encrypt messages by default check box determines whether outgoing mail is encrypted.

8. Click Add.

   The new Exchange ActiveSync account appears in the list.

   You can modify or delete Exchange ActiveSync accounts in the list using the Edit and Delete buttons at the top of the list.

9. Click OK.
10. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Exchange ActiveSync accounts from the compiled list are added on the user's mobile device.

Configuring an Exchange mailbox on Android devices

To work with corporate mail, contacts, and the calendar on the mobile device, you can configure the Exchange mailbox settings for the standard Samsung Email app.

An Exchange mailbox can be configured only for Samsung devices running Android 9 or earlier.

To configure an Exchange mailbox on a user's mobile device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the Samsung Knox settings section.
4. On the Exchange ActiveSync card, click Settings.

   The Exchange ActiveSync window opens.

5. Enable the settings using the Exchange ActiveSync toggle switch.
6. In the Server address field, enter the IP address or DNS name of the server hosting the mail server.
7. In the Domain name field, enter the name of the mobile device user's domain on the corporate network.
8. In the Synchronization interval drop-down list, select the interval for mobile device synchronization with the Microsoft Exchange server.
9. To use the SSL (Secure Sockets Layer) data transport protocol, select the Use SSL connection check box. The SSL protocol uses encryption and certificate-based authentication for secure data transfer. This check box is selected by default.
10. To use digital certificates to protect data transfer between the user's mobile device and the Microsoft Exchange server, select the Verify server certificate check box. The server certificate is verified to have been issued from the trusted root certificate. This check box is selected by default.
11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Configuring protection levels in Kaspersky Security Center

These settings apply to Android devices.

Expand all | Collapse all

To configure rules for assigning protection levels in Kaspersky Security Center:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the KES for Android settings section.
4. On the Severity settings for device protection level card, click Settings.

   The Severity settings for device protection level window opens.

5. Enable the settings using the Severity settings for device protection level toggle switch.
6. Select the OK, Warning, or Critical protection level for each of the following conditions:
   • Real-time protection is not running

     Drop-down list where you can select the protection level of a mobile device on which real-time protection is not running.

     Real-time protection lets you detect threats in files being opened, as well as scan new apps and stop device infections in real time.

     Real-time protection may fail to run for the following reasons:

     • The user declined to use Kaspersky Security Network on the mobile device in the Anti-Malware settings of Kaspersky Endpoint Security for Android.
     • The user did not grant the app access to manage all files.

     If real-time protection is not running, you can also configure restrictions on operation of the mobile device in the Compliance Control settings of the policy.

   • Web Protection and Web Control are not running

     Drop-down list where you can select the protection level of a mobile device on which Web Protection and Web Control are not running.

     Web Protection lets you scan websites and block malicious and phishing websites.

     Web Control lets you configure user access to specific websites and categories of websites.

     Web Protection and Web Control may fail to run for the following reasons:

     • The user disabled Web Protection on the mobile device in the Kaspersky Endpoint Security for Android settings.
     • The user did not enable Kaspersky Endpoint Security for Android as an Accessibility feature.
     • The Ignore battery optimization permission has not been granted.
     • The Web Protection Statement has not been accepted.

     If Web Protection and Web Control are not running, you can also configure restrictions on the operation of the mobile device in the Compliance Control settings of the policy.

   • App Control is not running

     Drop-down list where you can select the protection level of a mobile device on which App Control is not running.

     App Control lets you block apps from running on mobile devices if those apps do not meet the corporate security requirements.

     App Control may not run if the user did not enable the app as an Accessibility feature on devices running Android 5 or later.

     If App Control is not running, you can also configure restrictions on the operation of the mobile device in the Compliance Control settings of the policy.

   • Device lock is not available

     Drop-down list where you can select the protection level of a mobile device on which device lock is not available.

     The device may be locked in the following cases:

     • The Anti-Theft command is received.
     • The SIM card is replaced or the device is turned on without a SIM card.
     • An attempt is made to remove Kaspersky Endpoint Security for Android while app removal protection is enabled.

     Device lock may be unavailable for the following reasons:

     • The user did not set the app as a device administrator.
     • The user did not enable the app as an Accessibility service on devices running Android 7 or later.
     • The user did not enable the app to overlay other windows on devices running Android 7 or later.
   • Device location is not available

     Drop-down list where you can select the protection level of a mobile device whose location cannot be determined.

     The location is determined after the Locate device command is received.

     Locating the device may be unavailable for the following reasons:

     • The user did not grant the device locate permission to the app.
     • The user turned off the GPS module in the device settings.
   • Versions of the Kaspersky Security Network Statement do not match

     Drop-down list where you can select the protection level of a mobile device if the version of the Kaspersky Security Network Statement accepted by the administrator does not match the version accepted by the device user. Statistics not listed in the version of the Statement accepted by the user are not sent to Kaspersky Security Network.

   • Versions of the Marketing Statement do not match

     Drop-down list where you can select the protection level of a mobile device if the version of the Statement regarding data processing for marketing purposes accepted by the administrator does not match the version accepted by the device user. Data is not transferred to third-party services.

     The list of third-party services can be found in the Statement regarding data processing for marketing purposes.

7. Click OK.
8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

For more information about default values, reasons, and conditions for assigning protection levels, please refer to the Mobile device protection levels section.

Managing app configurations

This section provides instructions on how to manage settings and edit configurations of the apps installed on your users' devices.

Managing Google Chrome settings

Expand all | Collapse all

These settings apply to corporate devices and devices with a corporate container.

To configure Google Chrome settings:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the App configuration section.
4. On the Google Chrome settings card, click Settings.

   The Google Chrome settings window opens.

5. Enable the settings using the Google Chrome settings toggle switch.

   The toggle switch in this card does not enable or disable the corresponding functionality on devices. Enabling the toggle switch lets you configure custom settings. Disabling the toggle switch lets you use default settings.

6. Configure the required settings.
7. Click OK.
8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Manage content settings

On the Content tab, you can manage the following settings:

• In the Cookies section:
  • Default mode

    Default cookie settings.

    Available options:

    • Allow all websites to save local data (default)
    • Prohibit all websites from saving local data
    • Configure settings for selected websites
    • Do not configure cookie settings
  • Exceptions

    Exceptions from the websites that are prohibited from or allowed to save local data.

    For more information on URL patterns, see the Chrome enterprise documentation.

  • Websites

    The websites that are prohibited from or allowed to save local data.

    For more information on URL patterns, see the Chrome enterprise documentation.

• In the JavaScript section:
  • Default mode

    Default JavaScript settings.

    Available options:

    • Allow JavaScript on all websites (default)
    • Prohibit JavaScript on all websites
  • Exceptions

    Exceptions from the websites that are prohibited from or allowed to use JavaScript.

    For more information on URL patterns, see the Chrome enterprise documentation.

• In the Pop-ups section:
  • Default mode

    Default pop-up setting.

    Available options:

    • Allow pop-ups on all websites. Lets all sites open pop-up windows. This value is selected by default.
    • Prohibit pop-ups on all websites. Prohibits all sites from opening pop-up windows.

    Only pop-ups included into the Google abusive pop-ups database will be blocked.

  • Exceptions

    Exceptions from the websites that are prohibited from or allowed to display pop-up windows.

• In the Location tracking section:
  • Default mode

    The default geographic location settings.

    Available options:

    • Allow all websites to track user's location
    • Prohibit all websites from tracking user's location
    • Ask whenever website wants to track user's location (default)

Manage proxy settings

On the Proxy tab, you can manage the following settings:

• Default mode

  Proxy settings for Google Chrome and ARC-apps.

  Available options:

  • Never use proxy. Prohibits use of proxies and all other proxy settings are ignored.
  • Detect proxy settings automatically. Detects proxy settings automatically and all other options are ignored.
  • Use PAC file. Uses the proxy PAC file specified in the PAC file URL field.
  • Use fixed proxy servers. Uses the data specified in the Proxy server URL field and Exceptions list.
  • Use system proxy settings. Uses the system proxy settings. This option is selected by default.
• PAC file URL

  A URL to a proxy PAC file.

• Proxy server URL

  A URL of the proxy server.

• Exceptions

  A list of hosts for which the proxy will be bypassed.

Manage search settings

On the Search tab, you can manage the following settings:

• In the Touch to Search section:
  • Enable Touch to Search

    Selecting or clearing this check box specifies whether the device user is allowed to use Touch to Search and turn the feature on or off.

    This check box is selected by default.

• In the Search provider section:
  • Operating mode

    This option lets you determine whether to configure a search provider that will be used on user devices.

    If you select Enable default search provider, you can specify search provider settings.

  • Search provider name

    The default search provider name.

  • Search URL

    The URL of the search engine used during default searches.

  • Suggest URL

    The URL of the search engine to provide search suggestions.

  • Icon URL

    The URL of the default search provider's favicon.

  • Encodings

    Character encodings supported by the search provider. The supported encodings are:

    • UTF-8
    • UTF-16
    • GB2312
    • ISO-8859-1
  • Alternate URLs

    A list of alternate URLs to retrieve search terms from the search engine.

  • Image search URL

    The URL of the search engine used for image search.

  • New tab URL

    The URL of the search engine used to provide a New Tab page.

  • Parameters for search URL that uses POST

    URL parameters when searching a URL with the POST method. The parameters are comma-separated key-value pairs. If a value is a template parameter, for example, '{searchTerms}', it is replaced with real search terms. For example:

    q={searchTerms},ie=utf-8,oe=utf-8

  • Parameters for suggest URL that uses POST

    URL parameters for search suggestions using the POST method. The parameters are comma-separated key-value pairs. If a value is a template parameter, for example, '{searchTerms}', it is replaced with real search terms. For example:

    q={searchTerms},ie=utf-8,oe=utf-8

  • Parameters for image URL that uses POST

    URL parameters for image search using the POST method. The parameters are comma-separated key-value pairs. If a value is a template parameter, for example, '{imageThumbnail}', it is replaced with the real image thumbnail. For example:

    content={imageThumbnail},url={imageURL},sbisrc={SearchSource}

Manage security settings

On the Security tab, you can manage the following settings:

• In the Google Safe Browsing and SafeSearch section:
  • Safe Browsing operating mode

    Google Safe Browsing protection level.

    Available options:

    • No protection. Disables Google Safe Browsing completely.
    • Standard protection. Makes Google Safe Browsing always enabled in standard protection mode. This option is selected by default.
    • Enhanced protection. Makes Google Safe Browsing always enabled in enhanced protection mode, but device user browsing experience data will be sent to Google.
  • Force SafeSearch

    Selecting or clearing this check box specifies whether Google Search queries will be performed via Google SafeSearch.

    This check box is cleared by default.

  • Disable proceeding from the Safe Browsing warning page

    Selecting or clearing this check box specifies whether the device user is allowed to proceed to the flagged site on Google Safe Browsing warnings, such as malware and phishing. The restriction does not apply to issues related to an SSL certificate, such as invalid or expired certificates.

    This check box is cleared by default.

• In the Blocked websites section:
  • Block access to these websites

    A list of forbidden URLs. You can also set URL patterns, for example: [*.]example.com.

  • Exceptions

    A list of URLs that are exceptions to the list specified in Block access to these websites. You can also set URL patterns, for example: [*.]example.com.

• In the Passwords and autofill section:
  • Enable saving passwords

    Selecting or clearing the check box specifies whether Google Chrome will remember the passwords the device user enters and also offer them the next time the device user signs in.

    This check box is selected by default.

  • Enable autofill for addresses

    Autofill settings for addresses.

    If the check box is selected, the device user is allowed to manage autofill for addresses in the user interface.

    If the check box is cleared, autofill never suggests or fills in address information, nor does it save additional address information that the device user submits while browsing the web.

    This check box is selected by default.

  • Enable autofill for bank cards

    Autofill settings for bank cards.

    If the check box is selected, the device user is allowed to manage autofill suggestions for bank cards in the user interface.

    If the check box is cleared, autofill never suggests or fills in bank card information, nor does it save additional bank card information that the device user submits while browsing the web.

    This check box is selected by default.

• In the Network section:
  • Minimum TLS version

    Minimum allowed TLS version.

    Available options:

    • TLS 1.0 (default)
    • TLS 1.1
    • TLS 1.2
  • Enable network prediction

    Selecting or clearing this check box specifies whether Google Chrome will predict such network actions as DNS prefetching, TCP and SSL preconnection and prerendering of webpages.

    If the check box is cleared, network prediction is disabled, but the device user can enable it.

    This check box is selected by default.

Manage additional settings

On the Additional settings tab, you can manage the following settings:

• In the Bookmarks section:
  • Managed bookmarks

    An admin-managed list of bookmarks. The list is a dictionary with name and url keys. In other words, the key holds a bookmark's name and target. You can also set up a subfolder with a children key, which also has a list of bookmarks.

    By default, the folder name for managed bookmarks is "Managed bookmarks". You can change it by adding a new sub-dictionary. To do this, specify the toplevel_name key with the required folder name as its value.

    If you enter an incomplete URL as a bookmark's target, Google Chrome will substitute it with a URL as if it was submitted through the address bar. For example, kaspersky.com becomes https://www.kaspersky.com.

    For example:

    "ManagedBookmarks": [{

    //Changes the default folder name

    "toplevel_name": "My managed bookmarks folder"

    },

    {

    //Adds a bookmark to the managed bookmarks folder

    "name": "Kaspersky",

    "url": "kaspersky.com"

    },

    {

    "name": "Kaspersky products",

    "children": [{

    "name": "Kaspersky Endpoint Security",

    "url": "kaspersky.com/enterprise-security/endpoint"

    },

    {

    "name": "Kaspersky Security for Mail Server",

    "url": "kaspersky.com/enterprise-security/mail-server-security"

    }

    ]

    }

    ]

  • Enable bookmark editing

    Selecting or clearing this check box specifies whether the device user is allowed to add, remove, or modify bookmarks.

    This check box is selected by default.

• In the History and Incognito mode section:
  • Availability of Incognito mode

    Specifies whether the device user can enable Incognito mode in Google Chrome.

    Available options:

    • Incognito mode is available (default)
    • Incognito mode is disabled
  • Disable saving browser history

    Selecting or clearing this check box specifies whether browsing history is saved and tab syncing is on.

    This check box is cleared by default.

• In the Other section:
  • Restricted Mode for YouTube

    Minimum required Restricted Mode level for YouTube.

    Available options:

    • Do not enforce Restricted Mode. Specifies that Google Chrome does not force Restricted Mode. However, external policies might still enforce Restricted Mode. This option is selected by default.
    • Enforce at least Moderate Restricted Mode. Lets a device user enable the Moderate Restricted Mode on YouTube.
    • Enforce Strict Restricted Mode. Makes Strict Restricted Mode on YouTube always active.
  • Google Translate operating mode

    Translation functionality.

    Available options:

    • Always offer translation. Shows the integrated translation notification and a translate option at the top of the screen.
    • Never offer translation. Disables all built-in translation functionality.
    • Prompt the user for action. Lets the user decide whether to use translation functionality. This option is selected by default.
  • Enable alternate error pages

    Selecting the check box specifies whether Google Chrome is allowed to use built-in error pages, such as "Page not found".

    This check box is cleared by default.

  • Enable printing

    Selecting or clearing this check box specifies whether the device user is allowed to print in Google Chrome.

    This check box is selected by default.

  • Enable search suggestions

    Selecting or clearing this check box specifies whether search suggestions are enabled in Google Chrome's address bar.

    This check box is selected by default.

Managing Exchange ActiveSync for Gmail

Expand all | Collapse all

These settings apply to corporate devices and devices with a corporate container.

The Exchange ActiveSync settings let you manage Exchange ActiveSync for the Gmail app.

To configure Exchange ActiveSync settings:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the App configuration section.
4. On the Exchange ActiveSync card, click Settings.

   The Exchange ActiveSync window opens.

5. Enable the settings using the Exchange ActiveSync toggle switch.
6. Specify the Exchange ActiveSync settings:
   • On the General settings tab, specify the following settings:
     • Exchange ActiveSync server address

       The Exchange ActiveSync email server URL. You don't need to use http:// or https:// in front of the URL.

     • Settings in the User credentials section:
       • Device ID

         A string used by a Kaspersky Security Center proxy or a third-party gateway to identify the device and connect it to Exchange ActiveSync. You can either enter a value or select a macro by clicking the button.

       • User name

         The user name that will be used to pull the user name from Microsoft Active Directory. It might be different from the user's email address. You can either enter a value or select a macro by clicking the button.

       • Email address

         The email address that will be used to pull the user's email address from Microsoft Active Directory. You can either enter a value or select a macro by clicking the button.

     • Settings in the Authentication section:
       • Authentication type

         The authentication type used to verify a device user's email credential. Possible values:

         • Modern token-based authentication. Uses a token-based identity management method. This value is selected by default.
         • Basic authentication. Prompts the device user for their password and stores it for future use.
       • Authentication certificate

         The authentication certificate used to verify user identity, simplify user authentication, and ensure data security.

         The following values are available in the drop-down list:

         • Not selected. The authentication certificate is not specified.
         • User certificates. The list of Mail certificates configured in the Assets (Devices) → Mobile → Certificates section.
         • SCEP profiles. The list of SCEP certificate profiles configured in the SCEP and NDES card of the Device configuration section of the policy and used to obtain certificates.
   • On the Additional settings tab, specify the following settings:
     • Settings in the Email synchronization section:
       • Synchronization period

         The default time interval for synchronization of mail items between Exchange ActiveSync servers and Gmail. Possible values:

         • 1 day
         • 3 days
         • 1 week (default)
         • 2 weeks
         • 1 month
     • Settings in the Restrictions section:
       • Use SSL connection

         Selecting or clearing this check box specifies whether communication to the server port specified in the Exchange ActiveSync server address field will use the SSL protocol.

         This check box is selected by default.

       • Disable SSL certificate verification

         Selecting or clearing this check box specifies whether validation checks on SSL certificates used on Exchange ActiveSync servers will be performed. Performing a check is useful if certificates are self-signed.

         This check box is cleared by default.

       • Allow unmanaged accounts

         Selecting or clearing the check box specifies whether the device user is allowed to add other accounts to the Gmail app.

         This check box is selected by default.

     • Settings in the Signature section:
       • Default email signature

         The default email signature that is automatically added at the bottom of emails.

7. Click OK.
8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Configuring other apps

Expand all | Collapse all

These settings apply to corporate devices and devices with a corporate container.

The Configure other apps settings let you configure installed apps that support configurations.

To add app configurations:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the App configuration section.
4. On the Configure other apps card, click Settings.

   The Configure other apps window opens.

5. Enable the settings using the Configure other apps toggle switch.
6. Click Add.

   The Add app configuration window opens.

7. In the Method for adding configuration drop-down list, select how to add configuration:
   • App package uploaded by administrator

     When adding an app configuration by using an APK file from your computer, you must select a file saved on your computer.

     After that, you can view the description for each setting of the configuration. These descriptions are part of the configuration file.

     Configuration keys uploaded from the app package cannot be deleted. If you want to add a new setting to the uploaded configuration, click the Add setting button.

   • Kaspersky Security Center installation package

     When adding an app configuration using an installation package from Kaspersky Security Center, you need to select the app from a list of mobile app packages.

     After that, you can view the description for each setting of the configuration. These descriptions are part of the configuration file.

     Settings of configurations added using installation packages cannot be deleted.

   • Manual configuration

     When this method is selected, click the Add setting button to add a new setting to the configuration.

8. In the Configuration data section, specify the following settings:
   • App name

     Name of the app to which the configuration is to be applied.

     When importing a configuration from an APK file or an installation package, the value is inserted automatically.

   • Package name

     Name of the package to which the configuration is to be applied.

     How to get the package name of an app

     To get the name of an app package:

     1. Open Google Play.
     2. Find the app and open its page.

     The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

     To get the name of an app package that has been added to Kaspersky Security Center:

     1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
     2. Click Android apps.

        In the list of apps that opens, app identifiers are displayed in the Package name column.

     When importing a configuration from an APK file or an installation package, the value is inserted automatically.

     You can add only one configuration for each package name.

   • Version

     Version of the app, that the created configuration will be based on.

     When importing a configuration from an APK file or installation package, the value is inserted automatically.

   • Comment

     An optional comment.

   An example of configured basic parameters for the Microsoft Outlook app.

   Microsoft Outlook app configuration

   Configuration key	Description	Type	Value	Default value
   com.microsoft.outlook.EmailProfile.EmailAccountName	Username	String	The username that will be used to pull the username from Microsoft Active Directory. It might be different from the user's email address. You can either enter a value or select a macro by clicking the button. For example, User.
   com.microsoft.outlook.EmailProfile.EmailAddress	Email address	String	The email address that will be used to pull the user's email address from Microsoft Active Directory. You can either enter a value or select a macro by clicking the button. For example, user@companyname.com.
   com.microsoft.outlook.EmailProfile.EmailUPN	User Principal Name or username for the email profile that is used to authenticate the account	String	The name of the user in email address format. For example, userupn@companyname.com.
   com.microsoft.outlook.EmailProfile.ServerAuthentication	Authentication method	String	Username and Password – Prompts the device user for their password. Certificates – Certificate-based authentication.	Username and Password
   com.microsoft.outlook.EmailProfile.ServerHostName	ActiveSync FQDN	String	The Exchange ActiveSync email server URL. You don't need to use http:// or https:// in front of the URL. For example, mail.companyname.com.
   com.microsoft.outlook.EmailProfile.AccountDomain	Email domain	String	The account domain of the user. You can either enter a value or select a macro by clicking the button. For example, companyname.
   com.microsoft.outlook.EmailProfile.AccountType	Authentication type	String	ModernAuth – Uses a token-based identity management method. Specify ModernAuth as the Account Type for Exchange Online. BasicAuth – Prompts the device user for their password. Specify BasicAuth as the Account Type for Exchange On-Premises.	BasicAuth

9. Click the Add setting button to add a block of the app configuration settings. You can add several blocks of settings.

   Specify the following parameters for each block of settings of the configuration:

   • Key

     Cannot be left blank. The value of this parameter is filled in manually.

   • Type

     Cannot be left blank. The value of this parameter is selected from a drop-down list.

     The following types are available:

     • String. A sequence of characters, digits, or symbols, always treated as text.
     • Bool. True or false.
     • Integer. A numeric data type for numbers without fractions.
     • Bundle. A set of fields of any type, except for Bundle or BundleArray.
     • BundleArray. A set of Bundles.
   • Value

     An optional parameter, whose value depends on the setting type.

   For some types of settings, additional parameters can be configured. For example:

   • You can add macros for a String.
   • You can add a field to a Bundle.
   • You can add a Bundle to a BundleArray.

   It is also possible to edit a setting to be added to a BundleArray by clicking the Configure Bundle button and configuring the setting's parameters.

   For information about configuring rules, please refer to the official documentation for the app to be configured.

10. Click Add.

    The configuration appears in the list of app configurations.

    You can modify or delete app configurations in the list using the Edit and Delete buttons at the top of the list.

11. Click OK.
12. Click Save to save the changes you have made.

The app configuration is applied.

Some apps may not notify Kaspersky Endpoint Security for Android that the app configuration has been applied.

When configuring some apps, certificates installed on devices via Kaspersky Security Center can be used. In this case, you must specify a certificate alias in the app configuration:

• VpnCert for VPN certificates.
• MailCert for mail certificates.
• SCEP_profile_name for certificates received using SCEP.

Managing app permissions

Expand all | Collapse all

These settings apply to corporate devices and devices with a corporate container.

App permission management settings let you configure rules for granting runtime permissions to installed apps.

To add app permissions:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the App configuration section.
4. On the App permission management card, click Settings.

   The App permission management window opens.

5. Enable the settings using the App permission management toggle switch.
6. Click Add.

   The Add app with permission granting rules window opens.

7. In the Method for adding configuration section, select how to add a configuration with permission granting rules:
   • App package uploaded by administrator

     When adding a configuration by uploading an app package, you need to select an APK file saved on your computer.

     After that, you can view a list of runtime permissions and select an action to be performed for each permission.

   • Kaspersky Security Center installation package

     When adding a configuration using an installation package added to Kaspersky Security Center, you need to select the app from the list of mobile app packages.

     After that, you can view a list of runtime permissions and select the action to be performed for each permission.

   • Manual configuration

     When adding a configuration manually, you must click the Add rule button to select a permission and a corresponding action from the drop-down lists.

8. In the App data section, specify the following settings:
   • App name

     Name of the app for which permissions are to be configured.

     When importing a configuration from an APK file or an installation package, the value is inserted automatically.

   • Package name

     Name of the package for which permissions are to be configured.

     How to get the package name of an app

     To get the name of an app package:

     1. Open Google Play.
     2. Find the app and open its page.

     The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

     To get the name of an app package that has been added to Kaspersky Security Center:

     1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
     2. Click Android apps.

        In the list of apps that opens, app identifiers are displayed in the Package name column.

     When importing a configuration from an APK file or an installation package, the value is inserted automatically.

   • Comment

     An optional comment.

9. Click the Add rule button to add and configure a new rule. You can add several permissions.

   Select one of the following permissions.

   • Permission for call handover
   • Location permissions
   • Permission to use saved geographic locations
   • Permission for activity recognition
   • Permission for answerphone voice mails
   • Permission to answer phone calls
   • Permissions for Bluetooth
   • Permissions to access body sensors data
   • Permission for phone calls
   • Permissions for camera
   • Permission to access account list
   • Permissions to access nearby devices via Wi-Fi
   • Permission to send notifications
   • Permission to manage outgoing calls
   • Permission to read calendar data
   • Permission to read call log
   • Permission to read contact list
   • Permissions to read external storage
   • Permission to read device's phone numbers
   • Permission to read phone state
   • Permissions to monitor SMS and MMS incoming messages
   • Permission to receive WAP push messages
   • Permission to record audio
   • Permission to send SMS
   • Permission to use SIP telephony
   • Permission to access devices that use UWB
   • Permission to write data to calendar
   • Permission to write and read data of call log
   • Permission to write contacts
   • Permission to write data to external storage

   To configure granting rules for app runtime permissions, you need to select one of the following actions for each permission:

   • Allow users to configure permissions

     When a permission is requested, the user decides whether to grant the specified permission to the app.

     This option is selected by default.

   • Grant permissions automatically

     The app is granted the permission without user interaction.

     On devices with a corporate container running Android 12 or later, the following permissions can't be granted automatically but can be denied automatically. If you select this option, the app will prompt the user for these permissions:

     • Location permissions
     • Permissions for camera
     • Permissions to record audio
     • Permission for activity recognition
     • Permissions to monitor SMS and MMS incoming messages
     • Permissions to access body sensor data
   • Deny permissions automatically

     The app is denied the permission without user interaction.

   You can save only one granting rule for each app permission.

10. Click Add.

    The configuration appears in the Apps with configured permission granting rules list.

    You can modify or delete configurations in the list using the Edit and Delete buttons at the top of the list.

11. Click OK.
12. Click Save to save the changes you have made.

The configuration with permission granting rules is applied. Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Permission granting rules configured for specific apps have precedence over the general policy for granting permissions. For example, if you first select the Deny permissions automatically option in the Corporate container on devices section, and then select the Grant permissions automatically option for a specific app in the App permission management section, the permission for this app will be granted automatically.

Creating a report on installed mobile apps

Expand all | Collapse all

The Report on installed mobile apps lets you get detailed information about the apps installed on users' Android devices.

To allow the report to display information, the Send data on installed apps check box must be selected in App Control settings and the An app was installed or removed (list of installed apps) informational event type must be stored in the Administration Server database.

To enable sending data:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the Security controls section.
4. On the App Control card, click Settings.

   The App Control window opens.

5. In the Report on installed apps section, select the Send data on installed apps check box.
6. If you want to receive data about system apps, select the Send data on built-in apps check box.
7. If you want to receive data about service apps, which do not have an interface and cannot be opened by the user, select the Send data on service apps check box.
8. Click OK.
9. Click Save to save the changes you have made.
10. Click the name of the policy and select Event configuration.
11. Go to the Info section.
12. Click the An app was installed or removed (list of installed apps) event to open its properties.
13. In the event properties window, turn on the Store in the Administration Server database for (days) toggle switch and set the storage period. By default, the storage period is 30 days.

    After the storage period expires, the Administration Server deletes outdated information from the database. For more information about events, please refer to the Kaspersky Security Center Help.

14. Click OK.
15. Click Save to save the changes you have made.

Sending data is enabled.

To configure a report on installed mobile apps:

1. In the main window of Kaspersky Security Center Web Console, select Monitoring & reporting → Reports.
2. Click the Report on installed mobile apps report template to open its properties.
3. In the window that opens, click Edit.
4. Edit the report template properties:
   • On the General tab, specify the following parameters:
     • Report template name
     • Maximum number of entries to display

       If this option is enabled, the number of entries displayed in the table with detailed report data does not exceed the specified value.

       Report entries are first sorted according to the rules specified in the Fields > Details fields section of the report template properties, and then only the first of the resulting entries are kept. The heading of the table with detailed report data shows the displayed number of entries and the total available number of entries that match other report template settings.

       If this option is disabled, the table with detailed report data displays all available entries. We do not recommend that you disable this option. Limiting the number of displayed report entries reduces the load on the database management system (DBMS) and reduces the time required for generating and exporting the report. Some reports contain an excessive number of entries. If this is the case, you may find it difficult to read and analyze them all. Also, your device may run out of memory while generating such a report. Consequently, you will not be able to view the report.

       By default, this option is enabled. The default value is 1000.

     • Group

       The set of client devices the report is created for.

     • Include data from secondary and virtual Administration Servers

       If this option is enabled, the report includes the information from the secondary and virtual Administration Servers that are subordinate to the Administration Server for which the report template is created.

       Disable this option if you want to view data only from the current Administration Server.

       By default, this option is enabled.

     • Up to nesting level

       The report includes data from secondary and virtual Administration Servers that are located under the current Administration Server on a nesting level that is less than or equal to the specified value.

       The default value is 1. You may want to change this value if you have to get information from secondary Administration Servers located at lower levels in the tree.

     • Data wait interval (min)

       Before generating the report, the Administration Server for which the report template is created waits for data from secondary Administration Servers during the specified number of minutes. If no data is received from a secondary Administration Server at the end of this period, the report runs anyway. Instead of up-to-date data, the report shows data taken from the cache (if the Cache data from secondary Administration Servers option is enabled), or N/A (not available) otherwise.

       The default value is 5 (minutes).

     • Cache data from secondary Administration Servers

       Secondary Administration Servers regularly transfer data to the Administration Server for which the report template is created. The transferred data is stored in the cache on that Administration Server.

       If the current Administration Server cannot receive data from a secondary Administration Server while generating the report, the report shows data taken from the cache. The date when the data was transferred to the cache is also displayed.

       Enabling this option lets you view information from secondary Administration Servers even if up-to-date data cannot be retrieved. However, the displayed data may be obsolete.

       By default, this option is disabled.

     • Transfer detailed information from secondary Administration Servers

       In the generated report, the table with detailed report data includes data from secondary Administration Servers of the Administration Server for which the report template is created.

       Enabling this option slows report generation and increases traffic between Administration Servers. However, it lets you view all data in one report.

       Instead of enabling this option, you may want to analyze detailed report data to detect a faulty secondary Administration Server, and then generate the same report only for that faulty Administration Server.

       By default, this option is disabled.

   • On the Fields tab, select the fields that will be displayed in the report and the order of these fields, and configure whether the report must be sorted and filtered by each of the fields.
5. Click Save to save the changes you have made.

The updated report template appears in the list of report templates.

To create and view a report on installed mobile apps:

1. In the main window of Kaspersky Security Center Web Console, select Monitoring & reporting → Reports.
2. Click a report with the Report on installed mobile apps type.

A report using the selected template is generated and displayed.

For more information about using reports, managing custom report templates, using report templates to generate new reports, and creating report delivery tasks, please refer to the Kaspersky Security Center Help.

Installing root certificates on Android devices

A root certificate is a public key certificate issued by a trusted certificate authority (CA). Root certificates are used to verify custom certificates and guarantee their identity.

Kaspersky Security Center Web Console lets you add root certificates to be installed to a trusted certificate store on Android devices.

These certificates are installed on user devices as follows:

• On corporate devices, the certificates are installed automatically.

  If you delete a root certificate in the policy settings, it will also be automatically deleted on the device during the next synchronization with the Administration Server.

• On personal devices:
  • If a corporate container was not created, the device user is prompted to install each certificate manually in a personal space by following the instructions in the notification.
  • If a corporate container was created, the certificates are installed automatically to the container. If the Duplicate installation of root certificates in user's personal space check box is selected in the corporate container settings, the certificates can also be installed in a personal space. The device user is prompted to do this manually by following the instructions in the notification.

    If you delete a root certificate in the policy settings, it will also be automatically deleted on the device during the next synchronization with the Administration Server.

    For instructions on how to install certificates in a personal space, please refer to Installing root certificates on the device.

To add a root certificate:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the Device configuration section.
4. On the Root certificates card, click Settings.

   The Root certificates window opens.

5. Enable the settings using the Root certificates toggle switch.
6. Click Add.

   The file explorer opens.

7. Select a certificate file (a CER, PEM, KEY, or CRT file) and click Open.

   The certificate file must be no larger than 10 MB.

   The certificate will appear in the list of root certificates.

8. Click OK.
9. Click Save to save the changes you have made.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

Configuring notifications for Kaspersky Endpoint Security for Android

If you don't want the mobile device user to be distracted by Kaspersky Endpoint Security for Android notifications, you can disable certain notifications.

Kaspersky Endpoint Security for Android uses the following tools to display the status of device protection:

• Protection status notification. This notification is pinned to the notification bar. A protection status notification cannot be removed. The notification displays the device protection status (for example, ) and the number of issues, if any. You can tap the device protection status and see security issues in the app.
• App notifications. These notifications inform the device user about the application (for example, the detection of a threat).
• Pop-up messages. Pop-up messages require action from the device user (for example, action to take when a threat is detected).

All Kaspersky Endpoint Security for Android notifications are enabled by default.

On Android 13, the device user must grant the permission to send notifications during or after the Initial Configuration Wizard.

The user can disable all notifications from Kaspersky Endpoint Security for Android in the settings on the notification bar. If notifications are disabled, the user is not monitoring operation of the app and may ignore important information (for example, information about failures during device synchronization with Kaspersky Security Center). In this case, to find out the app operating status, the user must open Kaspersky Endpoint Security for Android.

To configure displaying notifications about the operation of Kaspersky Endpoint Security for Android:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the KES for Android settings section.
4. On the Notifications card, click Settings.

   The Notifications window opens.

5. Enable the settings using the Notifications toggle switch.
6. If you want to hide all notifications and pop-up messages, in the Background notifications section, select the Disable notifications when Kaspersky Endpoint Security is in the background check box.

   Kaspersky Endpoint Security for Android will display only the protection status notification. The notification displays the device protection status (for example, ) and the number of issues.

   In-app notifications (for example, when the user updates anti-malware databases manually) will still be displayed.

   We recommend that you enable notifications and pop-up messages. If you disable notifications and pop-up messages when the app is in the background, the app will not warn users about threats in real time. In this case, mobile device users will not see the device protection status unless they open the app.

7. In the Notifications about device security issues section, select the Kaspersky Endpoint Security for Android issues that you want to display on the user's mobile device.

   Displaying certain Kaspersky Endpoint Security for Android issues is mandatory. These issues are always displayed on the device (for example, issues about license expiration).

8. Click OK.
9. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. The notifications that you disable will not be displayed on the user's mobile device.

Connecting iOS MDM devices to AirPlay

Configure the connection to AirPlay devices to stream music, photos, and videos from an iOS MDM device to AirPlay devices. To be able to use AirPlay, the mobile device and AirPlay devices must be connected to the same wireless network. AirPlay devices include Apple TV devices (second generation or later), AirPort Express devices, speakers, TVs, and radios with AirPlay support.

Automatic connection to AirPlay devices is available for devices operating in basic control mode and for supervised devices.

To configure the connection of an iOS MDM device to AirPlay devices:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Device configuration section.
4. On the AirPlay card, click Settings.

   The AirPlay window opens.

5. Enable the settings using the AirPlay toggle switch.
6. In the Passwords section, click Add password.
7. In the Device field, enter the name of the AirPlay device on the wireless network.
8. In the Password field, enter the password to the AirPlay device.
9. If you want iOS MDM devices to connect only to specific AirPlay devices, create a list of allowed devices in the Allowed devices section. To do this, click Add device and specify the MAC addresses of AirPlay devices.

   Both the Wi-Fi and Ethernet address for each device must be added.

   Access to AirPlay devices that are not in the list of allowed devices is blocked. If the list of allowed devices is empty, Kaspersky Mobile Devices Protection and Management allows access to all AirPlay devices.

10. Click OK.
11. Click Save to save the changes you have made.

As a result, once the policy is applied, the user's mobile device will automatically connect to AirPlay devices to stream media.

Connecting iOS MDM devices to AirPrint

To enable printing documents from an iOS MDM device wirelessly using AirPrint, configure automatic connection to AirPrint printers. The mobile device and printer must be connected to the same wireless network. Shared access for all users must be configured on the AirPrint printer.

To configure the connection of an iOS MDM device to an AirPrint printer:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Device configuration section.
4. On the AirPrint card, click Settings.

   The AirPrint window opens.

5. Enable the settings using the AirPrint toggle switch.
6. Click Add.

   The Add printer window opens.

7. In the IP address or FQDN field, enter the IP address or a fully qualified domain name (FQDN) of the AirPrint printer.
8. In the Port field, enter the listening port of the AirPrint destination.
9. In the Resource path field, enter the path to the AirPrint printer.

   The path to the printer corresponds to the rp (resource path) key of the Bonjour protocol. For example:

   • printers/Canon_MG5300_series
   • ipp/print
   • Epson_IPP_Printer
10. If you want to protect the connection to the AirPrint printer using the TLS protocol, select the Use TLS check box.
11. Click Add.

    The newly added AirPrint printer appears in the list.

12. Click OK.
13. Click Save to save the changes you have made.

As a result, once the policy is applied, the mobile device user can wirelessly print documents on the AirPrint printer.

Configuring the Access Point Name (APN)

This section provides instructions on how to connect a mobile device to cellular data services on a mobile network.

Configuring APN on Android devices (only Samsung)

APN can be configured only for Samsung devices.

A SIM card must be inserted to be able to use an access point on the user's mobile device. Access point settings are provided by the mobile operator. Incorrect access point settings may result in additional mobile charges.

To configure the Access Point Name (APN) settings on a user's mobile device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the Samsung Knox settings section.
4. On the APN settings card, click Settings.

   The APN settings window opens.

5. Enable the settings using the APN settings toggle switch.

   The toggle switch in this card does not enable or disable the corresponding functionality on devices. Enabling the toggle switch lets you configure custom settings. Disabling the toggle switch lets you use default settings.

6. Specify the following access point settings for connecting the user to the data service:
   • In the APN type drop-down list, select the type of access point (APN) for data transmission on a GPRS/3G/4G mobile network:
     • Internet. Connection of the user's mobile device to the internet.
     • MMS. Exchange of MMS multimedia messages.
     • Internet and MMS. Connection to the internet and exchange of multimedia messages. This is the default value.
   • In the APN name field, specify the name of the access point.
   • In the MCC field, enter the mobile country code (MCC).
   • In the MNC field, enter the mobile network code (MNC).
7. If you have selected MMS or Internet and MMS as the type of access point, specify the following additional MMS server settings in the MMS server section:
   • In the MMS server name field, specify the full domain name of the mobile carrier's server used for MMS exchange (for example, mms.mobile.com).
   • In the MMS proxy server address field, specify the network name or IP address of the proxy server.
   • In the MMS proxy server port field, specify the port number of the mobile carrier's server used for MMS exchange.
8. In the Authentication section, specify the authentication settings:
   • In the Authentication type drop-down list, select the type of authentication of the mobile device user that will be used on the mobile carrier's server for network access. By default, user authentication is not required. The following types are available:
     • None. User authentication is not required to access the mobile network.
     • PAP (Password Authentication Protocol). An authentication protocol that uses passwords as plain non-encrypted text.
     • CHAP (Challenge Handshake Authentication Protocol). A request-response authentication protocol that uses standard MD5 hashing to encrypt the response.
     • Concurrently. Combined use of CHAP and PAP protocols.
   • In the User name field, enter the user name for authorization on the mobile network.
   • In the Password field, enter the password for user authorization on the mobile network.
9. In the Network section, specify the following network settings:
   • In the Network name field, enter the name of the network.
   • In the Server address field, specify the network name of the mobile carrier's server through which data transmission services are accessed.
10. In the Proxy server section, specify the following proxy server settings:
    • Select the Use a proxy server check box to enable the use of a proxy server. This check box is cleared by default.
    • In the Proxy server address field, specify the network name or IP address of the mobile carrier's proxy server for network access. This field is available only if the Use a proxy server check box is selected.
    • In the Proxy server port field, specify the port number of the mobile carrier's proxy server for network access. This field is available only if the Use a proxy server check box is selected.
11. Click OK.
12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Configuring APN on iOS MDM devices

The Access Point Name (APN) has to be configured in order to enable the mobile network data transmission service on the user's iOS MDM device.

To configure an access point on a user's iOS MDM device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Device configuration section.
4. On the APN settings card, click Settings.

   The APN settings window opens.

5. Enable the settings using the APN settings toggle switch.

   The toggle switch in this card does not enable or disable the corresponding functionality on devices. Enabling the toggle switch lets you configure custom settings. Disabling the toggle switch lets you use default settings.

6. In the APN type drop-down list, select the type of access point for data transfer on a GPRS/3G/4G mobile network:
   • Built-in APN. Configure cellular communication settings for data transfer via a mobile network operator that supports operation with a built-in Apple SIM. For more details about devices with a built-in Apple SIM, visit the Apple Support website.
   • APN. Configure cellular communication settings for data transfer via the mobile network operator of the inserted SIM card.
   • Built-in APN and APN. Configure cellular communication settings for data transfer via the mobile network operators of the inserted SIM card and the built-in Apple SIM. For more details about devices with a built-in Apple SIM and a SIM card slot, visit the Apple Support website.
7. If you selected APN, in the APN section click Add.

   The Add APN window opens.

8. Configure the following settings:
   1. In the APN name field, specify the name of the access point.
   2. In the Authentication type drop-down list, select the type of user authentication on the mobile operator's server for network access (internet and MMS).
   3. In the User name field, enter the user name for authorization on the mobile network.
   4. In the Password field, enter the password for user authorization on the mobile network.
   5. In the Proxy server address field, enter the name of the host or the IP address of the proxy server.
   6. In the Proxy server port field, enter the number of the proxy server port.
   7. In the Allowed protocol drop-down list, select the internet protocol.
   8. In the Allowed protocol for roaming drop-down list, select the internet protocol that will be used during international roaming.
   9. In the Allowed protocol for domestic roaming drop-down list, select the internet protocol that will be used during domestic roaming.
   10. If you want devices on IPv6-only networks to be able to access IPv4-only internet services, select the Use the 464XLAT technology check box.
   11. Click OK.
9. If you selected Built-in APN, configure the following settings:
   1. In the Built-in APN name field, specify the name of the access point.
   2. In the Authentication type drop-down list, select the type of user authentication on the mobile operator's server for network access (internet and MMS).
   3. In the User name field, enter the user name for authorization on the mobile network.
   4. In the Password field, enter the password for user authorization on the mobile network.
   5. In the Allowed protocol drop-down list, select the internet protocol.
10. Click OK.
11. Click Save to save the changes you have made.

As a result, the access point name (APN) is configured on the user's mobile device after the policy is applied.

Corporate container

This section contains information about working with a corporate container.

About corporate containers

Android Enterprise is a platform for managing the corporate mobile infrastructure and provides company employees with a safe work environment in which they can use mobile devices. For details on using Android Enterprise, see the Google support website.

You can create a corporate container that uses an Android Work Profile on a user's personal mobile device. A corporate container is a safe environment in which the administrator can manage apps and user accounts without restricting the user's use of their own data. When a corporate container is created on the user's mobile device, the following corporate apps are automatically installed in it: Google Play, Google Chrome, Downloads, Kaspersky Endpoint Security for Android, and others. Apps installed in the corporate container as well as notifications from these apps are marked with a briefcase icon. You have to create a separate Google corporate account for the Google Play app. Apps installed in a corporate container appear in the common list of apps.

Configuring a corporate container

Expand all | Collapse all

To configure the settings of a corporate container:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the Corporate container section.
4. On the Corporate container on devices card, click Settings.

   The Corporate container on devices window opens.

5. Enable the settings using the Corporate container on devices toggle switch.
6. Specify the corporate container settings:
   • On the General tab, you can specify the settings for data sharing, contacts, and more.
     • Settings in the Data access and sharing section:
       • Prohibit personal apps from sharing data with corporate container apps

         Restricts sharing files, pictures, or other data from personal apps with corporate container apps.

         If the check box is selected, personal apps can't share data with corporate container apps.

         If the check box is cleared, personal apps can share data with corporate container apps.

         This check box is selected by default.

       • Prohibit corporate container apps from sharing data with personal apps

         Restricts sharing files, pictures, or other data from corporate container apps with personal apps.

         If the check box is selected, the apps in the corporate container can't share data with personal apps.

         If the check box is cleared, the apps in the corporate container can share data with personal apps.

         This check box is selected by default.

       • Prohibit corporate container apps from accessing personal files

         Restricts access of corporate container apps to personal files.

         If the check box is selected, the user can't access personal files when using corporate container apps.

         If the check box is cleared, the user can access personal files when using corporate container apps. Note that the access must be also supported by the apps that are being used.

         This check box is selected by default.

       • Prohibit personal apps from accessing files in corporate container

         Restricts access of personal apps to files in the corporate container.

         If the check box is selected, the user can't access files in the corporate container when using personal apps.

         If the check box is cleared, the user can access files in the corporate container when using personal apps. Note that the access must be supported by the apps that are being used.

         This check box is selected by default.

       • Prohibit use of clipboard between personal apps and corporate container

         Selecting or clearing this check box specifies whether the device user is allowed to copy data via the clipboard between personal apps and the corporate container.

         This check box is selected by default.

       • Prohibit activation of USB debugging

         Restricts the use of USB debugging on the user's mobile device in the corporate container. In USB debugging mode, the user can download an app via a workstation, for example.

         If the check box is selected, USB debugging mode is not available to the user. The user is unable to configure the mobile device via USB after connecting the device to a workstation.

         If the check box is cleared, the user can enable USB debugging mode, connect the mobile device to a workstation via USB, and configure the device.

         This check box is selected by default.

       • Prohibit users from adding and removing accounts in corporate container

         If the check box is selected, the user is prohibited to add and remove accounts in the corporate container via the Settings or Google apps. This includes restricting the ability to sign in to Google apps for the first time. However, the user can sign in, add, and remove accounts via some other third-party apps in the corporate container.

         Accounts that were added before the restriction is set will not be removed and sign in to these accounts is not restricted.

         This check box is selected by default.

       • Prohibit screen sharing, recording, and screenshots in corporate container apps

         Selecting or clearing this check box specifies whether the device user is allowed to take screenshots of, record and share the device screen in corporate container apps. It also specifies whether the contents of the device screen are allowed to be captured for artificial intelligence purposes.

         This check box is selected by default.

     • Settings in the Contacts section:
       • Prohibit showing contact name from corporate container for incoming personal calls

         Selecting or clearing this check box specifies whether a contact name from the corporate container will be shown for personal incoming calls.

         This check box is selected by default.

       • Prohibit personal apps from accessing corporate container contacts

         Selecting or clearing this check box specifies whether personal contact management apps are allowed to access corporate container contacts.

         This check box is selected by default.

   • On the Apps tab, specify the following settings:
     • Settings in the General section:
       • Enable App Control in corporate container only

         Controls the startup of apps in the corporate container on the user's mobile device. You can create lists of allowed, forbidden, and recommended apps as well as allowed and forbidden app categories in the App Control section.

         If this check box is selected, then depending on the App Control settings, Kaspersky Endpoint Security blocks or allows startup of apps only in the corporate container. Moreover, App Control does not work in the user's personal space.

         This check box is selected by default.

       • Enable Web Protection and Web Control in corporate container only

         Restricts user access to websites in the corporate container on the device. You can specify website access settings in the Web Control settings.

         If this check box is selected, Web Protection and Web Control block or allow access to websites only in the corporate container. Moreover, Web Protection and Web Control do not work in the user's personal space.

         If this check box is cleared, then depending on the Web Protection and Web Control settings, Kaspersky Endpoint Security blocks or allows access to websites in the user's personal space and the corporate container.

         This check box is selected by default.

       • Prohibit installation of apps from unknown sources in corporate container

         Restricts installation of apps in the corporate container from all sources other than Google Play Enterprise.

         If the check box is selected, the user can install apps only from Google Play. Users use their own Google corporate accounts to install apps.

         If the check box is cleared, the user can install apps in any available way. Only apps forbidden in the App Control settings can't be installed.

         This check box is cleared by default.

       • Prohibit removing apps from corporate container

         Selecting or clearing this check box specifies whether the user is prohibited from removing apps from the corporate container.

         This check box is cleared by default.

       • Prohibit displaying notifications from corporate container apps when screen is locked

         Restricts displaying the contents of notifications from corporate container apps on the lock screen of the device.

         If the check box is selected, the contents of notifications from corporate container apps can't be viewed on the device lock screen. To view these notifications, the user has to unlock the device or corporate container.

         If the check box is cleared, notifications from corporate container apps are displayed on the device lock screen.

         This check box is selected by default.

       • Prohibit use of camera for corporate container apps

         Selecting or clearing this check box specifies whether corporate container apps can access the device camera.

         This check box is selected by default.

     • In the Granting runtime permissions for corporate container apps section you can select an action to be performed when corporate container apps are running and request additional permissions. This does not apply to permissions granted in the device settings (for example, Access All Files).
       • Allow users to configure permissions

         When a permission is requested, the user decides whether to grant the specified permission to the app.

         This option is selected by default.

       • Grant permissions automatically

         All corporate container apps are granted permissions without user interaction.

         On Android 12 or later, the following permissions can't be granted automatically but can be denied automatically. If you select this option, the app will prompt the user for these permissions:

         • Location permissions
         • Permissions for camera
         • Permissions to record audio
         • Permission for activity recognition
         • Permissions to monitor SMS and MMS incoming messages
         • Permissions to access body sensor data
       • Deny permissions automatically

         All corporate container apps are denied permissions without user interaction.

         Users can adjust app permissions in the device settings before these permissions are denied automatically.

     • In the Adding widgets of corporate container apps to device home screen section you can choose whether the device user is allowed to add widgets of corporate container apps to the device home screen.
       • Prohibit for all apps

         The device user is prohibited from adding widgets of apps installed in the corporate container.

         This option is selected by default.

       • Allow for all apps

         The device user is allowed to add widgets of all apps installed in the corporate container.

       • Allow only for the listed apps

         The device user is allowed to add widgets of listed apps installed in the corporate container.

         To add an app to the list, click Add and enter an app package name.

         How to get the package name of an app

         To get the name of an app package:

         1. Open Google Play.
         2. Find the app and open its page.

         The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

         To get the name of an app package that has been added to Kaspersky Security Center:

         1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
         2. Click Android apps.

            In the list of apps that opens, app identifiers are displayed in the Package name column.

   • On the Certificates tab, you can configure the following settings:
     • Duplicate installation of VPN certificates in user's personal space

       Selecting or clearing the check box specifies whether the VPN certificate added in the Mobile → Certificates section of the Kaspersky Security Center Web Console and installed in the corporate container will also be installed in the user's personal space.

       By default, VPN certificates received from Kaspersky Security Center are installed in the corporate container. This setting is applied when a new VPN certificate is issued.

       This check box is cleared by default.

     • Duplicate installation of root certificates in user's personal space

       Selecting or clearing the check box specifies whether the root certificates added in the Root certificates settings and installed in the corporate container will also be installed in the user's personal space.

       This check box is cleared by default.

   • On the Password tab, specify the corporate container password settings:
     • Require setting a password for corporate container

       Lets you specify the requirements for the corporate container password according to company security requirements.

       If the check box is selected, password requirements are available for configuration. When the policy is applied, the user receives a notification prompting them to set up a corporate container password according to company requirements.

       If the check box is cleared, password settings cannot be edited.

       This check box is cleared by default.

     • Minimum password length

       The minimum number of characters in the user password. Possible values: 4 to 16 characters.

       The user's password is 4 characters long by default.

       The following applies only to the user's personal space and the corporate container:

       • In the user's personal space, Kaspersky Endpoint Security converts the password strength requirements into one of values available in the system: medium or high on devices running Android 10 or later.
       • In the corporate container, Kaspersky Endpoint Security converts the password strength requirements into one of the values available in the system: medium or high on devices running Android 12 or later.

       The values are determined using the following rules:

       • If the required password length is 1 to 4 characters, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered sequences (e.g. 1234), or alphabetic/alphanumeric. The PIN or password must be at least 4 characters long.
       • If the required password length is 5 or more characters, then the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphabetic/ alphanumeric (password). A PIN must be at least 8 digits long. A password must be at least 6 characters long.
     • Minimum password complexity requirements

       Specifies the minimum unlock password requirements. These requirements apply only to new user passwords. The following values are available:

       • Numeric

         The user can set a password that includes numbers or set any stronger password (for instance, an alphabetic or alphanumeric password).

         This option is selected by default.

       • Alphabetic

         The user can set a password that includes letters (or other non-number symbols) or set any stronger password (for instance, an alphanumeric password).

       • Alphanumeric

         The user can set a password that includes both numbers and letters (or other non-number symbols) or set any stronger complex password.

       • No requirements

         The user can set any password.

       • Complex

         The user must set a complex password according to the specified password properties:

         • Minimum number of letters
         • Minimum number of digits
         • Minimum number of special characters (for example, !@#$%)
         • Minimum number of uppercase letters
         • Minimum number of lowercase letters
         • Minimum number of non-alphabetic characters (for example, 1^*9)
       • Complex numeric

         The user can set a password that includes numbers with no repetitions (e.g. 4444) and no ordered sequences (e.g. 1234, 4321, 2468) or set any stronger complex password.

     • Maximum number of failed password attempts before corporate container is deleted

       Specifies the maximum number of user attempts to enter the password to unlock the corporate container. When the policy is applied, the corporate container will be deleted from the device after the maximum number of failed attempts is exceeded.

       Possible values are 4 to 16.

       The default value is not set. This means that the attempts are not limited.

     • Maximum password lifetime (days)

       Specifies the number of days before the password expires. Applying a new value will set the current password lifetime to the new value.

       The default value is 0. This means that the password won't expire.

     • Number of days to send a notification before a required password change

       Specifies the number of days to notify the user before the password expires.

       The default value is 0. This means that the user won't be notified about an expiring password.

     • Number of recent passwords that cannot be set as a new password

       Specifies the maximum number of previous user passwords that can't be used as a new password. This setting applies only when the user sets a new password on the device.

       The default value is 0. This means that the new user password can match any previous password except the current one.

     • Period of inactivity before corporate container is locked (sec)

       Specifies the period of inactivity before the device locks.

       The default value is 0. This means that the device won't lock after a certain period.

     • Period after biometric unlock before password must be entered (min)

       Specifies the period for unlocking the device without a password. During this period, the user can use biometric methods to unlock the screen. After this period, the user can unlock the screen only with a password.

       The default value is 0. This means that the user won't be forced to unlock the device with a password after a certain period.

     • Allow biometric unlock methods

       If the check box is selected, the use of biometric unlock methods on the mobile device is allowed.

       If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of biometric methods to unlock the screen. The user can unlock the screen only with a password.

       This check box is selected by default.

     • Allow fingerprint unlock

       Specifies whether fingerprints can be used to unlock the screen.

       This check box does not restrict the use of a fingerprint scanner when signing in to apps or confirming purchases.

       If the check box is selected, the use of fingerprints on the mobile device is allowed.

       If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of fingerprints to unlock the screen. The user can unlock the screen only with a password. In the device settings, the option to use fingerprints will be unavailable.

       This check box is available only if the Allow biometric unlock methods check box is selected.

       This check box is selected by default.

       On some Xiaomi devices with a corporate container, the corporate container may be unlocked by a fingerprint only if you set the Period of inactivity before corporate container is locked (sec) value after setting a fingerprint as the screen unlock method.

     • Allow face unlock

       If the check box is selected, the use of face scanning is allowed on the mobile device.

       If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of face scanning to unlock the screen.

       This check box is available only if the Allow biometric unlock methods check box is selected.

       This check box is selected by default.

     • Allow iris scanning

       If the check box is selected, the use of iris scanning is allowed on the mobile device.

       If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of iris scanning to unlock the screen.

       This check box is available only if the Allow biometric unlock methods check box is selected.

       This check box is selected by default.

   • On the Passcode tab, specify the one-time passcode settings. The user will be prompted to enter the one-time passcode to unlock their corporate container if it is locked.
     • Passcode length

       The number of digits in the passcode. Possible values: 4, 8, 12, or 16 characters.

       The passcode length is 4 characters by default.

7. Click OK.
8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. The user's mobile device is divided into a corporate container and a personal space.

Unlocking the corporate container

The corporate container can be locked if the device does not meet the Compliance Control security requirements.

To unlock the corporate container, the user of the mobile device must enter a one-time corporate container passcode on the locked screen. The passcode is generated by Kaspersky Security Center and is unique for each mobile device. When the corporate container is unlocked, the corporate container password is set to the default value (1234).

As an administrator, you can view the passcode in the policy settings that are applied to the mobile device. The length of the passcode can be changed (4, 8, 12, or 16 digits) in the Corporate container on devices settings of the policy.

To unlock a corporate container using a one-time passcode:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
2. Click the mobile device for which you want to get a one-time passcode.
3. Select Applications → Kaspersky Mobile Devices Protection and Management.

   The Kaspersky Mobile Devices Protection and Management properties window opens.

4. Select the Application settings tab.

   The unique passcode for the selected device is shown in the One-time code field of the One-time corporate container passcode section.

5. Use any available method (such as email) to communicate the one-time passcode to the user.

   The user then must enter the received one-time passcode on their device.

The corporate container of the user's mobile device is unlocked.

After the corporate container on a device is locked, the history of corporate container passwords is cleared. This means that the user can specify a recent password, regardless of the corporate container password settings.

Adding an LDAP account

These settings apply to supervised devices and devices operating in basic control mode.

To enable an iOS MDM device user to access corporate contacts on the LDAP server, add an LDAP account.

To add an LDAP account of an iOS MDM device user:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Device configuration section.
4. On the LDAP card, click Settings.

   The LDAP window opens.

5. Enable the settings using the LDAP toggle switch.
6. Click Add.

   The Add LDAP account window opens.

7. On the General settings tab. specify the following LDAP settings:
   • In the Server section, specify the server settings:
     • In the Description field, enter a description of the user's LDAP account. You can either enter a value or select a macro by clicking the button.
     • In the Server address field, enter the name of the LDAP server domain.
   • In the Authentication section, specify the user's credentials:
     • In the Account name field, enter the account name for authorization on the LDAP server. You can either enter a value or select a macro by clicking the button.
     • In the Password field, enter the password of the LDAP account for authorization on the LDAP server.
     • To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of messages, select the Use SSL connection check box.
   • If necessary, in the Per App VPN section, configure Per App VPN.
8. On the Search settings tab, compile a list of search queries for the iOS MDM device user to access corporate data on the LDAP server:
   1. Click the Add setting button to add a block of the search query settings.
   2. In the Name field, enter the name of a search query.
   3. In the Search scope drop-down list, select the nesting level of the folder for searching corporate data on the LDAP server:
      • Root folder of the LDAP server. Search in the base folder of the LDAP server.
      • First level subfolders. Search in folders in the first nesting level, counting from the base folder.
      • All subfolders. Search in folders in all nesting levels, counting from the base folder.
   4. In the Search base field, enter the path to the folder on the LDAP server where the search begins (for example: "ou=people", "o=example corp").
   5. Repeat steps a-d for all search queries that you want to add to the iOS MDM device.
9. Click Add.

   The new LDAP account appears in the list.

   You can modify or delete LDAP accounts in the list using the Edit and Delete buttons at the top of the list.

10. Click OK.
11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, LDAP accounts from the compiled list is added on the user's mobile device. The user can access corporate contacts in the standard iOS apps: Contacts, Messages, and Mail.

Adding a contacts account

These settings apply to supervised devices and devices operating in basic control mode.

To let the iOS MDM device user synchronize data with the CardDAV server, add a CardDAV account. Synchronization with the CardDAV server lets the user access the contact details from any device.

To add a CardDAV account of an iOS MDM device user:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Device configuration section.
4. On the Contacts card, click Settings.

   The Contacts window opens.

5. Enable the settings using the Contacts toggle switch.
6. Click Add.

   The Add CardDAV account window opens.

7. In the Server section, in the Description field, enter a description of the user's CardDAV account.
8. In the Server address and Server port fields, enter the host name or the IP address of the CardDAV server and the number of the CardDAV server port.
9. In the Contact URL field, specify the URL of the CardDAV account of the iOS MDM device user on the CardDAV server (for example: http://example.com/carddav/users/mycompany/user).

   The URL must begin with http:// or https://.

10. In the Authentication section, in the Account name field, enter the account name for authorization on the CardDAV server.
11. In the Password field, enter the CardDAV account password for authorization on the CardDAV server.
12. If you want to use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of data between the CardDAV server and the mobile device, select the Use SSL connection check box.
13. If necessary, in the Per App VPN section, configure Per App VPN.
14. Click Add.

    The new CardDAV account appears in the list.

    You can modify or delete CardDAV accounts in the list using the Edit and Delete buttons at the top of the list.

15. Click OK.
16. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, CardDAV accounts from the compiled list will be added on the user's mobile device.

If you experience problems when adding or updating accounts, check whether the settings you configured are correct.

Adding a calendar account

To let an iOS MDM device user access their calendar events on a CalDAV server, add a CalDAV account. Synchronization with the CalDAV server lets the user create and receive invitations, receive event updates, and synchronize tasks with the Reminders app.

To add an iOS MDM device user's CalDAV account:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Device configuration section.
4. On the Calendar card, click Settings.

   The Calendar window opens.

5. Enable the settings using the Calendar toggle switch.
6. Click Add.

   The Add CalDAV account window opens.

7. In the Server section, in the Description field, enter a description of the user's CalDAV account.
8. In the Server address and Server port fields, enter the host name or the IP address of a CalDAV server and the number of the CalDAV server port.
9. In the Calendar URL field, specify the URL of the CalDAV account of the iOS MDM device user on the CalDAV server (for example, http://example.com/caldav/users/mycompany/user).

   The URL must begin with http:// or https://.

10. In the Authentication section, in the Account name field, enter the account name for authorization on the CalDAV server.
11. In the Password field, set the CalDAV account password for authorization on the CalDAV server.
12. If you want to use the SSL (Secure Sockets Layer) data transport protocol to secure transmission of event data between the CalDAV server and the mobile device, select the Use SSL connection check box.
13. If necessary, in the Per App VPN section, configure Per App VPN.
14. Click Add.

    The new CalDAV account appears in the list.

    You can modify or delete CalDAV accounts in the list using the Edit and Delete buttons at the top of the list.

15. Click OK.
16. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, CalDAV accounts from the compiled list is added on the user's mobile device.

If you experience problems when adding or updating accounts, check whether the settings you configured are correct.

Configuring a calendar subscription

These settings apply to supervised devices and devices operating in basic control mode.

To let the iOS MDM device user add events of shared calendars (such as a corporate calendar) to the user's calendar, add a subscription to these calendars. Shared calendars are calendars of other users who have a CalDAV account, iCal calendars, and other published calendars.

To add a calendar subscription:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Device configuration section.
4. On the Calendar subscriptions card, click Settings.

   The Calendar subscriptions window opens.

5. Enable the settings using the Calendar subscriptions toggle switch.
6. Click Add.

   The Add calendar subscription window opens.

7. In the Description field, enter a description of the calendar subscription.
8. In the Server address field, specify the URL of a third-party calendar.

   In this field, you can enter the mail URL of the CalDAV account of a user whose calendar you are subscribing to. You can also specify the URL of an iCal calendar or a different published calendar.

9. In the User name field, enter the user account name for authentication on the server of the third-party calendar.
10. In the Password field, enter the calendar subscription password for authentication on the server of the third-party calendar.
11. If you want to use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of event data between the CalDAV server and the mobile device, select the Use SSL connection check box.
12. If necessary, in the Per App VPN section, configure Per App VPN.
13. Click Add.

    The new calendar subscription appears in the list.

    You can modify or delete calendar subscriptions in the list using the Edit and Delete buttons at the top of the list.

14. Click OK.
15. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, events from the shared calendar in the list will be added to the calendar on the user's mobile device.

Configuring SSO

Expand all | Collapse all

These settings apply to supervised devices and devices operating in basic control mode.

The SSO settings let you configure account settings for using Single Sign-On technology. Single Sign-On (SSO) is an authentication method that allows a user to sign in to multiple services with a single ID. The Kerberos protocol is used for user authentication.

To configure the use of SSO on iOS MDM devices:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Device configuration section.
4. On the SSO card, click Settings.

   The SSO window opens.

5. Enable the settings using the SSO toggle switch.
6. Specify the following settings:
   • In the Account name field, specify the name of the user's Single Sign-On account for Kerberos server authorization. You can either enter a value or select a macro by clicking the button.
   • In the Authentication section, specify the authentication settings:
     • Kerberos user name

       Main name of the account of an iOS MDM device user on the Kerberos server. The Kerberos user name is case-sensitive and must be specified in the format <primary>/<instance>, where:

       1. <primary> is the user name.

       2. <instance> is a description of the primary name, such as "admin". The instance may be omitted.

       Example: if the Kerberos user name is mycompany/admin@EXAMPLE.COM or mycompany@EXAMPLE.COM, you must enter mycompany/admin or mycompany respectively,

       You can either enter a value or select a macro by clicking the button.

       Do not use the at sign (@) in this field. Otherwise the SSO profile will not be applied on the device.

     • Kerberos scope

       Name of the network to which Kerberos servers and iOS MDM devices belong. The scope must be entered using uppercase letters.

       The network name must match the domain name. For example, if the names match, the name of the scope for the example.com domain is EXAMPLE.COM.

       Example: if the Kerberos user name is mycompany/admin@EXAMPLE.COM, you must enter EXAMPLE.COM.

     • Authentication certificate

       The certificate used for user authentication.

   • In the URL prefixes section, specify the addresses of websites on which Kaspersky Mobile Devices Protection and Management allows using SSO:
     • Limit account to the listed URLs

       Use of Single Sign-On for automatic sign-in only to websites added to the list of allowed web addresses. You can create a list of allowed web addresses by clicking the Add URL button next to the check box.

       If the check box is selected, the user can use Single Sign-On for authorization on websites that have been added to the list of allowed web addresses.

       If the check box is cleared or the list is empty, the user can use Single Sign-On for all websites within the Kerberos scope.

       Name of the network to which Kerberos servers and iOS MDM devices belong. The scope must be entered using uppercase letters.

       The network name must match the domain name. For example, if the names match, the name of the scope for the example.com domain is EXAMPLE.COM.

       Example: if the Kerberos user name is mycompany/admin@EXAMPLE.COM, you must enter EXAMPLE.COM.

       This check box is cleared by default.

     • Add URL

       Clicking the button adds the URL prefix field for specifying a new website in the list of web addresses for which automatic Single Sign-On is allowed.

       The button is available if the Limit account to the listed URLs check box is selected.

       The web address must begin with http:// or https://. Automatic Single Sign-On is performed only when the URL fully matches the URL template. For example, the web address https://example.com/ does not match the web address https://example.com:443/.

       To allow Single Sign-On access only to websites that use the HTTP protocol, enter the value http://. To allow access only to websites that use the secure HTTPS protocol, enter https://.

       If the web address does not end with the "/" symbol, Kaspersky Mobile Devices Protection and Management adds this symbol automatically.

       If the list of allowed web addresses is empty, the user can use Single Sign-On to automatically sign in to all websites within the Kerberos scope.

       Name of the network to which Kerberos servers and iOS MDM devices belong. The scope must be entered using uppercase letters.

       The network name must match the domain name. For example, if the names match, the name of the scope for the example.com domain is EXAMPLE.COM.

       Example: if the Kerberos user name is mycompany/admin@EXAMPLE.COM, you must enter EXAMPLE.COM.

   • In the Bundle IDs section, specify the IDs of apps in which Kaspersky Mobile Devices Protection and Management allows using SSO:
     • Limit account to the listed apps

       Using Single Sign-On for automatic sign-in to apps added to the list of bundle identifiers. You can create a list of bundle IDs by clicking the Add app button next to the check box.

       If the check box is selected, the user can use Single Sign-On only for authorization in apps that have been added to the list of bundle IDs.

       If the check box is cleared or the list is empty, the user can use Single Sign-On for all apps within the Kerberos scope.

       Name of the network to which Kerberos servers and iOS MDM devices belong. The scope must be entered using uppercase letters.

       The network name must match the domain name. For example, if the names match, the name of the scope for the example.com domain is EXAMPLE.COM.

       Example: if the Kerberos user name is mycompany/admin@EXAMPLE.COM, you must enter EXAMPLE.COM.

       This check box is cleared by default.

     • Add app

       Clicking the button adds the Bundle ID field for specifying a new bundle ID in the list of apps for which automatic Single Sign-On is allowed.

       The button is available if the Limit account to the listed apps check box is selected.

       Automatic Single Sign-On is performed only when the added ID fully matches the bundle ID. For example: com.mycompany.myapp.

       To grant access to several apps using Single Sign-On, use the "*" symbol after the "." character. For example: com.mycompany.*. Access will be allowed to all apps whose bundle ID begins with the specified prefix.

       If the list of bundle IDs is empty, the user can use Single Sign-On to automatically sign in to all apps within the Kerberos scope.

       Name of the network to which Kerberos servers and iOS MDM devices belong. The scope must be entered using uppercase letters.

       The network name must match the domain name. For example, if the names match, the name of the scope for the example.com domain is EXAMPLE.COM.

       Example: if the Kerberos user name is mycompany/admin@EXAMPLE.COM, you must enter EXAMPLE.COM.

7. Click OK.
8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, SSO is configured on the iOS MDM device.

Managing Web Clips

A Web Clip is an app that opens a website from the home screen of a mobile device. By clicking Web Clip icons on the home screen of the device, the user can quickly open websites (such as the corporate website). Web Clips may also pop-up if the user taps and holds the Kaspersky Endpoint Security for Android app icon.

You can add or delete Web Clips on user devices and specify icons displayed on the screen. Web Clips can be added on both Android and iOS MDM devices.

Managing Web Clips on Android devices

To manage Web Clips on a user's Android device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the Device configuration section.
4. On the Web Clips card, click Settings.

   The Web Clips window opens.

5. Enable the settings using the Web Clips toggle switch.
6. Click Add.

   The Add Web Clip window opens.

7. In the Web Clip name field, enter the name of the Web Clip to be displayed on the home screen of the Android device.
8. In the Website URL field, enter the web address of the website that will open when the user taps the Web Clip icon. The address should begin with http:// or https://.

   If the entered website is forbidden or is not on the list of allowed websites in the Web Control settings of the policy, users will not be able to access this website via the Web Clip.

9. Click Select to specify the image for the Web Clip icon. The PNG, JPEG, and ICO file formats are supported. If you do not select an image for the Web Clip, a blank square is displayed as the icon.
10. Click Add.

    The new Web Clip appears in the list.

    You can modify or delete Web Clips in the list using the Edit and Delete buttons at the top of the list.

11. Click OK.
12. Click Save to save the changes you have made.

Once the policy is applied to a device, the Kaspersky Endpoint Security for Android app shows notifications to prompt the user to install the Web Clips you created. After the user installs these Web Clips, the corresponding icons are added on the home screen of the device.

If there is no in-app notifications prompting the user to install Web Clips, make sure the Device has not been synchronized with the Administration Server for a long time check box is selected in the Notifications settings of the KES for Android settings section.

The deleted Web Clips are disabled on the home screen of the Android device. If the user taps the corresponding icon, a notification appears that the Web Clip is no longer available. The user should delete the Web Clip from the home screen by following a vendor-specific procedure.

Managing Web Clips on iOS MDM devices

By default, the following restrictions apply to Web Clips:

• The user cannot manually remove Web Clips from the mobile device.
• The corner rounding, shadow, and gloss visual effects are applied to the Web Clip icon on the screen.
• Websites that open when the user taps a Web Clip icon do not open in full-screen mode.

To manage Web Clips on a user's iOS MDM device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Device configuration section.
4. On the Web Clips card, click Settings.

   The Web Clips window opens.

5. Enable the settings using the Web Clips toggle switch.
6. Click Add.

   The Add Web Clip window opens.

7. In the Web Clip name field, enter the name of the Web Clip to be displayed on the home screen of the iOS MDM device.
8. In the Website URL field, enter the web address of the website that will open when the user taps the Web Clip icon. The address should begin with http:// or https://.

   If the entered website is forbidden or is not on the list of allowed websites in the Web Control settings of the policy, users will not be able to access this website via the Web Clip.

9. Click Select to specify the image for the Web Clip icon.

   The image must meet the following requirements:

   • Image size no greater than 400 х 400 pixels.
   • File format: PNG, JPEG, or ICO.
   • File size no larger than 1 MB.

   If you do not select an image for the Web Clip, a blank square is displayed as the icon.

   If the selected image has a transparent background, the background will be black on the device.

10. In the Options section, specify the following additional settings:
    1. If you want to allow the user to remove the Web Clip from the iOS MDM device, select the Allow removal of Web Clip check box.
    2. If you want the Web Clip icon to be displayed without special visual effects (rounding of icon corners and gloss effect), select the Precomposed icon check box.
    3. If you want the website to open in full-screen mode on the iOS MDM device when the user taps the icon, select the Full screen Web Clip check box.

       In full-screen mode, the Safari toolbar is hidden and only the website is shown on the device screen.

11. Click Add.

    The new Web Clip appears in the list.

    You can modify or delete Web Clips in the list using the Edit and Delete buttons at the top of the list.

12. Click OK.
13. Click Save to save the changes you have made.

Once the policy is applied, the Web Clip icons in the list you have created are added on the home screen of the user's mobile device.

The deleted Web Clips are removed from the home screen of the iOS MDM device.

Setting a wallpaper

Expand all | Collapse all

You can set an image as the home screen wallpaper and lock screen wallpaper on users' devices that fall under the same policy.

To set a wallpaper on users' Android devices:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the Device configuration section.
4. On the Custom wallpapers card, click Settings.

   The Custom wallpapers window opens.

5. Enable the settings using the Custom wallpapers toggle switch.
6. In the Home screen wallpaper section, in the How to set wallpaper drop-down list, select the method for specifying the wallpaper:
   • Upload file

     For this option, you need to upload a PNG or JPEG image no larger than 1 MB from your computer.

   • Download image from the internet

     For this option, you need to specify a URL beginning with http:// or https://. Use only trusted URLs.

7. Add an image to be used as a wallpaper:
   • If you selected the Upload file option, click Select to upload an image. When the upload is finished, an image preview will be displayed.
   • If you selected the Download image from the internet option, specify the link to the image in the Link to image field. You can click Open preview to view the image in a new browser tab.
8. If you want to use the same image as the lock screen wallpaper, in the Lock screen wallpaper section, select the Use home screen wallpaper for lock screen check box.
9. Click OK.
10. Click Save to save the changes you have made.

The imported image is set as a wallpaper on users' devices.

Adding fonts

These settings apply to supervised devices and devices operating in basic control mode.

To add a font on a user's iOS MDM device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Device configuration section.
4. On the Custom fonts card, click Settings.

   The Custom fonts window opens.

5. Enable the settings using the Custom fonts toggle switch.
6. Click Add.
7. Select the font file saved on your computer. The file must have the .TTF or .OTF extension.

   Fonts with the .TTC or .OTC extension are not supported.

   Fonts are identified using the PostScript name. Do not install fonts with the same PostScript name even if their content is different. Installing fonts with the same PostScript name will result in an error.

8. Click Open.

   The new font appears in the list.

   You can delete fonts in the list using the Delete button at the top of the list.

9. Click OK.
10. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, the user will be prompted to install fonts from the list that has been created.