- Kaspersky Secure Mobility Management help
- What's new
- Working in MMC-based Administration Console
- Key use cases
- About Kaspersky Secure Mobility Management
- Distribution kit
- Key features of mobile device management in MMC-based Administration Console
- About Kaspersky Endpoint Security for Android app
- About Kaspersky Device Management for iOS
- About the Kaspersky Endpoint Security for Android Administration Plug-in
- About the Kaspersky Device Management for iOS Administration Plug-in
- Hardware and software requirements
- Known issues and considerations
- Deployment
- Solution architecture
- Deployment scenarios for Kaspersky Endpoint Security for Android
- Deployment scenarios for iOS MDM profile
- Preparing the Administration Console for deployment of the integrated solution
- Configuring Administration Server settings for connection of mobile devices
- Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server
- Displaying the Mobile Device Management folder in the Administration Console
- Creating an administration group
- Creating a rule for device automatic allocating to administration groups
- Creating a mobile certificate
- Deploying mobile device management systems
- Deploying a system for management using iOS MDM protocol
- iOS MDM Server deployment scenarios
- Simplified deployment scheme
- Deployment scheme involving Kerberos constrained delegation (KCD)
- Installing iOS MDM Server
- Use of iOS MDM Server by multiple virtual Servers
- Receiving an APNs certificate
- Renewing an APNs certificate
- Configuring a reserve iOS MDM Server certificate
- Installing an APNs certificate on an iOS MDM Server
- Configuring access to Apple Push Notification service
- Connecting KES devices to the Administration Server
- Integration with Public Key Infrastructure
- Deploying a system for management using iOS MDM protocol
- Installing Kaspersky Endpoint Security for Android
- Activating the Kaspersky Endpoint Security for Android app
- Installing an iOS MDM profile
- Installing administration plug-ins
- Updating a previous version of the application
- Removing Kaspersky Endpoint Security for Android
- Disconnecting an iOS MDM device from management
- Configuration and Management
- Getting Started
- Protection
- Configuring anti-virus protection on Android devices
- Protecting Android devices on the internet
- Protection of stolen or lost device data
- Configuring device unlock password strength
- Configuring a virtual private network (VPN)
- Configuring Firewall on Android devices (only Samsung)
- Protecting Kaspersky Endpoint Security for Android against removal
- Detecting device hacks (root)
- Configuring a global HTTP proxy on iOS MDM devices
- Adding security certificates to iOS MDM devices
- Adding a SCEP profile to iOS MDM devices
- Restricting SD card usage (only Samsung)
- Control
- Management
- Configuring connection to a Wi-Fi network
- Configuring email
- Installing root certificates on Android devices
- Configuring notifications for Kaspersky Endpoint Security for Android
- Connecting iOS MDM devices to AirPlay
- Connecting iOS MDM devices to AirPrint
- Bypassing the Activation Lock on supervised iOS devices
- Configuring the Access Point Name (APN)
- Configuring the Android work profile
- Adding an LDAP account
- Adding a calendar account
- Adding a contacts account
- Configuring calendar subscription
- Adding web clips
- Adding fonts
- Device owner mode
- Commands for mobile devices
- Managing the app using third-party EMM systems (Android only)
- Network load
- Participating in Kaspersky Security Network
- Data provision to third-party services
- Global acceptance of additional Statements
- Samsung KNOX
- Appendices
- Using the Kaspersky Endpoint Security for Android app
- App features
- Main window at a glance
- Status bar icon
- Device scan
- Running a scheduled scan
- Changing the Protection mode
- Anti-virus database updates
- Scheduled database update
- Things to do if your device gets lost or stolen
- Web Protection
- Get Certificate
- Synchronizing with Kaspersky Security Center
- Activating the Kaspersky Endpoint Security for Android app without Kaspersky Security Center
- Installing the app in device owner mode
- Installing root certificates on the device
- Enabling accessibility on Android 13 or later
- Enabling accessibility for the app on Android 13
- Updating the app
- Removing the app
- Applications with a briefcase icon
- KNOX app
- Using the Kaspersky Security for iOS app
- Working in Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console
- About mobile device management in Kaspersky Security Center Web Console and Cloud Console
- Distribution kit
- Key features of mobile device management in Kaspersky Security Center Web Console and Cloud Console
- About the Kaspersky Endpoint Security for Android app
- About the Kaspersky Security for iOS app
- About the Kaspersky Security for Mobile (Devices) plug-in
- About the Kaspersky Security for Mobile (Policies) plug-in
- Hardware and software requirements
- Known issues and considerations
- Deploying a mobile device management solution in Kaspersky Security Center Web Console or Cloud Console
- Managing mobile devices in Kaspersky Security Center Web Console and Cloud Console
- Managing group policies
- Defining policy settings
- Configuring anti-virus protection
- Defining device unlock settings
- Configuring protection of stolen or lost device data
- Configuring app control
- Configuring compliance control of mobile devices with corporate security requirements
- Configuring user access to websites
- Configuring feature restrictions
- Protecting Kaspersky Endpoint Security for Android against removal
- Configuring synchronization of mobile devices with Kaspersky Security Center
- Kaspersky Security Network
- Exchanging information with Google Analytics for Firebase, Firebase Performance Monitoring, and Crashlytics
- Configuring notifications on mobile devices
- Detecting device hacks
- Defining licensing settings
- Configuring events
- Configuring events about the installation, update, and removal of apps on users' devices
- Network load
- About mobile device management in Kaspersky Security Center Web Console and Cloud Console
- Application licensing
- Comparison of solution features depending on the management tools
- Contact Technical Support
- Sources of information about the application
- Glossary
- Activating the application
- Activation code
- Administration group
- Administration Server
- Administrator's workstation
- Android work profile
- Anti-virus databases
- Apple Push Notification service (APNs) certificate
- Application management plug-in
- Certificate Signing Request
- Compliance control
- Device administrator
- End User License Agreement
- Group task
- IMAP
- Installation package
- iOS MDM device
- iOS MDM profile
- iOS MDM Server
- Kaspersky categories
- Kaspersky Private Security Network (KPSN)
- Kaspersky Security Center Administrator
- Kaspersky Security Center Web Server
- Kaspersky Security Network (KSN)
- Kaspersky update servers
- Key file
- License
- License term
- Manifest file
- Network Agent
- Phishing
- Policy
- POP3
- Provisioning profile
- Proxy server
- Quarantine
- SSL
- Standalone installation package
- Subscription
- Supervised device
- Unlock code
- Virus
- Information about third-party code
- Trademark notices
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Restricting Android features on devices
You can restrict Android operating system features in device owner mode. For example, you can restrict factory reset, changing credentials, use of Google Play and Google Chrome, file transfer over USB, changing location settings, and manage system updates.
You can restrict Android features in the Feature restrictions section.
To open the Feature restrictions section:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Device owner mode > Feature restrictions section.
Restrict device features
On the Device Features tab of the Feature restrictions section, you can enable or disable the following features:
- Prohibit factory reset
Selecting or clearing this check box specifies whether the device user is allowed to perform a factory reset from device settings.
This check box is cleared by default.
- Prohibit screen sharing, recording, and screenshots
Selecting or clearing this check box specifies whether the device user is allowed to take screenshots, record and share the device screen.
This check box is cleared by default.
- Prohibit changing language (Android 9.0 or later)
Selecting or clearing the check box specifies whether the device user is allowed to change the device language.
This restriction is supported on devices with Android 9.0 or later.
This check box is cleared by default.
- Prohibit changing date, time, and time zone (Android 9.0 or later)
Selecting or clearing the check box specifies whether the device user is allowed to change date, time, and time zone in Settings.
This restriction is supported on devices with Android 9.0 or later.
This check box is cleared by default.
- Prohibit adding and removing Google accounts
Selecting or clearing the check box specifies whether the device user is allowed to add and remove Google accounts.
This check box is cleared by default.
- Prohibit adjusting volume and mute device
Restricts volume adjustment and muting the device.
If the check box is selected, the device user can't adjust the volume and the device is muted.
If the check box is cleared, the device user can adjust the volume and the device is unmuted.
Anti-Theft can play a sound on the device disregarding of this restriction. The restriction is disabled to allow to play the sound, and then re-enabled.
This check box is cleared by default.
- Prohibit outgoing phone calls
Selecting or clearing this check box specifies whether the device user is allowed to make outgoing phone calls on this device.
This check box is cleared by default.
- Prohibit sending and receiving SMS messages
Selecting or clearing this check box specifies whether the device user is allowed to send and receive SMS messages on this device.
This check box is cleared by default.
- Prohibit changing credentials
Selecting or clearing this check box specifies whether the device user is allowed to change user credentials in the operating system.
This check box is cleared by default.
- Prohibit keyguard features
Restricts the use of keyguard features on the device.
If the check box is selected, the following settings become enabled:
- Prohibit keyguard camera
- Prohibit keyguard notifications
- Prohibit keyguard trust agents
If the check box is cleared, keyguard features can't be prohibited.
If a password, PIN, or lock pattern is set after the keyguard features have been disabled, they will be re-enabled. If no password, PIN, or unlock pattern is set on device, keyguard is disabled.
This check box is cleared by default.
- Prohibit keyguard camera
Selecting or clearing the check box specifies whether the device user is prohibited to use camera when the device is locked.
This check box is available only if the Prohibit keyguard features check box is selected. Otherwise, the Prohibit keyguard camera check box is cleared and disabled.
This check box is cleared by default.
- Prohibit keyguard notifications
Selecting or clearing the check box specifies whether notifications are prohibited when the device screen is locked.
This check box is available only if the Prohibit keyguard features check box is selected. Otherwise, the Prohibit keyguard notifications check box is cleared and disabled.
This check box is cleared by default.
- Prohibit keyguard trust agents
Selecting or clearing this check box specifies whether trusted apps are prohibited when the device screen is locked. Trusted apps are apps that allow the device user to unlock the device without a password, PIN, or fingerprint.
This check box is available only if the Prohibit keyguard features check box is selected. Otherwise, the Prohibit keyguard trust agents check box is cleared and disabled.
This check box is cleared by default.
- Prohibit adjusting brightness (Android 9.0 or later)
Selecting or clearing the check box specifies whether the device user is allowed to adjust brightness on the mobile device.
This restriction is supported on devices with Android 9.0 or later.
This check box is cleared by default.
- Force screen on when plugged in to AC charger (Android 6.0 or later)
Selecting or clearing the check box specifies if the device screen will be on while the device is charging with an AC charger.
The restriction is supported on devices with Android 6.0 or later.
This check box is cleared by default.
- Force screen on when plugged in to USB charger (Android 6.0 or later)
Selecting or clearing of the check box specifies whether the device screen will be on while the device is charging via a USB charger.
The restriction is supported on devices with Android 6.0 or later.
This check box is cleared by default.
- Force screen on when plugged in to wireless charger (Android 6.0 or later)
Selecting or clearing this check box specifies whether the device screen will be on while the device is charging via a wireless charger.
The restriction is supported on devices with Android 6.0 or later.
This check box is cleared by default.
- Prohibit changing wallpaper (Android 7.0 or later)
Selecting or clearing the check box specifies whether the device user is allowed to change the wallpaper on the mobile device.
This restriction is supported on devices with Android 7.0 or later.
This check box is cleared by default.
- Prohibit status bar (Android 6.0 or later)
Preventing the status bar from being displayed.
If the check box is selected, the status bar is not displayed on the device. Notifications and quick settings accessible via the status bar are also blocked.
If the check box is cleared, the status bar can be displayed on the device.
The restriction is supported on devices with Android 6.0 or later.
This check box is cleared by default.
- Prohibit adding users
Selecting or clearing the check box specifies whether the device user is allowed to add new users.
This check box is selected by default. If device owner mode was enrolled via a QR code, the restriction is enabled and can't be disabled.
The restriction can be disabled only on devices that meet the following requirements:
- The device owner mode was enrolled via the
adb.exeinstallation package. - The device must support multiple users.
- The device owner mode was enrolled via the
- Prohibit removing users
Selecting or clearing the check box specifies whether the device user is allowed to remove users.
This check box is selected by default. If device owner mode was enrolled via a QR code, the restriction can't be disabled.
The restriction can be disabled only on devices that meet the following requirements:
- The device owner mode was enrolled via the
adb.exeinstallation package. - The device must support multiple users.
- The device owner mode was enrolled via the
- Prohibit safe boot (Android 6.0 or later)
Selecting or clearing this check box specifies whether the device user is allowed to boot the device in safe mode.
The restriction is supported on devices with Android 6.0 or later.
This check box is cleared by default.
Restrict app features
On the Apps tab of the Feature restrictions section, you can enable or disable the following features:
- Prohibit use of camera
Selecting or clearing the check box specifies whether the device user is allowed to use all cameras on the device.
If the check box is selected, our solution usually blocks the camera. However, for Asus and OnePlus devices, the camera app icon is completely hidden when the check box is selected.
This check box is cleared by default.
- Prohibit camera toggle (Android 12.0 or later)
Preventing the device user from toggling the camera.
If the check box is selected, the device user cannot block the camera access via the system toggle.
If the check box is cleared, the device user is allowed to use the camera toggle.
The restriction is supported on devices with Android 12.0 or later.
This check box is cleared by default.
- Prohibit use of Google Play
Selecting or clearing the check box specifies whether the device user is allowed to use Google Play.
This check box is cleared by default.
- Prohibit use of Google Chrome
Preventing use of Google Chrome.
If the check box is selected, the device user cannot start Google Chrome or configure it in system settings.
If the check box is cleared, the device user is allowed to use Google Chrome on the device.
The check box is cleared by default.
- Prohibit use of Google Assistant
Selecting or clearing the check box specifies whether the device user is allowed to use Google Assistant on the device.
This check box is cleared by default.
- Prohibit installation of apps from unknown sources
Selecting or clearing the check box specifies whether the device user is allowed to install apps from unknown sources.
This check box is cleared by default.
- Prohibit modification of apps in Settings
Preventing modifying apps in Settings.
If the check box is selected, the device user is disallowed to perform the following actions:
- Uninstalling apps
- Disabling apps
- Clearing app caches
- Clearing app data
- Force stopping apps
- Clearing app defaults
If the check box is cleared, the device user is allowed to modify apps in Settings.
This check box is cleared by default.
- Prohibit installation of apps
Selecting or clearing the check box specifies whether the device user is allowed to install apps on the device.
This check box is cleared by default.
- Prohibit uninstallation of apps
Selecting or clearing the check box specifies whether a device user is allowed to uninstall apps from this device.
This check box is cleared by default.
- Prohibit disabling app verification
Selecting or clearing the check box specifies whether the device user is allowed to disable app verification.
This check box is cleared by default.
Restrict storage features
On the Storage tab of the Feature restrictions section, you can enable or disable the following features:
- Prohibit debugging features
Preventing use of debugging features.
If the check box is selected, the device user cannot use USB debugging features and developer mode.
If the check box is cleared, the device user is allowed to enable and access debugging features and developer mode.
This check box is cleared by default.
- Prohibit mounting physical external media
Selecting or clearing the check box specifies whether the device user is allowed to mount physical external media, such as SD cards and OTG adapters.
This check box is cleared by default.
- Prohibit file transfer over USB
Selecting or clearing this check box specifies whether the device user is allowed to transfer files over USB.
This check box is cleared by default.
- Prohibit backup service (Android 8.0 or later)
Selecting or clearing the check box specifies whether the device user is allowed to enable or disable the backup service.
The restriction is supported on devices with Android 8.0 or later.
This check box is cleared by default.
Restrict network features
On the Network tab of the Feature restrictions section, you can enable or disable the following features:
- Prohibit use of Wi-Fi
Selecting or clearing the check box specifies whether the device user is allowed to use Wi-Fi and configure it in Settings.
This check box is cleared by default.
- Prohibit changing Wi-Fi settings
Selecting or clearing the check box specifies whether the device user is allowed to configure Wi-Fi access points via Settings. The restriction does not affect Wi-Fi tethering settings.
This check box is cleared by default.
- Prohibit changing pre-configured Wi-Fi networks
Selecting or clearing the check box specifies whether the device user is allowed to change Wi-Fi configurations added by the administrator in the Wi-Fi section.
This check box is cleared by default.
- Prohibit airplane mode (Android 9.0 or later)
Selecting or clearing the check box specifies whether the device user is allowed to enable airplane mode on the device.
This restriction is supported on devices with Android 9.0 or later.
This check box is cleared by default.
- Prohibit use of Bluetooth (Android 8.0 or later)
Preventing use of Bluetooth.
If the check box is selected, the device user cannot turn on and configure Bluetooth via Settings.
If the check box is cleared, the device user is allowed to use Bluetooth.
The restriction is supported on devices with Android 8.0 and later. For earlier versions of Android, select the Prohibit use of Bluetooth check box in the Device Management section.
This check box is cleared by default.
- Prohibit changing Bluetooth settings
Selecting or clearing the check box specifies whether the device user is allowed to configure Bluetooth via Settings.
This check box is cleared by default.
- Prohibit outgoing data sharing over Bluetooth (Android 8.0 or later)
Selecting or clearing the check box specifies whether outgoing Bluetooth data sharing is allowed on the device.
The restriction is supported on devices with Android 8.0 or later.
This check box is cleared by default.
- Prohibit changing VPN settings
Preventing changing VPN settings.
If the check box is selected, the device user cannot configure a VPN in Settings and VPNs are prohibited from starting.
If the check box is cleared, the device user is allowed to modify a VPN in Settings.
This check box is cleared by default.
- Prohibit resetting network settings (Android 6.0 or later)
Selecting or clearing the check box specifies whether the device user is allowed to reset network settings in Settings.
This restriction is supported on devices with Android 6.0 or later.
This check box is cleared by default.
- Prohibit changing mobile network settings
Selecting or clearing the check box specifies whether the device user is allowed to change mobile network settings.
This check box is cleared by default.
- Prohibit use of cellular data while roaming (Android 7.0 or later)
Selecting or clearing the check box specifies whether the device user is allowed to use cellular data while roaming.
If the check box is selected, the device can't update anti-virus databases and synchronize with the Administration Server while in roaming.
To allow anti-virus database update while roaming, this check box should be cleared and the Allow database update while roaming check box in the Database update section should be selected.
To allow device synchronization with the Administration Server while roaming, this check box should be cleared and the Do not synchronize while roaming check box in the Synchronization section should be also cleared.
This restriction is supported on devices with Android 7.0 or later.
This check box is cleared by default.
- Prohibit use of Android Beam via NFC
Selecting or clearing the check box specifies whether beaming out data from apps via NFC is allowed on the device. However, the device user can enable or disable NFC.
This check box is cleared by default.
- Prohibit use of tethering
Selecting or clearing the check box specifies whether the device user is allowed to configure tethering and hotspots.
This check box is cleared by default.
Restrict location services
On the Location Services tab of the Feature restrictions section, you can configure the following settings:
- Prohibit use of location
Preventing turning location on and off.
If the check box is selected, the device user cannot turn location on or off. Search in Anti-Theft mode becomes unavailable.
If the check box is cleared, the device user can turn location on or off.
This check box is cleared by default.
If both the Prohibit use of location and Prohibit changing location settings (Android 9.0 and later) check boxes are selected, location is disabled and the device user cannot enable it.
- Prohibit changing location settings (Android 9.0 or later)
Preventing changing location settings.
If the check box is selected, the device user cannot change location settings or disable location.
If the check box is cleared, the device user can change location settings.
The restriction is supported on devices with Android 9.0 or later.
This check box is cleared by default.
If both the Prohibit use of location and Prohibit changing location settings (Android 9.0 and later) check boxes are selected, location is disabled and the device user cannot enable it.
Restrict system updates
Managing update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may work incorrectly.
On the Updates tab of the Feature restrictions section, you can configure the following settings:
- Set system update policy
Type of system update policy.
If the check box is selected, one of the following system update policies is set:
- Install updates automatically. Installs system updates immediately without user interaction. This option is selected by default.
- Install updates during daily window. Installs system updates during a daily maintenance window without user interaction.
The administrator also needs to set the start and end of the daily maintenance window in the Start time and End time fields respectively.
- Postpone updates for 30 days. Postpones the installation of system updates for 30 days.
After the specified period, the operating system prompts the device user to install the updates. The period is reset and starts again if a new system update is available.
If the check box is cleared, a system update policy is not set.
This check box is selected by default.
Managing update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may work incorrectly.
- System update freeze periods (Android 9.0 and later)
The System update freeze periods (Android 9.0 and later) block lets you set one or more freeze periods of up to 90 days during which system updates will not be installed on the device. When the device is in a freeze period, it behaves as follows:
- The device does not receive any notifications about pending system updates.
- System updates are not installed.
- The device user cannot check for system updates manually.
To add a freeze period, click Add period and enter the start and end of the freeze period in the Start time and End time fields respectively.
Note: Each freeze period can be at most 90 days long, and the interval between adjacent freeze periods must be at least 60 days.
The restriction is supported on devices with Android 9.0 and later.
Managing update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may work incorrectly.