- Kaspersky Secure Mobility Management help
- What's new
- Working in MMC-based Administration Console
- Key use cases
- About Kaspersky Secure Mobility Management
- Distribution kit
- About Kaspersky Endpoint Security for Android app
- About Kaspersky Device Management for iOS
- About the Kaspersky Endpoint Security for Android Administration Plug-in
- About the Kaspersky Device Management for iOS Administration Plug-in
- Hardware and software requirements
- Known issues and considerations
- Deployment
- Solution architecture
- Deployment scenarios for Kaspersky Endpoint Security for Android
- Deployment scenarios for iOS MDM profile
- Preparing the Administration Console for deployment of the integrated solution
- Configuring Administration Server settings for connection of mobile devices
- Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server
- Displaying the Mobile Device Management folder in the Administration Console
- Creating an administration group
- Creating a rule for device automatic allocating to administration groups
- Working with certificates of mobile devices
- Deploying mobile device management systems
- Scenario: Mobile Device Management deployment
- Enabling Mobile Device Management
- Deploying a system for management by using iOS MDM protocol
- iOS MDM Server deployment scenarios
- Simplified deployment scheme
- Deployment scheme involving Kerberos constrained delegation (KCD)
- Enabling support of Kerberos Constrained Delegation
- Installing iOS MDM Server
- Receiving an APNs certificate
- Renewing an APNs certificate
- Configuring a reserve iOS MDM Server certificate
- Installing an APNs certificate on an iOS MDM Server
- Configuring access to Apple Push Notification service
- Connecting KES devices to the Administration Server
- Disabling Mobile Device Management
- Installing Kaspersky Endpoint Security for Android
- Permissions
- Installation of Kaspersky Endpoint Security for Android on personal devices
- Installation of Kaspersky Endpoint Security for Android in device owner mode
- Installation of Kaspersky Endpoint Security for Android in device owner mode in a closed network
- Other methods of installation of Kaspersky Endpoint Security for Android
- Configuring synchronization settings
- Activating the Kaspersky Endpoint Security for Android app
- Installing an iOS MDM profile
- Installing administration plug-ins
- Updating a previous version of the application
- Removing Kaspersky Endpoint Security for Android
- Configuration and Management
- Getting Started
- Control
- Protection
- Configuring anti-malware protection on Android devices
- Protecting Android devices on the internet
- Protection of stolen or lost device data
- Configuring device unlock password strength
- Configuring a virtual private network (VPN)
- Configuring Firewall on Android devices (only Samsung)
- Protecting Kaspersky Endpoint Security for Android against removal
- Detecting device hacks (root)
- Configuring a global HTTP proxy on iOS MDM devices
- Adding security certificates to iOS MDM devices
- Adding a SCEP profile to iOS MDM devices
- Restricting SD card usage (only Samsung)
- Management of mobile devices
- Managing KES devices
- Managing iOS MDM devices
- Signing an iOS MDM profile by a certificate
- Adding a configuration profile
- Installing a configuration profile on a device
- Removing the configuration profile from a device
- Adding a provisioning profile
- Installing a provisioning profile to a device
- Removing a provisioning profile from a device
- Configuring managed apps
- Installing an app on a mobile device
- Removing an app from a device
- Installing and uninstalling apps on a group of iOS MDM devices
- Configuring roaming on an iOS MDM mobile device
- Viewing information about an iOS MDM device
- Disconnecting an iOS MDM device from management
- Configuring kiosk mode for iOS MDM devices
- Management of mobile device settings
- Configuring connection to a Wi-Fi network
- Configuring email
- Configuring device status in Kaspersky Security Center
- Managing app configurations
- Installing root certificates on Android devices
- Configuring notifications for Kaspersky Endpoint Security for Android
- Key features of mobile device management in MMC-based Administration Console
- Connecting iOS MDM devices to AirPlay
- Connecting iOS MDM devices to AirPrint
- Bypassing the Activation Lock on supervised iOS devices
- Configuring the Access Point Name (APN)
- Configuring the Android work profile
- Adding an LDAP account
- Adding a calendar account
- Adding a contacts account
- Configuring calendar subscription
- Managing web clips
- Setting wallpaper
- Adding fonts
- Working with commands for mobile devices
- Managing the app by using third-party EMM systems (Android only)
- Network load
- Participating in Kaspersky Security Network
- Data provision to third-party services
- Global acceptance of additional Statements
- Samsung KNOX
- Appendices
- Using the Kaspersky Endpoint Security for Android app
- App features
- Main window at a glance
- Status bar icon
- Device scan
- Running a scheduled scan
- Changing the Protection mode
- Anti-malware database updates
- Scheduled database update
- Things to do if your device gets lost or stolen
- Web Protection
- Get Certificate
- Synchronizing with Kaspersky Security Center
- Activating the Kaspersky Endpoint Security for Android app without Kaspersky Security Center
- Installing the app in device owner mode
- Installing root certificates on the device
- Enabling accessibility on Android 13 or later
- Enabling accessibility for the app on Android 13
- Updating the app
- Removing the app
- Applications with a briefcase icon
- KNOX app
- Using the Kaspersky Security for iOS app
- Working in Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console
- About mobile device management in Kaspersky Security Center Web Console and Cloud Console
- Distribution kit
- Key features of mobile device management in Kaspersky Security Center Web Console and Cloud Console
- About the Kaspersky Endpoint Security for Android app
- About the Kaspersky Security for iOS app
- About the Kaspersky Security for Mobile (Devices) plug-in
- About the Kaspersky Security for Mobile (Policies) plug-in
- Hardware and software requirements
- Known issues and considerations
- Deploying a mobile device management solution in Kaspersky Security Center Web Console or Cloud Console
- Managing mobile devices in Kaspersky Security Center Web Console and Cloud Console
- Managing group policies
- Defining policy settings
- Configuring anti-malware protection
- Defining device unlock settings
- Configuring protection of stolen or lost device data
- Configuring app control
- Configuring compliance control of mobile devices with corporate security requirements
- Configuring user access to websites
- Configuring feature restrictions
- Protecting Kaspersky Endpoint Security for Android against removal
- Configuring synchronization of mobile devices with Kaspersky Security Center
- Kaspersky Security Network
- Exchanging information with Google Analytics for Firebase, Firebase Performance Monitoring, and Crashlytics
- Configuring notifications on mobile devices
- Detecting device hacks
- Defining licensing settings
- Configuring events
- Configuring events about the installation, update, and removal of apps on users' devices
- Network load
- About mobile device management in Kaspersky Security Center Web Console and Cloud Console
- Application licensing
- Comparison of solution features depending on the management tools
- Contact Technical Support
- Sources of information about the application
- Glossary
- Activating the application
- Activation code
- Administration group
- Administration Server
- Administrator's workstation
- Android work profile
- Anti-malware databases
- Apple Push Notification service (APNs) certificate
- Application management plug-in
- Certificate Signing Request
- Compliance control
- Device administrator
- End User License Agreement
- Group task
- IMAP
- Installation package
- iOS MDM device
- iOS MDM profile
- iOS MDM Server
- Kaspersky categories
- Kaspersky Private Security Network (KPSN)
- Kaspersky Security Center Administrator
- Kaspersky Security Center Web Server
- Kaspersky Security Network (KSN)
- Kaspersky update servers
- KES device
- Key file
- License
- License term
- Malware
- Manifest file
- Network Agent
- Phishing
- Policy
- POP3
- Provisioning profile
- Proxy server
- Quarantine
- SSL
- Standalone installation package
- Subscription
- Supervised device
- Unlock code
- Virtual Administration Server
- Information about third-party code
- Trademark notices
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Connecting to an NDES/SCEP server
You can configure a connection to an NDES/SCEP server to obtain a certificate from a certificate authority (CA) using Simple Certificate Enrollment Protocol (SCEP). To do this, you need to set up a connection to the CA using SCEP and specify a certificate profile.
To add a connection to a certificate authority and specify a certificate profile:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
- In the policy Properties window, select the Device owner mode > NDES and SCEP section.
- In the Connection to certificate authority (CA) section, click Add.
The Connection to certificate authority dialog appears.
- Specify the following settings, and then click OK:
- Connection name
A unique connection name.
- Protocol type
A protocol version. Possible values:
- SCEP
- NDES (default)
- SCEP server URL
The URL of the SCEP server.
For NDES, the URL has the
http://<ServerName>/certsrv/mscep/mscep.dllformat. - Challenge phrase type
A type of challenge phrase required for authentication. Possible values:
- None - Does not require authentication data.
- Static - Requires entering an authentication phrase in the Static challenge phrase field. This is the default value.
- Static challenge phrase
Specifies the authentication phrase that is used to authenticate the device with the certificate with the SCEP server URL.
- Connection name
- In the Certificate profiles section, click Add.
The Certificate profile dialog appears.
- Specify the following certificate profile settings and click OK:
- Profile name
A unique certificate profile name.
- Certificate authority (CA)
A certificate authority that you created in the Connection to certificate authority (CA) section.
- Subject name
A unique identifier that is the subject of the certificate. It includes information about what is being certified, including common name, organization, organizational unit, country code, and so on. You can either enter the value or select it from the Available macros drop-down list.
- Private key length
A length of the certificate private key. Possible values:
- 1024
- 2048 (default)
- 4096
- Private key type
A type of the certificate private key. Possible values:
- Signature (default)
- Encryption
- Signature and encryption
- Renew certificate automatically
If the check box is selected, the certificate will be automatically reissued to the device before this certificate expires. The Renew certificate before it expires (in days) field also becomes available. In this field, you need to specify the number of days before the expiration date when the certificate will be reissued.
If the check box is cleared, the certificate will not be renewed automatically.
The check box is cleared by default.
- Renew certificate before it expires (in days)
The number of days remaining until the certificate's expiration date during which a renewed certificate will be issued to the device. For example, you can specify 90 days in this field. A renewed certificate will be issued 90 days before the current certificate expires.
This option is available and is required to be specified if the Renew certificate automatically check box is selected.
The default value is not set.
- Subject Alternative Names (SAN)
An alternative name that represents the certificate subject name. You can specify multiple subject alternative names. To do this, click Add, and then specify the SAN type and SAN value options.
- Profile name
- Click Apply to save the changes you have made.
Manage connections and certificate profiles
You can later edit or remove the added connections and certificate profile.
To edit a connection or certificate profile:
- Select the needed connection or certificate profile in the corresponding section.
- Click Edit, make the required changes, and click OK.
- Click Apply to save the changes you have made.
After you edit the certificate profile in policy settings, the corresponding certificate on the device is deleted automatically during the next synchronization with Administration server and a new certificate is installed.
To remove a connection or certificate profile:
- Select the needed connection or certificate profile in the corresponding section.
- Click Delete, and then click OK.
If you remove a certificate authority connection, all certificate profiles that use this connection are also removed.
- Click Apply to save the changes you have made.
After you delete the certificate profile in policy settings, the corresponding certificate on the device will be deleted automatically during the next synchronization with Administration server.