[Topic 216446]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Kaspersky Security for Mobile Help

Kaspersky Security for Mobile is intended for protecting and managing corporate mobile devices, as well as personal mobile devices used by company employees for corporate purposes.

The components and features of Kaspersky Security for Mobile depend on the Kaspersky Security Center console that you use as an interface for protecting and managing mobile devices.

Select the necessary Help section, depending on your Kaspersky Security Center console:

• Microsoft Management Console-based Administration Console
• Kaspersky Security Center Web Console or Kaspersky Security Center Cloud Console

Separate Help sections describe features and operations that are available to users of the Kaspersky Endpoint Security for Android app and the Kaspersky Security for iOS app.

[Topic 180199]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

What's new

Kaspersky Secure Mobility Management 1.0

In this release, we added a wide range of features to plug-ins for MMC-based Administration Console to set up control over corporate mobile devices.

The following features were added to the plug-in for managing Android devices:

• The Kaspersky Endpoint Security for Android app now supports devices that operate in device owner mode. You can generate a QR code for app installation in device owner mode that allows you to configure different device settings.
• Features for Android devices in device owner mode:
  • Restrictions of Android operating system features. These restrictions include:
    • Device features (reset to factory settings, screen capture, calls and SMS messages, and so on).
    • Apps (the use of different apps, app installation settings, and so on).
    • Storage (mounting external media, file transfer over USB, and so on).
    • Network (Wi-Fi and mobile networks, VPN settings, and so on).
    • Location Services (the use of location and changing location settings).
  • Management of Google Chrome settings.
  • Kiosk mode (with a single app or set of apps).
  • Management of Exchange ActiveSync settings for Gmail.
  • Connection to a NDES/SCEP server.
  • Installation of root certificates on devices.
  • Silent installation of required apps and uninstallation of blocked apps defined in App Control rules.
  • Option to delete apps blocked by App Control.
• Features to configure screen unlock passwords for Android devices:
  • You can specify different password requirements.
  • You can manage the use of biometric unlock methods.
  • You can specify the password lifetime and history length.
  • You can specify the unlock password in the Administration Console and force the change on the device.
• New options for Samsung KNOX devices:
  • Option to prohibit developer mode.
  • Option to prohibit sending crash reports to Google.
• New features to configure Wi-Fi networks:
  • Support for the 802.1.x EAP security protocol and ability to configure its protection settings (such as the EAP method).
  • You can specify the list of allowed Wi-Fi networks to connect automatically and hide other networks from the user device.
• New options to delete all data on a lost or stolen Android device after failed attempts to enter the unlock password.
• Adding web clips to devices.

This release also includes the following new features in the plug-in for managing iOS MDM devices:

• The new Compliance Control component that lets you monitor iOS MDM devices for compliance with corporate security requirements and take various actions.
• You can manage apps on iOS MDM devices based on lists of allowed and prohibited apps.
• New commands are added:
  • Reset password
  • Schedule operating system update
  • Set Bluetooth state
• New features to configure VPN connections:
  • Support for the IKEv2 protocol.
  • You can set up activating the VPN connection for selected website domains in Safari.
• New option to force the use of a password on a device.
• New options to manage operating system features on supervised devices:
  • Delay software updates.
  • Manage access to USB devices.
  • Manage Wi-Fi, VPN, and Personal Hotspot settings.
  • Manage the use of NFC.

Starting from release 1.0, Kaspersky Security for Mobile no longer supports management of mobile devices by using the Exchange ActiveSync protocol (management of EAS devices). Instead, you can integrate with Exchange Server via policy settings for Android or iOS MDM devices. If you want to continue managing your devices via the Exchange ActiveSync protocol, please use earlier versions of the Kaspersky Security for Mobile solution.

[Topic 216976]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Comparison of application features depending on the management tools

You can manage mobile devices in Kaspersky Security Center by using the following management tools:

• Microsoft Management Console-based (hereinafter referred to as "MMC-based") Administration Console of Kaspersky Security Center
• Kaspersky Security Center Web Console
• Kaspersky Security Center Cloud Console

The table below compares the features that are available in these tools.

Availability of features depending on the management tools

[Topic 214493]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Distribution kit

The Kaspersky Security for Mobile distribution kit may include various components, depending on the chosen application version.

Mobile device management in Kaspersky Security Center Web Console

• on_prem_ksm_devices_xx.x.x.x.zip

  Archive that contains the files required for the installation of the Kaspersky Security for Mobile (Devices) plug-in:

  • plugin.zip

    Archive that contains the Kaspersky Security for Mobile (Devices) plug-in.

  • signature.txt

    File that contains the signature for the Kaspersky Security for Mobile (Devices) plug-in.

• on_prem_ksm_policies_xx.x.x.x.zip

  Archive that contains the files required for the installation of the Kaspersky Security for Mobile (Policies) plug-in:

  • plugin.zip

    Archive that contains the Kaspersky Security for Mobile (Policies) plug-in.

  • signature.txt

    File that contains the signature for the Kaspersky Security for Mobile (Policies) plug-in.

Mobile device management in Kaspersky Security Center Cloud Console

To manage mobile device in Kaspersky Security Center Cloud Console, you do not need to download a distribution package. You only need to create an account in Kaspersky Security Center Cloud Console. For more information about creating an account, please refer to Kaspersky Security Center Cloud Console Help.

Mobile device management in MMC-based Administration Console

• Klcfginst_en.exe

  Installer of Kaspersky Endpoint Security for Android Administration Plug-in for administering the application by means of the Kaspersky Security Center remote administration system.

• Klmdminst.exe

  Installer of Kaspersky Device Management for iOS Administration Plug-in for managing the application by means of the Kaspersky Security Center remote administration system.

File of the Kaspersky Endpoint Security for Android app

KES10_xx_xx_xxx.apk—Android package file of the Kaspersky Endpoint Security for Android app.

Auxiliary files

• sc_package_xx.exe

  Self-extracting archive that contains the files required for installing the Kaspersky Endpoint Security for Android app by creating installation packages:

  • adb.exe, AdbWinApi.dll, AdbWinUsbApi.dll

    Files required for creating installation packages.

  • installer.ini

    Configuration file that contains Administration Server connection settings.

  • KES10_xx_xx_xxx.apk

    Android package file of the Kaspersky Endpoint Security for Android app.

  • kmlisten.exe

    Utility for delivering installation packages through the administrator's computer.

  • kmlisten.ini

    Configuration file that contains the settings for the kmlisten.exe utility.

  • kmlisten.kpd

    Application description file.

• SigningUtility.zip

  Archive that contains the utility for signing the distribution packages of the Kaspersky Endpoint Security for Android app and containers for iOS devices.

Documentation

• Help for Kaspersky Security for Mobile.

[Topic 216448]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Working in Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console

This Help section describes protection and management of mobile devices by using Kaspersky Security Center Web Console (hereinafter also referred to as Web Console) or Kaspersky Security Center Cloud Console (hereinafter also referred to as Cloud Console).

[Topic 214475]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About mobile device management in Kaspersky Security Center Web Console and Cloud Console

You can manage mobile devices in Kaspersky Security Center Web Console and Cloud Console by using the following components:

• Kaspersky Endpoint Security for Android app

  The Kaspersky Endpoint Security for Android app ensures protection of mobile devices against web threats, viruses, and other programs that pose threats.

• Kaspersky Security for iOS app

  The Kaspersky Security for iOS app ensures protection of mobile devices against phishing and web threats.

• Kaspersky Security for Mobile (Devices) plug-in

  The Kaspersky Security for Mobile (Devices) plug-in provides the interface for managing mobile devices and the mobile apps installed on them through Kaspersky Security Center Web Console and Cloud Console.

• Kaspersky Security for Mobile (Policies) plug-in

  The Kaspersky Security for Mobile (Policies) plug-in lets you define the configuration settings for devices connected to Kaspersky Security Center, by using group policies.

The plug-ins are integrated into the Kaspersky Security Center remote administration system. You can use Kaspersky Security Center Web Console or Cloud Console to manage mobile devices, as well as client computers and virtual systems. After you connect mobile devices to the Administration Server, they become managed. You can remotely monitor managed devices.

[Topic 221102]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Key features of mobile device management in Kaspersky Security Center Web Console and Cloud Console

Kaspersky Security for Mobile provides the following features:

• Distribution of email messages for connecting Android mobile devices to Kaspersky Security Center by using links to download the Kaspersky Endpoint Security for Android app from Google Play.
• Distribution of email messages for connecting iOS mobile devices to Kaspersky Security Center by using links to download the Kaspersky Security for iOS app from App Store.
• Remote connection of mobile devices to Kaspersky Security Center and other third-party EMM systems (for example, VMWare AirWatch, MobileIron, IBM Maas360, SOTI MobiControl).
• Remote configuration of the mobile app, as well as remote configuration of services, apps, and functions of mobile devices.
• Remote configuration of mobile devices in accordance with the corporate security requirements.
• Prevention of leakage of corporate information stored on mobile devices, in case they are lost or stolen (Anti-Theft). Supported for Android devices only.
• Control of compliance with corporate security requirements (Compliance Control). Supported for Android devices only.
• Control of protection against online threats and control of internet use on mobile devices (Web Protection).
• Setup of notifications shown to the user in the Kaspersky Endpoint Security for Android and Kaspersky Security for iOS apps.
• Administrator notifications about the status and events of the Kaspersky Endpoint Security for Android and Kaspersky Security for iOS apps can be communicated in Kaspersky Security Center or by email.
• Change Control for policy settings (revision history).

Kaspersky Security for Mobile includes the following protection and management components:

• Anti-Virus (for Android devices)
• Anti-Theft (for Android devices)
• Web Protection (for Android and iOS devices)
• App Control (for Android devices)
• Compliance Control (for Android devices)
• Detection of root privileges on Android devices and jailbreak detection on iOS devices

[Topic 214476]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About the Kaspersky Endpoint Security for Android app

The Kaspersky Endpoint Security for Android app ensures protection of mobile devices against web threats, viruses, and other programs that pose threats.

The Kaspersky Endpoint Security for Android app includes the following components:

• Anti-Virus. This component detects and neutralizes threats on your device by using the Anti-Virus databases and the Kaspersky Security Network cloud service. Anti-Virus includes the following components:
  • Protection. It detects threats in open files, scans new apps, and prevents device infection in real time.
  • Scan. It is started on demand for the entire file system, only for installed apps, or a selected file or folder.
  • Update. It allows you to download new Anti-Virus databases for the application.
• Anti-Theft. This component protects information on the device against unauthorized access in case the device is lost or stolen. This component lets you send the following commands to the device:
  • Locate. Get the coordinates of the device's location.
  • Alarm. Make the device sound a loud alarm.
  • Wipe. Erase corporate data to protect sensitive company information.
• Web Protection. This component blocks malicious websites designed to spread malicious code. Web Protection also blocks fake (phishing) websites designed to steal confidential data of the user (for example, passwords for online banking or e-money systems) and access the user's financial info. Web Protection scans websites before you open them, by using the Kaspersky Security Network cloud service. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. Web Protection also supports website filtering by categories defined in the Kaspersky Security Network cloud service. This allows the administrator to restrict user access to certain categories of web pages (for example, web pages from the "Gambling, lotteries, sweepstakes" or "Internet communication" categories).
• App Control. This component lets you install recommended and required apps to your device via a direct link to the distribution package or a link to Google Play. App Control lets you remove blocked apps that violate corporate security requirements.
• Compliance control. This component allows you to check managed devices for compliance with the corporate security requirements and impose restrictions on certain functions of non-compliant devices.

You can configure the components of the Kaspersky Endpoint Security for Android app in Kaspersky Security Center Web Console and Cloud Console by defining the settings of group policies.

[Topic 234086]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About the Kaspersky Security for iOS app

The Kaspersky Security for iOS app ensures protection of mobile devices against phishing and web threats.

The Kaspersky Security for iOS app offers the following key features:

• Web Protection. This component blocks malicious websites designed to spread malicious code. Web Protection also blocks fake (phishing) websites designed to steal confidential data of the user (for example, passwords for online banking or e-money systems) and access the user's financial info. Web Protection scans websites before you open them, by using the Kaspersky Security Network cloud service. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. You can configure this component in Kaspersky Security Center Web Console and Cloud Console by defining the settings of group policies.
• Jailbreak detection. When Kaspersky Security for iOS detects a jailbreak, it displays a critical message and informs you about the issue.

[Topic 216974]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About the Kaspersky Security for Mobile (Devices) plug-in

The Kaspersky Security for Mobile (Devices) plug-in provides the interface for managing mobile devices and the mobile apps installed on them through Kaspersky Security Center Web Console and Cloud Console. The Kaspersky Security for Mobile (Devices) plug-in allows you to perform the following:

• Connect mobile devices to Kaspersky Security Center.
• Manage the certificates of mobile devices.
• Configure Firebase Cloud Messaging (for Android devices only).
• Send commands to mobile devices (for Android devices only).

The Kaspersky Security for Mobile (Devices) plug-in can be installed when configuring Kaspersky Security Center Web Console. If you are using Kaspersky Security Center Cloud Console, you do not need to install this plug-in. For more information about deployment scenarios in different types of consoles, see section "Deployment scenarios".

[Topic 214478]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About the Kaspersky Security for Mobile (Policies) plug-in

The Kaspersky Security for Mobile (Policies) plug-in lets you define the configuration settings for devices connected to Kaspersky Security Center, by using group policies. The Kaspersky Security for Mobile (Policies) plug-in can be used to perform the following:

• Create group security policies for mobile devices.
• Remotely configure the operating settings of the mobile app on users' mobile devices.
• Receive reports and statistics on the operation of the mobile app on users' mobile devices.

The Kaspersky Security for Mobile (Policies) plug-in can be installed when configuring Kaspersky Security Center Web Console. If you are using Kaspersky Security Center Cloud Console, you do not need to install this plug-in. For more information about deployment scenarios in different types of consoles, see section "Deployment scenarios".

[Topic 214494]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Hardware and software requirements

This section lists the hardware and software requirements for the administrator's computer that is used to install the Kaspersky Security for Mobile (Devices) plug-in and the Kaspersky Security for Mobile (Policies) plug-in in Kaspersky Security Center Web Console and Cloud Console, as well as the hardware and software requirements of the mobile apps.

Hardware and software requirements for the administrator's computer

To install the Kaspersky Security for Mobile (Devices) plug-in and the Kaspersky Security for Mobile (Policies) plug-in, the administrator's computer must meet the hardware requirements of Kaspersky Security Center. For more information about the hardware and software requirements of Kaspersky Security Center:

• If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
• If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.

To use the Kaspersky Security for Mobile (Devices) plug-in and the Kaspersky Security for Mobile (Policies) plug-in in Kaspersky Security Center Web Console, Kaspersky Security Center Web Console must be installed on the administrator's computer.

To use the Kaspersky Security for Mobile (Devices) plug-in and the Kaspersky Security for Mobile (Policies) plug-in in Kaspersky Security Center Cloud Console, you must create an account in Kaspersky Security Center Cloud Console. For more information about creating an account, please refer to Kaspersky Security Center Cloud Console Help.

The Kaspersky Endpoint Security for Android app can function within the following third-party EMM systems:

• VMware AirWatch 9.3 or later
• MobileIron 10.0 or later
• IBM MaaS360 10.68 or later
• Microsoft Intune 1908 or later
• SOTI MobiControl 14.1.4 (1693) or later

Hardware and software requirements for the user's mobile device to support installation of the Kaspersky Endpoint Security for Android app

The Kaspersky Endpoint Security for Android app has the following hardware and software requirements:

• Smartphone or tablet with a screen resolution of 320x480 pixels or higher
• 65 MB of free disk space in the main memory of the device
• Android 5.0–13 (including Android 12L, excluding Go Edition)
• x86, x86-64, Arm5, Arm6, Arm7, or Arm8 processor architecture

The app can be installed only to the main memory of the device.

Hardware and software requirements for the user's mobile device to support installation of the Kaspersky Security for iOS app

The Kaspersky Security for iOS app has the following hardware requirements:

• iPhone 6S or later
• iPad Air 2 or later

The Kaspersky Security for iOS app has the following software requirements:

• iOS 14.1 or later
• iPadOS 14.1 or later

The Kaspersky Security for iOS app can't operate properly when a VPN client with an active VPN connection is running on the same mobile device.

[Topic 214562]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Known issues and considerations

Kaspersky Endpoint Security for Android and Kaspersky Security for iOS have several known issues that are non-critical for the operation of these apps.

Known issues of Kaspersky Security for iOS

• The Kaspersky Security for iOS app can't operate properly when a VPN client with an active VPN connection is running on the same mobile device.

Known issues of Kaspersky Endpoint Security for Android

Known issues when installing apps

• Kaspersky Endpoint Security for Android is installed only in the main memory of the device.
• On devices running Android 7.0, an error may occur during attempts to disable administrator rights for Kaspersky Endpoint Security for Android in device settings if Kaspersky Endpoint Security for Android is prohibited from overlaying on other windows. This issue is caused by a well-known defect in Android 7.
• Kaspersky Endpoint Security for Android on devices running Android 7.0 or later does not support multi-window mode.
• Kaspersky Endpoint Security for Android does not work on Chromebook devices running the Chrome operating system.
• Kaspersky Endpoint Security for Android does not work on devices running Android (Go edition) operating systems.
• When using the Kaspersky Endpoint Security for Android app with third-party EMM systems (for example, VMWare AirWatch), only the Anti-Virus and Web Protection components are available. The administrator can configure the settings of Anti-Virus and Web Protection in the EMM system console. In this case, notifications about app operation are available only in the interface of the Kaspersky Endpoint Security for Android app (Reports).

Known issues when upgrading the app version

• You can upgrade Kaspersky Endpoint Security for Android only to a more recent version of the app. Kaspersky Endpoint Security for Android cannot be downgraded to an older version.

Known issues in Anti-Virus operation

• Due to technical limitations, Kaspersky Endpoint Security for Android cannot scan files with a size of 2 GB or more. During a scan, the app skips such files without notifying you that such files were skipped.
• For additional analysis of a device for new threats whose information has not yet been added to anti-virus databases, you must enable the use of Kaspersky Security Network. Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to Kaspersky online knowledge base with information about the reputation of files, web resources, and software. To use KSN, the mobile device must be connected to the internet.
• In some cases, updating anti-virus databases from the Administration Server on a mobile device may fail. In this case, run the anti-virus database update task on the Administration Server.
• On some devices, Kaspersky Endpoint Security for Android does not detect devices connected over USB OTG. It is not possible to run a virus scan on such devices.
• On devices running Android 11 or later, the Kaspersky Endpoint Security for Android app can't scan the "Android/data" and "Android/obb" folders and detect malware in them due to technical limitations.
• On devices running Android 11 or later, the user must grant the "Allow access to manage all files" permission.
• On devices running Android 7.0 or later, the configuration window for the virus scan run schedule might be incorrectly displayed (management elements are not shown). This issue is caused by a well-known defect in Android 7.
• On devices running Android 7.0, real-time protection in the extended mode does not detect threats in files that are stored on an external SD card.
• On devices running Android 6.0, Kaspersky Endpoint Security for Android does not detect the downloading of a malicious file to the device memory. A malicious file may be detected by Anti-Virus when the file is run, or during a virus scan of the device. This issue is caused by a well-known defect in Android 6.0. To ensure device security, it is recommended to configure scheduled virus scans.

Known issues in Web Protection operation

• Web Protection on Android devices works only in the Google Chrome browser (including the Custom Tabs feature), Huawei Browser, and Samsung Internet Browser.

• For Web Protection to work, you must enable the use of Kaspersky Security Network. Web Protection blocks websites based on the KSN data on the reputation and category of websites.
• Forbidden websites may remain unblocked by Web Protection on devices running Android 6.0 with Google Chrome version 51 (or any earlier version) installed if the website is opened in the following ways (this issue is caused by a well-known defect in Google Chrome):
  • From search results.
  • From the bookmarks list.
  • From search history.
  • Using the web address autocomplete function.
  • Opening the website in a new tab in Google Chrome.
• Forbidden websites may remain unblocked in Google Chrome version 50 (or any earlier version) if the website is opened from Google search results while the Merge Tabs and Apps feature is enabled in the browser settings. This issue is caused by a well-known defect in Google Chrome.
• Websites from blocked categories may remain unblocked in Google Chrome if the user opens them from third-party apps, for example, from an IM client app. This issue is related to how the Accessibility service works with the Chrome Custom Tabs feature.
• Forbidden websites may remain unblocked in Samsung Internet Browser if the user opens them in background mode from the context menu or from third-party apps, for example, from an IM client app.
• Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of Web Protection.
• On some Xiaomi devices, the "Display pop-up window" and "Display pop-up windows while running in the background" permissions should be granted for Web Protection to work.
• Allowed websites may be blocked in Samsung Internet Browser in the Only listed websites are allowed Web Protection mode when the page is refreshed. Websites are blocked if a regular expression contains advanced settings (for example, ^https?://example.com/pictures/). It is recommended to use regular expressions without additional settings (for example, ^https?://example.com).
• If Web Protection is set to All websites are blocked, Kaspersky Endpoint Security for Android does not block search in the Google Search widget. Instead, it blocks user access to the search results.
• In a work profile, if Web Protection is set to All websites are blocked, Kaspersky Endpoint Security for Android endlessly reloads the Google Chrome home page, blocks the browser, and interferes with the device.

Known issues in Anti-Theft operation

• For timely delivery of commands to Android devices, the app uses the Firebase Cloud Messaging (FCM) service. If FCM is not configured, commands will be delivered to the device only during synchronization with Kaspersky Security Center according to the schedule defined in the policy, for example, every 24 hours.
• To lock a device, Kaspersky Endpoint Security for Android must be set as the device administrator.
• To lock devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature.
• On some devices, Anti-Theft commands may fail to execute if Battery Saver mode is enabled on the device. This defect has been confirmed on Alcatel 5080X.
• To locate devices running Android 10.0 or later, the user must grant the "All the time" permission to device location.

Known issues in App Control operation

• Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of App Control. This does not apply to device owner mode.
• For App Control (app categories) to work, you must enable the use of Kaspersky Security Network. App Control determines the category of an app based on data that is available in KSN. To use KSN, the mobile device must be connected to the internet. For App Control, you can add individual apps to the lists of blocked and allowed apps. In this case, KSN is not required.
• When configuring App Control, it is recommended to clear the Block system apps check box. Blocking system apps may lead to problems in device operation.

Known issues when configuring device unlock password strength

• On devices running Android 10.0 or later, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high.

  If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN), with no repeating or ordered (e.g. 1234) sequences; or alphanumeric. The PIN or password must be at least 4 characters long.

  If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN), with no repeating or ordered sequences; or alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.

• On devices running Android 7.1.1, if the unlock password does not meet the corporate security requirements (Compliance Control), the Settings system app may function improperly when an attempt is made to change the unlock password through Kaspersky Endpoint Security for Android. The issue is caused by a well-known defect in Android 7.1.1. In this case, to change the unlock password, use the Settings system app only.
• On some devices running Android 6.0 or later, an error may occur when screen unlock password is entered, if device data is encrypted. This issue is related to specific features of the Accessibility service with MIUI firmware.

Known issues with App removal protection

• Kaspersky Endpoint Security for Android must be set as the device administrator.
• To protect the app from removal on devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature.
• On some Xiaomi and Huawei devices, Kaspersky Endpoint Security for Android removal protection does not work. This issue is caused by the specific features of MIUI 7 and 8 firmware on Xiaomi and EMUI firmware on Huawei.

Known issues when configuring device restrictions

• On devices running Android 10.0 or later, prohibiting the use of Wi-Fi networks is not supported.
• On devices running Android 10.0 or later, the use of the camera cannot be completely prohibited.
• On devices running Android 11 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, you will not be able to restrict use of the camera.

Known issues when sending commands to mobile devices

• On devices running Android 12 or later, if the user granted the "Use approximate location" permission, the Kaspersky Endpoint Security for Android app first tries to get the precise device location. If this is not successful, the approximate device location is returned only if it was received not more than 30 minutes earlier. Otherwise, the Locate device command fails.

Known issues with specific devices

• On certain devices (for example, Huawei, Meizu, and Xiaomi), you must grant Kaspersky Endpoint Security for Android an autostart permission or manually add it to the list of apps that are started when the operating system starts. If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted. In addition, if the device has been locked, you cannot use a command to unlock the device. You can unlock the device only by using a one-time unlock code.
• On certain devices (for example, Meizu and Asus) running Android 6.0 or later, after encrypting data and restarting the Android device, you must enter a numeric password to unlock the device. If the user uses a graphic password to unlock the device, you must convert the graphic password to a numeric password. For more details about converting a graphic password into a numeric password, please refer to the Technical Support website of the mobile device manufacturer. This issue is related to the operation of the Accessibility Features service.
• On some Huawei devices running Android 5.Х, after Kaspersky Endpoint Security for Android is set as an Accessibility feature, an incorrect message about the lack of appropriate rights may be displayed. To hide this message, enable the app as a protected app in the device settings.
• On some Huawei devices running Android 5.X or 6.X, when Battery Saver mode is enabled for Kaspersky Endpoint Security for Android, the user can manually terminate the app. The user device becomes unprotected after that. This issue is due to some features of Huawei software. To restore the device protection, run Kaspersky Endpoint Security for Android manually. It is recommended to disable Battery Saver mode for Kaspersky Endpoint Security for Android in the device settings.
• On Huawei devices with EMUI firmware running Android 7.0, the user can hide the notification regarding the protection status of Kaspersky Endpoint Security for Android. This issue is due to some features of Huawei software.
• On some Xiaomi devices, when setting the password length to more than 5 characters in a policy, the user will be prompted to change the screen unlock password instead of the PIN code. You cannot set a PIN code that has more than 5 characters. This issue is due to some features of Xiaomi software.
• On Xiaomi devices with MIUI firmware running Android 6.0, the Kaspersky Endpoint Security for Android icon may be hidden in the status bar. This issue is due to some features of Xiaomi software. It is recommended to allow the display of notification icons in Notifications settings.
• On some Nexus devices running Android 6.0.1, the privileges required for proper operation cannot be granted through the Quick Start Wizard of Kaspersky Endpoint Security for Android. This issue is caused by a well-known defect in Security Patch for Android by Google. To ensure proper operation, the required privileges must be manually granted in the device settings.
• On certain Samsung devices running Android 7.0 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: Kaspersky Endpoint Security for Android removal protection is enabled and screen unlock password strength requirements are set. To unlock the device, you must send a special command to the device.
• On certain Samsung devices, it is impossible to block the use of fingerprints for unlocking the screen.
• Web Protection cannot be enabled on some Samsung devices, if the device is connected to a 3G/4G network, has Battery Saver mode enabled and restricts background data. It is recommended to disable the function that restricts background processes in Battery Saver settings.
• On certain Samsung devices, if the unlock password does not comply with corporate security requirements, Kaspersky Endpoint Security for Android does not block the use of fingerprints for unlocking the screen.
• On some Honor and Huawei devices, you cannot restrict the use of Bluetooth. When Kaspersky Endpoint Security for Android attempts to restrict the use of Bluetooth, the operating system shows a notification containing the options to reject or allow this restriction. The user can reject this restriction and continue to use Bluetooth.
• On Blackview devices, the user can clear the memory for the Kaspersky Endpoint Security for Android app. As a result, the device protection and management are disabled, all defined settings become ineffective, and the Kaspersky Endpoint Security for Android app is removed from the Accessibility features. This is because this vendor's devices provide the customized Recent screens app with elevated privileges. This app can override Kaspersky Endpoint Security for Android settings and cannot be replaced because it is part of the Android operating system.
• On some Google Pixel devices running Android 11 or earlier, the Kaspersky Endpoint Security for Android app crashes immediately after the start. This is caused by an issue in Android.
• On Samsung Galaxy S23 and S24 series devices Real-Time Protection may not work.

Known issues in app operation on Android 13

• On Android 13, the user can use the Foreground Services Task Manager to stop Kaspersky Endpoint Security from running in the background. This is caused by a well-known issue in Android 13.
• On Android 13, the permission to send notifications is requested when the initial app configuration begins. This is due to specifics of the Android 13 operating system.

[Topic 214499]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deploying a mobile device management solution in Kaspersky Security Center Web Console or Cloud Console

To manage mobile devices by using Kaspersky Security Center Web Console or Cloud Console, you must deploy a mobile device management solution.

[Topic 218256]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deployment scenarios

Deployment in Kaspersky Security Center Web Console

Deployment of mobile device management solution in Kaspersky Security Center Web Console consists of the following steps:

1. Preparing Kaspersky Security Center Web Console for deployment
2. Deploying administration plug-ins
3. Deploying the mobile app
4. (Optional, for Android only) Configuring the information exchange with Firebase Cloud Messaging

   It is recommended to perform this step to ensure timely delivery of commands to mobile devices and forced synchronization when policy settings are changed.

Deployment in Kaspersky Security Center Cloud Console

Deployment of mobile device management solution in Kaspersky Security Center Cloud Console consists of the following steps:

1. Preparing Kaspersky Security Center Cloud Console for deployment
2. Deploying the mobile app
3. (Optional, for Android only) Configuring the information exchange with Firebase Cloud Messaging

   It is recommended to perform this step to ensure timely delivery of commands to mobile devices and forced synchronization when policy settings are changed.

[Topic 214951]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Preparing Kaspersky Security Center Web Console and Cloud Console for deployment

This section provides instructions on preparing Kaspersky Security Center Web Console and Cloud Console for deployment.

[Topic 218229]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring Administration Server for connection of mobile devices

To connect mobile devices to the Administration Server, you must define the connection settings before installing the app on devices.

• If you are using Kaspersky Security Center Web Console, configure its properties as described below.
• If you are using Kaspersky Security Center Cloud Console, the connection settings are defined during the initial configuration of Kaspersky Security Center Cloud Console. For more information, please refer to Kaspersky Security Center Cloud Console Help.

To define Kaspersky Security Center Web Console properties for a mobile device connection:

1. In the main window of Kaspersky Security Center Web Console, click Settings ().

   The Administration Server properties window opens.

2. Configure the Administration Server ports that will be used by mobile devices:
   1. Select the Additional ports section.
   2. Enable the Open port for mobile devices toggle button.
   3. In the Port for mobile device synchronization field, specify the port through which mobile devices will connect to the Administration Server.

      Port 13292 is used by default.

      If the Open port for mobile devices toggle button is off or an incorrect connection port is specified, mobile devices will not be able to connect to the Administration Server.

   4. In the Port for mobile device activation field, specify the port to be used by mobile devices to connect to the Administration Server for activation of the mobile app.

      Port 17100 is used by default.

      If you specify an incorrect connection port, the users of mobile devices will not be able to activate the mobile app by using the Administration Server.

3. If necessary, edit the certificate that will be used by mobile devices to connect to the Administration Server.

   By default, Administration Server uses the certificate that was created during Administration Server installation. If you want, replace the certificate issued through the Administration Server with another certificate or reissue the certificate issued through the Administration Server.

   To edit the certificate:

   1. Select the Certificates section.
   2. Define the required settings.

      For detailed information about the certificates, please refer to Kaspersky Security Center Help.

4. Click the Save button to save the changes you have made to the settings and exit the Administration Server properties window.

After you configure the mobile device connection settings, you can install the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app on mobile devices and connect them to the Administration Server by using the specified settings.

[Topic 245223]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server

This topic describes how to configure a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server. The configuration proceeds in the following steps:

1. Install Network Agent in the connection gateway role on a host
2. Configure the connection gateway on Kaspersky Security Center Administration Server

This article contains an overview of the scenario. For detailed instructions, please refer to the Kaspersky Security Center documentation.

Requirements

For a connection gateway to work correctly with mobile devices, the following requirements must be met:

• Port 13292 must be open on the host with the connection gateway.
• Port 13000 must be open between the connection gateway and Kaspersky Security Center. It does not need to be open outside the DMZ.
• The host must have a static address accessible from the internet.

Install Network Agent in the connection gateway role on a host

First, you need to install Network Agent on the selected host device acting in the gateway connection role. You can download a full installation package of Kaspersky Security Center or use a local installation of Kaspersky Security Center.

By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>

To install Network Agent in the connection gateway role:

1. Start the Network Agent Setup Wizard and follow its instructions leaving default values for all of the options until the Select Administration Server window opens.
2. In the Select Administration Server window, configure the following settings:
   • Enter the address of the device with Administration Server installed.
   • In the Port, SSL port, and UDP port fields, leave the default values.
   • Select the Use SSL to connect to Administration Server check box to establish a connection to the Administration Server through a secure port via SSL.

     We recommend that you do not clear this check box so your connection remains secured.

   • Select the Allow Network Agent to open UDP port check box to manage client devices and receive information about them.
3. Click Next and proceed through the Wizard with default settings up to the Connection gateway window.
4. In the Connection gateway window, select Use Network Agent as a connection gateway in DMZ.

   This mode simultaneously activates the connection gateway role and tells Network Agent to wait for connections from Administration Server, rather than establish connections to Administration Server.

5. Click Next and start the installation.

Network Agent is now installed and configured in the connection gateway role.

Configure the connection gateway on Kaspersky Security Center Administration Server

Once you have installed Network Agent in the connection gateway role, you need to connect it to Administration Server. Administration Server does not yet list the device with the connection gateway among the managed devices because the connection gateway has not tried to connect to Administration Server. Therefore, you need to add the connection gateway as a distribution point to ensure that Administration Server initiates a connection to the connection gateway.

To configure the connection gateway on Administration Server:

1. Add the connection gateway as a distribution point in Kaspersky Security Center.
   1. In the console tree, select the Administration Server node.
   2. In the context menu of Administration Server, select Properties.
   3. In the Administration Server properties window, select the Distribution points section.
   4. Click the Add button.

      The Add distribution point window opens.

   5. In the Add distribution point window, perform the following actions:
      • Specify the IP address of the device with Network Agent installed in the Device to act as distribution point field. To do this, select Add connection gateway in DMZ by address in the drop-down list.

        Enter the IP address of the connection gateway or enter the name if the connection gateway is accessible by name.

      • In the Distribution point scope field, select the group to which the connection gateway will be distributed from the drop-down list, and then click OK.
   6. In the Distribution points section, click OK to save the changes you have made.

   The connection gateway will be saved as a new entry named Temporary entry for connection gateway.

   Administration Server almost immediately attempts to connect to the connection gateway at the address that you specified. If it succeeds, the entry name changes to the name of the connection gateway device. This process takes up to five minutes.

   While the temporary entry for the connection gateway is being converted to a named entry, the connection gateway also appears in the Unassigned devices group.

2. Create a new group under the Managed devices group. This new group will contain external managed devices.
3. Move the connection gateway from the Unassigned devices group to the group that you have created for external devices.
4. Configure properties of the connection gateway that you have deployed:
   1. In the Distribution points section of the Administration Server properties, select the connection gateway and click Properties.
   2. In the General section, under DNS domain names of the distribution point for access by mobile devices (included in the certificate), specify your connection gateway DNS name that will be used to connect to the mobile device.
   3. In the Connection Gateway section, select the following check boxes and leave the default port numbers:
      • Open port for mobile devices (SSL authentication of the Administration Server only)
      • Open port for mobile devices (two-way SSL authentication)
   4. Click OK to save the changes you have made.

The connection gateway is now configured. You can now add new mobile devices by specifying the connection gateway address. New devices will appear on Administration Server.

[Topic 218231]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating an administration group

Group policies are used to perform centralized configuration of the Kaspersky Endpoint Security for Android and Kaspersky Security for iOS apps installed on the users' mobile devices.

To apply a policy to a group of devices, you are advised to create a separate group for these devices in Managed devices prior to installing mobile apps on user devices.

After creating an administration group, it is recommended to configure the option to automatically allocate devices on which you want to install the apps to this group. Then configure settings that are common to all devices by using a group policy.

To create an administration group:

1. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Hierarchy of groups.
2. In the administration group structure, select the administration group that is to include the new administration group.
3. Click the Add button.
4. In the Name of the new administration group window that opens, enter a name for the group, and then click the Add button.

A new administration group with the specified name appears in the hierarchy of administration groups.

[Topic 214519]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating a rule for automatically allocating a device to administration groups

When the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app is installed on mobile devices, they are displayed on the Discovery & deployment > Unassigned devices page of Kaspersky Security Center Web Console or Cloud Console. In order to manage newly connected devices, you can move them to an administration group manually or create a rule for allocating them automatically to administration groups.

To create a rule for automatic allocation of mobile devices to administration groups:

1. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Discovery & deployment > Deployment & assignment > Moving rules.
2. In the New rule window that opens, click the Add button.
3. In the Rule name field, specify the rule name.
4. In the Administration group field, select the administration group to which mobile devices will be allocated after the app has been installed on them.
5. In the Apply rule section, select Run once for each device.
6. Select the Move only devices not added to an administration group check box to prevent the moving of the mobile devices that are allocated to other administration groups when applying the rule.
7. Select the Enable rule check box, to apply the rule immediately after creating it.

   You can enable the rule at any time later by using the toggle button on the Moving rules page.

8. Select Rule conditions > Applications and do the following:
   1. Enable the Operating system version toggle button.
   2. In the list of operating systems that opens, select Android or iOS.

   The rule will be applied to the corresponding devices. You must specify at least one condition to create a rule.

9. Click Save to create the rule.

The newly created rule is displayed on the Moving rules page. According to the rule, Kaspersky Security Center will allocate all newly connected devices to the selected administration group.

For detailed information on administration groups management and actions with unassigned devices:

• If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
• If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.

[Topic 218473]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deploying administration plug-ins

To manage mobile devices in Kaspersky Security Center Web Console, the following administration plug-ins must be installed:

• Kaspersky Security for Mobile (Devices) plug-in
• Kaspersky Security for Mobile (Policies) plug-in

If you are using Kaspersky Security Center Cloud Console, you do not need to install the administration plug-ins. You only need to create an account in Kaspersky Security Center Cloud Console. For more information about creating an account, please refer to Kaspersky Security Center Cloud Console Help.

You can use the following methods to install administration plug-ins:

• By using the Quick Start Wizard of Kaspersky Security Center Web Console.

  Kaspersky Security Center Web Console automatically prompts you to run the Quick Start Wizard after Administration Server installation, at the first connection to it. You can also start the Quick Start Wizard manually at any time.

  For more information on the Quick Start Wizard for Kaspersky Security Center, please refer to Kaspersky Security Center Help.

• By using the list of available distribution packages in Kaspersky Security Center Web Console.

  The list of available distribution packages is updated automatically after new versions of Kaspersky applications are released.

• Download the distribution packages from an external source and add administration plug-ins to Kaspersky Security Center Web Console.

  For example, the distribution packages of administration plug-ins can be downloaded on the Kaspersky website.

[Topic 218683]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installing administration plug-ins from the list of available distribution packages

To install the administration plug-ins:

1. In the main window of Kaspersky Security Center Web Console, select Console settings > Web plug-ins.
2. Click the Add button.

   This opens the list of up-to-date versions of Kaspersky applications.

3. Install the administration plug-ins:
   1. In the list of available applications, click the Mobile devices section to expand it.
   2. Select Kaspersky Security for Mobile (Devices), and then click Install plug-in.
   3. Select Kaspersky Security for Mobile (Policies), and then click Install plug-in.

The distribution packages are downloaded and the plug-ins are installed. When each plug-in is installed and added to Kaspersky Security Center Web Console, a confirmation window is displayed.

[Topic 218684]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installing administration plug-ins from the distribution package

You can download the distribution package on the Kaspersky website.

To install the Kaspersky Security for Mobile (Devices) plug-in from the distribution package:

1. Copy the plugin.zip and signature.txt files from the on_prem_ksm_devices_xx.x.x.x.zip archive of the distribution package to the administrator's workstation.
2. In the main window of Kaspersky Security Center Web Console, select Console settings > Web plug-ins.
3. Click Add from file.
4. In the Add from file window that opens, click Upload ZIP file, and then browse for plugin.zip.
5. Click Upload signature, and then browse for signature.txt.
6. Click the Add button.

The Kaspersky Security for Mobile (Devices) plug-in is installed and added to Kaspersky Security Center Web Console.

To install the Kaspersky Security for Mobile (Policies) plug-in from the distribution package:

1. Copy the plugin.zip and signature.txt files from the on_prem_ksm_policies_xx.x.x.x.zip archive of the distribution package to the administrator's workstation.
2. In the main window of Kaspersky Security Center Web Console, select Console settings > Web plug-ins.
3. Click Add from file.
4. In the Add from file window that opens, click Upload ZIP file, and then browse for plugin.zip.
5. Click Upload signature, and then browse for signature.txt.
6. Click the Add button.

The Kaspersky Security for Mobile (Policies) plug-in is installed and added to Kaspersky Security Center Web Console.

You can make sure that the administration plug-ins have been installed by viewing the list of installed plug-ins on the Console settings > Web plug-ins page.

[Topic 214500]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deploying the mobile app

To manage mobile devices in Kaspersky Security Center Web Console or Cloud Console, you must deploy the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app on mobile devices. You can deploy apps on mobile devices by using Kaspersky Security Center Web Console or Cloud Console.

[Topic 218255]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deploying the mobile app by using Kaspersky Security Center Web Console or Cloud Console

The mobile app is deployed on the mobile devices of users whose user accounts have been added to Kaspersky Security Center. For more information about user accounts in Kaspersky Security Center:

• If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
• If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.

You can use the Kaspersky Security for Mobile (Devices) plug-in to install the app from Kaspersky Security Center Web Console and Cloud Console by sending an installation link to a mobile device.

• On an Android device, the user receives a Google Play link to download the Kaspersky Endpoint Security for Android app. The app can be installed by following the standard installation procedure on the Android platform. After the installation of the app, the user must provide the required permissions.

  Some Huawei and Honor devices do not have Google services and therefore no access to apps in Google Play. If some users of Huawei and Honor devices cannot install the app from Google Play, they should be instructed to install the app from Huawei App Gallery.

• On an iOS device, the user receives an App Store link to download the Kaspersky Security for iOS app. The app can be installed by following the standard installation procedure on the iOS platform.

  Before connecting an iOS device, send the address of Kaspersky Security Center to the device user to improve connection security. The user will see this address during app installation and can cancel the connection if the displayed address doesn't match the address you sent.

The link contains the following data:

• Kaspersky Security Center synchronization settings
• Mobile certificate

To deploy the app on a mobile device:

1. Start the Mobile Device Connection Wizard:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices, and then click Add.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Users & roles > Users. Click the name of the user or the user group to whom you want to send the link for connecting a mobile device, and then select Devices. Click Add mobile device. In this case, skip step 3.

   Proceed through the Wizard by using the Next button.

2. Select the operating system of the devices that you want to add:
   • Android
   • iOS and iPadOS
3. Select users and user groups to whom you want to send the link for connecting a mobile device.
4. Select email addresses where to send the link:
   • All email addresses
   • Main email address
   • Alternative email address
   • Another email address

     If you select this option, specify the email address below.

5. The link summary is displayed.

   Make sure that all parameters of the link are correct, and then click Send.

6. A window opens with a confirmation that the link for adding a mobile device has been sent.

   Click OK to finish the Wizard.

When the user installs the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app, the user's device will be displayed on the Devices > Mobile > Devices tab of Web Console or Cloud Console.After installing the app on users' mobile devices, you will be able to configure the settings for devices and apps by using group policies. You will also be able to send commands to mobile devices (for Android only) for data protection in case devices are lost or stolen.

[Topic 214522]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Activating the mobile app

In Kaspersky Security Center, the license can cover various groups of features. To ensure that the Kaspersky Endpoint Security for Android app and the Kaspersky Security for iOS app are fully functional, the Kaspersky Security Center license purchased by the organization must provide for the Mobile Device Management functionality. The Mobile Device Management functionality is intended for connecting mobile devices to Kaspersky Security Center and managing them.

For detailed information about licensing Kaspersky Security Center and licensing options:

• If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
• If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.

Activating the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app on a mobile device is done by providing valid license information to the app. License information is delivered to the mobile device, together with the policy, when the device is synchronized with Kaspersky Security Center.

If the activation of the mobile app is not completed within 30 days from the time of installation on the mobile device, the app is automatically switched to the limited functionality mode. In this mode, most of the app components are not operational. When switched to the limited functionality mode, the app stops performing automatic synchronization with Kaspersky Security Center. Therefore, if the activation of the app has not been completed within 30 days after the installation, the user must synchronize the device with Kaspersky Security Center manually.

If Kaspersky Security Center is not deployed in your organization or is not accessible to mobile devices, users can activate the mobile app on their devices manually.

To activate the mobile app:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties page, select Application settings > Licenses.
3. Use the drop-down list to select the required license key from the key storage of the Administration Server.

   The details of the license key are displayed in the fields below.

   If a key file is selected from the Kaspersky Security Center key storage and sent to the device, Kaspersky Security for iOS will be not able to process it, because Kaspersky Security for iOS does not support this activation method. To activate Kaspersky Security for iOS, you must add the license to Kaspersky Security Center as an activation code.

   You can replace the existing activation key on the mobile device if it is different from the one selected in the drop-down list above. To do so, select the If the key on device is different, replace with this key check box.

4. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 214532]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Providing the required permissions for the Kaspersky Endpoint Security for Android app

Certain features of the Kaspersky Endpoint Security for Android app require permissions. Kaspersky Endpoint Security for Android asks for mandatory permissions during installation, as well as after installation and prior to using individual features of the app. It is impossible to install Kaspersky Endpoint Security for Android without providing the mandatory permissions.

On certain devices (for example, Huawei, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts, in the device settings. If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted.

On devices running Android 11 or later, you must disable the Remove permissions if app isn't used system setting. Otherwise, after the app is not used for a few months, the system automatically resets the permissions that the user granted to the app.

Permissions requested by the Kaspersky Endpoint Security for Android app

[Topic 214957]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Managing certificates

Mobile certificates are used for the purpose of identifying the users of mobile devices on the Administration Server.

Kaspersky Security Center Web Console and Cloud Console allow you to perform the following actions with user mobile certificates:

• View the certificates and their statuses.
• Create new certificates.
• Renew the expiring certificates.
• Delete certificates.

For more information on Kaspersky Security Center certificates:

• If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
• If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.

[Topic 218601]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Viewing the list of certificates

Kaspersky Security Center Web Console and Cloud Console allow you to view the applied user mobile certificates, their statuses, and properties.

To view the list of applied user mobile certificates:

1. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
2. Select Manage certificates.

The Mobile certificates page opens with information about the applied user mobile certificates. You can view details of a certificate by clicking it in the User name column.

[Topic 218624]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Defining certificate settings

You can use Kaspersky Security Center Web Console or Cloud Console to configure the lifetime, automatic updates, and password protection of mobile certificates.

To define mobile certificate settings:

1. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
2. Select Manage certificates.
3. Select Certificate settings.
4. In the Generate mobile certificates window that opens, you can configure the following:
   • Certificate validity period (days)

     Certificate lifetime period in days. The default lifetime of a certificate is 365 days. When this period expires, the mobile device will not be able to connect to the Administration Server.

   • Reissue when certificate will expire in (days)

     The number of days remaining until the current certificate's expiration during which Administration Server should issue a new certificate. For example, if the value of the field is 4, Administration Server issues a new certificate four days before the current certificate expires. The default value is 1.

   • Reissue certificate automatically if possible

     If possible, certificates will be reissued automatically. If this option is disabled, certificates must be reissued manually as they expire. By default, this option is disabled.

   • Prompt for password during certificate installation

     The user will be prompted for a password when the certificate is installed on a mobile device. The password is used only once—during installation of the certificate on the mobile device. The password will be automatically generated by the Administration Server and sent to the user by email. You can specify the password length in the Password length field.

5. Click Save to apply the changes and close the window.

The specified settings will be used by Kaspersky Security Center for creating, updating, and protecting mobile certificates.

[Topic 218257]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating a certificate

You can create mobile certificates in Kaspersky Security Center Web Console and Cloud Console for the purpose of identifying the users of mobile devices.

To create a mobile certificate:

1. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
2. Select Manage certificates.
3. In the Mobile certificates window that opens, click Add to start Mobile Certificate Creation Wizard. Proceed through the Wizard by using the Next button.
4. Select users or user groups whose mobile devices you want to manage with a new certificate.
5. Specify the Publication parameters:
   • If you want to notify the users about the new certificate, select the Notify user about the new certificate check box.
   • If you want to allow using one certificate multiple times on the same device, select the Allow using one certificate multiple times on the same device (only for devices with Kaspersky Endpoint Security for Android installed) check box.
6. Select the Authentication type:
   • Select Credentials (domain login or user name) if you want users to access the certificate by using their credentials.
   • Select One-time password if you want users to access the certificate by using a one-time password.

     This option is available if you did not select the Allow using one certificate multiple times on the same device (only for devices with Kaspersky Endpoint Security for Android installed) check box in the previous step.

   • Select Password if you want users to access the certificate by using a password.

     This option is available if you selected the Allow using one certificate multiple times on the same device (only for devices with Kaspersky Endpoint Security for Android installed) check box in the previous step.

7. Specify the method of certificate delivery in the Certificate delivery field:
   • If you have selected One-time password in the previous step, select one of the following options:
     • If you want to send the password by email, select Notify user by email.

       Then select which email address to use or select Another email address to specify another email address.

     • If you want to notify users about the password by other means, select Show the password after finishing the Wizard.
   • If you have selected Credentials (domain login or user name) in the previous step, select which email address to use or select Another email address to specify another email address.
8. The certificate summary is displayed.

   Make sure that all parameters are correct, and then click Create.

As a result, Mobile Certificate Creation Wizard creates a certificate that users can install on their mobile devices. The certificate becomes available after the next synchronization of mobile devices with Kaspersky Security Center.

For more information about creating certificates and configuring rules for issuing them:

• If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
• If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.

[Topic 218603]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Renewing a certificate

If any of the applied mobile certificates is about to expire, you can renew it by using Kaspersky Security Center Web Console or Cloud Console.

To renew a mobile certificate:

1. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
2. Select Manage certificates.
3. Select the certificate that you want to renew, and then click Reissue.

The status of the certificate changes to The certificate has been reissued.

[Topic 218604]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deleting a certificate

You can delete mobile certificates by using Kaspersky Security Center Web Console or Cloud Console.

If you delete a mobile certificate, the device can no longer synchronize with the Administration Server and cannot be managed by means of Kaspersky Security Center. To start managing the mobile device again, you will need to reinstall the Kaspersky Endpoint Security for Android app on it.

To delete a mobile certificate:

1. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
2. Select Manage certificates.
3. Select the certificate that you want to delete, and then click Delete.

The certificate is deleted and removed from the list of certificates.

[Topic 216467]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Exchanging information with Firebase Cloud Messaging

Kaspersky Endpoint Security for Android uses the Firebase Cloud Messaging (FCM) service to ensure timely delivery of commands to mobile devices and forced synchronization when policy settings are changed.

To use the Firebase Cloud Messaging service, you must define the service settings in Kaspersky Security Center Web Console or Cloud Console.

To enable Firebase Cloud Messaging in Kaspersky Security Center Web Console or Cloud Console:

1. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Android devices synchronization.

   The Android devices synchronization window opens.

2. In the Sender ID and Server key fields, specify the Firebase Cloud Messaging settings: SENDER_ID and API Key.

Firebase Cloud Messaging is enabled.

To obtain a Sender ID and the Server key:

1. Register on Google portal.
2. Go to Google Cloud Platform.
3. Create a new project.

   Wait for the project to be created.

4. Find the relevant SENDER_ID of the project.
5. Enable Google Firebase Cloud Messaging for Android.
6. Follow the onscreen instructions to create credentials.
7. Retrieve the API Key from the properties of the newly created credentials.

For detailed information about operations in Google Cloud Platform, please refer to its documentation.

You now have a Sender ID and a Server key to configure the Firebase Cloud Messaging settings.

If the Firebase Cloud Messaging settings are not defined, commands on the mobile device and policy settings will be delivered when the device is synchronized with Kaspersky Security Center, according to the schedule set in the policy (for example, every 24 hours). In other words, commands and policy settings will be delivered with a delay.

For the purposes of supporting the main functionality of the product, you agree to automatically provide the Firebase Cloud Messaging service with the unique ID of the app installation (Instance ID), and the following data:

• Information about the installed software: app version, app ID, app build version, app package name.
• Information about the computer on which the software is installed: OS version, device ID, version of Google services.
• Information about FCM: app ID in FCM, FCM user ID, protocol version.

Data is transmitted to Firebase services over a secure connection. Access to and protection of information is regulated by the relevant terms of use of the Firebase services: Firebase Data Processing and Security Terms, Privacy and Security in Firebase.

To prevent the exchange of information with the Firebase Cloud Messaging service:

1. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Android devices synchronization.

   The Android devices synchronization window opens.

2. Click Reset.
3. In the window that opens, click the OK button to confirm resetting.

The Firebase Cloud Messaging settings are cleared.

[Topic 214977]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Managing mobile devices in Kaspersky Security Center Web Console and Cloud Console

You can manage mobile devices in Kaspersky Security Center Web Console and Cloud Console by using group policies and by sending commands to mobile devices (for Android only).

To manage mobile devices in Kaspersky Security Center Web Console, you must install administration plug-ins.

[Topic 214537]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Connecting mobile devices to Kaspersky Security Center

To manage a mobile device by using Kaspersky Security Center Web Console or Cloud Console, the device must be connected to Kaspersky Security Center. You can view the list of mobile devices connected to Kaspersky Security Center on the Devices > Mobile > Devices tab of Web Console or Cloud Console.

Before connecting an iOS device, send the address of Kaspersky Security Center to the device user to improve connection security. The user will see this address during app installation and can cancel the connection if the displayed address doesn't match the address you sent.

To connect a mobile device to Kaspersky Security Center:

1. Start the Mobile Device Connection Wizard:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices, and then click Add.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Users & roles > Users. Click the name of the user or the user group to whom you want to send the link for connecting a mobile device, and then select Devices. Click Add mobile device. In this case, skip step 3.

   Proceed through the Wizard by using the Next button.

2. Select the operating system of the devices that you want to add:
   • Android
   • iOS and iPadOS
3. Select users and user groups to whom you want to send the link for connecting a mobile device.
4. Select email addresses where to send the link:
   • All email addresses
   • Main email address
   • Alternative email address
   • Another email address

     If you select this option, specify the email address below.

5. The link summary is displayed.

   Make sure that all parameters of the link are correct, and then click Send.

6. A window opens with a confirmation that the link for adding a mobile device has been sent.

   Click OK to finish the Wizard.

When the user installs the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app, the user's device will be displayed on the Devices > Mobile > Devices tab of Web Console or Cloud Console.

[Topic 218459]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Moving unassigned mobile devices to administration groups

When the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app is installed on mobile devices, they are displayed on the Discovery & deployment > Unassigned devices page of Kaspersky Security Center Web Console or Cloud Console. In order to manage newly connected devices, you can create a rule for their automatic allocating to administration groups or move them to an administration group manually.

To move an unassigned mobile device to an administration group:

1. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Discovery & deployment > Unassigned devices.
2. Select the device that you want to move to an administration group, and then click Move to group.
3. In the tree of administration groups that opens, select the target group to which you want to move the device.

   You can create a new administration group by selecting an existing group, and then clicking Add child group.

4. Click Move.

The device is moved to the specified administration group and the group policy is applied to it.

[Topic 214964]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Sending commands to mobile devices

You can send commands to Android mobile devices to protect data on a mobile device that is lost or stolen, or to perform forced synchronization of a mobile device with Kaspersky Security Center.

You can't send commands to iOS devices.

The following commands are supported:

• Lock device

  The mobile device is locked.

• Unlock device

  The mobile device is unlocked. After unlocking the mobile device running Android 5.0 – 6.Х, the screen unlock password is reset to "1234". After unlocking a device running Android 7.0 or later, the screen unlock password is not changed.

• Reset to factory settings

  All data is deleted from the mobile device and the settings are rolled back to their default values.

• Wipe corporate data

  Containerized data and the corporate email account are wiped from the mobile device.

• Locate device

  Device is located and shown on Google Maps. The mobile service provider may charge a fee for internet access.

  On devices running Android 12 or later, if the user granted the "Use approximate location" permission, the Kaspersky Endpoint Security for Android app first tries to get the precise device location. If this is not successful, the approximate device location is returned only if it was received not more than 30 minutes earlier. Otherwise, the Locate device command fails.

• Sound alarm

  The mobile device sounds an alarm. The alarm sounds for 5 minutes (or for 1 minute if the device battery is low).

• Synchronize device

  The mobile device is synchronized with Kaspersky Security Center.

Kaspersky Endpoint Security for Android app requires specific permissions for the execution of commands. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, it will be impossible to execute commands.

On devices running Android 10.0 or later, the user must grant the "All the time" permission to access the location. On devices running Android 11.0 or later, the user must also grant the "While using the app" permission to access the camera. Otherwise, anti-theft commands will not function. The user will be notified of this limitation and will again be prompted to grant the required level of permissions. If the user selects the "Only this time" option for the camera permission, access is considered granted by the app. It is recommended to contact the user directly if the camera permission is requested again.

To send a command to a mobile device:

1. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
2. Select the device to which you want to send the command, and then click either Control or Manage.
3. Select the required command in the Available commands list, and then click OK.
4. Click OK if you are prompted to confirm the operation.

The specified command is sent to the mobile device and the confirmation window is displayed.

[Topic 219533]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Removing mobile devices from Kaspersky Security Center

If you do not need to manage a mobile device any longer, you can remove it from Kaspersky Security Center by using Web Console or Cloud Console.

To remove a mobile device from Kaspersky Security Center:

1. Remove the mobile app from the device or make sure that the user has removed the app from the required device.
2. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
3. Select the mobile device that you want to remove, and then click Delete.
4. Click OK to confirm the operation.

The device is removed from Kaspersky Security Center.

[Topic 214501]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Managing group policies

This section describes how to manage group policies in Kaspersky Security Center Web Console and Cloud Console.

[Topic 214502]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Group policies for managing mobile devices

A group policy is a package of settings for managing mobile devices that belong to an administration group and for managing mobile apps installed on the devices.

You can use a policy to configure settings of both individual devices and a group of devices. For a group of devices, administration settings can be configured in the window of group policy properties.

Each parameter represented in a policy has a "lock" attribute, which shows whether the setting is allowed for modification in the policies of nested hierarchy levels (for nested groups and secondary Administration Servers), in local application settings.

The values of settings configured in the policy and in local application settings are saved on the Administration Server, distributed to mobile devices during synchronization, and saved to devices as current settings. If the user has specified other values of settings that have not been "locked", during the next synchronization of the device with the Administration Server the new values of settings are relayed to the Administration Server and saved in the local settings of the application instead of the values that had been previously specified by the administrator.

To keep corporate security of Android mobile devices up to date, you can monitor users' devices for compliance with corporate security requirements.

For more details on managing policies and administration groups in Kaspersky Security Center Web Console and Cloud Console:

• If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
• If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.

[Topic 219575]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Viewing the list of group policies

Kaspersky Security Center Web Console and Cloud Console allow you to view the group policies, their statuses, and properties.

To view the list of group policies,

In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles.

The list of group policies opens with brief information about the group policies. On this page, you can create, modify, copy, move, and delete group policies.

[Topic 219617]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Viewing the policy distribution results

Kaspersky Security Center Web Console and Cloud Console allow you to view the distribution chart of a group policy and information about all devices that fall under that policy.

To view the distribution results of a group policy:

1. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles.
2. In the list of group policies that opens, select the check box next to the name of the policy for which you want to view the distribution results, and then click Distribution.

The policy distribution results page opens. This page contains the policy summary, the policy distribution chart, and the table with information about all devices that fall under that policy. You can open the policy properties window by clicking the Configure policy button.

[Topic 216828]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating a group policy

Kaspersky Security Center Web Console and Cloud Console allow you to create group policies for the purpose of managing mobile devices.

To create a group policy:

1. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles.
2. In the list of Kaspersky Security Center group policies that opens, click Current path to select the administration group for which you want to create a policy.

   By default, the new group policy is applied to the Managed devices group.

3. Click Add to start the Policy Creation Wizard. Proceed through the Wizard by using the Next button.
4. Select Kaspersky Security for Mobile (Policies).
5. Type the name for the new policy in the Name field. If you specify the name of an existing policy, it will have (1) added at the end automatically.
6. Select the policy status:
   • Active

     The Wizard saves the created policy on the Administration Server. At the next synchronization of the mobile device with the Administration Server, the policy will be used on the device as the active policy.

   • Inactive

     The Wizard saves the created policy on the Administration Server as a backup policy. This policy can be activated in the future after a specific event. If necessary, an inactive policy can be switched to active state.

     Several policies can be created for one application in the group, but only one of them can be active. When a new active policy is created, the previous active policy automatically becomes inactive.

7. You can enable or disable two options of inheritance, Inherit settings from parent policy and Force inheritance of settings in child policies:
   • If you enable Inherit settings from parent policy for a child administration group and lock some settings in the parent policy, then you cannot change these settings in the policy for the child group. You can, however, change the settings that are not locked in the parent policy.
   • If you disable Inherit settings from parent policy for a child administration group, then you can change all the settings in the child group, even if some settings are locked in the parent policy.
   • If you enable Force inheritance of settings in child policies in the parent administration group, this enables the Inherit settings from parent policy option for each child policy. In this case, you cannot disable this option for any child policy. All the settings that are locked in the parent policy are forcibly inherited in the child groups and you cannot change these settings in the child groups.
   • In the policies for the Managed devices group, the Inherit settings from parent policy option does not affect any settings, because the Managed devices group does not have any upstream groups and therefore does not inherit any policies.

   By default, the Inherit settings from parent policy option is enabled and the Force inheritance of settings in child policies option is disabled.

8. If you want, you can define the settings of the newly created policy. To do so, select the Application settings tab, and then proceed as described in the "Defining policy settings" section.

   Alternatively, you can do that later.

9. Click Save to create the policy.

A new group policy for managing mobile devices is created.

[Topic 216829]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Modifying a group policy

Kaspersky Security Center Web Console and Cloud Console allow you to modify the settings of group policies.

To modify a group policy:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties window, select Application settings, and then define the policy settings as described in the "Defining policy settings" section.

   You can also configure general settings, settings inheritance, events logging and notifications, policy profiles, and view revision history. For more information, please refer to Kaspersky Security Center Help.

3. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 219624]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Copying a group policy

Kaspersky Security Center Web Console and Cloud Console allow you to create a copy of a group policy.

To create a copy of a group policy:

1. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles.
2. In the list of group policies that opens, select the check box next to the name of the policy for which you want to create a copy, and then click Copy.
3. In the tree of administration groups that opens, select the target group in which you want to create a copy of the policy.

   You can create a new administration group by selecting an existing group, and then clicking Add child group.

4. Click Copy.
5. Click OK to confirm the operation.

A copy of the policy will be created in the target group under the same name. The status of each copied or moved policy in the target group will be Inactive. You can change the status to Active at any time.

If a policy with a name identical to that of the newly created or moved policy already exists in the target group, the (<next sequence number>) index is added to the name of the newly created or moved policy, for example: (1).

[Topic 219627]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Moving a policy to another administration group

Kaspersky Security Center Web Console and Cloud Console allow you to move a policy to another administration group.

To move a policy to another administration group:

1. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles.
2. In the list of group policies that opens, select the check box next to the name of the policy that you want to move to another administration group, and then click Move.
3. In the tree of administration groups that opens, select the target group to which you want to move the policy.

   You can create a new administration group by selecting an existing group, and then clicking Add child group.

4. Click Move.
5. Click OK to confirm the operation.

The result depends on the policy inheritance properties:

• If the policy is not inherited in the source group, it will be moved to the target group.
• If the policy is inherited in the source group, it will not be moved. Instead, a copy of this policy will be created in the target group.

The status of each copied or moved policy in the target group will be Inactive. You can change the status to Active at any time.

If a policy with a name identical to that of the newly created or moved policy already exists in the target group, the (<next sequence number>) index is added to the name of the newly created or moved policy, for example: (1).

[Topic 219613]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deleting a group policy

Kaspersky Security Center Web Console and Cloud Console allow you to delete group policies.

You can delete only a policy that is not inherited in the current administration group. If a policy is inherited, you can only delete it in the upper-level group for which it was created.

To delete a group policy:

1. In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles.
2. In the list of group policies that opens, select the check box next to the name of the policy that you want to delete, and then click Delete.
3. Click OK to confirm the operation.

The group policy will be deleted.

[Topic 214958]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Defining policy settings

This section describes how to define the settings of Kaspersky Security Center policies for managing mobile devices.

You can define policy settings either when creating or modifying a policy.

[Topic 214480]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring anti-virus protection

You can define these policy settings only for Android devices.

For the timely detection of threats, viruses, and other malicious applications, you should configure real-time protection and autorun of virus scans.

Kaspersky Endpoint Security for Android detects the following types of objects:

• Viruses, worms, Trojans, and malicious tools
• Adware
• Apps that can be exploited by criminals to harm your device or personal data

Due to technical limitations, Kaspersky Endpoint Security for Android cannot scan files with a size of 2 GB or more. During a scan, the app skips large files and does not notify you that such files were skipped.

[Topic 216851]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring real-time protection

You can define these policy settings only for Android devices.

To configure real-time protection:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties window, select Application settings > Essential protection.
3. In the Anti-Virus section, configure the mobile device file system protection:
   • To enable real-time protection of the mobile device against threats, select the Enable real-time anti-virus protection check box.
   • Specify the level of protection:
     • If you want Kaspersky Endpoint Security for Android to scan only new apps and files from the Downloads folder, select Scan only new apps.
     • To enable extended protection of the mobile device against threats, select Scan all apps and monitor actions with files.

       Kaspersky Endpoint Security for Android will scan all files that the user opens, modifies, moves, copies, installs, or saves on the device, as well as newly installed mobile apps.

       On devices running Android 8.0 or later, Kaspersky Endpoint Security for Android scans files that the user modifies, moves, installs, and saves, as well as copies of files. Kaspersky Endpoint Security for Android does not scan files when they are opened, or source files when they are copied.

   • To enable additional scanning of new apps before they are started for the first time on the user's device by using the Kaspersky Security Network cloud service, select the Additional protection by Kaspersky Security Network check box.
   • To block adware and apps that can be exploited by criminals to harm the device or user data, select the Detect adware, autodialers, and apps that may be used by cybercriminals to cause harm to the user's device and data check box.
4. In the Anti-Virus settings section, select the action to be performed on threat detection:
   • Delete and save a backup copy of file in quarantine

     Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will create a backup copy of file and save it in quarantine.

   • Delete

     Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.

   • Skip

     If the detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file was deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.

5. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 216852]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring autorun of virus scans on a mobile device

You can define these policy settings only for Android devices.

To configure autorun of virus scans on a mobile device:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties window, select Application settings > Essential protection.
3. To block adware and apps that can be exploited by criminals to harm the device or user data, select the Detect adware, autodialers, and apps that may be used by cybercriminals to cause harm to the user's device and data checkbox in the Device scan section.
4. In the Action on threat detection list, select one of the following options:
   • Delete and save a backup copy of file in quarantine

     Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will create a backup copy of file and save it in quarantine.

   • Delete

     Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.

   • Skip

     If the detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file was deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.

   • Ask user

     The Kaspersky Endpoint Security for Android app displays a notification prompting the user to choose the action to take on the detected object: Skip or Delete.

     When the app detects several objects, the Ask user option allows the device user to apply a selected action to each file by using the Apply to all threats check box.

     Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure the display of notifications on mobile devices running Android 10.0 or later. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. In this case, Kaspersky Endpoint Security for Android displays an Android system window prompting the user to choose the action to take on the detected object: Skip or Delete. To apply an action to multiple objects, you need to open Kaspersky Endpoint Security.

5. In the Scheduled scan section, you can configure the automatic full scan of the device file system.

   Select one of the following options:

   • Disabled

     The scan of the device file system will not be launched automatically.

   • After database update

     The device file system will be scanned automatically on each anti-virus database update.

   • Daily

     The device file system will be scanned automatically every day.

     If you select this option, you can also specify the time of the scan in the Start time field.

   • Weekly on

     The device file system will be scanned automatically once a week.

     If you select this option, you can also select the day of the week when you want to run the scan, by using the drop-down list and specify the time of the scan in the Start time field.

   On Android 12 or later, the app may perform this task later than specified if the device is in battery saver mode.

6. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 216853]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring anti-virus database updates

You can define these policy settings only for Android devices.

To configure anti-virus database updates:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties window, select Application settings > Database update.
3. In the Database update section, configure the schedule of automatic database updates on the user's device.

   Select one of the following options:

   • Disabled

     Automatic updates of anti-virus databases will be disabled.

   • Daily

     Anti-virus databases will be updated every day.

     If you select this option, you can also specify the time of update in the Update time field.

   • Weekly

     Anti-virus databases will be updated once a week.

     If you select this option, you can also specify the time of update in the Update time field and the day of the week when you want to run update in the Day of the week drop-down list.

   On Android 12 or later, the app may perform this task later than specified if the device is in battery saver mode.

4. In the Database update source section, specify the update source from which Kaspersky Endpoint Security for Android receives and installs anti-virus database updates:
   • Kaspersky servers

     Kaspersky Endpoint Security for Android will use a Kaspersky update server as an update source for downloading anti-virus databases to the user's device.

   • Administration Server

     Available only if you use Kaspersky Security Center Web Console.

     Kaspersky Endpoint Security for Android will use the repository of Kaspersky Security Center Administration Server as an update source for downloading anti-virus databases to the user's device.

   • Other source

     Kaspersky Endpoint Security for Android will use a third-party server as an update source for downloading anti-virus databases to the user's device.

     If you select this option, you must specify the address of an HTTP server in the Use another server as an update source for anti-virus databases field.

5. If you want Kaspersky Endpoint Security for Android to download anti-virus database updates according to the update schedule when the user's device is roaming, select the Allow database update while roaming check box in the Update anti-virus databases while roaming section.
6. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

Updates functionality (including providing anti-virus signature updates and codebase updates), as well as KSN functionality will not be available in the software in the U.S. territory from 12:00 AM Eastern Daylight Time (EDT) on September 10, 2024 in accordance with the restrictive measures.

[Topic 215298]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Defining device unlock settings

You can define these policy settings only for Android devices.

To keep a mobile device secure, you need to configure the use of a password for which the user is prompted when the device comes out of sleep mode.

You can impose restrictions on the user's activity on the device if the unlock password is weak (for example, lock the device). You can impose restrictions by using the Compliance Control component.

On certain Samsung devices running Android 7.0 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: Kaspersky Endpoint Security for Android removal protection is enabled and screen unlock password strength requirements are set. To unlock the device, you must send a special command to the device.

To configure device unlock password strength:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties window, select Application settings > Essential protection.
3. If you want the app to check whether an unlock password has been set, select the Require to set screen unlock password in the Password protection section.

   If the application detects that no system password has been set on the device, it prompts the user to set it. The password is set according to the parameters defined by the administrator.

4. Specify the minimum number of characters in the user password.

   Possible values: 4 to 16 characters.

   The user's password is 4 characters long by default.

   On devices running Android 10.0 or later, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high.

   The values for devices running Android 10.0 or later are determined by the following rules:

   • If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered (e.g. 1234) sequences, or alphanumeric. The PIN or password must be at least 4 characters long.
   • If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.
5. If you want the user to have the capability to use fingerprints to unlock the screen, select the Allow use of fingerprints (for devices running Android 9 or earlier) check box. If the unlock password is not compliant with corporate security requirements, you cannot use a fingerprint scanner to unlock the screen.

   On devices running Android 10.0 or later, the use of a fingerprint to unlock the screen is not supported.

   Kaspersky Endpoint Security for Android does not restrict the use of a fingerprint scanner for signing in to apps or confirming purchases.

   On certain Samsung devices, it is impossible to block the use of fingerprints for unlocking the screen.

   On certain Samsung devices, if the unlock password does not comply with corporate security requirements, Kaspersky Endpoint Security for Android does not block the use of fingerprints for unlocking the screen.

   After adding a fingerprint in the device settings, the user can unlock the screen by using the following methods:

   • Press the finger to the fingerprint scanner (main method).
   • Enter the unlock password (backup method).
6. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 214549]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring protection of stolen or lost device data

You can define these policy settings only for Android devices.

To protect corporate data in case a mobile device is lost or stolen, you must configure the unauthorized access protection.

To ensure protection of stolen or lost device data, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time.

To configure protection of stolen or lost device data:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties window, select Application settings > Essential protection.
3. In the Anti-Theft section, configure device locking:
   • Specify the number of characters in the unlock code.
   • Specify the text to be displayed when the device is locked.
4. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 214553]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring app control

You can define these policy settings only for Android devices.

App Control checks that the apps installed on a mobile device are compliant with corporate security requirements. In Kaspersky Security Center, the administrator creates lists of allowed, blocked, mandatory, and recommended apps according to the corporate security requirements. As a result of App Control, Kaspersky Endpoint Security prompts the user to install mandatory and recommended apps, and to remove blocked apps. It is impossible to start blocked apps on the user's mobile device.

In Kaspersky Security Center Web Console and Cloud Console, you can manage apps on users' devices by applying pre-defined rules. You can configure two types of App Control rules: application rules and category rules.

An App rule is applied to a specific app, while a Category rule is applied to any app that belongs to a pre-defined category. App categories are specified by Kaspersky experts.

To configure App Control:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties page, select Application settings > Security controls.
3. In the table under the App Control section, add rules that will define what apps will be controlled.
   • To add a rule for a specific app:
     1. In the table, click App rule.
     2. In the App rule window that opens, choose the action that will be performed with the apps covered by the created rule.
     3. Specify the app that will be subject to the rule by filling in Link to installation package (for example, https://play.google.com/store/apps/details?id=com.kaspersky.kes), Package name (for example, katana.facebook.com), and App name.
     4. Click Save.

     The rule is added to the list of App Control rules.

   • To add a rule for a category of apps:
     1. In the table under the App Control section, click Category rule.
     2. In the Category rule window that opens, select the app category from the drop-down list.

        Apps within the selected category will be subject to the created rule.

     3. In the Operation mode section, select the action that will be performed when any apps within the selected category attempt to start up: Forbidden apps or Allowed apps.
     4. Fill in the Additional comment shown on the user's device when an app of a specified category is detected, if necessary.
     5. Click Save.

     The rule is added to the list of App Control rules.

4. In the Actions with forbidden apps section, choose what action is performed for forbidden applications:
   • If you want Kaspersky Endpoint Security for Android to block the startup of forbidden applications on the user's mobile device, select Block apps from launching.
   • If you want Kaspersky Endpoint Security for Android to send data on forbidden apps to the event log without blocking them, select Do not block forbidden apps, report only.
5. In the Operation mode section, choose whether the rules you add will define allowed apps or forbidden apps:
   • If you want the rules to define which apps are allowed, select Forbidden apps.

     If you want Kaspersky Endpoint Security for Android to block the startup of system apps on the user's mobile device (such as Calendar, Camera, and Settings) in the Forbidden apps mode, select the Block system apps check box.

     Kaspersky experts recommend against blocking system apps because this could lead to failures in device operation.

   • If you want the rules to define which apps are forbidden, select Allowed apps.
6. To receive information about all apps installed on mobile devices, in the Application report section, select the Send a list of installed apps on all mobile devices check box.

   Kaspersky Endpoint Security for Android sends data to the event log each time an app is installed or removed from the device.

7. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 214554]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring compliance control of mobile devices with corporate security requirements

You can define these policy settings only for Android devices.

Compliance control allows you to monitor Android devices for compliance with corporate security requirements and take actions in case of non-compliance. Corporate security requirements regulate how the user can work with the device. For example, real-time protection must be enabled on the device, anti-virus databases must be up-to-date, and the device password must be sufficiently strong. Compliance control is based on a list of rules. A compliance rule includes the following components:

• Device non-compliance criterion.
• Action that will be taken on a device if the user does not fix the non-compliance within the set time period.
• Time period allocated for the user to fix the non-compliance (for example, 24 hours).

  When the specified time period is over, the selected action will be taken on the user's device.

  On Android 12 or later, the app may perform this task later than specified if the device is in battery saver mode.

To configure compliance control, you can perform the following actions:

• Enable or disable existing compliance rules.
• Edit an existing compliance rule.
• Add a new rule.
• Delete a rule.

[Topic 216834]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Enabling and disabling compliance rules

You can define these policy settings only for Android devices.

To enable or disable existing rules of compliance control of mobile devices with corporate security requirements:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties page, select Application settings > Security controls.
3. In the Compliance Control section, enable or disable the existing compliance rules by using the toggle buttons in the Status column.
4. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 216835]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Editing compliance rules

You can define these policy settings only for Android devices.

To edit a rule for controlling the compliance of mobile devices with corporate security requirements:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties page, select Application settings > Security controls.
3. In the Compliance Control section, select the rule that you want to edit, and then click Edit.
4. In the Rule window that opens, edit the rule as follows:
   1. In the Action column, configure the list of actions to be performed in case of non-compliance with the rule by adding new actions, editing the existing actions, or deleting them.
   2. Optionally, specify the time period in which a user can fix the non-compliance by using the Time to rectification column for each action.
   3. Click the Save button to save the rule.
5. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 216836]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Adding compliance rules

You can define these policy settings only for Android devices.

To add a rule for controlling the compliance of mobile devices with corporate security requirements:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties page, select Application settings > Security controls.
3. In the Compliance Control section, click Rule.
4. In the Rule window that opens, define the rule as follows:
   1. Select the non-compliance criterion for the rule.
   2. Click Add, and then select the action to be performed in case of non-compliance with the rule in the Action column.

      You can add several actions.

   3. Specify the time period in which a user can fix the non-compliance by using the Time to rectification column for each action.
   4. Click the Save button to save the rule.
5. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 216839]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deleting compliance rules

You can define these policy settings only for Android devices.

To delete a rule for controlling the compliance of mobile devices with corporate security requirements:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties page, select Application settings > Security controls.
3. In the Compliance Control section, select the rule that you want to delete, and then click Delete.
4. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 216911]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

List of non-compliance criteria

You can define these policy settings only for Android devices.

To ensure that an Android device complies with corporate security requirements, Kaspersky Endpoint Security for Android can check the device against the following criteria:

• Real-time protection is disabled.

  Real-time protection must be enabled.

  For more information on configuring real-time protection, see the "Configuring real-time protection" section.

• Anti-Virus databases are out of date.

  The anti-virus database of Kaspersky Endpoint Security for Android must be regularly updated.

  For more information on defining the settings of anti-virus database updates, see the "Configuring anti-virus protection" section.

• Forbidden apps are installed.

  The device must not have applications installed that are classified as Block from launching, as specified in the App Control section.

  For more information on creating rules for applications, see the "Configuring App Control" section.

• Apps from forbidden categories are installed.

  The device must not have applications installed that fall under a category that is classified as Block from launching, as specified in the App Control section.

  For more information on creating rules for application categories, see the "Configuring App Control" section.

• Not all required apps are installed.

  The device must have specific applications installed that are classified as Force to install, as specified in the App Control section.

  For more information on creating rules for applications, see the "Configuring App Control" section.

• Operating system version is out of date.

  The device must have an allowed version of the operating system.

  For using this non-compliance criterion, you must specify the range of allowed operating system versions in the Minimum operating system version and Maximum operating system version drop-down lists.

• Device has not been synchronized for a long time.

  The device must be regularly synchronized with the Administration Server.

  For using this non-compliance criterion, you must specify the maximum time interval between device synchronizations in the Synchronization period drop-down list.

• Device has been rooted.

  The device must not be rooted.

  For more information, see the "Detecting device hacks (root)" section.

• Unlock password is not compliant with security requirements.

  The device must be protected with an unlock password that complies with the unlock password strength requirements.

[Topic 216913]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

List of actions in case of non-compliance

You can define these policy settings only for Android devices.

If the user does not fix a non-compliance issue within the specified time, the following actions are available:

• Block all apps except system apps.

  All apps on the user's mobile device, except system apps, are blocked from starting.

• Lock device.

  Mobile device is locked. To obtain access to data, you must unlock the device. If the reason for locking the device is not rectified after the device is unlocked, the device will be locked again after the specified time period.

• Wipe corporate data.

  Wipe containerized data, corporate email account, settings for connecting to the corporate Wi-Fi network and VPN, and Access Point Name (APN).

• Fully reset device to factory settings.

  All data is deleted from the mobile device and the settings are rolled back to their factory values.

[Topic 214543]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring user access to websites

You can define these policy settings for Android and iOS devices.

To protect personal and corporate data stored on mobile devices during internet browsing, you can configure user access to websites by using Web Protection. Web Protection scans websites before a user opens them, and then blocks websites that distribute malicious code and phishing websites designed to steal confidential data and gain access to financial accounts.

For Android devices, this feature also supports website filtering by categories defined in the Kaspersky Security Network cloud service. Filtering allows you to restrict access to certain websites or categories of websites (for example, those from the "Gambling, lotteries, sweepstakes" or "Internet communication" categories).

To enable Web Protection on iOS devices, the user must allow the Kaspersky Security for iOS app to add a VPN configuration.

To enable Web Protection on Android devices:

• Kaspersky Endpoint Security must be enabled as an Accessibility Features service.
• The Statement regarding data processing for the purpose of using Web Protection (Web Protection Statement) should be accepted. Kaspersky Endpoint Security uses Kaspersky Security Network (KSN) to scan websites. The Web Protection Statement contains the terms of data exchange with KSN.

  You can accept the Web Protection Statement for the user in Kaspersky Security Center. In this case, the user is not required to take any action.

  If you have not accepted the Web Protection Statement and prompt the user to do this, the user must read and accept the Web Protection Statement in the app settings.

  If you have not accepted the Web Protection Statement, Web Protection is not available.

Web Protection on Android devices works only in the Google Chrome browser (including the Custom Tabs feature), Huawei Browser, and Samsung Internet Browser. Web Protection for Samsung Internet Browser does not block sites on a mobile device if a work profile is used and Web Protection is enabled only for the work profile.

To configure user access to websites:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties page, select Application settings > Security controls.
3. In the Web Protection section, select the Enable Web Protection check box to enable the feature.
4. For Android devices, you can select one of the following options:
   • To restrict user access to websites based on their content:
     1. Select Block websites of specified categories.
     2. Select the check boxes next to the categories of websites to which Kaspersky Endpoint Security for Android will block access.

        If Web Protection is enabled, user access to websites in the Phishing and Malware sites categories is always blocked.

   • To specify the list of allowed websites:
     1. Select Allow only specified websites.
     2. Create a list of websites by adding website addresses to which the app will not block access. Kaspersky Endpoint Security for Android supports only regular expressions. When entering the address of an allowed website, use the following templates:
        • https://example.com.*—All child pages of the website are allowed (for example, https://example.com/about).
        • https://.*example.com—All subdomain pages of the website are allowed (for example, https://pictures.example.com).
     3. You can also use the expression https? to select HTTP and HTTPS. For more details on regular expressions, please refer to the Oracle Technical Support website.
   • To block user access to all websites, select Block all websites.
5. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 214515]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring feature restrictions

You can define these policy settings only for Android devices.

Kaspersky Security Center Web Console enables you to configure user access to the following features of mobile devices:

• Wi-Fi
• Camera
• Bluetooth

By default, the user can use Wi-Fi, camera, and Bluetooth on the device without restrictions.

To configure the Wi-Fi, camera, and Bluetooth usage restrictions on the device:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties page, select Application settings > Security controls.
3. In the Feature management section, configure the usage of Wi-Fi, camera, and Bluetooth:
   • To disable the Wi-Fi module on the user's mobile device, select the Prohibit use of Wi-Fi (only for devices running Android version 9 and earlier) check box.

     On devices running Android 10.0 or later, prohibiting the use of Wi-Fi networks is not supported.

   • To disable the camera on the user's mobile device, select the Prohibit use of camera check box.

     On devices running Android 10.0 or later, the use of the camera cannot be completely prohibited.

     On devices running Android 11 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, you will not be able to restrict use of the camera.

   • To disable Bluetooth on the user's mobile device, select the Prohibit use of Bluetooth check box.

     On Android 12 or later, the use of Bluetooth can be disabled only if the device user granted the Nearby Bluetooth devices permission. The user can grant this permission during the Initial Configuration Wizard or at a later time.

     On personal devices running Android 13 or later, the use of Bluetooth cannot be disabled.

4. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 214507]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Protecting Kaspersky Endpoint Security for Android against removal

For mobile device protection and compliance with corporate security requirements, you can enable protection against the removal of Kaspersky Endpoint Security for Android. In this case, the user cannot remove the app by using the Kaspersky Endpoint Security for Android interface. When removing the app by using the tools of the Android operating system, the user is prompted to disable administrator rights for Kaspersky Endpoint Security for Android. After disabling the rights, the mobile device will be locked.

To enable protection against the removal of Kaspersky Endpoint Security for Android:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties page, select Application settings > Security controls.
3. In the Manage app on mobile device section, clear the Allow removal of Kaspersky Endpoint Security for Android from device check box.

   To protect the app from removal on devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, the app is not protected from removal.

4. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

If an attempt is made to remove the app, the mobile device will be locked.

[Topic 214539]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring synchronization of mobile devices with Kaspersky Security Center

You can define these policy settings for Android and iOS devices.

To manage mobile devices and receive reports or statistics from mobile devices, you must define synchronization settings. Synchronization of mobile devices with Kaspersky Security Center can be performed in the following ways:

• By schedule. Synchronization by schedule is performed by using HTTP. You can configure the synchronization schedule in the policy properties. Modifications to policy settings, commands, and tasks are performed when mobile devices are synchronized with Kaspersky Security Center according to the schedule—that is, with a delay. By default, mobile devices are synchronized with Kaspersky Security Center automatically every six hours.

  On Android 12 or later, the app may perform this task later than specified if the device is in battery saver mode.

• Forced (for Android devices). Forced synchronization is performed by using push notifications of the FCM service (Firebase Cloud Messaging). Forced synchronization is primarily intended for timely delivery of commands to a mobile device. If you want to use forced synchronization, make sure that the FCM settings are configured in Kaspersky Security Center.

To configure mobile device synchronization with Kaspersky Security Center:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties page, select Application settings > Synchronization.
3. In the Synchronization with the Administration Server section, use the Synchronization period drop-down list to select the synchronization period.

   By default, synchronization is performed every six hours.

4. For Android devices, you can disable synchronization when the device is roaming. To do so, select the Do not synchronize while roaming check box.

   By default, synchronization while roaming is enabled.

5. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 214505]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Kaspersky Security Network

To protect mobile devices more effectively, Kaspersky Endpoint Security for Android and Kaspersky Security for iOS use data acquired from users around the globe. Kaspersky Security Network is designed to process such data.

Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to the Kaspersky online knowledge base with information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky applications to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.

Your participation in Kaspersky Security Network helps Kaspersky to acquire real-time information about the types and sources of new threats, develop methods of neutralizing them, and reduce the number of false alarms. Participation in Kaspersky Security Network also lets you access reputation statistics for applications and websites.

When you participate in Kaspersky Security Network, some statistics are acquired while the mobile app is running and they are automatically sent to Kaspersky. This information makes it possible to keep track of threats in real time. Files or their parts that may be exploited by intruders to harm the computer or user's content can be also sent to Kaspersky for additional examination.

The following app components use the Kaspersky Security Network cloud service:

• The Anti-Virus, Web Protection, and App Control components in the Kaspersky Endpoint Security for Android app.
• The Web Protection component in the Kaspersky Security for iOS app.

To start using KSN, you must accept the terms and conditions of the End User License Agreement. For more information about sending data to KSN, refer to Information exchange with Kaspersky Security Network.

Refusal to participate in KSN reduces the level of device protection, which may lead to infection of the device and loss of data.

To improve the performance of the mobile app, you can also provide statistical data to Kaspersky Security Network.

Providing the information to Kaspersky Security Network is voluntary.

Updates functionality (including providing anti-virus signature updates and codebase updates), as well as KSN functionality will not be available in the software in the U.S. territory from 12:00 AM Eastern Daylight Time (EDT) on September 10, 2024 in accordance with the restrictive measures.

[Topic 214534]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Information exchange with Kaspersky Security Network

Information exchange in Kaspersky Endpoint Security for Android

To improve real-time protection, Kaspersky Endpoint Security for Android uses the Kaspersky Security Network cloud service for operating the following components:

• Anti-Virus. The app obtains access to the Kaspersky online knowledge base regarding the reputation of files and apps. The scan is performed for threats whose information has not yet been added to Anti-Virus databases but is already available in KSN. Kaspersky Security Network cloud service provides full operation of Anti-Virus and reduces the likelihood of false alarms.
• Web Protection. The app uses data received from KSN to scan websites before they are opened. The app also determines the website category to control internet access to users, based on lists of allowed and blocked categories (for example, the "Internet communication" category).
• App Control. The app determines the app category to restrict the startup of apps that do not meet corporate security requirements, based on lists of allowed and blocked categories (for example, the "Games" category).

Information on the type of data submitted to Kaspersky when using KSN during operation of Anti-Virus and App Control is available in the End User License Agreement. By accepting the terms and conditions of the License Agreement, you agree to transfer this information.

Information on the type of data submitted to Kaspersky when using KSN during operation of Web Protection is available in the Statement regarding data processing for Web Protection. By accepting the terms and conditions of the Statement, you agree to transfer this information.

For more information about data provision to KSN, refer to Data provision in Kaspersky Endpoint Security for Android.

Providing data to KSN is voluntary. If you want, you can disable data exchange with KSN.

Information exchange in Kaspersky Security for iOS

To improve real-time protection, Kaspersky Security for iOS uses the Kaspersky Security Network cloud service for operating the Web Protection component. The app uses data received from KSN to scan web resources before they are opened.

Information on the type of data submitted to Kaspersky when using KSN during operation of Web Protection is available in the End User License Agreement. By accepting the terms and conditions of the License Agreement, you agree to transfer this information.

For more information about data provision to KSN, refer to Data provision in Kaspersky Security for iOS.

Providing data to KSN is voluntary. If you want, you can disable data exchange with KSN.

Sending statistics to KSN from Android and iOS apps

To exchange data with KSN for the purposes of improving the performance of the app, the following conditions must be fulfilled:

• The device user must read and accept the terms of the Kaspersky Security Network Statement.
• You must configure the group policy settings to allow statistics to be sent to KSN.

You can opt out of sending statistic data to Kaspersky Security Network at any time. Information on the type of statistic data submitted to Kaspersky when using KSN during operation of the mobile app is available in the Kaspersky Security Network Statement.

[Topic 214533]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Enabling and disabling Kaspersky Security Network

By default, the use of Kaspersky Security Network is enabled.

If the use of Kaspersky Security Network is disabled, Web Protection, App Control, and additional protection in Kaspersky Security Network are disabled automatically and their settings become unavailable.

To enable or disable the use of Kaspersky Security Network:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties page, select Application settings > KSN and statistics.
3. To enable or disable the use of Kaspersky Security Network, select or clear the Use Kaspersky Security Network check box.
4. If the use of Kaspersky Security Network is enabled and if you agree to submit data to Kaspersky, select the Allow statistics to be sent to Kaspersky Security Network check box. This data will help the mobile app more quickly respond to threats, improve the performance of protection components, and decrease the likelihood of false alarms.
5. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 214544]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Exchanging information with Google Analytics for Firebase, SafetyNet Attestation, Firebase Performance Monitoring, and Crashlytics

You can define these policy settings only for Android devices.

Kaspersky Endpoint Security for Android exchanges data with the Google Analytics for Firebase, SafetyNet Attestation, Firebase Performance Monitoring, and Crashlytics services in order to improve the quality, appearance, and performance of Kaspersky software, products, services, and infrastructure by analyzing users' experience, features, status, and device settings used.

Exchanging information with the Google Analytics for Firebase, SafetyNet Attestation, Firebase Performance Monitoring, and Crashlytics services is disabled by default.

To enable data exchange:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties page, select Application settings > KSN and statistics.
3. In the Sending statistics to third-party services section, select the Allow data transfer to help improve the quality, appearance, and performance of the app check box.
4. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 214558]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring notifications on mobile devices

You can define these policy settings only for Android devices.

If you do not want the mobile device user to be distracted by Kaspersky Endpoint Security for Android notifications, you can disable certain notifications.

Kaspersky Endpoint Security uses the following tools to display the device protection status:

• Protection status notification. This notification is pinned to the notification bar. A protection status notification cannot be removed. The notification displays the device protection status (for example, ) and number of issues, if any. The device user can tap the device protection status and see the list of issues in the app.
• App notifications. These notifications inform the device user about the application (for example, threat detection).
• Pop-up messages. Pop-up messages require an action from the device user (for example, an action to take when a threat is detected).

All Kaspersky Endpoint Security for Android notifications are enabled by default.

On Android 13, the device user should grant permission to send notifications during the Initial Configuration Wizard or later.

An Android device user can disable all notifications from Kaspersky Endpoint Security for Android in the settings on the notification bar. If notifications are disabled, the user does not monitor the operation of the app and can ignore important information (for example, information about failures during device synchronization with Kaspersky Security Center). In this case, to find out the app operating status, the user must open Kaspersky Endpoint Security for Android.

To configure the display of notifications about the operation of Kaspersky Endpoint Security for Android on a mobile device:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties page, select Application settings > Notifications and reports.
3. In the Notifications section, configure the display of notifications:
   • To hide all notifications and pop-up messages, disable the Display notifications when Kaspersky Endpoint Security is in the background toggle button.

     Kaspersky Endpoint Security for Android will display the protection status notification only. The notification displays the device protection status (for example, ) and number of issues. The app also displays notifications when the user is working with the app (for example, the user updates anti-virus databases manually).

     Kaspersky experts recommend that you enable notifications and pop-up messages. If you disable notifications and pop-up messages when the app is in background mode, the app will not warn users about threats in real time. Mobile device users can learn about the device protection status only when they open the app.

   • In List of security issues displayed on users' devices, select the Kaspersky Endpoint Security for Android issues that you want to be displayed on the user's mobile device.
4. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 214555]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Detecting device hacks

Kaspersky Security Center Web Console enables you to detect device hacks (root) on Android devices and jailbreaks on iOS devices. System files are unprotected on a hacked device and can therefore be modified. Moreover, third-party apps from unknown sources could be installed on hacked devices. Upon detection of a hack attempt, we recommend that you immediately restore normal operation of the device.

Kaspersky Endpoint Security for Android uses the following services to detect when a user obtains root privileges:

• Embedded service of Kaspersky Endpoint Security for Android. A Kaspersky service that checks whether a mobile device user has obtained root privileges (Kaspersky Mobile Security SDK).
• SafetyNet Attestation. A Google service that checks the integrity of the operating system, analyzes the device hardware and software, and identifies other security issues. For more details about SafetyNet Attestation, visit the Android Technical Support website.

Kaspersky Security for iOS uses the following service to detect a jailbreak:

• Embedded service of Kaspersky Security for iOS. A Kaspersky service that checks whether a mobile device is jailbroken (Kaspersky Mobile Security SDK).

If the device is hacked, you receive a notification. You can view hacking notifications in Kaspersky Security Center Web Console on the Monitoring & reporting > Dashboard tab. You can also disable notifications about hacks in the event notification settings.

On Android devices, you can impose restrictions on the user's activity if the device is hacked (for example, lock the device). You can impose restrictions by using the Compliance Control component. To do this, create a compliance rule with the Device has been rooted criterion.

[Topic 218553]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Defining licensing settings

You can define these policy settings for Android and iOS devices.

To manage mobile devices in Kaspersky Security Center Web Console or Cloud Console, you must activate the mobile app on the mobile devices. Activating the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app on a mobile device is done by providing valid license information to the app. License information is delivered to the mobile device, together with the policy, when the device is synchronized with Kaspersky Security Center.

If the activation of the mobile app is not completed within 30 days from the time of installation on the mobile device, the app is automatically switched to the limited functionality mode. In this mode, most of the app components are not operational. When switched to the limited functionality mode, the app stops performing automatic synchronization with Kaspersky Security Center. Therefore, if the activation of the app has not been completed within 30 days after the installation, the user must synchronize the device with Kaspersky Security Center manually.

To define licensing settings of a group policy:

1. Open the policy properties window:
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
   • In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
2. In the policy properties page, select Application settings > Licenses.
3. Use the drop-down list to select the required license key from the key storage of the Administration Server.

   The details of the license key are displayed in the fields below.

   You can replace the existing activation key on the mobile device if it is different from the one selected in the drop-down list above. To do so, select the If the key on device is different, replace with this key check box.

4. Click the Save button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.

[Topic 214517]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring events

You can define these policy settings for Android and iOS devices.

You can define the storage and notification settings of events that occur on your users' devices and that are sent to Kaspersky Security Center.

You can configure events only when modifying a policy.

Events are distributed by importance level on the following tabs:

• Critical

  A critical event indicates a problem that may lead to data loss, an operational malfunction, or a critical error.

• Functional failure

  A functional failure indicates a serious problem, error, or malfunction that occurred during the operation of the app.

• Warning

  A warning is not necessarily serious, but nevertheless indicates a potential future problem.

• Info

  An informational event notifies about the successful completion of an operation or a procedure, or of the proper functioning of the app.

In each section, the list shows the types of events and the default event storage term in Kaspersky Security Center (in days).

From the list of events, you can do the following:

• Add or remove an event type from the list of event types that are sent to Kaspersky Security Center.
• Define the storage and notification settings for each event type, for example: how long events of this type must be stored in the Administration Server database or whether you will be notified about events of this type by email.

For more details on configuring events in Kaspersky Security Center Web Console and Cloud Console:

• If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
• If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.

[Topic 224230]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring events about the installation, update, and removal of apps on users' devices

You can define these policy settings for Android and iOS devices.

If you use Kaspersky Security Center Cloud Console, the list of types of events that occur on your users' devices, and that are sent to Kaspersky Security Center, does not include the installation, update, and removal of apps on the devices. This is because such events occur often and these events may replace other important events in the Kaspersky Security Center database when the events count limit is reached. They may also affect the performance of Administration Server or the DBMS, and the bandwidth of the internet connection with Kaspersky Security Center Cloud Console.

If you nevertheless want to store events of this type and be notified about them, proceed as described in this section.

To configure events about the installation, update, and removal of apps on users' devices:

1. In the settings of a policy, on the Event configuration tab, add the An app has been installed or removed (list of installed apps) informational event type to the list of events that are stored in the Administration Server database.

   For more details on configuring events, please refer to Kaspersky Security Center Cloud Console Help.

2. Enable the Send a list of installed apps on all mobile devices option.

Events about the installation, update, and removal of apps on users' devices are stored in the Kaspersky Security Center database. You are notified about these events.

[Topic 214560]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Network load

This section contains information on the volume of network traffic that is exchanged between mobile devices and Kaspersky Security Center.

Traffic volume

[Topic 216447]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Working in MMC-based Administration Console

This Help section describes protection and management of mobile devices by using the MMC-based Administration Console of Kaspersky Security Center.

[Topic 84084]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Key use cases

[Topic 91308]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About Kaspersky Security for Mobile

Kaspersky Security for Mobile is an integrated solution for protecting and managing corporate mobile devices as well as personal mobile devices used by company employees for corporate purposes.

Kaspersky Security for Mobile includes the following components:

• Kaspersky Endpoint Security for Android mobile app

  The Kaspersky Endpoint Security for Android app ensures protection of mobile devices against web threats, viruses, and other programs that pose threats.

• Kaspersky Endpoint Security for Android Administration Plug-in

  The Administration Plug-in of Kaspersky Endpoint Security for Android provides the interface for managing mobile devices and mobile apps installed on them through the Administration Console of Kaspersky Security Center.

• Kaspersky Device Management for iOS Administration Plug-in

  The Kaspersky Device Management for iOS Administration Plug-in lets you define the configuration settings for devices connected to Kaspersky Security Center via the iOS MDM protocol (hereinafter referred to as "iOS MDM devices"), without using the iPhone Configuration Utility.

The administration plug-ins are integrated into the Kaspersky Security Center remote administration system. The administrator can use a single Administration Console of Kaspersky Security Center to manage all mobile device on the corporate network as well as client computers and virtual systems. After you connect mobile devices to the Administration Server, they become managed. The administrator can remotely monitor managed devices.

The Kaspersky Endpoint Security for Android mobile app may also operate as part of the Kaspersky Endpoint Security Cloud remote administration system. For more details on working with apps through Kaspersky Endpoint Security Cloud, please refer to Kaspersky Endpoint Security Cloud Online Help.

The Kaspersky Endpoint Security for Android mobile app can also operate as part of third-party EMM solutions of AppConfig Community participants.

[Topic 221101]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Key features of mobile device management in MMC-based Administration Console

Kaspersky Security for Mobile provides the following features:

• Distribution of email messages for connecting Android devices to Kaspersky Security Center by using Google Play links.
• Remote connection of mobile devices to Kaspersky Security Center and other third-party EMM systems (for example, VMWare AirWatch, MobileIron, IBM Maas360, SOTI MobiControl).
• Remote configuration of the Kaspersky Endpoint Security for Android app, as well as remote configuration of services, apps, and functions of Android devices.
• Remote configuration of mobile devices in accordance with the corporate security requirements.
• Prevention of leakage of corporate information stored on mobile devices, in case they are lost or stolen (Anti-Theft).
• Control of compliance with corporate security requirements (Compliance Control).
• Control of internet use on mobile devices (Web Protection).
• Setup of corporate mail on mobile devices, including organizations with a Microsoft Exchange mail server deployed in the company (only for iOS and Samsung devices).
• Configuration of the corporate network (Wi-Fi, VPN) allowing VPN to be used on mobile devices. VPN can be configured only on iOS and Samsung devices.
• Configuration of the mobile device status to be displayed in Kaspersky Security Center when policy rules are violated: Critical, Warning, OK.
• Setup of notifications shown to the user in the Kaspersky Endpoint Security for Android app.
• Configuration of settings on devices supporting Samsung KNOX 2.6 or later.
• Configuration of settings on devices supporting Android work profiles.
• Configuration of settings of Android mobile devices in device owner mode.
• Deployment of the Kaspersky Endpoint Security for Android app through the Samsung KNOX Mobile Enrollment console. Samsung KNOX Mobile Enrollment is intended for batch installation and initial configuration of apps on Samsung devices purchased from official vendors.
• An upgrade of the Kaspersky Endpoint Security for Android app to the specified version can be performed by using Kaspersky Security Center policies.
• Administrator notifications about the status and events of the Kaspersky Endpoint Security for Android app can be communicated in Kaspersky Security Center or by email.
• Change Control for policy settings (revision history).
• Commands for remote mobile device management. For example, if a mobile device is lost or stolen, you can send commands to locate the device or wipe all corporate data from the device.
• Configuration of screen unlock password settings for mobile devices.
• Configuration of Wi-Fi network settings for mobile devices.
• Adding web clips to open websites from the Home screen of mobile devices.

Kaspersky Security for Mobile includes the following protection and management components:

• Anti-Virus (for Android devices)
• Anti-Theft (for Android devices)
• Web Protection (for Android and iOS devices)
• App Control (for Android devices)
• Compliance Control (for Android and iOS devices)
• Detection of root privileges on devices (for Android devices)

[Topic 99558]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About Kaspersky Endpoint Security for Android app

The Kaspersky Endpoint Security for Android app ensures protection of mobile devices against web threats, viruses, and other programs that pose threats.

Kaspersky Endpoint Security for Android app includes the following components:

• Anti-Virus. It allows you to detect and neutralize threats on your device by using the Anti-Virus databases and the Kaspersky Security Network cloud service. Anti-Virus includes the following components:
  • Protection. Detects threats in open files, scans new apps, and prevents device infection in real time.
  • Scan. It is started on demand for the entire file system, only for installed apps, or a selected file or folder.
  • Update. Update allows you to download new Anti-Virus databases for the application.
• Anti-Theft. This component protects information on the device against unauthorized access in case the device is lost or stolen. This component lets you send the following commands to the device:
  • Locate to get the coordinates of the device's location.
  • Alarm to make the device sound a loud alarm.
  • Mugshot to make the device take pictures with the frontal camera if someone attempts to unlock it.
  • Wipe corporate data to protect sensitive company information.
• Web Protection. This component blocks malicious sites designed to spread malicious code. Web Protection also blocks fake (phishing) websites designed to steal confidential data of the user (for example, passwords to online banking or e-money systems) and access the user's financial info. Web Protection scans websites before you open them using the Kaspersky Security Network cloud service. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. Web Protection also supports website filtering by categories defined in Kaspersky Security Network cloud service. This allows the administrator to restrict user access to certain categories of web pages (for example, web pages from the "Gambling, lotteries, sweepstakes" or "Internet communication" categories).
• App Control. This component lets you install recommended and required apps to your device via a direct link to the distribution package or a link to Google Play. App Control lets you remove blocked apps that violate corporate security requirements.
• Compliance Control. This component lets you check managed devices for compliance with corporate security requirements and impose restrictions on certain functions of non-compliant devices.

You can also install the Kaspersky Endpoint Security for Android app in device owner mode. This will give you full control over company-owned Android devices and let you configure a wide range of device settings. In device owner mode, you can:

• Restrict Android operating system features.
• Configure Google Chrome settings.
• Configure app startup settings in App Control.
• Limit the set of apps that are available to a device user in Kiosk mode.
• Configure Exchange ActiveSync settings for Gmail.
• Configure the connection to an NDES/SCEP server.
• Install root certificates on devices.

[Topic 136121]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About Kaspersky Device Management for iOS

Kaspersky Device Management for iOS ensures protection and control of mobile devices that are connected to Kaspersky Security Center and includes device management features, such as:

• Password protection. This feature allows you to set password complexity requirements so that users use complex passwords compliant with corporate password policy.
• Network management. This feature allows you to add approved VPN and Wi-Fi networks or restrict access to others.
• Wipe corporate data. In case the device is lost or stolen, you can send the Wipe command to it to protect sensitive company information.
• Web Protection. This component blocks malicious sites designed to spread malicious code. Web Protection also blocks fake (phishing)  websites designed to steal confidential data of the user (for example, passwords to online banking or e-money systems) and access the user's financial info. Web Protection scans websites before you open them using the Kaspersky Security Network cloud service. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. Web Protection also supports website filtering by categories defined in Kaspersky Security Network cloud service. This allows the administrator to restrict user access to certain categories of web pages (for example, web pages from the "Gambling, lotteries, sweepstakes" or "Internet communication" categories).
• Application restrictions. This component lets you control whether device native apps, such as iTunes, Safari, or Game Center can be used on a supervised device.
• Feature restrictions. This component allows to check managed devices for compliance with the corporate security requirements and impose restrictions on certain functions of non-compliant devices.
• Compliance Control. This component monitors iOS MDM devices for compliance with corporate security requirements and takes actions in case of non-compliance. Compliance control is based on a list of rules. Each rule includes the following components:
  • Status (whether the rule is enabled or disabled).
  • Device check criteria (for example, absence of the specified apps or operating system version).
  • Actions performed on the device in case of non-compliance (for example, wipe corporate data or send an email message to the user).

[Topic 89640]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About the Kaspersky Endpoint Security for Android Administration Plug-in

The Administration Plug-in of Kaspersky Endpoint Security for Android provides the interface for managing mobile devices and mobile apps installed on them through the Administration Console of Kaspersky Security Center. The Kaspersky Endpoint Security for Android Administration Plug-in can be used to:

• Create group security policies for mobile devices.
• Remotely configure the operating settings of the Kaspersky Endpoint Security for Android app on users' mobile devices.
• Receive reports and statistics on the operation of the Kaspersky Endpoint Security for Android mobile app on users' devices.

The Kaspersky Endpoint Security for Android Administration Plug-in is installed by default when deploying Kaspersky Security Center. The plug-in does not require individual installation.

[Topic 89639]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About the Kaspersky Device Management for iOS Administration Plug-in

The Administration Plug-in of Kaspersky Device Management for iOS provides an interface for managing mobile devices connected by means of the iOS MDM protocol through the Administration Console of Kaspersky Security Center. The Kaspersky Device Management for iOS Administration Plug-in can be used to do the following:

• Create group security policies for mobile devices.
• Remotely configure devices connected by using the iOS MDM protocol (hereinafter referred to as "iOS MDM devices").
• Receive reports and statistics on the operation of users' mobile devices.

For more details on connecting mobile devices to Kaspersky Security Center by using the iOS MDM protocol, please refer to Kaspersky Security Center Help.

The Kaspersky Device Management for iOS Administration Plug-in is installed by default when deploying Kaspersky Security Center. The plug-in does not require separate installation.

[Topic 102017]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Hardware and software requirements

This section lists the hardware and software requirements for the administrator's computer that is used to deploy the apps on mobile devices, as well as the mobile device operating systems supported by Kaspersky Security for Mobile.

Hardware and software requirements for the administrator's computer

To deploy the comprehensive solution Kaspersky Security for Mobile, the administrator's computer must meet the hardware requirements of Kaspersky Security Center. For more details on using the hardware requirements of Kaspersky Security Center, see the Kaspersky Security Center Help.

To work with the Administration Plug-in of Kaspersky Endpoint Security for Android, the Administration Console of Kaspersky Security Center version 12 or later must be installed on the administrator's computer.

To work with the Kaspersky Device Management for iOS Administration Plug-in, the administrator's computer must meet the following software requirements:

• Administration Console of Kaspersky Security Center 12 or later
• iOS MDM Server component
• Instruction set of version SSE2 or more recent version

To deploy the Kaspersky Endpoint Security for Android mobile app via the Administration Server, the administrator's computer must meet the following software requirements:

• Kaspersky Security Center 12 or later
• Administration Plug-in for Kaspersky Endpoint Security for Android

There are no software requirements for the administrator's computer when the Kaspersky Endpoint Security for Android mobile app is deployed from the relevant online stores.

The Kaspersky Endpoint Security for Android mobile app can also be used as part of the Kaspersky Endpoint Security Cloud remote administration system (Version 6.0 and above). For more details on working with apps through Kaspersky Endpoint Security Cloud, please refer to Kaspersky Endpoint Security Cloud Help.

The Kaspersky Endpoint Security for Android mobile app can function within third-party EMM systems:

• VMware AirWatch 9.3 or later
• MobileIron 10.0 or later
• IBM MaaS360 10.68 or later
• Microsoft Intune 1908 or later
• SOTI MobiControl 14.1.4 (1693) or later

Hardware and software requirements for the user's mobile device to support installation of the Kaspersky Endpoint Security for Android app

The Kaspersky Endpoint Security for Android app has the following hardware and software requirements:

• Smartphone or tablet with a screen resolution of 320x480 pixels or higher
• 65 MB of free disk space in the main memory of the device
• Android 5.0–13 (including Android 12L, excluding Go Edition)
• x86, x86-64, Arm5, Arm6, Arm7, or Arm8 processor architecture

The app can be installed only to the main memory of the device.

Hardware and Software Requirements for an iOS MDM Profile

For an iOS MDM profile, the device must meet the following hardware and software requirements:

• iOS 10–16 or iPadOS 13–15
• Internet connection

[Topic 153756]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Known issues and considerations

The following known issues are non-critical for the operation of the solution.

Known issues when installing apps

• Kaspersky Endpoint Security for Android is installed only in the main memory of the device.
• On devices running Android 7.0, an error may occur during attempts to disable administrator rights for Kaspersky Endpoint Security for Android in device settings if Kaspersky Endpoint Security for Android is prohibited from overlaying on other windows. This issue is caused by a well-known defect in Android 7.
• Kaspersky Endpoint Security for Android on devices running Android 7.0 or later does not support multi-window mode.
• Kaspersky Endpoint Security for Android does not work on Chromebook devices running the Chrome operating system.
• Kaspersky Endpoint Security for Android does not work on devices running Android (Go edition) operating systems.
• When using the Kaspersky Endpoint Security for Android app with third-party EMM systems (for example, VMWare AirWatch), only the Anti-Virus and Web Protection components are available. The administrator can configure the settings of Anti-Virus and Web Protection in the EMM system console. In this case, notifications about app operation are available only in the interface of the Kaspersky Endpoint Security for Android app (Reports).

Known issues when upgrading the app version

• You can upgrade Kaspersky Endpoint Security for Android only to a more recent version of the app. Kaspersky Endpoint Security for Android cannot be downgraded to an older version.
• To upgrade Kaspersky Endpoint Security for Android using a standalone installation package, installation of apps from unknown sources must be allowed on the user's mobile device.
• You can update through Google Play if Kaspersky Endpoint Security for Android was installed from Google Play. If the app was installed using another method, you cannot update through Google Play.
• You can update through Kaspersky Security Center if Kaspersky Endpoint Security for Android was installed through Kaspersky Security Center. If the app was installed from Google Play, you cannot update the app through Kaspersky Security Center.
• After you upgrade administration plug-ins to Technical Release 33, the Kaspersky Endpoint Security for Android app must also be upgraded to Technical Release 33. Otherwise, you will not be able to activate Samsung KNOX on some of your users' devices.

Known issues in Anti-Virus operation

• Due to technical limitations, Kaspersky Endpoint Security for Android cannot scan files with a size of 2 GB or more. During a scan, the app skips such files without notifying you that such files were skipped.
• For additional analysis of a device for new threats whose information has not yet been added to anti-virus databases, you must enable the use of Kaspersky Security Network. Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to Kaspersky online knowledge base with information about the reputation of files, web resources, and software. To use KSN, the mobile device must be connected to the internet.
• In some cases, updating anti-virus databases from the Administration Server on a mobile device may fail. In this case, run the anti-virus database update task on the Administration Server.
• On some devices, Kaspersky Endpoint Security for Android does not detect devices connected over USB OTG. It is not possible to run a virus scan on such devices.
• On devices running Android 11 or later, the Kaspersky Endpoint Security for Android app can't scan the "Android/data" and "Android/obb" folders and detect malware in them due to technical limitations.
• On devices running Android 11 or later, the user must grant the "Allow access to manage all files" permission.
• On devices running Android 7.0 or later, the configuration window for the virus scan run schedule might be incorrectly displayed (management elements are not shown). This issue is caused by a well-known defect in Android 7.
• On devices running Android 7.0, real-time protection in the extended mode does not detect threats in files that are stored on an external SD card.
• On devices running Android 6.0, Kaspersky Endpoint Security for Android does not detect the downloading of a malicious file to the device memory. A malicious file may be detected by Anti-Virus when the file is run, or during a virus scan of the device. This issue is caused by a well-known defect in Android 6.0. To ensure device security, it is recommended to configure scheduled virus scans.

Known issues in Web Protection operation

• Web Protection on Android devices works only in the Google Chrome browser (including the Custom Tabs feature), Huawei Browser, and Samsung Internet Browser. Web Protection for Samsung Internet Browser does not block sites on a mobile device if a work profile is used and Web Protection is enabled only for the work profile.
• Kaspersky Endpoint Security in the work profile scans only the website domain in HTTPS traffic. Malicious and phishing websites may remain unblocked if the app installed in the work profile. If the domain is trusted, Web Protection can skip a threat (for example, https://trusted.domain.com/phishing/). If the domain is untrusted, Web Protection blocks malicious and phishing websites.
• For Web Protection to work, you must enable the use of Kaspersky Security Network. Web Protection blocks websites based on the KSN data on the reputation and category of websites.
• Forbidden websites may remain unblocked by Web Protection on devices running Android 6.0 with Google Chrome version 51 (or any earlier version) installed if the website is opened in the following ways (this issue is caused by a well-known defect in Google Chrome):
  • From search results.
  • From the bookmarks list.
  • From search history.
  • Using the web address autocomplete function.
  • Opening the website in a new tab in Google Chrome.
• Forbidden websites may remain unblocked in Google Chrome version 50 (or any earlier version) if the website is opened from Google search results while the Merge Tabs and Apps feature is enabled in the browser settings. This issue is caused by a well-known defect in Google Chrome.
• Websites from blocked categories may remain unblocked in Google Chrome if the user opens them from third-party apps, for example, from an IM client app. This issue is related to how the Accessibility service works with the Chrome Custom Tabs feature.
• Forbidden websites may remain unblocked in Samsung Internet Browser if the user opens them in background mode from the context menu or from third-party apps, for example, from an IM client app.
• Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of Web Protection.
• On some Xiaomi devices, the "Display pop-up window" and "Display pop-up windows while running in the background" permissions should be granted for Web Protection to work.
• When entering a website address in Web Protection settings, adhere to the following rules:
  • For Android devices, specify the address in regular expressions format (for example, https://example.com.*).
  • For iOS MDM devices, specify the HTTP or HTTPS data transport protocol (for example, http://www.example.com).
• Allowed websites may be blocked in Samsung Internet Browser in the Only listed websites are allowed Web Protection mode when the page is refreshed. Websites are blocked if a regular expression contains advanced settings (for example, ^https?://example.com/pictures/). It is recommended to use regular expressions without additional settings (for example, ^https?://example.com).
• If Web Protection is set to All websites are blocked, Kaspersky Endpoint Security for Android does not block search in the Google Search widget. Instead, it blocks user access to the search results.
• In a work profile, if Web Protection is set to All websites are blocked, Kaspersky Endpoint Security for Android endlessly reloads the Google Chrome home page, blocks the browser, and interferes with the device.

Known issues in Anti-Theft operation

• For timely delivery of commands to Android devices, the app uses the Firebase Cloud Messaging (FCM) service. If FCM is not configured, commands will be delivered to the device only during synchronization with Kaspersky Security Center according to the schedule defined in the policy, for example, every 24 hours.
• To lock a device, Kaspersky Endpoint Security for Android must be set as the device administrator.
• To lock devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature.
• On some devices, Anti-Theft commands may fail to execute if Battery Saver mode is enabled on the device. This defect has been confirmed on Alcatel 5080X.
• To locate devices running Android 10.0 or later, the user must grant the "All the time" permission to device location.
• To take a mugshot with devices running Android 11.0 or later, the user must grant the "While using the app" permission to access the camera.

Known issues in App Control operation

• Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of App Control. This does not apply to device owner mode.
• For App Control (app categories) to work, you must enable the use of Kaspersky Security Network. App Control determines the category of an app based on data that is available in KSN. To use KSN, the mobile device must be connected to the internet. For App Control, you can add individual apps to the lists of blocked and allowed apps. In this case, KSN is not required.
• When configuring App Control, it is recommended to clear the Block system apps check box. Blocking system apps may lead to problems in device operation.
• On iOS MDM devices, if you specify allowed apps in the list of apps allowed to be installed, all apps except system apps and those added to the list of allowed apps will be hidden on the device screen.

Known issues when configuring certificates in iOS MDM policy

• When you add a certificate to an iOS MDM policy and attempt to save or close the policy, MMC-based Administration Console of Kaspersky Security Center may crash, but the certificate is saved to the policy settings.

Known issues when configuring email

• Remote configuration of a mailbox is available only on the following devices:
  • iOS MDM devices.
  • Samsung devices (Exchange ActiveSync).
  • Android devices with the TouchDown mail client installed.

    In previous versions of Kaspersky Endpoint Security for Android, you can use Kaspersky Security Center to remotely configure TouchDown profile settings on a user's device. TouchDown support has been discontinued in Kaspersky Endpoint Security for Android Service Pack 4. For more detail, refer to the Symantec technical support website.

    After upgrading the Kaspersky Endpoint Security for Android Administration Plug-in, the TouchDown settings in the policy are hidden but saved. When new devices are connected, TouchDown settings will be configured after the policy is applied.

    After the policy is modified and saved, TouchDown settings will be deleted. The TouchDown settings on a user's devices will be cleared after a policy is applied.

Known issues when configuring device unlock password strength

• On devices running Android 10.0 or later, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high.

  If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN), with no repeating or ordered (e.g. 1234) sequences; or alphanumeric. The PIN or password must be at least 4 characters long.

  If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN), with no repeating or ordered sequences; or alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.

• On devices running Android 10.0 or later, using a fingerprint to unlock the screen can be managed for work profile only.
• On devices running Android 7.1.1, if the unlock password does not meet the corporate security requirements (Compliance Control), the Settings system app may function improperly when an attempt is made to change the unlock password through Kaspersky Endpoint Security for Android. The issue is caused by a well-known defect in Android 7.1.1. In this case, to change the unlock password, use the Settings system app only.
• On some devices running Android 6.0 or later, an error may occur when screen unlock password is entered, if device data is encrypted. This issue is related to specific features of the Accessibility service with MIUI firmware.

Known issues when configuring Wi-Fi

• On devices running Android version 8.0 or later, settings of the proxy server for Wi-Fi cannot be redefined with the policy. However, you can manually configure the proxy server settings for a Wi-Fi network on the mobile device.

Known issues when configuring APN

• Remote configuration of APN is available only on iOS MDM devices or Samsung devices.
• Configure APN for iOS MDM devices in the Cellular communications section. The APN section is out of date. Before configuring the APN settings, make sure that the Apply on device check box in the APN section is cleared.

Known issues with Firewall

• Use of Firewall is available only on Samsung devices.

Known issues when configuring VPN

• Remote configuration of VPN is available only on the following devices:
  • iOS MDM devices.
  • Samsung devices.
• When you set up a VPN connection for selected domains in Safari, if you change the Connect automatically option, the changes are not applied on the device. The Connect automatically check box is selected by default and we recommend against changing it if you want to activate a VPN automatically for specified domains.

Known issues when working with containers

• In Kaspersky Security for Mobile Service Pack 3 Maintenance Release 2, there is no longer support for creating containers for mobile apps. However, containers that were created in earlier versions of the application can be added to Android devices.
• To install containerized apps, installation of apps from unknown sources must be allowed on the user's mobile device. For details about installing apps without Google Play, please refer to the Android Help Guide.
• App containerization is not supported on Android devices for apps that contain more than 65,536 methods (multidex configuration).

Known issues with App removal protection

• Kaspersky Endpoint Security for Android must be set as the device administrator.
• To protect the app from removal on devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature.
• On some Xiaomi and Huawei devices, Kaspersky Endpoint Security for Android removal protection does not work. This issue is caused by the specific features of MIUI 7 and 8 firmware on Xiaomi and EMUI firmware on Huawei.

Known issues when configuring device restrictions

• On devices running Android 10.0 or later, prohibiting the use of Wi-Fi networks is not supported.
• On devices running Android 10.0 or later, the use of the camera cannot be completely prohibited.
• On devices running Android 11 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, you will not be able to restrict use of the camera.

Known issues when sending commands to mobile devices

• On devices running Android 12 or later, if the user granted the "Use approximate location" permission, the Kaspersky Endpoint Security for Android app first tries to get the precise device location. If this is not successful, the approximate device location is returned only if it was received not more than 30 minutes earlier. Otherwise, the Locate device command fails.

Known issues with Android work profile

• If you create an Android work profile by using a policy, the user must grant the "Allow access to manage all files" permission to Kaspersky Endpoint Security for Android that is installed on the devices running Android 11 or later and that is related to the work profile.
• The Prohibit activation of USB debugging mode Android work profile function does not work on devices with Android 13. This is caused by an issue in Android 13.

Known issues with specific devices

• On certain devices (for example, Huawei, Meizu, and Xiaomi), you must grant Kaspersky Endpoint Security for Android an autostart permission or manually add it to the list of apps that are started when the operating system starts. If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted. In addition, if the device has been locked, you cannot use a command to unlock the device. You can unlock the device only by using a one-time unlock code.
• On certain devices (for example, Meizu and Asus) running Android 6.0 or later, after encrypting data and restarting the Android device, you must enter a numeric password to unlock the device. If the user uses a graphic password to unlock the device, you must convert the graphic password to a numeric password. For more details about converting a graphic password into a numeric password, please refer to the Technical Support website of the mobile device manufacturer. This issue is related to the operation of the Accessibility Features service.
• On some Huawei devices running Android 5.Х, after Kaspersky Endpoint Security for Android is set as an Accessibility feature, an incorrect message about the lack of appropriate rights may be displayed. To hide this message, enable the app as a protected app in the device settings.
• On some Huawei devices running Android 5.X or 6.X, when Battery Saver mode is enabled for Kaspersky Endpoint Security for Android, the user can manually terminate the app. The user device becomes unprotected after that. This issue is due to some features of Huawei software. To restore the device protection, run Kaspersky Endpoint Security for Android manually. It is recommended to disable Battery Saver mode for Kaspersky Endpoint Security for Android in the device settings.
• On Huawei devices with EMUI firmware running Android 7.0, the user can hide the notification regarding the protection status of Kaspersky Endpoint Security for Android. This issue is due to some features of Huawei software.
• On some Xiaomi devices, the user can use the Foreground Services Task Manager to stop Kaspersky Endpoint Security for Android from running in the background. This issue is due to some features of Xiaomi software.
• On some Xiaomi devices, when setting the password length to more than 5 characters in a policy, the user will be prompted to change the screen unlock password instead of the PIN code. You cannot set a PIN code that has more than 5 characters. This issue is due to some features of Xiaomi software.
• On Xiaomi devices with MIUI firmware running Android 6.0, the Kaspersky Endpoint Security for Android icon may be hidden in the status bar. This issue is due to some features of Xiaomi software. It is recommended to allow the display of notification icons in Notifications settings.
• On some Nexus devices running Android 6.0.1, the privileges required for proper operation cannot be granted through the Quick Start Wizard of Kaspersky Endpoint Security for Android. This issue is caused by a well-known defect in Security Patch for Android by Google. To ensure proper operation, the required privileges must be manually granted in the device settings.
• On certain Samsung devices running Android 7.0 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: Kaspersky Endpoint Security for Android removal protection is enabled and screen unlock password strength requirements are set. To unlock the device, you must send a special command to the device.
• On certain Samsung devices, it is impossible to block the use of fingerprints for unlocking the screen.
• Web Protection cannot be enabled on some Samsung devices, if the device is connected to a 3G/4G network, has Battery Saver mode enabled and restricts background data. It is recommended to disable the function that restricts background processes in Battery Saver settings.
• On certain Samsung devices, if the unlock password does not comply with corporate security requirements, Kaspersky Endpoint Security for Android does not block the use of fingerprints for unlocking the screen.
• After executing Anti-Theft commands (such as Locate, Device Lock, Unlock, and Mugshot), the mobile certificate and the VPN certificate may be deleted on some Samsung devices. The certificates have to be reinstalled to continue. This issue occurs due to the Mobile Device Fundamentals Protection Profile (MDFPP) security standard.
• On some Honor and Huawei devices, you cannot restrict the use of Bluetooth. When Kaspersky Endpoint Security for Android attempts to restrict the use of Bluetooth, the operating system shows a notification containing the options to reject or allow this restriction. The user can reject this restriction and continue to use Bluetooth.
• On some Samsung devices, after Kaspersky Endpoint Security is installed or updated from a standalone installation package, KNOX MDM profile activation is unavailable.
• On Blackview devices, the user can clear the memory for the Kaspersky Endpoint Security for Android app. As a result, the device protection and management are disabled, all defined settings become ineffective, and the Kaspersky Endpoint Security for Android app is removed from the Accessibility features. This is because this vendor's devices provide the customized Recent screens app with elevated privileges. This app can override Kaspersky Endpoint Security for Android settings and cannot be replaced because it is part of the Android operating system.
• On some Google Pixel devices running Android 11 or earlier, the Kaspersky Endpoint Security for Android app crashes immediately after the start. This is caused by an issue in Android.
• On some TECNO devices, the user can unlock the device using face scanning, even if this biometric unlock method is prohibited by the policy.
• On some Sony and Google Pixel devices running Android 13 or later, the Kaspersky Endpoint Security Help, which has information about enabling accessibility is displayed incorrectly.
• On Samsung Galaxy S23 and S24 series devices Real-Time Protection may not work.

Known issues in app operation on Android 13

• On Android 13, the user can use the Foreground Services Task Manager to stop Kaspersky Endpoint Security from running in the background. This is caused by a well-known issue in Android 13.
• On Android 13, the permission to send notifications is requested when the initial app configuration begins. This is due to specifics of the Android 13 operating system.

Known issues when adding web clips

• The maximum number of web clips that can be added to an Android device depends on the device type. When this number is reached, web clips are no longer added to the Android device.

Known issues in device owner mode

• On devices running Android 10 or earlier, if you select Prohibit modification of apps in Settings when configuring restrictions for apps and apply the policy, the user still can clear app defaults and stop apps in app settings. This is due to Android operating system specifics.
• Managing update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may work incorrectly.
• The Kaspersky Endpoint Security for Android app can't be installed in device owner mode on the following devices: Honor 30i (Android 10), Huawei y8p, Huawei Y5 (Android 8), Huawei Mate 40 PRO (Android 10), Xiaomi Redmi 4X (Android 7.1), Honor 5c (Android 7.0, EMUI 5.0). This is due to the device firmware specifics: the QR code scanner is not available after the device is reset to factory settings.
• On devices with Android 10, location permissions are automatically set to Allow only while using the app instead of Allow all the time and can't be changed by the administrator or users. This issue is caused by a well-known bug in Android 10.
• The Prohibit screen capture restriction does not block the device user from capturing the device settings screen.

[Topic 136255]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deployment

This Help section is intended for specialists who install Kaspersky Security for Mobile, as well as for specialists who provide technical support to organizations that use Kaspersky Security for Mobile.

[Topic 98741]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Solution architecture

Kaspersky Security for Mobile includes the following components:

• Kaspersky Endpoint Security for Android mobile app

  The Kaspersky Endpoint Security for Android app ensures protection of mobile devices against web threats, viruses, and other programs that pose threats. It supports interaction between the mobile device and the Kaspersky Security Center Administration Server using Firebase Cloud Messaging.

• Kaspersky Endpoint Security for Android Administration Plug-in

  The Administration Plug-in of Kaspersky Endpoint Security for Android provides the interface for managing mobile devices and mobile apps installed on them through the Administration Console of Kaspersky Security Center.

• Kaspersky Device Management for iOS Administration Plug-in

  The Administration Plug-in of Kaspersky Device Management for iOS provides an interface for managing mobile devices connected by means of the iOS MDM protocol through the Administration Console of Kaspersky Security Center.

The architecture of the Kaspersky Security for Mobile integrated solution is shown in the figure below.

The architecture of Kaspersky Security for Mobile

For details on Administration Console, Administration Server, and iOS MDM Server, please refer to Kaspersky Security Center Help.

[Topic 65441]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Common integrated solution deployment scenarios

This section covers the common deployment scenarios for the Kaspersky Security for Mobile integrated solution.

Different deployment scenarios can be used to deploy the integrated solution on Android devices and iOS devices. If the organization uses mobile devices running various operating systems, apps should be installed for each operating system separately by following the appropriate deployment scenario.

[Topic 99483]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deployment scenarios for Kaspersky Endpoint Security for Android

Kaspersky Endpoint Security for Android can be deployed on mobile devices within the corporate network in several ways. You can use the most suitable deployment scenario for your organization or combine several deployment scenarios.

For details on deploying Kaspersky Endpoint Security for Android in Kaspersky Endpoint Security Cloud, please refer to Kaspersky Endpoint Security Cloud help.

Deploying Kaspersky Endpoint Security for Android via Kaspersky Security Center on personal devices

For personal devices, you can deploy Kaspersky Endpoint Security for Android via Kaspersky Security Center by using the following methods:

• Deliver messages with the Google Play link (recommended)
• Deliver messages with a link to the installation package in Kaspersky Security Center

Deployment of Kaspersky Endpoint Security for Android using Google Play consists in sending messages containing the Google Play link to users of devices from the Administration Console.

To deploy Kaspersky Endpoint Security for Android via the installation package, do the following:

1. Create and configure an app installation package.
2. Create a standalone installation package.
3. Send messages with a link for downloading a standalone installation package to users of Android devices. Mass mailing is available.

The user installs Kaspersky Endpoint Security for Android on a mobile device after receiving a message with a Google Play link or a link for downloading the installation package from the Kaspersky Security Center server. No additional preparations are needed to begin using the app.

Deploying Kaspersky Endpoint Security for Android via Kaspersky Security Center on company-owned devices (device owner mode)

For company-owned devices (device owner mode), you can deploy Kaspersky Endpoint Security for Android via Kaspersky Security Center by using the following method:

• Deliver the QR code with a link to a general app version (APK installation file)
• Deliver the QR code with a link to the installation package in Kaspersky Security Center

To deploy Kaspersky Endpoint Security for Android in device owner mode via the general app version, do the following:

1. Create a QR code for app installation from the Administration Console.
2. Pre-configure the mobile device and install Kaspersky Endpoint Security for Android using the QR code.

To deploy Kaspersky Endpoint Security for Android in device owner mode via the installation package, do the following:

1. Create and configure an app installation package.
2. Create a standalone installation package.
3. Create a QR code for app installation via the installation package.
4. Pre-configure the mobile device and install Kaspersky Endpoint Security for Android using the QR code.

Deploying Kaspersky Endpoint Security for Android from Google Play

Kaspersky Endpoint Security for Android is installed from Google Play independently by the users of devices. Users download the mobile app distribution package from Google Play and install the app on devices. After the app has been installed on the device, you need to make additional preparations before you can begin using it: configure the settings of the connection to the Administration Server and install a mobile certificate.

Deploying Kaspersky Endpoint Security for Android via KNOX Mobile Enrollment

Deployment of Kaspersky Endpoint Security for Android consists of adding a KNOX MDM profile to mobile devices. The KNOX MDM profile contains a link to an app deployed on the Kaspersky Security Center Web Server or another server. After the app is installed on the mobile device, you must also install a mobile certificate.

You can read about installation through KNOX Mobile Enrollment in the Samsung KNOX section.

[Topic 141784]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deployment scenarios for iOS MDM profile

An iOS MDM profile is a profile that contains the settings for connecting mobile devices running iOS to Kaspersky Security Center. After installation of an iOS MDM profile and synchronization with Kaspersky Security Center, the device becomes a managed device. Mobile devices are managed through the Apple Push Notification service (APNs). For more details on installing an iOS MDM profile and working with APNs, please refer to Kaspersky Security Center Help.

Using an iOS MDM profile, you can do the following:

• Remotely configure the settings of iOS MDM devices by using group policies.
• Send device lock and data wipe commands.
• Remotely install Kaspersky apps and other third-party apps.

An iOS MDM profile can be deployed on mobile devices within the corporate network in several ways. You can use the most suitable deployment scenario for your organization or combine several deployment scenarios.

Before deploying an iOS MDM profile, the administrator must do the following:

1. Install an iOS MDM Server.
2. Obtain an Apple Push Notification Service certificate (APNs certificate).
3. Install an APNs certificate to the iOS MDM Server.

For more details on installing an iOS MDM Server and working with an APNs certificate, please refer to Kaspersky Security Center help.

For details on deploying an iOS MDM profile in Kaspersky Endpoint Security Cloud, please refer to Kaspersky Endpoint Security Cloud help.

Deploying an iOS MDM profile via Kaspersky Security Center

Deployment of an iOS MDM profile via Kaspersky Security Center can be carried out by sending messages containing a link to download the iOS MDM profile. Mass mailing is available.

The user installs the iOS MDM profile to a mobile device after receiving the message with a link to the Kaspersky Security Center Web Server. No additional preparations for the iOS MDM profile are required.

For more details on creating an iOS MDM profile, please refer to Kaspersky Security Center Help.

[Topic 99201]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Preparing the Administration Console for deployment of the integrated solution

This section provides instructions on preparing the Administration Console for deployment of the integrated solution.

[Topic 89678]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring Administration Server settings for connection of mobile devices

In order for mobile devices to be able to connect to the Administration Server, before installing the Kaspersky Endpoint Security mobile app configure the mobile device connection settings in the Administration Server properties.

To configure Administration Server settings for connecting mobile devices:

1. In the context menu of the Administration Server, select Properties.

   The Administration Server settings window opens.

2. Select Server connection settings → Additional ports.
3. Select the Open port for mobile devices check box.
4. In the Port for mobile devices field, specify the port through which mobile devices will connect to the Administration Server.

   Port 13292 is used by default. If the Open port for mobile devices check box is cleared or the wrong connection port is specified, mobile devices will not be able to connect to the Administration Server.

5. In the Port to activate mobile clients field, specify the port to be used by mobile devices to connect to the Administration Server for activation of the Kaspersky Endpoint Security for Android app. Port 17100 is used by default.
6. Click OK.

[Topic 245223_1]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server

This topic describes how to configure a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server. The configuration proceeds in the following steps:

1. Install Network Agent in the connection gateway role on a host
2. Configure the connection gateway on Kaspersky Security Center Administration Server

This article contains an overview of the scenario. For detailed instructions, please refer to the Kaspersky Security Center documentation.

Requirements

For a connection gateway to work correctly with mobile devices, the following requirements must be met:

• Port 13292 must be open on the host with the connection gateway.
• Port 13000 must be open between the connection gateway and Kaspersky Security Center. It does not need to be open outside the DMZ.
• The host must have a static address accessible from the internet.

Install Network Agent in the connection gateway role on a host

First, you need to install Network Agent on the selected host device acting in the gateway connection role. You can download a full installation package of Kaspersky Security Center or use a local installation of Kaspersky Security Center.

By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>

To install Network Agent in the connection gateway role:

1. Start the Network Agent Setup Wizard and follow its instructions leaving default values for all of the options until the Select Administration Server window opens.
2. In the Select Administration Server window, configure the following settings:
   • Enter the address of the device with Administration Server installed.
   • In the Port, SSL port, and UDP port fields, leave the default values.
   • Select the Use SSL to connect to Administration Server check box to establish a connection to the Administration Server through a secure port via SSL.

     We recommend that you do not clear this check box so your connection remains secured.

   • Select the Allow Network Agent to open UDP port check box to manage client devices and receive information about them.
3. Click Next and proceed through the Wizard with default settings up to the Connection gateway window.
4. In the Connection gateway window, select Use Network Agent as a connection gateway in DMZ.

   This mode simultaneously activates the connection gateway role and tells Network Agent to wait for connections from Administration Server, rather than establish connections to Administration Server.

5. Click Next and start the installation.

Network Agent is now installed and configured in the connection gateway role.

Configure the connection gateway on Kaspersky Security Center Administration Server

Once you have installed Network Agent in the connection gateway role, you need to connect it to Administration Server. Administration Server does not yet list the device with the connection gateway among the managed devices because the connection gateway has not tried to connect to Administration Server. Therefore, you need to add the connection gateway as a distribution point to ensure that Administration Server initiates a connection to the connection gateway.

To configure the connection gateway on Administration Server:

1. Add the connection gateway as a distribution point in Kaspersky Security Center.
   1. In the console tree, select the Administration Server node.
   2. In the context menu of Administration Server, select Properties.
   3. In the Administration Server properties window, select the Distribution points section.
   4. Click the Add button.

      The Add distribution point window opens.

   5. In the Add distribution point window, perform the following actions:
      • Specify the IP address of the device with Network Agent installed in the Device to act as distribution point field. To do this, select Add connection gateway in DMZ by address in the drop-down list.

        Enter the IP address of the connection gateway or enter the name if the connection gateway is accessible by name.

      • In the Distribution point scope field, select the group to which the connection gateway will be distributed from the drop-down list, and then click OK.
   6. In the Distribution points section, click OK to save the changes you have made.

   The connection gateway will be saved as a new entry named Temporary entry for connection gateway.

   Administration Server almost immediately attempts to connect to the connection gateway at the address that you specified. If it succeeds, the entry name changes to the name of the connection gateway device. This process takes up to five minutes.

   While the temporary entry for the connection gateway is being converted to a named entry, the connection gateway also appears in the Unassigned devices group.

2. Create a new group under the Managed devices group. This new group will contain external managed devices.
3. Move the connection gateway from the Unassigned devices group to the group that you have created for external devices.
4. Configure properties of the connection gateway that you have deployed:
   1. In the Distribution points section of the Administration Server properties, select the connection gateway and click Properties.
   2. In the General section, under DNS domain names of the distribution point for access by mobile devices (included in the certificate), specify your connection gateway DNS name that will be used to connect to the mobile device.
   3. In the Connection Gateway section, select the following check boxes and leave the default port numbers:
      • Open port for mobile devices (SSL authentication of the Administration Server only)
      • Open port for mobile devices (two-way SSL authentication)
   4. Click OK to save the changes you have made.

The connection gateway is now configured. You can now add new mobile devices by specifying the connection gateway address. New devices will appear on Administration Server.

[Topic 89684]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Displaying the Mobile Device Management folder in the Administration Console

By displaying the Mobile Device Management folder in the Administration Console, you can view the list of mobile devices managed by the Administration Server, configure the mobile device management settings, and install certificates on mobile devices of users.

To enable the display of the Mobile Device Management folder in the Administration Console:

1. In the context menu of the Administration Server, select View → Configuring interface.
2. In the window that opens, select the Display Mobile Device Management check box.
3. Click OK.

The Mobile Device Management folder is displayed in the Administration Console tree after the Administration Console is restarted.

[Topic 89688]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating an administration group

To perform centralized configuration of the Kaspersky Endpoint Security for Android app installed on the users' mobile devices, the group policies must be applied to the devices.

To apply the policy to a device group, you are advised to create a separate group for these devices in the Managed devices prior to installing mobile apps on user devices.

After creating an administration group, it is recommended to configure the option to automatically allocate devices on which you want to install the apps to this group. Then configure settings that are common to all devices using a group policy.

To create administration group, follow the steps below:

1. In the console tree, select the Managed devices folder.
2. In the workspace of the Managed devices folder or subfolder, select the Devices tab.
3. Click the New group  button.

   This opens the window in which you can create a new group.

4. In the Group name window type the group name and click OK.

A new administration group folder with the specified name appears in the console tree. For more detailed information on use of administration groups, see Kaspersky Security Center Help.

[Topic 89691]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating a rule for device automatic allocating to administration groups

You can centrally administer the settings of Kaspersky Endpoint Security for Android app installed on users' mobile devices only if the devices belong to a previously created administration group for which a group policy has been configured.

If the rule to automatically allocate mobile devices detected on the network to the administration group is not configured, during the first synchronization of the device with the Administration Server, the device is automatically sent to the Administration Console in the Additional → Network poll → Domains → KES10 folder. A group policy does not apply to this device.

To create the rule for automatic allocating of mobile devices to administration group, follow the steps below:

1. In the console tree, select the Unassigned devices folder.
2. From the context menu of the Unassigned devices folder, select Properties.

   The Properties: Unassigned devices window appears.

3. In the Move devices section, click Add to start the process of creating a rule for automatically allocating devices to an administration group.

   The New rule window appears.

4. Type the rule name.
5. Specify the administration group to which mobile devices should be allocated after the Kaspersky Endpoint Security for Android mobile app has been installed on them. To do so, click Browse to the right of the Group to move devices to field and select the group in the window that appears.
6. In the Rule application section, select Run once for each device.
7. Select the Move only devices not added to administration groups check box to prevent allocating to the selected group the mobile devices that were allocated to other administration groups when applying the rule.
8. Select the Enable rule check box, so that the rule can be applied to newly detected devices.
9. Open the Apps section and do the following:
   1. Select the Operating system version check box.
   2. Select one or several types of operating systems of the devices to be allocated to the specified group: Android or iOS.
10. Click OK.

The newly created rule is displayed in the list of device allocation rules in the Move devices section in the properties window of the Unassigned devices folder.

According to the rule, Kaspersky Security Center allocates all devices that meet the specified requirements from the Unassigned devices folder to the selected group. The mobile devices which were earlier allocated to the Unassigned devices folder can also be allocated to the required administration group of the Managed devices folder manually. For more detailed information on administration groups management and actions with undistributed devices, see Kaspersky Security Center Help.

[Topic 89730]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating a mobile certificate

You have to create a mobile certificate in Administration Console for the purpose of identifying the user of a mobile device.

To create a mobile certificate:

1. In the console tree, select the Mobile Device Management → Certificates folder.
2. In the workspace of the Certificates folder, click the Add certificate button to start the Certificate Installation Wizard.
3. In the Certificate type window of the Wizard, select the Mobile certificate option.
4. In the User selection window of the Wizard, specify the users for whom you want to create a mobile certificate.
5. In the Certificate source window of the Wizard, select the method by which the mobile certificate is created.
   • To create a mobile certificate automatically using Administration Server tools, select Issue certificate through Administration Server tools.
   • To assign a previously created certificate to a user, select the Specify certificate file option. Click the Specify button to open the Certificate window and specify the certificate file in it.

     Clear the Publish certificate check box if you do not want to specify the type of mobile device and the method of notifying the user about certificate creation.

6. In the Method of user notification window of the Wizard, configure the settings of mobile device user notification about certificate creation using a text message or via email.
7. In the Generating the certificate window of the Wizard, click Done to finish the Certificate Installation Wizard.

As a result, the Certificate Installation Wizard creates a mobile certificate that the user can install on the mobile device. To get the certificate, start synchronization of the mobile device with the Administration Server. For more information about creating certificates and configuring rules for issuing them, refer to Kaspersky Security Center help.

[Topic 141433]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installing Kaspersky Endpoint Security for Android

This section describes the methods for deploying Kaspersky Endpoint Security for Android on a corporate network.

[Topic 150051]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Permissions

For all features of apps, Kaspersky Endpoint Security for Android prompts the user for the required permissions. Kaspersky Endpoint Security for Android prompts for the mandatory permissions while completing the Setup Wizard, as well as after installation prior to using individual features of apps. It is impossible to install Kaspersky Endpoint Security for Android without providing the mandatory permissions.

On certain devices (for example, Huawei, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts in the device settings. If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted.

On devices running Android 11 or later, you must disable the Remove permissions if app isn't used system setting. Otherwise, after the app is not used for a few months, the system automatically resets the permissions that the user granted to the app.

Permissions requested by Kaspersky Endpoint Security for Android

[Topic 141434]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installation of Kaspersky Endpoint Security for Android using a Google Play link

Kaspersky Endpoint Security for Android is installed on the mobile devices of users whose user accounts have been added in Kaspersky Security Center. For more details about user accounts in Kaspersky Security Center, please refer to Kaspersky Security Center Help.

Kaspersky Security for Mobile lets you install the app through Kaspersky Security Center by using a Google Play link (recommended method).

The user will receive a link to Google Play. The app can be installed by following the standard installation procedure on the Android platform. Additional configuration of Kaspersky Endpoint Security for Android after installation is not required.

Some Huawei and Honor devices do not have Google services and therefore an access to apps in Google Play. If some users of Huawei and Honor devices cannot install the app from Google Play, they should be instructed to install the app from Huawei App Gallery.

The link contains the following data:

• Kaspersky Security Center synchronization settings.
• Mobile certificate.
• Indicator of acceptance of the Terms and Conditions of the End User License Agreement for Kaspersky Endpoint Security for Android and additional Statements. If the administrator accepts the terms of License Agreement and additional Statements in the Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app.

To install Kaspersky Endpoint Security for Android through Kaspersky Security Center using a Google Play link:

1. In the console tree, select the Mobile Device Management → Mobile devices folder.
2. In the workspace of the Mobile devices folder, click the Add mobile device button.

   This starts the New Mobile Device Connection Wizard. Follow the instructions of the Wizard.

3. In the Operating system section, select Android.
4. In the Device type section, select Personal device.

   Kaspersky Security Center checks for administration plug-in updates. If Kaspersky Security Center detects updates, you can install the new version of the administration plug-in. When the administration plug-in is updated, you can accept the Terms and Conditions of the End User of the License Agreement (EULA) and additional Statements for Kaspersky Endpoint Security for Android. If the administrator accepts the License Agreement and additional Statements in Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app. This feature is available in Kaspersky Security Center version 12.

5. On the Kaspersky Endpoint Security for Android installation method page, select Link to an app version on Google Play.
6. On the Select users page of the Wizard, select one or more users for installation of Kaspersky Endpoint Security for Android to their mobile devices.

   If a user is not in the list, you can add a new user account without exiting the New Mobile Device Connection Wizard.

7. On the Certificate source page of the Wizard, select the source of the certificate for protection of data transfer between Kaspersky Endpoint Security for Android and Kaspersky Security Center:
   • Issue certificate through Administration Server tools. In this case, the certificate will be created automatically.
   • Specify certificate file. In this case, your own certificate must be prepared ahead of time and then selected in the window of the Wizard. This option cannot be used if you want to install Kaspersky Endpoint Security for Android to several mobile devices. A separate certificate must be created for each user.
8. On the User notification method page of the Wizard, select the channel used to forward the app installation link:
   • To send the link by email, select Send link to Kaspersky Endpoint Security and configure the settings in the By email section. Make sure that the email address is specified in the settings of user accounts.
   • To install Kaspersky Endpoint Security for Android using a QR code, select Show link to installation package and scan the QR code using the camera of the mobile device.
   • If none of the listed methods are suitable for you, select Show link to installation package → Copy to copy the link for installing Kaspersky Endpoint Security for Android to the clipboard. Use any available method to deliver the app installation link. You can also use other methods of installation of Kaspersky Endpoint Security for Android.
9. Click Finish to close the New Mobile Device Connection Wizard.

After installing Kaspersky Endpoint Security for Android on users' mobile devices, you will be able to configure the settings for devices and apps by using group policies. You will also be able to send commands to mobile devices for data protection in case devices are lost or stolen.

[Topic 241804]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installation of Kaspersky Endpoint Security for Android in device owner mode

Device owner mode is the device operation mode for company-owned Android devices. This mode lets you have full control over the entire device and configure a wide range of device functions. Device owner mode is supported on Android 7.0 or later.

Kaspersky Security Center lets you install the Kaspersky Endpoint Security for Android app in device owner mode by generating a QR code for app installation on the device.

Kaspersky Endpoint Security for Android is installed on the mobile devices of users whose user accounts have been added in Kaspersky Security Center. For more details about user accounts in Kaspersky Security Center, please refer to Kaspersky Security Center Help.

Ways to install the app

The Kaspersky Endpoint Security for Android app can be installed via a QR code that includes one of the following:

• Link to a general app version

  Choose this method for mobile devices that can access the internet to download the APK installation file from the Kaspersky website. The app will then be updated using Google Play or Huawei AppGallery.

• Link to the installation package in Kaspersky Security Center

  Choose this method for mobile devices with no access to the internet. The app's installation package will be downloaded from the Kaspersky Security Center server. The app will also be updated through Kaspersky Security Center using policy settings.

  For this method, follow the steps below before generating a QR-code:

  1. Create and configure an app installation package.
  2. Create a standalone installation package.

Generating QR code for app installation

To generate a QR code for app installation in device owner mode:

1. In the console tree, select the Mobile Device Management → Mobile devices folder.
2. In the workspace of the Mobile devices folder, click the Add mobile device button.

   This starts the New Mobile Device Connection Wizard. Follow the instructions of the Wizard.

3. In the Operating system section, select Android.
4. In the Device type section, select Company-owned device (device owner mode).
5. In the Additional section, select the required options:
   • Select the Enable all system apps check box if you want system apps to be active on the device. If the check box is cleared, all system apps are disabled.
   • Select the Allow use of mobile network to download Kaspersky Endpoint Security check box if you want to use mobile data for downloading the Kaspersky Endpoint Security for Android app. The option is supported on devices with Android 8 and later. If the check box is cleared, the app will be downloaded when the device is connected to Wi-Fi.
6. Click Next.

   Kaspersky Security Center checks for administration plug-in updates. If Kaspersky Security Center detects updates, you can install the new version of the administration plug-in. When the administration plug-in is updated, you can accept the Terms and Conditions of the End User of the License Agreement (EULA) and additional Statements for Kaspersky Endpoint Security for Android. If the administrator accepts the License Agreement and additional Statements in Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app.

7. On the Method to install Kaspersky Endpoint Security for Android in device owner mode page, select an installation method:
   • Link to a general app version
   • Link to the installation package in Kaspersky Security Center

     If you choose this option, leave the Allow HTTP use for app download in device owner mode check box selected to ensure the app is downloaded. Otherwise, the app will be downloaded via HTTPS only if the Kaspersky Security Center Web Server certificate was issued by a trusted certificate authority.

   For more details about these methods, see the Ways to install the app section above.

8. On the Select users page of the Wizard, select one or more users for installation of Kaspersky Endpoint Security for Android to their mobile devices.

   If a user is not in the list, you can add a new user account without exiting the New Mobile Device Connection Wizard.

9. On the Certificate source page of the Wizard, select the source of the certificate for protection of data transfer between Kaspersky Endpoint Security for Android and Kaspersky Security Center:
   • Issue certificate through Administration Server tools. In this case, the certificate will be created automatically.
   • Specify certificate file. In this case, your own certificate must be prepared ahead of time and then selected in the window of the Wizard. This option cannot be used if you want to install Kaspersky Endpoint Security for Android to several mobile devices. A separate certificate must be created for each user.
10. On the User notification method page, specify email addresses. Make sure that the email address is specified in the user account settings in Kaspersky Security Center.
11. On the Result page, verify the information and save the QR code.
12. Click Finish to close the New Mobile Device Connection Wizard.

Additional configuration on the Android device is required to install Kaspersky Endpoint Security for Android in device owner mode.

After installing Kaspersky Endpoint Security for Android on users' mobile devices, you will be able to configure the settings for devices and apps by using group policies. You will also be able to send commands to mobile devices for data protection in case devices are lost or stolen.

[Topic 209663]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Other methods of installation of Kaspersky Endpoint Security for Android

You can install Kaspersky Endpoint Security for Android using a link to your own web server or instruct the users to install the app manually.

[Topic 209665]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Manual installation from Google Play or Huawei AppGallery

Users can manually install Kaspersky Endpoint Security for Android from Google Play or Huawei AppGallery. The app can be installed by following the standard installation procedure of the Android platform. Users use their own Google accounts to install the application.

For details on the procedure of installing Kaspersky Endpoint Security for Android from Google Play, see the Google technical support website.

For details on the procedure of installing Kaspersky Endpoint Security for Android from Huawei AppGallery, see the HUAWEI Support website.

Some Huawei and Honor devices do not have Google services and therefore an access to apps in Google Play. If some users of Huawei and Honor devices cannot install the app from Google Play, they should be instructed to install the app from Huawei App Gallery.

After installing Kaspersky Endpoint Security for Android from Google Play or Huawei AppGallery, you must prepare the app for use. The process of preparing the app for use includes the following steps:

1. The administrator sends the settings of mobile device synchronization with the Administration Server (server address and port number) using any available method (for example, by sending an email message).
2. The user can configure the settings of mobile device synchronization with the Administration Server during operation of the Initial Configuration Wizard or in the Kaspersky Endpoint Security for Android settings.
3. The administrator creates a mobile certificate for the mobile device user.
4. The user receives an automatic notification with a prompt to install the mobile certificate. When installation is confirmed, the mobile certificate is installed on the mobile device.

Internet access should be enabled on the mobile device for synchronization with the Administration Server.

See the Kaspersky Security Center Help for details on how to configure the settings of mobile device synchronization with the Administration Server and receive a mobile certificate.

During the next synchronization of the mobile device with Administration Server, the user's mobile device on which Kaspersky Endpoint Security for Android is installed is moved to the Additional → Network poll → Domains folder in the administration group that was specified during installation of the application (the default group is KES10). You can move a mobile device to the administration group that you created in the Managed devices folder either manually or using automatic allocation rules.

This installation method is convenient if you want to install a specific version of Kaspersky Endpoint Security for Android.

To install Kaspersky Endpoint Security for Android using a link to your own web server:

1. Create an installation package and configure its settings.

   The installation package is a set of files created for remote installation of the Kaspersky app through Kaspersky Security Center.

2. Create a standalone installation package.

   A standalone installation package is the installation file of a mobile app that contains the settings of the app connection to the Administration Server and an indicator of acceptance of the Terms and Conditions of the End User License Agreement (EULA) for the Kaspersky Endpoint Security for Android. It is created on the basis of the Kaspersky Endpoint Security for Android installation package. The standalone installation package is a special case of an installation package.

The user will receive a link to the web server hosting the standalone installation package for Kaspersky Endpoint Security for Android. To install the app, the user must run the APK file. Additional configuration of Kaspersky Endpoint Security for Android after installation is not required.

To install Kaspersky Endpoint Security for Android using a link to your own web server, installation of apps from unknown sources must be allowed on the user's mobile device.

[Topic 89690]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating and configuring an installation package

The Kaspersky Endpoint Security for Android installation package is the sc_package.exe self-extracting archive. The archive includes files required for installing mobile app on devices:

• adb.exe, AdbWinApi.dll, AdbWinUsbApi.dll – Set of files required for installing Kaspersky Endpoint Security for Android.
• installer.ini – Configuration file that contains the Administration Server connection settings.
• KES10_xx_xx_xxx.apk – Setup file for Kaspersky Endpoint Security for Android.
• kmlisten.exe – Utility for delivering the application installation package through a the workstation.
• kmlisten.ini – Configuration file that contains the settings for the installation package delivery utility.
• kmlisten.kpd – Application description file.

To create the Kaspersky Endpoint Security for Android installation package:

1. In the console tree, select the Additional → Remote installation → Installation packages folder.
2. In the workspace of the Installation packages  folder, click the Create installation package button.

   The Installation Package Creation Wizard starts. Follow the instructions of the Wizard.

3. In the Select installation package type window of the Wizard, click the Create installation package for Kaspersky application button.
4. In the Defining installation package name window of the Wizard, enter the installation package name to be displayed in the workspace of the Installation packages folder.
5. In the Select application installation package for installation window of the Wizard, select the sc_package.exe self-extracting archive included in the distribution kit.

   If you have already unpacked the archive, choose the application description file, kmlisten.kpd. The application name and the version number appear in the entry field.

6. In the Accept EULA window of the Wizard, read, understand, and accept the terms and conditions of the End User License Agreement.

   You must accept the terms and conditions of the End User License Agreement for creating the installation package. If you accept the terms of License Agreement in the Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app.

   If you decide to stop the protection of the mobile devices, you can uninstall Kaspersky Endpoint Security for Android app and revoke your End User License Agreement (EULA) for the app. To learn more about revoking EULA, please refer to the Kaspersky Security Center help.

After the Wizard finishes, the created installation package appears in the Installation packages folder workspace. The installation packages are stored in the Packages folder, in the public shared folder on the Administration Server.

To configure the installation package settings:

1. In the console tree, select the Additional → Remote installation → Installation packages folder.
2. In the context menu of the Kaspersky Endpoint Security for Android installation package, select Properties.
3. On the Settings tab, specify the Administration Server connection settings for mobile devices and the name of the administration group to which the mobile devices will be added automatically after the first synchronization with the Administration Server. Follow the steps below:
   • In the Connection to the Administration Server section, in the Server address field, type the name of the Administration Server for mobile devices in the format that was used for installing Mobile devices support during the Administration Server deployment.

     Depending on the Administration Server name format for the Mobile devices support component, specify the DNS name or the IP address of the Administration Server. In the SSL port number field, specify the number of the port open on the Administration Server for connecting mobile devices. Port 13292 is used by default.

   • In the Allocation of computers to groups section, in the Group name field, type the name of the group to which mobile devices will be added after the first synchronization with the Administration Server (KES10 is used by default).

     The specified group will be automatically created in the Additional → Network poll → Domains folder.

   • In the Actions during installation section, select the Request email address check box if you want the app to ask users to provide their corporate email address when the app is started for the first time.

     The user's email address is used to form the name of the mobile device when it is added to the administration group.

4. To apply the specified settings, click Apply.

[Topic 89728]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating a standalone installation package

To create a standalone installation package, follow the steps below:

1. In the console tree, select the Additional → Remote installation → Installation packages folder.
2. Choose the installation package of Kaspersky Endpoint Security for Android.
3. In the context menu of the installation package, select Create a standalone installation package.

   The wizard that creates the standalone installation package will be started. Follow the instructions of the Wizard.

4. Configure ways in which the standalone installation package is distributed:
   • To distribute the path to the created standalone installation package among users via email, in the Further actions section click the link Send the link to the standalone installation package by email.

     The message editor window opens, and the text in the window contains the path to the shared folder with the standalone installation package.

   • To post the link to the created standalone installation package on your corporate website, click the link Sample HTML code for posting link on website.

     A tmp file containing HTML_RJL links opens.

5. To publish the created standalone installation package on the Kaspersky Security Center Web Server and view the entire list of standalone packages for the selected installation package, in the Standalone installation package wizard completed successfully window select the Open the stand-alone packages list check box.

After the wizard closes, the window List of standalone packages for the installation package <Installation package name> opens.

The List of standalone packages for the installation package <Installation package name> window contains the following information:

• A list of standalone installation packages.
• The network path to the shared folder in the Path field.
• The address of the standalone package on the Kaspersky Security Center Web Server in the URL field.

When sending email notifications, you can specify either the address in the URL field or the path in the Path field as a resource from which users can download the setup file of the app. When sending text message notifications to users, you have to specify the download link appearing in the URL field.

You are advised to copy the address of the created standalone package to clipboard and then paste the link to the required installation package into the email or text message notification for users.

[Topic 88051]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring synchronization settings

To manage mobile devices and receive reports or statistics from mobile devices of users, you must configure the synchronization settings. Mobile device synchronization with Kaspersky Security Center may be performed in the following ways:

• By schedule. Synchronization by schedule is performed using the HTTP protocol. You can configure the synchronization schedule in the group policy settings. Modifications to group policy settings, commands and tasks will be performed when the device is synchronizing with Kaspersky Security Center according to the schedule, i.e. with a delay. By default, mobile devices are synchronized with the Kaspersky Security Center automatically every 6 hours.

  On Android 12 or later, the app may perform this task later than specified if the device is in battery saver mode.

• Forced. Forced synchronization is performed using push notifications of the FCM service (Firebase Cloud Messaging). Forced synchronization is primarily intended for timely delivery of commands to a mobile device. If you want to use forced synchronization, make sure that the GSM settings are configured in Kaspersky Security Center. For more information, refer to Kaspersky Security Center help.

To configure the settings of mobile device synchronization with the Kaspersky Security Center:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Synchronization section.
5. Select the frequency of synchronization in the Synchronize drop-down list.
6. To disable synchronization of a device with Kaspersky Security Center while roaming, select the Do not synchronize while roaming check box.

   The device user can manually perform synchronization in the app settings ( → Settings → Synchronization → Synchronize).

7. To hide synchronization settings (server address, port and administration group) from the user in the app settings, clear the Show synchronization settings on device check box. It is impossible to modify hidden settings.
8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. You can manually synchronize the mobile device by using a special command. To learn more about working with commands for mobile devices, please refer to the Kaspersky Security Center help.

[Topic 136294]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Activating the Kaspersky Endpoint Security for Android app

In Kaspersky Security Center, the license can cover various groups of features. To ensure that the Kaspersky Endpoint Security for Android app is fully functional, the Kaspersky Security Center license purchased by the organization must provide for the Mobile Device Management functionality. The Mobile Device Management functionality is intended for connecting mobile devices to Kaspersky Security Center and managing them.

For detailed information about the licensing of Kaspersky Security Center and licensing options, please refer to Kaspersky Security Center Help.

Activating the Kaspersky Endpoint Security for Android app on a mobile device is done by providing valid license information to the app. License information is delivered to the mobile device, together with the policy, when the device is synchronized with Kaspersky Security Center.

If the activation of the Kaspersky Endpoint Security for Android app is not completed within 30 days from the time of installation on the mobile device, the app is automatically switched to the limited functionality mode. In this mode, most of the app components are not operational. When switched to the limited functionality mode, the app stops performing automatic synchronization with Kaspersky Security Center. Therefore, if the activation of the app has not been completed within 30 days after the installation, the user must synchronize the device with Kaspersky Security Center manually.

If Kaspersky Security Center is not deployed in your organization or is not accessible to mobile devices, users can activate the Kaspersky Endpoint Security for Android app on their devices manually.

To activate the Kaspersky Endpoint Security for Android app:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Licensing section.
5. In the Licensing section, open the Key drop-down list, and then select the required application activation key from the key storage of the Kaspersky Security Center Administration Server.

   The details of the app for which the license has been purchased are displayed in the field below.

6. Select the Activate with a key from Kaspersky Security Center storage check box.

   If the app was activated without a key stored in the Kaspersky Security Center storage, Kaspersky Security for Mobile replaces this key with the activation key selected in the Key drop-down list.

7. To activate the app on the user's mobile device, block changes to settings.
8. Click the Apply button to save the changes you have made.

   Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

[Topic 141488]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installing an iOS MDM profile

This section describes the methods of deploying iOS MDM profiles on a corporate network.

Before deploying an iOS MDM profile, the administrator must do the following:

1. Install an iOS MDM Server.
2. Obtain an Apple Push Notification Service certificate (APNs certificate).
3. Install an APNs certificate to the iOS MDM Server.

For more details on installing an iOS MDM Server and working with an APNs certificate, please refer to Kaspersky Security Center help.

For details on deploying an iOS MDM profile in Kaspersky Endpoint Security Cloud, please refer to Kaspersky Endpoint Security Cloud help.

[Topic 135822]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About iOS device management modes

You can deploy an iOS device management system in several different ways. The management mode depends on the owner of the mobile device (personal or corporate) and corporate security requirements. You can choose the management mode that is most suitable for the company, and use several modes at the same time.

Unsupervised devices

Unsupervised iOS devices are employees' personal devices that are connected to Kaspersky Security Center. In this mode, the user is allowed to use a personal Apple ID, work with any apps, and store personal data on the device. You can use a Kaspersky Device Management for iOS group policy to configure access to corporate resources, security settings, and other settings. By default, all iOS devices are unsupervised.

Supervised devices

Supervised iOS devices are corporate devices that are connected to Kaspersky Security Center. Initial configuration of the mobile device is performed in Apple Configurator. Apple Configurator is an application designed to prepare and configure iOS devices. Apple Configurator is installed on a computer running OS X. For more details about working with Apple Configurator, please refer to the Apple Technical Support website. You can use a Kaspersky Device Management for iOS group policy for further configuration. On supervised devices, you can access an extended selection of settings. For example, you can configure Global HTTP Proxy and additional restrictions (for example, blocked use of iMessage and Game Center), and you can block user account modifications.

To work with supervised and unsupervised iOS devices, the iOS MDM Server must have an APNs certificate installed, and an iOS MDM profile must be installed on the mobile devices of users.

[Topic 141792]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installing via Kaspersky Security Center

The iOS MDM profile is installed to the mobile devices of users whose user accounts have been added in Kaspersky Security Center. For more details about user accounts in Kaspersky Security Center, please refer to Kaspersky Security Center help.

To install an iOS MDM profile:

1. In the console tree, select the Mobile Device Management → Mobile devices folder.
2. In the workspace of the Mobile devices folder, click the Add mobile device button.

   This starts the New Mobile Device Connection Wizard. Follow the instructions of the Wizard.

3. In the Operating system section, select iOS.
4. In the iOS MDM device protection method window of the Wizard, select Use iOS MDM profile of iOS MDM Server and specify the iOS MDM profile from the list.
5. In the Select users window of the Wizard, select one or several users for installation of the iOS MDM profile to their mobile devices.

   If the user is not in the list, you can add a new user account without exiting the New Mobile Device Connection Wizard.

6. In the Certificate source window of the Wizard, select the source of the certificate for protection of data transfer between the mobile device and Kaspersky Security Center:
   • Issue certificate through Administration Server tools. In this case, the certificate will be created automatically.
   • Specify certificate file. In this case, your own certificate must be prepared ahead of time and then selected in the window of the Wizard. This option cannot be used if you want to install the iOS MDM profile to several mobile devices. A separate certificate must be created for each user.
7. In the User notification method window of the Wizard, select the channel used to forward the app installation link:
   • To send the link by email, select Send link to iOS MDM profile and configure the settings in the By email section. Make sure that the email address is specified in the settings of user accounts.
   • To install the iOS MDM profile using a QR code, select Show link to installation package and scan the QR code using the camera of the mobile device.
   • If none of the listed methods are suitable for you, select Show link to installation package → Copy to copy the iOS MDM profile installation link to the clipboard. Use any available method to deliver the app installation link.
8. Finish the New Mobile Device Connection Wizard.

After installing the iOS MDM profile to users' mobile devices, you will be able to configure the app settings by using group policies. You will also be able to send commands to mobile devices for data protection in case devices are lost or stolen.

On mobile devices running iOS 12.1 or later, you must manually confirm installation of an iOS MDM profile on the mobile device. You must also grant permission for remote management of the device.

[Topic 98776]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installing administration plug-ins

To manage mobile devices, the following administration plug-ins must be installed to the administrator's workstation:

• The Administration Plug-in of Kaspersky Endpoint Security for Android provides the interface for managing mobile devices and mobile apps installed on them through the Administration Console of Kaspersky Security Center.
• The Administration Plug-in of Kaspersky Device Management for iOS provides an interface for managing mobile devices connected by means of the iOS MDM protocol through the Administration Console of Kaspersky Security Center.

You can install administration plug-ins by using the following methods:

• Install an administration plug-in using Quick Start Wizard of Kaspersky Security Center.

  The application automatically prompts you to run the Quick Start Wizard after Administration Server installation, at the first connection to it. You can also start the Quick Start Wizard manually at any time.

  The Quick Start Wizard allows you to accept the Terms and Conditions of the End User License Agreement (EULA) for the Kaspersky Endpoint Security for the Android app in Administration Console. If the administrator accepts the terms of the License Agreement in Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app. For more details on the Quick Start Wizard for Kaspersky Security Center, please refer to Kaspersky Security Center Help.

• Install the administration plug-in using the list of available distribution packages in Administration Console of Kaspersky Security Center.

  The list of available distribution packages is updated automatically after new versions of Kaspersky applications are released.

• Download the distribution package from an external source and install the administration plug-in using the EXE file.

  For example, the distribution package of the administration plug-in can be downloaded on the Kaspersky website.

Installing administration plug-ins from the list in Administration Console

To install the administration plug-ins:

1. In the console tree, select Advanced → Remote installation → Installation packages.
2. In the workspace, select Additional actions → View current versions of Kaspersky applications.

   This opens the list of up-to-date versions of Kaspersky applications.

3. In the Mobile devices section, select the Kaspersky Endpoint Security for Android or Kaspersky Device Management for iOS plug-in.
4. Click Download distribution packages button.

   A plug-in distribution will be downloaded to the computer memory (EXE file).

5. Run the EXE file and follow the instructions of the Installation Wizard.

Installing administration plug-ins from the distribution package

To install the Kaspersky Endpoint Security for Android Administration Plug-in,

Copy the plug-in installation file klcfinst.exe from the integrated solution distribution package and run it on the administrator's workstation.

The installation is performed by the Wizard, and you do not have to configure the settings.

To install the Kaspersky Device Management for iOS Administration Plug-in,

Copy the plug-in installation file klmdminst.exe from the integrated solution distribution package and run it on the administrator's workstation.

The installation is performed by the Wizard, and you do not have to configure the settings.

You can make sure that the administration plug-ins are installed by viewing the list of installed app administration plug-ins in the properties window of the Administration Server in the Advanced → Details of application management plug-ins installed section.

[Topic 136488]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Updating a previous version of the application

The application upgrade must meet the following requirements:

• The version of the Kaspersky Endpoint Security Administration Plug-in and the version of the Kaspersky Endpoint Security for Android mobile app must match.

  You can view the build numbers of the versions of the Administration Plug-in and mobile app in the Release Notes for Kaspersky Security for Mobile.

• Make sure that Kaspersky Security Center satisfies the software requirements of Kaspersky Security for Mobile.
• The administration plug-ins of Kaspersky Endpoint Security 10.0 Service Pack 2 (Build 10.6.0.1801) and Kaspersky Device Management for iOS 10.0 Service Pack 2 (Build 10.6.0.1767) and later versions can be automatically upgraded to the current version. Upgrades of earlier versions of administration plug-ins are not supported.

  To upgrade administration plug-ins of earlier versions, you must remove the installed administration plug-ins and group policies that were created with them. Then install the new versions of the administration plug-ins. For details on removing administration plug-ins, please visit the Kaspersky Technical Support website.

• Use the same version of Kaspersky Endpoint Security for Android on all mobile devices of the organization.

The terms and conditions of technical support for Kaspersky Security for Mobile versions are available on the Kaspersky Technical Support website.

To view the version and build number of administration plug-ins:

1. In the console tree in the context menu of the Administration Server, select Properties.
2. In the Administration Server properties window, select Advanced → Details of application management plug-ins installed.

The workspace displays information about installed administration plug-ins in the format <Plug-in name> <Version> <Build>.

You can view the version and build number of the Kaspersky Endpoint Security for Android app by using the following methods:

• If Kaspersky Endpoint Security for Android was installed with a standalone installation package, you can view the version and build number of the app in the package properties.
• If Kaspersky Endpoint Security for Android was installed through Google Play, you can view the build number in the app settings ( → About the app).

Updates functionality (including providing anti-virus signature updates and codebase updates), as well as KSN functionality will not be available in the software in the U.S. territory from 12:00 AM Eastern Daylight Time (EDT) on September 10, 2024 in accordance with the restrictive measures.

[Topic 102240]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Upgrading the previous version of Kaspersky Endpoint Security for Android

Kaspersky Endpoint Security for Android can be updated in the following ways:

• Using Google Play. The mobile device user downloads the new version of the app from Google Play and installs it on the device.
• Using Kaspersky Security Center. You can remotely update the version of the app on the device using the Kaspersky Security Center remote administration system.

You can select the app update method that is most suitable for your organization. You can use only one update method.

Updating the app from Google Play

The app can be updated from Google Play by following the standard update procedure of the Android platform. The following conditions must be met in order for the app to be updated:

• The device user must have a Google account.
• The device must be linked to your Google account.
• The device must be connected to the internet.

After downloading the app from Google Play, Kaspersky Endpoint Security for Android checks the Terms and Conditions of the End User License Agreement (EULA). If the terms of the EULA are updated, the app sends a request to the Kaspersky Security Center. If the administrator accepts the EULA in Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app. If the administrator uses an outdated version of the administration plug-in, Kaspersky Security Center prompts you to update the administration plug-in. When updating the administration plug-in, an administrator can accept the terms of the EULA in Administration Console for the Kaspersky Endpoint Security for Android.

You can update the app through Google Play if Kaspersky Endpoint Security for Android was installed from Google Play. If the app was installed using another method, you cannot update the app through Google Play.

Updating the app through Kaspersky Security Center

Kaspersky Endpoint Security for Android can be upgraded using Kaspersky Security Center after application of a group policy. In the group policy settings, you can select the Kaspersky Endpoint Security for the Android standalone installation package of the version that meets the corporate security requirements.

You can update through Kaspersky Security Center if Kaspersky Endpoint Security for Android was installed through Kaspersky Security Center. If the app was installed from Google Play, you cannot update the app through Kaspersky Security Center.

To upgrade Kaspersky Endpoint Security for Android using a standalone installation package, installation of apps from unknown sources must be allowed on the user's mobile device. For details about installing apps without Google Play, please refer to the Android Help Guide.

To update the version of the app:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Additional section.
5. In the Upgrading Kaspersky Endpoint Security for Android section, click the Select button.

   This opens the Upgrading Kaspersky Endpoint Security for Android window.

6. In the list of Kaspersky Endpoint Security standalone installation packages, select the package whose version meets the corporate security requirements.

   You can upgrade Kaspersky Endpoint Security only to a more recent application version. Kaspersky Endpoint Security cannot be upgraded to an older application version.

7. Click the Select button.

   A description of the selected standalone installation package is displayed in the Upgrading Kaspersky Endpoint Security for Android section.

8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. The mobile device user is prompted to install the new version of the app. After the user gives consent, the new app version is installed on the mobile device.

[Topic 180201]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installing an earlier version of Kaspersky Endpoint Security for Android

If you want to prevent automatic update of the app and use a specific version of Kaspersky Endpoint Security for Android, disable automatic update of the app in Google Play settings. For more detail, refer to the Google technical support website.

Automatic update of Kaspersky Endpoint Security for Android is available only if the app was installed from Google Play or through Kaspersky Security Center using the Google Play link. If the app was installed through Kaspersky Security Center using a link to your own web server (using the standalone installation package), automatic update is not available. In this case, you can use a group policy to manually update Kaspersky Endpoint Security for Android.

To install an earlier version of Kaspersky Endpoint Security for Android:

1. Remove Kaspersky Endpoint Security for Android from users' mobile devices.
2. Install Kaspersky Endpoint Security for Android through Kaspersky Security Center using a link to your own web server. To do so, you will need the installation package for the specific version. You can download the distribution package for earlier versions of Kaspersky Endpoint Security for Android on the Kaspersky Technical Support website.

For details on earlier versions of Kaspersky Endpoint Security for Android, please refer to the Help for the appropriate version of Kaspersky Security for Mobile.

[Topic 99183]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Upgrading previous versions of administration plug-ins

You can upgrade administration plug-ins by using the following methods:

• Install new version administration plug-in from the list of available distribution packages in Administration Console of Kaspersky Security Center.

  The list of available distribution packages is updated automatically after new versions of Kaspersky applications are released.

• Download the distribution package from an external source and install new version administration plug-in using the EXE file.

  To upgrade Kaspersky Endpoint Security for Android and Kaspersky Device Management for iOS Administration Plug-ins, you need to download the latest version of the application from the web page of Kaspersky Security for Mobile and run the Setup Wizard for each of the two plug-ins. Previous versions of plug-ins are removed automatically during operation of the Installation Wizard.

Kaspersky experts recommend using the same version of the app and administration plug-ins. If user upgrades the app from Google Play, the Kaspersky Security Center shows notification with a prompt to upgrade the administration plug-in.

When administration plug-ins are updated, the existing administration groups in the Managed devices folder and rules for the automatic allocation of devices from the Unassigned devices folder to these groups are saved. The existing group policies for mobile devices are also saved. New policy settings that implement the new functions of the Kaspersky Security for Mobile integrated solution will be added to the existing policies and will have the default values.

If new settings have been added or the default values have been changed in the new version of the administration plug-in, the changes will be applied only after a group policy is opened. Until the administrator opens a group policy, the settings of the previous version of the plug-in will be applied on mobile devices even if the plug-in version has been updated.

Upgrading from the list in Administration Console

To upgrade the administration plug-ins:

1. In the console tree, select Advanced → Remote installation → Installation packages.
2. In the workspace, select Additional actions → View current versions of Kaspersky applications.

   This opens the list of up-to-date versions of Kaspersky applications.

3. In the Mobile devices section, select the Kaspersky Endpoint Security for Android or Kaspersky Device Management for iOS plug-in.
4. Click Download distribution packages button.

   A plug-in distribution will be downloaded to computer memory (EXE file). Run the EXE file. Follow the instructions of the Installation Wizard.

Upgrading from the distribution package

To upgrade the Kaspersky Endpoint Security for Android Administration Plug-in,

Copy the plug-in installation file klcfinst.exe from the integrated solution distribution package and run it on the administrator's workstation.

The installation is performed by the Wizard, and you do not need to configure the settings.

To upgrade the Kaspersky Device Management for iOS Administration Plug-in,

Copy the plug-in installation file klmdminst.exe from the integrated solution distribution package and run it on the administrator's workstation.

Plug-in installation is performed by the Wizard, and you do not need to configure the settings.

You can make sure that the administration plug-ins are upgraded by viewing the list of installed app administration plug-ins in the properties window of the Administration Server, in the Advanced → Details of application management plug-ins installed section.

[Topic 98987]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Removal of Kaspersky Endpoint Security for Android

Kaspersky Endpoint Security for Android can be removed in the following ways:

1. App removal by the user

   The user removes Kaspersky Endpoint Security for Android manually using the app interface. In order for users to be able to remove the app, app removal should be allowed in the policy applied to the device.

2. App removal by the administrator

   The administrator removes the app remotely using the Administration Console of Kaspersky Security Center. The app can be removed from a separate device or from several devices at once.

To remove Kaspersky Endpoint Security for Android from a device operating in device owner mode:

1. Send the Reset to factory settings command from Administration Console to the device. This command removes all device data and rolls back device settings to their factory values.
2. Manually remove the device from the list of managed devices in Administration Console.

   If the device is not removed from Administration Console, there can be problems with further installation of Kaspersky apps on this device.

[Topic 99000]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Remote app removal

You can remove Kaspersky Endpoint Security for Android from users' mobile devices remotely in the following ways:

• Using a group policy. This method is convenient if you want to remove the app from several devices at once.
• By configuring local app settings. This method is convenient if you want to remove the app from a separate device.

For information about removing Kaspersky Endpoint Security for Android from devices operating in device owner mode, see the App removal in device owner mode section below.

To remove the app by applying a group policy:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Additional section.
5. In the Removal of Kaspersky Endpoint Security for Android section, select the Remove Kaspersky Endpoint Security for Android from device check box.

   This setting doesn't apply to devices operating in device owner mode.

6. Click the Apply button to save the changes you have made.

As a result, Kaspersky Endpoint Security for Android is removed from mobile devices after synchronization with the Administration Server. Users of mobile devices receive a notification that the app has been removed.

To remove the app by configuring local settings:

1. In the console tree, select Mobile Device Management → Mobile devices.
2. In the list of devices, select the device on which you want to remove the app.
3. Open the device properties window double-clicking.
4. Select Apps → Kaspersky Endpoint Security for Android.
5. Open the Kaspersky Endpoint Security properties window by double-clicking.
6. Select the Additional section.
7. In the Removal of Kaspersky Endpoint Security for Android section, select the Remove Kaspersky Endpoint Security for Android from device check box.

   This setting doesn't apply to devices operating in device owner mode.

8. Click the Apply button to save the changes you have made.

As a result, Kaspersky Endpoint Security for Android is removed from mobile device after synchronization with the Administration Server. The mobile device user receives a notification that the app has been removed.

App removal in device owner mode

To remove Kaspersky Endpoint Security for Android from a device operating in device owner mode:

1. In the console tree, select Mobile Device Management → Mobile devices.
2. In the list of devices, select the device on which you want to remove the app.
3. Right-click the device.
4. In the context menu, select Mobile Device Management → Reset to factory settings.

   The Reset to factory settings command is sent to the device. This command removes all device data and rolls back device settings to their factory values.

5. In the list of devices, right-click the device and select Delete.

   The device is removed from the list of managed devices in Administration Console.

   If the device is not removed from Administration Console, there can be problems with further installation of Kaspersky apps on this device.

[Topic 98994]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Permitting users to remove the app

To protect the app from removal on devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, the app is not protected from removal.

You can allow users to remove Kaspersky Endpoint Security for Android from their mobile devices in the following ways:

• Using a group policy. This method is convenient if you want to allow users to remove the app from several devices at once.
• Using local app settings. This method is convenient if you want to allow the user of a separate device to remove the app.

On devices operating in device owner mode, Kaspersky Endpoint Security for Android can be removed only by the administrator. For instructions, please refer to Remote app removal.

To allow removal of the app in a group policy:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Additional section.
5. In the Removal of Kaspersky Endpoint Security for Android section, set the Allow removal of Kaspersky Endpoint Security for Android check box.

   This setting doesn't apply to devices operating in device owner mode.

6. Click the Apply button to save the changes you have made.

As a result, removal of the app by users is allowed on mobile devices after synchronization with the Administration Server. The app removal button becomes available in the Kaspersky Endpoint Security for Android settings.

To allow removal of the app in the local app settings:

1. In the console tree, select Additional → Mobile Device Management → Mobile devices.
2. In the list of devices, select the device from which you want to allow app removal by the user.
3. Open the device properties window double-clicking.
4. Select Applications → Kaspersky Endpoint Security for Mobile.
5. Open the Kaspersky Endpoint Security properties window by double-clicking.
6. Select the section Additional.
7. In the Removal of Kaspersky Endpoint Security for Android section, set the Allow removal of Kaspersky Endpoint Security for Android check box.

   This setting doesn't apply to devices operating in device owner mode.

8. Click the Apply button to save the changes you have made.

As a result, removal of the app by the user is allowed on the mobile device after synchronization with the Administration Server. The app removal button becomes available in the Kaspersky Endpoint Security for Android settings.

[Topic 98992]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

App removal by the user

To independently remove Kaspersky Endpoint Security for Android from a mobile device, the user must do the following:

1. In the main window of Kaspersky Endpoint Security for Android, tap   → Uninstall the app.

   A confirmation prompt appears on the screen.

   If the Uninstall the app button is missing, this means that the administrator enabled protection against removal of Kaspersky Endpoint Security for Android or the device operates in device owner mode.

   On devices operating in device owner mode, Kaspersky Endpoint Security for Android can be removed only by the administrator. For instructions, please refer to Remote app removal.

2. Confirm removal of Kaspersky Endpoint Security for Android.

The Kaspersky Endpoint Security for Android app will be removed from the user's mobile device.

[Topic 136270]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuration and Management

This Help section is intended for specialists who administer Kaspersky Security for Mobile, as well as for specialists who provide technical support to organizations that use Kaspersky Security for Mobile.

[Topic 141535]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Getting Started

This section describes the actions that you are recommended to perform when getting started with Kaspersky Security for Mobile.

[Topic 100337]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Starting and stopping the application

Kaspersky Security Center automatically starts and stops administration plug-ins of Kaspersky Endpoint Security and Kaspersky Device Management for iOS.

Kaspersky Endpoint Security for Android launches when the operating system starts up and protects the mobile device during the entire session. The user can stop the app by disabling all Kaspersky Endpoint Security for Android components. You can use group policies to configure user permissions to manage app components.

On certain devices (for example, Huawei, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts (Security → Permissions → Autorun). If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted.

You must also disable Battery Saver mode for Kaspersky Endpoint Security for Android. This is necessary for the app to run in the background, such as running a scheduled virus scan or synchronizing the device with Kaspersky Security Center. This issue is attributable to the specific features of the embedded software of these devices.

[Topic 89688_1]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating an administration group

To perform centralized configuration of the Kaspersky Endpoint Security for Android app installed on the users' mobile devices, the group policies must be applied to the devices.

To apply the policy to a device group, you are advised to create a separate group for these devices in the Managed devices prior to installing mobile apps on user devices.

After creating an administration group, it is recommended to configure the option to automatically allocate devices on which you want to install the apps to this group. Then configure settings that are common to all devices using a group policy.

To create administration group, follow the steps below:

1. In the console tree, select the Managed devices folder.
2. In the workspace of the Managed devices folder or subfolder, select the Devices tab.
3. Click the New group  button.

   This opens the window in which you can create a new group.

4. In the Group name window type the group name and click OK.

A new administration group folder with the specified name appears in the console tree. For more detailed information on use of administration groups, see Kaspersky Security Center Help.

[Topic 99958]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Group policies for managing mobile devices

A group policy is a package of settings for managing mobile devices that belong to an administration group and for managing mobile apps installed on the devices. You can create a group policy using the Policy Wizard.

You can use a policy to configure settings of both individual devices and a group of devices. For a group of devices, administration settings can be configured in the window of group policy properties. For an individual device, they can be configured in the window of local application settings. Individual management settings specified for one device may differ from the values of settings configured in the policy for a group to which this device belongs.

Each parameter represented in a policy has a "lock" attribute, which shows whether the setting is allowed for modification in the policies of nested hierarchy levels (for nested groups and secondary Administration Servers), in local application settings.

The values of settings configured in the policy and in local application settings are saved on the Administration Server, distributed to mobile devices during synchronization, and saved to devices as current settings. If the user has specified other values of settings that have not been "locked", during the next synchronization of the device with the Administration Server the new values of settings are relayed to the Administration Server and saved in the local settings of the application instead of the values that had been previously specified by the administrator.

To keep corporate security of mobile devices up to date, you can monitor users' devices for compliance with the group management policy.

The security level indicator is displayed in the upper part of the group policy window. The security level indicator will help you configure the policy so as to ensure a high level of device protection. The protection level indicator status changes depending on the policy settings:

• High protection level – an appropriate level of device protection is provided. All protection components function according to the settings recommended by Kaspersky.
• Medium protection level – the protection level is lower than recommended. Some critical protection components are disabled (for example, Web Protection). Important issues are marked with the icon.
• Low protection level – there are problems that may lead to infection of the device and loss of data. Some critical protection components are disabled (for example, real-time protection of devices is disabled). Critical issues are marked with the icon.

For more details on managing policies and administration groups in the Administration Console of Kaspersky Security Center, see Kaspersky Security Center help.

[Topic 89890]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating a group policy

This section describes the process of creating group policies for devices on which Kaspersky Endpoint Security for Android mobile app are installed and policies for iOS MDM devices.

Policies created for an administration group are shown in the group workspace in the Administration Console of Kaspersky Security Center on the Policies tab. The icon indicating the policy status (active / inactive) appears before the policy name. Several policies for different apps can be created in one group. Only one policy for each app can be active. When a new active policy is created, the previous active policy becomes inactive.

You can modify a policy after it is created.

To a policy for managing mobile devices:

1. From the console tree, select an administration group for which you want to create a policy.
2. In the workspace of the group, select the Policies tab.
3. Click the Create policy link to start the Policy Wizard.

This starts the Policy Wizard.

Step 1. Choose an application for creating a group policy

At this step, select the application for which you want to create a group policy in the list of applications:

• Kaspersky Endpoint Security for Android – for devices using the Kaspersky Endpoint Security for Android mobile app.

It is recommended to create a separate policy for Huawei and Honor devices that do not have Google play services. This way you can send links to Huawei AppGallery to the users of all such devices.

• Kaspersky Device Management for iOS – for iOS MDM devices.

A policy for mobile devices can be created if the Kaspersky Endpoint Security for Android Administration Plug-in and the Kaspersky Device Management for iOS Administration Plug-in are installed on the administrator's desktop. If the plug-ins are not installed, the name of the relevant application does not appear in the list of applications.

Proceed to the next step of the Policy Wizard.

Step 2. Enter a group policy name

At this step, type the name for the new policy in the Name field. If you specify the name of an existing policy, it will have (1) added at the end automatically.

Proceed to the next step of the Policy Wizard.

Step 3. Create a group policy for the application

At this step, the Wizard prompts you to select the status of the policy:

• Active policy. The Wizard saves the created policy on the Administration Server. At the next synchronization of the mobile device with the Administration Server, the policy will be used on the device as the active policy.
• Inactive policy. The Wizard saves the created policy on the Administration Server as a backup policy. This policy can be activated in the future after a specific event. If necessary, an inactive policy can be switched to active state.

  Several policies can be created for one application in the group, but only one of them can be active. When a new active policy is created, the previous active policy automatically becomes inactive.

Exit the Wizard.

[Topic 88051_1]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring synchronization settings

To manage mobile devices and receive reports or statistics from mobile devices of users, you must configure the synchronization settings. Mobile device synchronization with Kaspersky Security Center may be performed in the following ways:

• By schedule. Synchronization by schedule is performed using the HTTP protocol. You can configure the synchronization schedule in the group policy settings. Modifications to group policy settings, commands and tasks will be performed when the device is synchronizing with Kaspersky Security Center according to the schedule, i.e. with a delay. By default, mobile devices are synchronized with the Kaspersky Security Center automatically every 6 hours.

  On Android 12 or later, the app may perform this task later than specified if the device is in battery saver mode.

• Forced. Forced synchronization is performed using push notifications of the FCM service (Firebase Cloud Messaging). Forced synchronization is primarily intended for timely delivery of commands to a mobile device. If you want to use forced synchronization, make sure that the GSM settings are configured in Kaspersky Security Center. For more information, refer to Kaspersky Security Center help.

To configure the settings of mobile device synchronization with the Kaspersky Security Center:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Synchronization section.
5. Select the frequency of synchronization in the Synchronize drop-down list.
6. To disable synchronization of a device with Kaspersky Security Center while roaming, select the Do not synchronize while roaming check box.

   The device user can manually perform synchronization in the app settings ( → Settings → Synchronization → Synchronize).

7. To hide synchronization settings (server address, port and administration group) from the user in the app settings, clear the Show synchronization settings on device check box. It is impossible to modify hidden settings.
8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. You can manually synchronize the mobile device by using a special command. To learn more about working with commands for mobile devices, please refer to the Kaspersky Security Center help.

[Topic 152432]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Managing revisions to group policies

Kaspersky Security Center lets you track group policy modifications. Every time you save changes made to a group policy, a revision is created. Each revision has a number.

You can manage revisions only for Kaspersky Endpoint Security for Android policies. You cannot manage revisions for a Kaspersky Device Management for iOS policy.

You can perform the following actions on group policy revisions:

• Compare a selected revision to the current one.
• Compare selected revisions.
• Compare a policy with a selected revision of another policy.
• View a selected revision.
• Roll back policy changes to a selected revision.
• Save revisions as a .txt file.

For more details about managing revisions of group policies and other objects (for example, user accounts), please refer to Kaspersky Security Center help.

To view the history of group policy revisions:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Revision history section.

   A list of policy revisions is displayed. It contains the following information:

   • Policy revision number.
   • Date and time the policy was modified.
   • Name of the user who modified the policy.
   • Action performed on the policy.
   • Description of the revision made to policy settings.

[Topic 89954]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Removing a group policy

To remove a group policy:

1. In the console tree, select an administration group for which you want to remove a policy.
2. In the workspace of the administration group on the Policies tab select the policy you want to remove.
3. In the context menu of the policy, select Delete.

As a result, the group policy is deleted. Before the new group policy is applied, mobile devices belonging to the administration group continue to work with the settings specified in the policy that has been deleted.

[Topic 100347]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Restricting permissions to configure group policies

Kaspersky Security Center administrators can configure the access permissions of Administration Console users for different functions of the Kaspersky Security for Mobile integrated solution depending on the job duties of users.

In the Administration Console interface, you can configure access rights in the Administration Server properties window on the Security and User roles tabs. The User roles tab lets you add standard user roles with a predefined set of rights. The Security section lets you configure rights for one user or a group of users or assign roles to one user or a group of users. User rights for each application are configured according to functional scopes.

You can also configure user permissions specific to functional areas. Information about the correspondence between functional areas and policy tabs is given in Annex.

For each functional area, the administrator can assign the following permissions:

• Allow editing. The Administration Console user is allowed to change the policy settings in the properties window.
• Block editing. The Administration Console user is prohibited from changing the policy settings in the properties window. Policy tabs belonging to the functional scope for which this right has been assigned are not displayed in the interface.

For more details on managing user rights and roles in the Administration Console of Kaspersky Security Center, see the Kaspersky Security Center help.

[Topic 136319]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Protection

This section contains information about how to remotely manage protection of mobile devices in the Administration Console of Kaspersky Security Center.

[Topic 136503]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring anti-virus protection on Android devices

For the timely detection of threats, viruses, and other malicious applications, you should configure the settings for real-time protection and autorun of virus scans.

Kaspersky Endpoint Security for Android detects the following types of objects:

• Viruses, worms, Trojans, and malicious tools
• Adware
• Apps that can be exploited by criminals to harm your device or personal data

Anti-Virus has a number of limitations:

• When Anti-Virus is running, a threat detected in the external memory of the device (such as an SD card) cannot be neutralized automatically in the Work profile (Applications with a briefcase icon, Configuring the Android work profile). Kaspersky Endpoint Security for Android does not have access to external memory in the Work profile. Information about detected objects is displayed in app notifications. To neutralize objects detected in the external memory, the object files have to be deleted manually and the device scan restarted.
• Due to technical limitations, Kaspersky Endpoint Security for Android cannot scan files with a size of 2 GB or more. During a scan, the app skips such files without notifying you that such files were skipped.

To configure the mobile device real-time protection settings:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Protection section.
5. In the Protection section, configure the settings of mobile device file system protection:
   • To enable real-time protection of the mobile device against threats, select the Enable Protection check box.

     Kaspersky Endpoint Security for Android scans only new apps and files from the Downloads folder.

   • To enable extended protection of the mobile device against threats, select the Extended protection mode check box.

     Kaspersky Endpoint Security for Android will scan all files that the user opens, modifies, moves, copies, installs or saves on the device, as well as newly installed mobile apps.

     On devices running Android 8.0 or later, Kaspersky Endpoint Security for Android scans files that the user modifies, moves, installs and saves, as well as copies of files. Kaspersky Endpoint Security for Android does not scan files when they are opened, or source files when they are copied.

   • To enable additional scanning of new apps before they are started for the first time on the user's device with the help of the Kaspersky Security Network cloud service, select the Cloud protection (KSN) check box.
   • To block adware and apps that can be exploited by criminals to harm the device or user data, select the Detect adware, autodialers, and apps that can be used by criminals to cause harm to the user's device and data check box.
6. In the Action on threat detection list, select one of the following options:
   • Delete

     Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.

   • Skip

     If the detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file was deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.

   • Quarantine
7. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

To configure autorun of virus scans on the mobile device:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Scan section.
5. To block adware and apps that can be exploited by criminals to harm the device or user data, select the Detect adware, autodialers, and apps that can be used by criminals to cause harm to the user's device and data check box.
6. In the Action on threat detection list, select one of the following options:
   • Delete

     Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.

   • Skip

     If the detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file was deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.

   • Quarantine
   • Ask user

     The Kaspersky Endpoint Security for Android app displays a notification prompting the user to choose the action to take on the detected object: Skip or Delete.

     When the app detects several objects, the Ask user option allows the device user to apply a selected action to each file by using the Apply to all threats check box.

     Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure the display of notifications on mobile devices running Android 10.0 or later. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. In this case, Kaspersky Endpoint Security for Android displays an Android system window prompting the user to choose the action to take on the detected object: Skip or Delete. To apply an action to multiple objects, you need to open Kaspersky Endpoint Security.

7. The Scheduled scan section lets you configure the settings of the automatic launch of the full scan of the device file system. To do so, click the Schedule button and specify the frequency and start time of the full scan in the Schedule window.

   On Android 12 or later, the app may perform this task later than specified if the device is in battery saver mode.

8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. Kaspersky Endpoint Security for Android scans all files, including the contents of archives.

To keep mobile device protection up to date, configure the anti-virus database update settings.

By default, anti-virus database updates are disabled for when the device is roaming. Scheduled updates of anti-virus databases are not performed.

To configure the settings of anti-virus database updates:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Database update section.
5. If you want Kaspersky Endpoint Security for Android to download database updates according to the update schedule when the device is in the roaming zone, select the Allow database update while roaming check box in the Database update while roaming section.

   Even if the check box is cleared, the user can manually start an anti-virus database update when the device is roaming.

6. In the Database update source section, specify the update source from which Kaspersky Endpoint Security for Android receives and installs anti-virus database updates:
   • Kaspersky servers

     Using a Kaspersky update server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices. To update databases from Kaspersky servers, Kaspersky Endpoint Security for Android transmits data to Kaspersky (for example, the update task run ID). The list of data that is transmitted during database updates is provided in the End User License Agreement.

   • Administration Server

     Using the repository of Kaspersky Security Center Administration Server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices.

   • Other source

     Using a third-party server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices. To start an update, you should enter the address of an HTTP server in the field below (e.g., http://domain.com/).

7. In the Scheduled database update section, configure the settings for automatic anti-virus database updates on the user's device. To do so, click the Schedule button and specify the frequency and start time of updates in the Schedule window.

   On Android 12 or later, the app may perform this task later than specified if the device is in battery saver mode.

8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

[Topic 148305]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Protecting Android devices on the internet

To protect the personal data of a mobile device user on the internet, enable Web Protection. Web Protection blocks malicious websites that distribute malicious code, and phishing websites designed to steal your confidential data and gain access to your financial accounts. Web Protection scans websites before you open them using the Kaspersky Security Network cloud service. Web Protection also lets you configure a user's access to websites based on predefined lists of allowed and blocked websites.

Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time.

Web Protection on Android devices works only in the Google Chrome browser (including the Custom Tabs feature), Huawei Browser, and Samsung Internet Browser. Web Protection for Samsung Internet Browser does not block sites on a mobile device if a work profile is used and Web Protection is enabled only for the work profile.

To enable Web Protection in Google Chrome, Huawei browser, or Samsung Internet Browser:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Web Protection.
5. To use the Web Protection, you or device user must read and accept the Statement regarding data processing for the purpose of using Web Protection (Web Protection Statement):
   1. Click the link Web Protection Statement.

      This opens Statement regarding data processing for purpose of using Web Protection window. To accept the Web Protection Statement, you must read and accept Privacy Policy.

   2. Click the Privacy Policy link. Read and accept the Privacy Policy.

      If you do not accept Privacy Policy, mobile device user can accept Privacy Policy in the Initial Configuration Wizard or in the app ( → About → Terms and conditions → Privacy Policy).

   3. Select the Web Protection Statement acceptance mode:
      • I have read and accept the Web Protection Statement
      • Request acceptance of the Web Protection Statement from the device user
      • I do not accept the Web Protection Statement
6. If you select I do not accept the Web Protection Statement, the Web Protection does not block sites on a mobile device. Mobile device user cannot enable Web Protection in the Kaspersky Endpoint Security.
7. Select the Enable Web Protection check box.
8. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

[Topic 89901]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Protection of stolen or lost device data

This section describes how you can configure the unauthorized access protection settings on the device in case it gets lost or stolen.

[Topic 89902]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Sending commands to a mobile device

To protect data on a mobile device that is lost or stolen, you can send special commands (see the table below).

Commands for protecting data on a lost or stolen device

Special rights and permissions are required for the execution of commands of Kaspersky Endpoint Security for Android. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required rights and permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, it will be impossible to execute commands.

On devices running Android 10.0 or later, the user must grant the "All the time" permission to access the location. On devices running Android 11.0 or later, the user must also grant the "While using the app" permission to access camera. Otherwise, Anti-Theft commands will not function. The user will be notified of this limitation and will again be prompted to grant the permissions of required level. If the user selects the "Only this time" option for the camera permission, access is considered granted by the app. It is recommended to contact the user directly if the Camera permission is requested again.

For the complete list of available commands, please refer to Commands for mobile devices. To learn more about sending commands from Administration Console, please refer to Kaspersky Security Center help.

[Topic 138758]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Unlocking a mobile device

You can unlock a mobile device by using the following methods:

• Send the mobile device unlock command.
• Enter the one-time unlock code on the mobile device (only for Android devices).

On certain devices (for example, Huawei, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts. If the app is not added to the list, you can unlock the device only by using a one-time unlock code. You cannot use commands to unlock the device.

To learn more about sending commands from the list of mobile devices in Administration Console, please refer to Kaspersky Security Center help.

A one-time unlock code is a secret application code for unlocking the mobile device. The one-time code is generated by the application and is unique to each mobile device. You can change the length of the one-time code (4, 8 or 16 digits) in group policy settings in the Anti-Theft section.

To unlock the mobile device using a one-time code:

1. In the console tree, select Mobile Device Management → Mobile devices.
2. Select a mobile device for which you want to get a one-time unlock code.
3. Open the mobile device properties window by double-clicking.
4. Select Apps → Kaspersky Endpoint Security for Android.
5. Open the Kaspersky Endpoint Security properties window by double-clicking.
6. Select the Anti-Theft section.
7. A unique code for the selected device is shown in the One-time code field of the One-time device unlock code section.
8. Use any available method (such as email) to communicate the one-time code to the user of the locked device.
9. The user enters the one-time code on the screen of the device that is locked by Kaspersky Endpoint Security for Android.

The mobile device will be unlocked. After unlocking the mobile device running Android 5.0 – 6.Х, the screen unlock password is reset to "1234". After unlocking a device running Android 7.0 or later, the screen unlock password is not changed.

[Topic 145531]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Data encryption

To protect data against unauthorized access, you must enable encryption of all data on the device (for example, account credentials, external devices and apps, as well as email messages, SMS messages, contacts, photos, and other files). For access to encrypted data, you must specify a special key – device unlock password. If data is encrypted, access to it can be obtained only when the device is unlocked.

Data encryption is enabled by default on password-locked iOS devices (Settings → Touch ID / Face ID and Password → Enable Password).

To encrypt all data on an Android device:

1. Enable screen lock on the Android device (Settings → Security → Screen lock).
2. Set a device unlock password that is compliant with corporate security requirements.

   It is not recommended to use a pattern lock for unlocking the device. On certain Android devices running Android 6.0 or later, after encrypting data and restarting the Android device, you must enter a numeric password to unlock the device instead of a pattern lock. This issue is related to the operation of the Accessibility Features service. To unlock the device screen in this case, convert the pattern lock into a numeric password. For more details about converting a pattern lock into a numeric password, please refer to the Technical Support website of the mobile device manufacturer.

3. Enable encryption of all data on the device (Settings → Security → Encrypt data).

[Topic 243163]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deleting data on Android devices after failed password entry attempts

You can configure deleting all data on an Android device (that is, resetting the device to factory settings) after the user makes too many failed attempts to enter the screen unlock password.

These settings apply to devices operating in device owner mode and to personal devices on which the Kaspersky Endpoint Security for Android app is enabled as a device administrator.

To configure wiping all data:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Anti-Theft section.
5. In the Data wipe on device section, select the Wipe all data after failed attempts to enter unlock password check box.
6. In the Maximum number of attempts to enter unlock password field, specify the number of attempts that the user can make to unlock the device. The default value is 8. The maximum available value is 20.
7. Click the Apply button to save the changes you have made.

Mobile device settings are configured after the next device synchronization with Kaspersky Security Center. If the user exceeds the specified number of attempts to enter the correct screen unlock password, the Kaspersky Endpoint Security for Android app wipes all device data.

[Topic 136564]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring device unlock password strength

To protect access to a user's mobile device, you should set a device unlock password.

This section contains information about how to configure password protection on Android and iOS devices.

[Topic 90495]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring a strong unlock password for an Android device

To keep an Android device secure, you need to configure the use of a password for which the user is prompted when the device comes out of sleep mode.

You can impose restrictions on the user's activity on the device if the unlock password is weak (for example, lock the device). You can impose restrictions using the Compliance Control component. To do this, in the scan rule settings, you must select the Unlock password is not compliant with security requirements criterion.

On certain Samsung devices running Android 7.0 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: Kaspersky Endpoint Security for Android removal protection is enabled and screen unlock password strength requirements are set. To unlock the device, you must send a special command to the device.

To configure the use of an unlock password:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.
4. In the policy Properties window, select the Device Management section.
5. If you want the app to check whether an unlock password has been set, select the Require to set screen unlock password check box in the Screen lock section.

   If the application detects that no system password has been set on the device, it prompts the user to set it. The password is set according to the parameters defined by the administrator.

6. Specify the following options, if required:
   • Minimum number of characters

     The minimum number of characters in the user password. Possible values: 4 to 16 characters.

     The user's password is 4 characters long by default.

     On devices running Android 10.0 or later, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high.

     The values for devices running Android 10.0 or later are determined by the following rules:

     • If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered (e.g. 1234) sequences, or alphabetic/ alphanumeric. The PIN or password must be at least 4 characters long.
     • If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphabetic/ alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.
   • Minimum unlock password requirements (for device owner mode, Android 12 or earlier)

     Specifies minimum unlock password requirements. These requirements apply only to new user passwords. The following values are available:

     • Numeric

       The user can set a password that includes numbers or set any stronger password (for instance, alphabetic or alphanumeric).

       This option is selected by default.

     • Alphabetic

       The user can set a password that includes letters (or other non-number symbols) or set any stronger password (for instance, alphanumeric).

     • Alphanumeric

       The user can set a password that includes both numbers and letters (or other non-number symbols) or set any stronger complex password.

     • Any

       The user can set any password.

     • Complex

       The user must set a complex password according to the specified password properties:

       • Minimum number of letters
       • Minimum number of digits
       • Minimum number of special symbols
       • Minimum number of uppercase letters
       • Minimum number of lowercase letters
       • Minimum number of non-letter characters
     • Complex numeric

       The user can set a password that includes numbers with no repetitions (e.g. 4444) and no ordered sequences (e.g. 1234, 4321, 2468) or set any stronger complex password.

     • Weak biometric

       The user can use biometric unlock methods or set a stronger complex password.

     This option applies only to devices running Android 12 or later in device owner mode.

   • Password lifetime, in days

     Specifies the number of days before the password expires. Applying a new value will set the current password lifetime to the new value.

     The default value is 0. This means that the password won't expire.

   • Number of days to notify before password expires (for device owner mode)

     Specifies the number of days to notify the user before the password expires.

     The default value is 0. This means that the user won't be notified about password expiration.

     This option applies only to devices operating in device owner mode.

   • Password history length

     Specifies the maximum number of previous user passwords that can't be used as a new password.

     The default value is 0. This means that the new user password can match any previous password except the current one.

   • Period of inactivity before device locks, in seconds

     Specifies the period of inactivity before the device locks. After this period, the device will lock.

     The default value is 0. This means that the device won't lock after a certain period.

   • Period for unlocking without password, in minutes (for device owner mode, Android 8.0+)

     Specifies the period for unlocking the device without a password. During this period, the user can use biometric methods to unlock the screen. After this period, the user can unlock the screen only with a password.

     The default value is 0. This means that the user won't be forced to unlock the device with a password after a certain period.

     This option applies only to devices running Android 8 or later in device owner mode.

   • Allow biometric unlock methods (Android 9+)

     If the check box is selected, the use of biometric unlock methods on the mobile device is allowed.

     If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of biometric methods to unlock the screen. The user can unlock the screen only with a password.

     This check box is selected by default.

     This setting applies only to devices running Android 9 or later.

   • Allow use of fingerprints

     The use of fingerprints to unlock the screen. This check box does not restrict the use of a fingerprint scanner when signing in to apps or confirming purchases.

     On devices running Android 10.0 or later, the use of fingerprints to unlock the screen can be managed for work profiles only.

     If the check box is selected, the use of fingerprints on the mobile device is allowed. If the unlock password does not comply with corporate security requirements, the user cannot use a fingerprint scanner to unlock the screen.

     If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of fingerprints to unlock the screen. The user can unlock the screen only with a password. In the Android settings, the option to use fingerprints will be unavailable (Android Settings > Security > Screen lock > Fingerprints).

     This check box is available only if the Allow biometric unlock methods (Android 9+) check box is selected.

     This check box is selected by default.

   • Allow face scanning (Android 9+)

     If the check box is selected, the use of face scanning on the mobile device is allowed.

     If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of face scanning to unlock the screen.

     This check box is available only if the Allow biometric unlock methods (Android 9+) check box is selected.

     This check box is selected by default.

     This setting applies only to devices running Android 9 or later.

   • Allow iris scanning (Android 9+)

     If the check box is selected, the use of iris scanning on the mobile device is allowed.

     If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of iris scanning to unlock the screen.

     This check box is available only if the Allow biometric unlock methods (Android 9+) check box is selected.

     This check box is selected by default.

     This setting applies only to devices running Android 9 or later.

   • Force use of password at startup

     If the check box is selected, the user is not required to enter the password when the device starts up.

     Once this option is applied, it cannot be reverted without resetting the device to factory defaults.

     If the check box is cleared, the startup requirements remain unchanged.

     This check box is cleared by default.

   • Unlock password

     This option lets you set the password on the user device.

     On devices running Android 11 or later, this option applies only if the device is in device owner mode.

     Once you save the policy, this option applies to the device by sending a command with the specified password. The input is cleared and the specified password is not saved in Administration Console.

     • If the device is not protected with the password or is running Android 10 or earlier, Kaspersky Endpoint Security for Android sets the password immediately.
     • If the device is running Android 11 or later, Kaspersky Endpoint Security for Android prompts the user to apply the new password.

     If you leave this option empty, no changes are applied to the device.

7. Click the Apply button to save the changes you have made.