The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Configuring the work profile
To configure the settings of the Android work profile:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Android work profile.
- In the Android work profile workspace, select the Create work profile check box.
- Specify the work profile settings:
- On the General tab, specify the data sharing, contact, and other settings:
- Settings in the Data access and sharing section:
- Prohibit personal profile apps to share data with work profile apps
Restricts sharing of files, pictures, or other data from personal profile apps with work profile apps.
If the check box is selected, apps in personal profile can't share data with work profile apps.
If the check box is cleared, the apps in personal profile can share data with work profile apps.
The restriction doesn't affect search of contacts, access to the calendar, and copying data via clipboard across personal and work profiles. You can configure these functionalities by specifying the Prohibit personal profile apps to access work profile contacts, Synchronization of personal and work profile calendars, and Prohibit use of clipboard content across personal and work profiles options, respectively.
This check box is selected by default.
- Prohibit work profile apps to share data with personal profile apps
Restricts sharing of files, pictures, or other data from work profile apps with personal profile apps.
If the check box is selected, the apps in work profile can't share data with personal profile apps.
If the check box is cleared, the apps in work profile can share data with personal profile apps.
The restriction doesn't affect search of contacts, access to the calendar, and copying data via clipboard across personal and work profiles. You can configure these functionalities by specifying the Prohibit personal profile apps to access work profile contacts, Synchronization of personal and work profile calendars, and Prohibit use of clipboard content across personal and work profiles options, respectively.
This check box is selected by default.
- Prohibit work profile apps to access files in personal profile
Restricts access of work profile apps to files in personal profile.
If the check box is selected, the user can't access files in personal profile when using work profile apps.
If the check box is cleared, the user can access files in personal profile when using work profile apps. Note that the access must be also supported by the apps that are being used.
This check box is selected by default.
- Prohibit personal profile apps to access files in work profile
Restricts access of personal profile apps to files in work profile.
If the check box is selected, the user can't access files in work profile when using personal profile apps.
If the check box is cleared, the user can access files in work profile when using personal profile apps. Note that the access must be supported by the apps that are being used.
This check box is selected by default.
- Prohibit use of clipboard content across personal and work profiles
Selecting or clearing this check box specifies whether the device user is allowed to copy data via clipboard across personal and work profiles.
This check box is selected by default.
- Prohibit activation of USB debugging mode
Restricts the use of USB debugging mode on the user's mobile device in the work profile. In USB debugging mode, the user can download an app via a workstation, for example.
If the check box is selected, USB debugging mode is not available to the user. The user is unable to configure the mobile device via USB after connecting the device to a workstation.
If the check box is cleared, the user can enable USB debugging mode, connect the mobile device to a workstation via USB, and configure the device.
This check box is selected by default.
- Prohibit the user to add and remove accounts in work profile
If the check box is selected, the user is prohibited from adding and removing accounts in the work profile via Settings or Google apps. This includes restricting the ability to sign in to Google apps for the first time. However, the user can sign in, add, and remove accounts via some other third-party apps in the work profile.
Accounts that were added before the restriction is set will not be removed, and signing in to these accounts is not restricted.
This check box is selected by default.
- Prohibit screen sharing, recording, and screenshots in work profile apps
Selecting or clearing this check box specifies whether the device user is allowed to take screenshots, record and share the device screen in work profile apps.
This check box is selected by default.
- Settings in the Contacts section:
- Prohibit showing contact name from work profile for incoming calls in personal profile
Selecting or clearing this check box specifies whether a contact name from work profile will be shown in personal profile for incoming calls.
This check box is selected by default.
- Prohibit personal profile apps to access work profile contacts
Selecting or clearing this check box specifies whether contact management apps (for example, built-in Google Contacts Manager) in personal profile are allowed to access work profile contacts.
This check box is selected by default.
- On the Apps tab, specify the following settings:
- Enable App Control in Work profile only
Controls the startup of apps in the work profile on the user's mobile device. You can create lists of allowed, blocked, recommended, and required apps as well as allowed and blocked app categories in the App Control section.
If this check box is selected, depending on the App Control settings, Kaspersky Endpoint Security blocks or allows startup of apps only in the work profile. Meanwhile, App Control does not work in the personal profile.
This check box is cleared by default.
- Enable Web Protection in work profile only
Restricts user access to websites in the work profile on the device. You can specify website access settings (create a list of blocked website categories or a list of allowed websites) in the Web Protection section. If Web Protection is disabled, Kaspersky Endpoint Security only restricts user access to websites in the Phishing and Malware categories. These categories are selected by default in the Websites of selected categories are forbidden area of Web Protection.
If this check box is selected, Web Protection for Google Chrome blocks or allows access to websites only in the Android work profile. Meanwhile, Web Protection does not work in the personal profile.
If this check box is cleared, depending on the Web Protection settings, Kaspersky Endpoint Security blocks or allows access to websites in the personal and work profiles of the mobile device.
For Samsung Internet Browser and Huawei Browser, leave the Enable Web Protection in work profile only check box unselected. These browsers do not allow you to enable Web Protection only in the work profile. If you select this check box, Web Protection in these browsers will not work.
This check box is cleared by default.
- Prohibit installation of apps in the work profile from unknown sources
Restricts installation of apps in the work profile from all sources other than Google Play Enterprise.
If the check box is selected, the user can install apps from Google Play only. Users use their own Google corporate accounts to install apps.
If the check box is cleared, the user can install apps in any available way. Only blocked apps the list of which can be created in the App Control section cannot be installed.
This check box is cleared by default.
- Prohibit removal of apps from work profile
Selecting or clearing this check box specifies whether the user is prohibited from removing apps from the work profile.
This check box is cleared by default.
- Prohibit display of notifications from work profile apps when screen is locked
Restricts display of notification contents from work profile apps on the lock screen of the device.
If the check box is selected, contents of notifications from work profile apps can't be viewed on the device lock screen. To view the notifications, the user has to unlock the device or the work profile.
If the check box is cleared, notifications from work profile apps are displayed on the device lock screen.
This check box is cleared by default.
- Prohibit use of camera for work profile apps
Selecting or clearing this check box specifies whether work profile apps can access the device camera.
This check box is selected by default.
On devices running Android 10 or later, if the Prohibit use of camera check box in the Device Management section is selected, the device camera may be blocked in the work profile even if the Prohibit use of camera for work profile apps check box is cleared.
- Granting runtime permissions for work profile apps
The Granting runtime permissions for work profile apps setting allows you to select an action to be performed when work profile apps are running and request additional permissions. This does not apply to permissions granted in device Settings (e.g. Access All Files).
- Prompt the user for permissions
When a permission is requested, the user decides whether to grant the specified permission to the app.
This option is selected by default.
- Grant permissions automatically
All work profile apps are granted permissions without user interaction.
- Deny permissions automatically
All work profile apps are denied permissions without user interaction.
Users can modify app permissions in the device Settings.
On Android 12 or later, the following permissions can't be granted automatically but can be denied automatically. If you select Grant permissions automatically, the app will prompt the user for these permissions:
- Manifest.permission.ACCESS_FINE_LOCATION
- Manifest.permission.ACCESS_BACKGROUND_LOCATION
- Manifest.permission.ACCESS_COARSE_LOCATION
- Manifest.permission.CAMERA
- Manifest.permission.RECORD_AUDIO
- Manifest.permission.RECORD_BACKGROUND_AUDIO
- Manifest.permission.ACTIVITY_RECOGNITION
- Manifest.permission.BODY_SENSORS
- Manifest.permission.READ_SMS
- Adding widgets of work profile apps to device home screen
The Adding widgets of work profile apps to device home screen setting allows you to choose whether the device user is allowed to add widgets of work profile apps to device home screen.
- Prohibit for all apps
The device user is prohibited from adding widgets of apps installed in the work profile.
This option is selected by default.
- Allow for all apps
The device user is allowed to add widgets of all apps installed in the work profile.
- Allow only for the listed apps
The device user is allowed to add widgets of listed apps installed in the work profile.
To add an app to the list, click Add and enter an app package name.
To get the package name of an app:
- Open Google Play.
- Find the required app and open its page.
The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).
To get the package name of an app that has been added to Kaspersky Security Center:
- In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
- Click the Additional actions button and select Manage mobile apps packages in the drop-down list.
In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.
If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add this app's package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.
To remove an app from the list, select the app and click Delete.
- On the Certificates tab, you can configure the following settings:
- Duplicate installation of the VPN certificates in personal profile
Selecting or clearing the check box specifies whether the VPN certificate added in the Mobile Device Management > Certificates section of the Kaspersky Security Center Administration Console and installed to the work profile will also be installed to the personal profile.
By default, VPN certificates received from Kaspersky Security Center are installed in the work profile. This setting is applied when a new VPN certificate is issued.
This check box is cleared by default.
- Duplicate installation of root certificates in personal profile
Selecting or clearing the check box specifies whether the root certificates added in the Root certificates policy section and installed to the work profile will also be installed to the personal profile.
This check box is cleared by default.
- On the Password tab, specify work profile password settings:
- Require to set password for work profile
Allows you to specify the requirements for the work profile password according to company security requirements.
If the check box is selected, password requirements are available for configuration. When the policy is applied, the user receives a notification prompting to set up work profile password according to company requirements.
If the check box is cleared, editing password settings is not available.
This check box is cleared by default.
- Minimum number of characters
The minimum number of characters in the user password. Possible values: 4 to 16 characters.
The user's password is 4 characters long by default.
The following is applicable only to personal and work profiles:
- In personal profile, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high on devices running Android 10 or later.
- In work profile, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high on devices running Android 12 or later.
The values are determined by the following rules:
- If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN) with no repeating or ordered (e.g. 1234) sequences, or alphabetic/alphanumeric. The PIN or password must be at least 4 characters long.
- If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN) with no repeating or ordered sequences, or alphabetic/alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.
- Minimum password complexity requirements (Android 12 or earlier)
Specifies minimum unlock password requirements. These requirements apply only to new user passwords. The following values are available:
- Numeric
The user can set a password that includes numbers or set any stronger password (for instance, alphabetic or alphanumeric).
This option is selected by default.
- Alphabetic
The user can set a password that includes letters (or other non-number symbols) or set any stronger password (for instance, alphanumeric).
- Alphanumeric
The user can set a password that includes both numbers and letters (or other non-number symbols) or set any stronger complex password.
- Not specified
The user can set any password.
- Complex
The user must set a complex password according to the specified password properties:
- Minimum number of letters
- Minimum number of digits
- Minimum number of special symbols (for example, !@#$%)
- Minimum number of uppercase letters
- Minimum number of lowercase letters
- Minimum number of non-letter characters (for example, 1^&*9)
- Complex numeric
The user can set a password that includes numbers with no repetitions (e.g. 4444) and no ordered sequences (e.g. 1234, 4321, 2468) or set any stronger complex password.
This option applies only to devices running Android 12 or earlier.
- Maximum number of incorrect password attempts before deletion of work profile
Specifies the maximum number of attempts by the user to enter password to unlock the device. When the policy is applied, the work profile will be deleted from the device after the maximum number of attempts is exceeded.
Possible values are 4 to 16.
The default value is not set. This means that the attempts are not limited.
- Maximum password age, in days
Specifies the number of days before the password expires. Applying a new value will set the current password lifetime to the new value.
The default value is 0. This means that the password won't expire.
- Number of days to notify that a password change is required
Specifies the number of days to notify the user before the password expires.
The default value is 0. This means that the user won't be notified about password expiration.
- Number of recent passwords that can't be used as a new password
Specifies the maximum number of previous user passwords that can't be used as a new password. This setting will apply only when the user sets new password on the device.
The default value is 0. This means that the new user password can match any previous password except the current one.
- The period of inactivity before the device screen locks, in seconds
Specifies the period of inactivity before the device locks. After this period, the device will lock.
The default value is 0. This means that the device won't lock after a certain period.
- Period after unlocking by biometric methods before entering a password, in minutes (Android 8.0+)
Specifies the period for unlocking the device without a password. During this period, the user can use biometric methods to unlock the screen. After this period, the user can unlock the screen only with a password.
The default value is 0. This means that the user won't be forced to unlock the device with a password after a certain period.
This option applies only to devices running Android 8 or later.
- Allow biometric unlock methods (Android 9+)
If the check box is selected, the use of biometric unlock methods on the mobile device is allowed.
If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of biometric methods to unlock the screen. The user can unlock the screen only with a password.
This check box is selected by default.
This setting applies only to devices running Android 9.0 or later. Starting from Android 10, this setting applies only to the device owner mode.
- Allow use of fingerprints
The use of fingerprints to unlock the screen.
This check box does not restrict the use of a fingerprint scanner when signing in to apps or confirming purchases.
If the check box is selected, the use of fingerprints on the mobile device is allowed.
If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of fingerprints to unlock the screen. The user can unlock the screen only with a password. In the Android settings, the option to use fingerprints will be unavailable (Android Settings > Security > Screen lock > Fingerprints).
This check box is available only if the Allow biometric unlock methods (Android 9.0 or later; starting from Android 10, only for device owner mode) check box is selected.
This check box is selected by default.
This setting applies to devices running all supported Android versions. Starting from Android 10, this setting applies only to the device owner mode.
- Allow face scanning (Android 9+)
If the check box is selected, the use of face scanning on the mobile device is allowed.
If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of face scanning to unlock the screen.
This check box is available only if the Allow biometric unlock methods (Android 9.0 or later; starting from Android 10, only for device owner mode) check box is selected.
This check box is selected by default.
This setting applies only to devices running Android 9.0 or later. Starting from Android 10, this setting applies only to the device owner mode.
- Allow iris scanning (Android 9+)
If the check box is selected, the use of iris scanning on the mobile device is allowed.
If the check box is cleared, Kaspersky Endpoint Security for Android blocks the use of iris scanning to unlock the screen.
This check box is available only if the Allow biometric unlock methods (Android 9.0 or later; starting from Android 10, only for device owner mode) check box is selected.
This check box is selected by default.
This setting applies only to devices running Android 9.0 or later. Starting from Android 10, this setting applies only to the device owner mode.
- On the Passcode tab, specify the one-time passcode settings. The user will be prompted to enter the one-time passcode to unlock their work profile if it was locked.
- Passcode length
The number of digits in the passcode. Possible values: 4, 8, 12, or 16 characters.
The passcode length is 4 digits by default.
- Passcode
This field is displayed if you view the policy settings for a certain user device, not a group of devices.
This field displays the passcode required to unlock work profile. A new passcode is generated after the user unlocks work profile with the passcode.
This field is not editable.
- To configure work profile settings on the user's mobile device, block changes to settings.
- Click the Apply button to save the changes you have made.
Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center. The space of the user's mobile device is divided into a work profile and a personal profile.
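The rules under Minimum number of characters on the Password tab mean that the configured length is not what the device ends up enforcing: it is resolved into the medium or high system value. The following sketch is an added example, not Kaspersky or Android code. It applies the thresholds quoted on this page to constructed sample values, and its sequence test (a run of more than three digits with a constant step, matching the 4444, 1234, 4321, 2468 examples above) is an assumption.

```python
# Added example: resolve the policy's "Minimum number of characters" value into
# the medium/high strength level described on this page, then check a candidate
# PIN or password against that level. Function names are hypothetical.

# Minimum lengths quoted from the page for each resolved level.
LIMITS = {
    "medium": {"pin": 4, "password": 4},
    "high": {"pin": 8, "password": 6},
}

# Assumption: a run of more than 3 digits with one constant step is treated as a
# "repeating or ordered sequence" (step 0 = 4444, +1 = 1234, -1 = 4321, +2 = 2468).
MAX_RUN = 3


def resolve_level(policy_min_length: int) -> str:
    """Map the configured minimum length to the system strength value."""
    if policy_min_length < 1:
        raise ValueError("minimum length must be at least 1")
    return "medium" if policy_min_length <= 4 else "high"


def longest_constant_step_run(pin: str) -> int:
    """Length of the longest run of digits whose neighbours differ by one fixed step."""
    if len(pin) < 2:
        return len(pin)
    best = run = 1
    prev_step = None
    for a, b in zip(pin, pin[1:]):
        step = int(b) - int(a)
        run = run + 1 if step == prev_step else 2
        prev_step = step
        best = max(best, run)
    return best


def check_secret(secret: str, policy_min_length: int) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate under the resolved level."""
    level = resolve_level(policy_min_length)
    limits = LIMITS[level]
    is_pin = secret.isascii() and secret.isdigit()
    if is_pin:
        if len(secret) < limits["pin"]:
            return False, f"{level}: PIN shorter than {limits['pin']} digits"
        if longest_constant_step_run(secret) > MAX_RUN:
            return False, f"{level}: PIN has a repeating or ordered sequence"
        return True, f"{level}: PIN accepted"
    if len(secret) < limits["password"]:
        return False, f"{level}: password shorter than {limits['password']} characters"
    return True, f"{level}: password accepted"


def audit(samples):
    """Evaluate constructed (secret, policy_min_length) pairs."""
    return [(s, n, *check_secret(s, n)) for s, n in samples]


# Constructed sample input: candidate secrets paired with a policy minimum length.
SAMPLES = [
    ("2580", 4),      # medium, no long sequence
    ("1234", 4),      # medium, ordered sequence
    ("2580", 5),      # high, PIN must be 8 digits
    ("19283746", 5),  # high, 8 digits without a sequence
    ("abc12", 5),     # high, 5 characters is below the 6-character floor
    ("abc123", 5),    # high, meets the 6-character floor
]

if __name__ == "__main__":
    for secret, n, ok, reason in audit(SAMPLES):
        print(f"min={n:<2} {secret:<9} {'OK  ' if ok else 'FAIL'} {reason}")
```

Note the effect at the boundary: a policy value of 5 resolves to high, so a 5-character password or a 5-digit PIN that satisfies the configured number is still rejected.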