Deploying an Android device management system

Kaspersky Secure Mobility Management lets you manage mobile devices running Android. This section describes the deployment of an Android device management system.

About Android device operating modes

The device operating mode depends on the owner of mobile device (personal or corporate) and corporate security requirements. You can choose the operating mode that is most suitable for your company and use several modes at the same time.

The following device operating modes are available for Android devices:

• Personal device
• Device with corporate container
• Corporate device

Personal device

Personal device is the device operating mode for personal Android devices. This operating mode lets you protect and perform basic management of devices.

Device with corporate container

Device with corporate container is the device operating mode for personal Android devices with an Android Work Profile, which provides an isolated corporate environment on a device.

This operating mode lets you manage apps and user accounts in a safe environment on a device without restricting the use of personal data by the user. When a Work Profile is created on the user's mobile device, the following corporate apps are automatically installed in the container (if applicable): Google Play Market, Google Chrome, Downloads, Kaspersky Endpoint Security for Android, and others. Corporate apps installed in the Work Profile and their notifications are marked with a blue briefcase icon. Apps installed in the work profile appear in the common list of apps.

Corporate device

Corporate device is the device operating mode for company-owned Android devices. This operating mode lets you have full control over the entire device and configure an extended set of security settings and features:

• Restrictions on Android features
• Management of Google Chrome settings
• Silent installation of required apps and removal of blocked apps in App Control
• Kiosk mode
• Management of Exchange ActiveSync
• NDES and SCEP integration

Using Firebase Cloud Messaging

To ensure timely delivery of commands to Android devices, Kaspersky Security Center uses the mechanism of push notifications. Push notifications are exchanged between Android devices and Administration Server through Firebase Cloud Messaging (hereinafter referred to as FCM). In Kaspersky Security Center Web Console, you can specify the Firebase Cloud Messaging settings to connect Android devices to the service.

To retrieve the settings of Firebase Cloud Messaging, you must have a Google account.

To enable the use of FCM:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
2. Open the 3-dot menu () and select Forced Android device synchronization.
3. In the Firebase project number field, specify the FCM Sender ID.
4. In the Private key field, select the private key file.

At the next synchronization with Administration Server, Android devices will be connected to Firebase Cloud Messaging.

When you switch to a different Firebase project, you need to wait 10 minutes for FCM to resume.

FCM service runs in the following address ranges:

• From the Android device's side, access is required to ports 443 (HTTPS), 5228 (HTTPS), 5229 (HTTPS), and 5230 (HTTPS) of the following addresses:
  • google.com
  • fcm.googleapis.com
  • android.apis.google.com
  • All of the IP addresses listed in Google's ASN of 15169
• From the Administration Server side, access is required to port 443 (HTTPS) of the following addresses:
  • fcm.googleapis.com
  • All of the IP addresses listed in Google's ASN of 15169

If the proxy server settings have been specified in the Administration Server properties in Web Console, they will be used for interaction with FCM.

Configuring FCM: getting the Sender ID and private key file

To configure FCM:

1. Register on the Google portal.
2. Go to the Firebase console.
3. Do one of the following:
   • To create a new project, click Create a project and follow the instructions on the screen.
   • Open an existing project.
4. Click the gear icon and choose Project settings.

   The Project settings window opens.

5. Select the Cloud Messaging tab.
6. Retrieve the relevant Sender ID from the Sender ID field in the Firebase Cloud Messaging API (V1) section.
7. Select the Service accounts tab and click Generate new private key.
8. In the window that opens, click Generate key to generate and download a private key file.

Firebase Cloud Messaging is now configured.

Deploying Kaspersky Endpoint Security for Android

This section contains a general overview of Kaspersky Endpoint Security for Android and the methods of installing, updating, and removing the app.

For detailed information on Kaspersky Endpoint Security for Android, refer to the Using the Kaspersky Endpoint Security for Android app section.

About the Kaspersky Endpoint Security for Android app

The Kaspersky Endpoint Security for Android app ensures the protection of mobile devices against web threats, viruses, and other programs that pose threats.

The Kaspersky Endpoint Security for Android includes the following features:

• Anti-Malware. This component detects and neutralizes threats on the device by using the anti-malware databases and the Kaspersky Security Network cloud service. Anti-Malware includes the following components:
  • Protection. It detects threats in open files, scans new apps, and prevents device infection in real time.
  • Scan. It is started on demand for the entire file system, only for installed apps, or only for a selected file or folder.
  • Update. It lets you download new anti-malware databases for the app.
• Anti-Theft. This component protects the information on the device against unauthorized access in case the device is lost or stolen. This component lets you send the following commands to the device:
  • Locate device. Get the coordinates of the device's location.
  • Sound alarm. Make the device sound a loud alarm.
  • Wipe corporate data. Erase corporate data to protect sensitive company information.
• Web Protection and Web Control. Web Protection blocks malicious websites designed to spread malicious code. Web Protection also blocks fake (phishing) websites designed to steal the user's confidential data (for example, passwords for online banking or e-money systems) and access the user's financial info. Web Protection uses the Kaspersky Security Network cloud service to scan websites before they open. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. Web Control allows website filtering by categories defined in the Kaspersky Security Network cloud service. This lets the administrator restrict user access to certain categories of web pages (for example, Gambling, lotteries, sweepstakes or Internet communication).
• App Control. This component lets you install recommended and required apps to an Android device as well as remove blocked apps that violate corporate security requirements.
• Compliance Control. This component lets you check managed devices for compliance with corporate security requirements and impose restrictions on certain functions of non-compliant devices.

You can configure the components of the Kaspersky Endpoint Security for Android app in Kaspersky Security Center Web Console by defining the corresponding policy settings.

On personal devices and devices with a corporate container running Android 15, users can create their own private space. Kaspersky Endpoint Security for Android cannot scan apps, photos, and other files stored in a private space. Web Protection, Web Control, and App Control do not work for apps installed in a private space. Installation of Kaspersky Endpoint Security for Android in a private space is not supported.

Installing Kaspersky Endpoint Security for Android

Expand all | Collapse all

There are several methods to deploy the Kaspersky Endpoint Security for Android app. You can use the most suitable installation scenario for your company or combine several installation scenarios.

The installation methods include the following:

• Installation via Kaspersky Security Center using one of the installation sources:
  • Kaspersky website (for corporate device operating mode only)

    Choose this method for mobile devices that can access the internet to download the APK installation file from the Kaspersky website. The app will then be updated from the Kaspersky website or using HUAWEI AppGallery, Samsung Galaxy Store, RuStore, or Xiaomi GetApps.

  • Installation package (for all operating modes)

    The Kaspersky Endpoint Security for Android installation package will be downloaded from the Kaspersky Security Center server and updated via Kaspersky Security Center using policy settings. You can choose this method if mobile devices in your company have no access to the internet.

    For this installation source, before connecting mobile devices, create the Kaspersky Endpoint Security for Android installation package.

• Manual installation

Creating the Kaspersky Endpoint Security for Android installation package

The Kaspersky Endpoint Security for Android app can be deployed using the installation package.

You can use this installation method if mobile devices in your company have no access to the internet.

For this installation method, you need to create a Kaspersky Endpoint Security for Android installation package before connecting Android devices to Kaspersky Security Center. The installation package will be downloaded from Kaspersky Security Center and updated via Kaspersky Security Center using policy settings.

The Kaspersky Endpoint Security for Android installation package is an archive that contains the files required for installing the Kaspersky Endpoint Security for Android app:

• installer.ini

  Configuration file that contains Administration Server connection settings.

• KES10_<version>.apk

  Android package file of the Kaspersky Endpoint Security for Android app.

• kesa.kpd

  Application description file.

• eula/

  Folder with End User License Agreements in different languages in TXT format.

• kpd.loc/

  INI files specifying paths to End User License Agreements.

To create the Kaspersky Endpoint Security for Android installation package:

1. In the main window of Kaspersky Security Center Web Console, select Operations > Repositories > Installation packages.
2. In the list of installation packages that opens, click Add. The New package wizard starts. Follow the instructions of the wizard as described in the Kaspersky Security Center Help to create an installation package from a file or create a stand-alone installation package.

To configure the Kaspersky Endpoint Security for Android installation package:

1. In the main window of Kaspersky Security Center Web Console, select Operations > Repositories > Installation packages.
2. In the list of installation packages that opens, click the Kaspersky Endpoint Security for Android installation package you want to configure.
3. In the installation package properties window, select the Settings tab.
   1. In the Connection to the Administration Server group of settings, configure the following values:
      • Server address. Specify the address of the server to which the Android devices will connect.
      • SSL port for devices synchronization. Specify the number of the port opened on the Administration Server for connecting mobile devices. Port 13292 is used by default.
   2. For stand-alone installation packages, in the Subgroup name field of the Subgroup in Unassigned devices group of settings, specify the name of the group to which Android devices will be added after the first synchronization with the Administration Server. KES10 is used by default.
   3. In the Actions during installation on device group of settings, click the Prompt user for email address check box if you want Kaspersky Endpoint Security for Android to ask users to provide their corporate email address when the app is started for the first time.

      User email address is used to form the name of the mobile device when it is added to the administration group.

4. Click Save.

The Kaspersky Endpoint Security for Android installation package is configured.

Manual installation of Kaspersky Endpoint Security for Android

You can manually install Kaspersky Endpoint Security for Android from the Kaspersky website, HUAWEI AppGallery, Samsung Galaxy Store, RuStore, or Xiaomi GetApps.

Installing the app

To install the app from an app store, follow the standard installation procedure for the Android platform.

To install Kaspersky Endpoint Security for Android from the Kaspersky website:

1. Go to the Kaspersky website.
2. Find Kaspersky Security for Mobile on the website.
3. Tap Show Downloads.
4. Select a version of the app and tap Download.
5. Open the downloaded APK file and follow the instructions on the screen.

   You may need to allow your browser to install apps from sources other than Google Play in the Apps → Special app access → Install unknown apps section in device settings. The location of these settings may differ on devices from different vendors.

The app will be installed on the device.

Configuring the app

After installing Kaspersky Endpoint Security for Android, you must manually configure the app. The configuration procedure depends on whether the administrator sent you a server address or a link for downloading the app.

To configure Kaspersky Endpoint Security for Android using a link for downloading the app:

1. Open Kaspersky Endpoint Security for Android.
2. Read the End User License Agreement. If you accept the End User License agreement, select the corresponding check box and tap Continue.
3. Tap Continue and grant the app the required permissions.
4. In the Server field, specify the link that you received from the administrator.
5. Tap Continue.

Kaspersky Endpoint Security for Android is configured.

To configure Kaspersky Endpoint Security for Android using a server address:

1. Open Kaspersky Endpoint Security for Android.
2. Read the End User License Agreement. If you accept the End User License agreement, select the corresponding check box and tap Continue.
3. Tap Continue and grant the app the required permissions.
4. In the Server field, specify the Administration Server address provided by the administrator.
5. Tap Continue.
6. Tap Enable to enable the app as the device administrator.
7. Tap Allow and grant the app the required permissions.

Kaspersky Endpoint Security for Android is configured.

Internet access must be enabled on the mobile device for synchronization with the Administration Server.

Installing Kaspersky Endpoint Security for Android on corporate devices in a closed network

When deploying Kaspersky Endpoint Security for Android in corporate device operating mode via QR code on devices with pre-installed Google Mobile Services (GMS), their Wi-Fi connectivity to certain Google endpoints is checked. If a Wi-Fi network has no access to the internet, the connectivity check fails and the deployment finishes with an error.

To avoid the connectivity check, you can deploy the Kaspersky Endpoint Security for Android app on corporate devices in a closed network by using a Proxy Auto-Configuration (PAC) file.

To use a PAC file to deploy the Kaspersky Endpoint Security for Android app:

1. Create a PAC file (for example, proxy.pac) with the following contents:

   function FindProxyForURL(url, host) {
   return "DIRECT";
   }

2. Publish the created PAC file on a resource that will be available in the closed network (for example, on an IIS Web server).

   Save a link to the PAC file (for example, https://intranet.mycompany.com/files/proxy.pac).

3. Make sure the APK file of the Kaspersky Endpoint Security for Android app being deployed is available within the closed network. To do this, use one of the methods below:
   • Download the app installation package from the Kaspersky Security Center server. If the server is accessible, the installation packages will be available there.
   • Download the APK installation file from the Kaspersky website and upload it to the closed network.

     Choose the general version of the app as the source.

4. Send the app installation link and QR code to the user by following the instructions of Mobile device connection wizard.

   On the Operating systems step of the wizard, in the Installation settings section, you will be asked to specify the network for downloading the Kaspersky Endpoint Security for Android app. At this step, configure the use of the previously created PAC file for network connection by linking it to the Wi-Fi network settings on a device. To do this, use one of the methods below:

   • In the Installation network settings section, choose Prompt the user to select a Wi-Fi network on device. While deploying the app, the user will need to specify the link to the PAC file (step 2) in the network settings when choosing a Wi-Fi network on the device. After the connection is established, the user will be able to continue the device setup and activate the app by following the instructions of the app's Initial Configuration Wizard.
   • In the Installation network settings section, choose Only use the specified Wi-Fi network (Android 9 or later), click the Select network button, and then insert the link to the previously created PAC file (step 2) in the PAC file URL field.

   If the APK installation file has been downloaded from the Kaspersky website (step 3), you need to replace the link in the QR code with the address of the closed network link.

   When deploying the app via an installation package downloaded from Kaspersky Security Center, after the device is reset to factory settings and the QR code is scanned, a Blocked by Play Protect message may appear on the device. The issue is caused by the installation package's signing certificate being different from the one specified in Google Play. The user should continue the installation by choosing Install anyway. If OK is selected, the installation process will be interrupted and the device will be reset to factory settings.

The Kaspersky Endpoint Security for Android app is installed on a device in corporate device operating mode in a closed network.

Permissions for Kaspersky Endpoint Security for Android

For all features of apps, Kaspersky Endpoint Security for Android prompts the user for the required permissions. Kaspersky Endpoint Security for Android prompts for the mandatory permissions while the Setup Wizard is completed, as well as after installation and prior to using individual features of apps. It is impossible to install Kaspersky Endpoint Security for Android without providing the mandatory permissions.

On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts in the device settings. If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted.

On devices running Android 11 or later or Android 6-10 with Google Play services, you must disable the Remove permissions if app isn't used system setting. Otherwise, after the app is not used for a few months, the system automatically resets the permissions that the user granted to the app.

Permissions requested by Kaspersky Endpoint Security for Android

Starting and stopping Kaspersky Endpoint Security for Android

Kaspersky Endpoint Security for Android launches when the operating system starts up and protects the mobile device during the entire session. The user can stop the app by disabling all Kaspersky Endpoint Security for Android components. You can use policies to configure user permissions to manage app components.

On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts (Security → Permissions → Autorun). If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted.

You must also disable Battery Saver mode for Kaspersky Endpoint Security for Android. This is necessary for the app to run in the background, for example, when running a scheduled malware scan or synchronizing the device with Kaspersky Security Center. This issue is due to the specific features of the embedded software of these devices.

Activating Kaspersky Endpoint Security for Android

In Kaspersky Security Center, the license can cover various groups of features. To ensure that the Kaspersky Endpoint Security for Android app is fully functional, the Kaspersky Security Center license purchased by the organization must support the Mobile Device Management functionality.

For detailed information about licensing options, refer to the About the license section.

Activating the Kaspersky Endpoint Security for Android app on a mobile device is performed by providing valid license information to the app. License information is delivered to the device together with the policy settings as soon as the device is synchronized with Kaspersky Security Center.

If activation of the mobile app is not completed within 30 days from the time of installation on the mobile device, the app is automatically switched to limited functionality mode. In this mode, most of the app components are not operational. When switched to limited functionality mode, the app stops performing automatic synchronization with Kaspersky Security Center. Accordingly, if the app is not activated within 30 days after the installation, the user must synchronize the device with Kaspersky Security Center manually.

If Kaspersky Security Center is not deployed in your organization or is not accessible to mobile devices, users can activate the mobile app on their devices manually.

To activate the mobile app:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Click the License button.
4. In the window that opens, use the drop-down list to select the required license key from the key storage of the Administration Server.

   The details of the license key are displayed in the fields below.

   You can replace the existing activation key on the mobile device if it is different from the one selected in the drop-down list above. To do so, select the Replace with selected key if the key on devices is different check box.

5. Click Save to save the changes you have made.

The app is activated after the next device synchronization with Kaspersky Security Center.

Updating Kaspersky Endpoint Security for Android

Kaspersky Endpoint Security for Android can be updated in the following ways:

• Using the Kaspersky website. The mobile device user downloads the new version of the app from the Kaspersky website and installs it on the device.
• Using HUAWEI AppGallery, Samsung Galaxy Store, RuStore, or Xiaomi GetApps. The mobile device user downloads the new version of the app from an app store and installs it on the device following the standard update procedure for the Android platform.

  To update the app using the Samsung Galaxy Store, the device user must have a Samsung account.

• Using Kaspersky Security Center. You can remotely update the version of the app on the device using Kaspersky Security Center.

You can select the app update method that is most suitable for your organization. You can use only one update method.

Updating the app from the Kaspersky website

To update the app from the Kaspersky website:

1. Go to the Kaspersky website.
2. Find Kaspersky Security for Mobile on the website.
3. Tap Show Downloads.
4. Select a version of the app and tap Download.
5. Open the downloaded APK file and follow the instructions on the screen.

Kaspersky Endpoint Security for Android is updated.

After downloading the app, Kaspersky Endpoint Security for Android checks the Terms and Conditions of the End User License Agreement (EULA). If the terms of the EULA have been updated, the app sends a request to the Kaspersky Security Center. If the administrator accepts the EULA in Web Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app.

Updating the app through Kaspersky Security Center

Kaspersky Endpoint Security for Android can be updated using Kaspersky Security Center after a group policy is applied. In the group policy settings, you can select the standalone installation package of the version of Kaspersky Endpoint Security for Android that meets the corporate security requirements.

You can update through Kaspersky Security Center if Kaspersky Endpoint Security for Android was installed using an installation package in Kaspersky Security Center or using a standalone installation package. If the app was installed from Google Play, you cannot update the app through Kaspersky Security Center.

To update Kaspersky Endpoint Security for Android using a standalone installation package, installation of apps from unknown sources must be allowed on the user's mobile device. For details about installing apps without Google Play, please refer to the Android Help.

To update the version of the app:

1. Add a new Kaspersky Endpoint Security for Android installation package.
2. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
3. In the policy properties window, select Application settings.
4. Select Android and go to the KES for Android settings section.
5. On the App update card, click Settings.

   The App update window opens.

6. Enable the settings using the App update toggle switch.
7. Click Select.

   The Select installation package window opens.

8. In the list of Kaspersky Endpoint Security for Android standalone installation packages, select the package whose version meets the corporate security requirements.

   Kaspersky Endpoint Security for Android cannot be downgraded to an older version of the application.

9. Click Select.
10. Click OK.
11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. The mobile device user is prompted to install the new version of the app. After the user confirms installation, the new app version is installed on the mobile device.

Updates functionality (including providing anti-malware signature updates and codebase updates), as well as KSN functionality may not be available in the software in the U.S.

Removing Kaspersky Endpoint Security for Android

Kaspersky Endpoint Security for Android can be removed in the following ways:

1. App removal by the user

   The user removes Kaspersky Endpoint Security for Android manually using the app interface. In order for users to be able to remove the app, the app removal should be allowed in the Configure access to app settings card of the KES for Android settings section in the policy settings.

2. App removal by the administrator (corporate devices only)

   The administrator removes the app remotely using the Kaspersky Security Center Web Console. The app can be removed from an individual device or from several devices at once.

Permitting users to remove Kaspersky Endpoint Security for Android

To protect the app from removal on devices running Android 7 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, the app is not protected from removal.

To allow removal of the app in a group policy:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select Android and go to the KES for Android settings section.
4. On the Configure access to app settings card, click Settings.

   The Configure access to app settings window opens.

5. Select the Allow removing the app from device check box.
6. Click OK.
7. Click Save to save the changes you have made.

As a result, users will be allowed to remove the app from mobile devices after synchronization with the Administration Server. The app removal button becomes available in the Kaspersky Endpoint Security for Android settings.

To remove the app from a device:

1. In the main window of Kaspersky Endpoint Security for Android, select Settings → App settings → Additional → Remove app.

   On corporate devices, Kaspersky Endpoint Security for Android can be removed only by the administrator.

2. Confirm removal of Kaspersky Endpoint Security for Android.

Kaspersky Endpoint Security for Android will be removed from the device.

Removal of Kaspersky Endpoint Security for Android by the user

On corporate devices, Kaspersky Endpoint Security for Android can be removed only by the administrator.

To independently remove Kaspersky Endpoint Security for Android from a mobile device, the user must do the following:

1. In the main window of Kaspersky Endpoint Security for Android, select Settings → App settings → Additional → Remove app.

   If the Remove app button is missing, this means that the administrator enabled protection against removal of Kaspersky Endpoint Security for Android or the device operates in corporate device mode.

2. Confirm the removal of Kaspersky Endpoint Security for Android.

Kaspersky Endpoint Security for Android will be removed from the device.

Remote removal of Kaspersky Endpoint Security for Android on corporate devices

You can remove the Kaspersky Endpoint Security for Android app from corporate devices remotely by sending a Reset to factory settings command.

Executing the Reset to factory settings command wipes all data from the device and rolls back device settings to their factory values. This app removal method is recommended by Android Enterprise to guarantee that data is removed from a corporate device.

To remove the app:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
2. In the list of devices that opens, select a device that you want to send a command to.

   You can select multiple devices.

3. Click Send command.
4. In the Send command window that opens, in the Command field, select the Reset to factory settings command.
5. Click Send.

   You can view and cancel commands in the Command history.

   The command is sent to the devices you selected. Kaspersky Endpoint Security for Android is removed from these devices.

6. In the list of devices, select the device, and then click Delete.

   The device is removed from the list of managed devices in Kaspersky Security Center Web Console.

   If the device is not removed from Kaspersky Security Center Web Console, there can be problems with further installation of Kaspersky apps on this device.