[Topic 254248]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Kaspersky Secure Mobility Management help

[Topic 180199]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

What's new

Version 3.0

In this release, we added some features to the plug-in of MMC-based Administration Console for managing Android devices via Kaspersky Endpoint Security for Android app:

• Android 14 is now supported.
• You can manage app configurations for devices in device owner mode or with created Android work profile. The feature is available for any apps that support app configuration settings.
• New features for device owner mode:
  • Automatic deletion of detected malicious apps.
  • New restrictions for Android operating system features. These restrictions include:
    • Adding, enabling, and disabling Wi-Fi networks.
    • Sharing pre-configured Wi-Fi networks.
    • Using Wi-Fi Direct.
    • Sharing location.
    • Switching user.
    • Allowing content capture.
    • Using ambient display.
    • Unmuting and disabling microphone.
• New features for Android work profile:
  • Blocking of detected malicious apps.
  • Management of Google Chrome settings.
  • Management of Exchange ActiveSync settings for Gmail.
• New features for Compliance Control:
  • New actions when a user's account is disabled in Active Directory:
    • Wipe corporate data.
    • Reset to factory settings.
• New features for Web Protection:
  • Support of Yandex Browser.
• New commands for Android devices:
  • Wipe app data.
  • Wipe data of all apps.
• New features for certificates:
  • Ability to automatically issue VPN and mail certificates on device connection to Kaspersky Security Center.
• Other improvements:
  • New synchronization periods (1 minute and 5 minutes) were added for configuring the synchronization of mobile devices with Kaspersky Security Center by schedule.
  • For devices running Android 7 and later, it is possible to set an image as a wallpaper for a home screen and a lock screen in the policy settings.
  • In device owner mode and Android work profile, the Prohibit screen sharing, recording, and screenshots restriction now controls capturing the content of the device screen for artificial intelligence purposes.

This release also includes the following new features in the plug-in of MMC-based Administration Console for managing iOS MDM devices:

• Kiosk mode for iOS MDM devices.
• You can manage the configuration of apps. This feature is available for all managed apps that support app configuration settings.
• New conditions for Compliance Control:
  • Check whether the additional device SIM card has been inserted.
• New feature restrictions for supervised devices:
  • Modification of eSIM settings.
  • Using Find My Device and Find My Friends in the Find My app.
  • AirPrint (credentials storage, discovery of AirPrint printers, using a trusted TLS certificate).
• New features for certificates:
  • Ability to automatically issue VPN and mail certificates on device connection to Kaspersky Security Center.
• Other improvements:
  • Our solution now fully supports iOS 17 and iPadOS 17.

[Topic 216447]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Working in MMC-based Administration Console

This Help section describes protection and management of mobile devices by using the MMC-based Administration Console of Kaspersky Security Center.

[Topic 84084]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Key use cases

[Topic 91308]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About Kaspersky Secure Mobility Management

Kaspersky Secure Mobility Management is an integrated solution for protecting and managing corporate mobile devices as well as personal mobile devices used by company employees for corporate purposes.

Kaspersky Secure Mobility Management includes the following components:

• Kaspersky Endpoint Security for Android mobile app

  The Kaspersky Endpoint Security for Android app ensures protection of mobile devices against web threats, viruses, and other programs that pose threats.

• Kaspersky Endpoint Security for Android Administration Plug-in

  The Administration Plug-in of Kaspersky Endpoint Security for Android provides the interface for managing mobile devices and mobile apps installed on them through the Administration Console of Kaspersky Security Center.

• Kaspersky Device Management for iOS Administration Plug-in

  The Kaspersky Device Management for iOS Administration Plug-in lets you define the configuration settings for devices connected to Kaspersky Security Center via the iOS MDM protocol (hereinafter referred to as "iOS MDM devices"), without using the iPhone Configuration Utility.

The administration plug-ins are integrated into the Kaspersky Security Center remote administration system. The administrator can use a single Administration Console of Kaspersky Security Center to manage all mobile device on the corporate network as well as client computers and virtual systems. After you connect mobile devices to the Administration Server, they become managed. The administrator can remotely monitor managed devices.

The Kaspersky Endpoint Security for Android mobile app may also operate as part of the Kaspersky Endpoint Security Cloud remote administration system. For more details on working with apps through Kaspersky Endpoint Security Cloud, please refer to Kaspersky Endpoint Security Cloud Online Help.

The Kaspersky Endpoint Security for Android mobile app can also operate as part of third-party EMM solutions of AppConfig Community participants.

[Topic 214493]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Distribution kit

The Kaspersky Secure Mobility Management distribution kit may include various components, depending on the chosen application version.

Kaspersky Security Center

• ksc_14_<version>_full_<language>.exe

  Kaspersky Security Center installer. This is a special version that is customized specially for Kaspersky Secure Mobility Management.

• ksc_14_<version>_Console_<language>.exe

  Installer of MMC-based Administration Console. This is a special version that is customized specially for Kaspersky Secure Mobility Management.

  You can install Administration Console on another device and manage Kaspersky Security Center Administration Server remotely.

Mobile device management in MMC-based Administration Console

• klcfginst.exe

  Installer of Kaspersky Endpoint Security for Android Administration Plug-in.

• klmdminst.exe

  Installer of Kaspersky Device Management for iOS Administration Plug-in.

Mobile device management in Kaspersky Security Center Web Console

• on_prem_ksm_devices_<version>.zip

  Archive that contains the files required for the installation of the Kaspersky Security for Mobile (Devices) plug-in:

  • plugin.zip

    Archive that contains the Kaspersky Security for Mobile (Devices) plug-in.

  • signature.txt

    File that contains the signature for the Kaspersky Security for Mobile (Devices) plug-in.

• on_prem_ksm_policies_<version>.zip

  Archive that contains the files required for the installation of the Kaspersky Security for Mobile (Policies) plug-in:

  • plugin.zip

    Archive that contains the Kaspersky Security for Mobile (Policies) plug-in.

  • signature.txt

    File that contains the signature for the Kaspersky Security for Mobile (Policies) plug-in.

Mobile device management in Kaspersky Security Center Cloud Console

To manage mobile device in Kaspersky Security Center Cloud Console, you do not need to download a distribution package. You only need to create an account in Kaspersky Security Center Cloud Console. For more information about creating an account, please refer to Kaspersky Security Center Cloud Console Help.

File of the Kaspersky Endpoint Security for Android app

kesandroid10<version><languages>.apk—Android package file of the Kaspersky Endpoint Security for Android app.

File of Corporate App Catalog

Install_<version>.exe—Distribution package of Corporate App Catalog. The package includes the following components:

• Corporate App Catalog
• Corporate App Catalog Management Console
• Apache server

For more information about installing Corporate App Catalog, please refer to Corporate App Catalog Help.

Auxiliary files

• sc_package_<languages>.exe

  Self-extracting archive that contains the files required for installing the Kaspersky Endpoint Security for Android app by creating installation packages:

  • adb.exe, AdbWinApi.dll, AdbWinUsbApi.dll

    Files required for creating installation packages.

  • installer.ini

    Configuration file that contains Administration Server connection settings.

  • kesandroid10<version><languages>.apk

    Android package file of the Kaspersky Endpoint Security for Android app.

  • kmlisten.exe

    Utility for delivering installation packages through the administrator's computer.

  • kmlisten.ini

    Configuration file that contains the settings for the kmlisten.exe utility.

  • kmlisten.kpd

    Application description file.

  If you create an installation package with the sc_package.exe archive in the Kaspersky Security Center version earlier than 14.2, the installation of Kaspersky Endpoint Security for Android app will fail on devices running Android 10 or later. To avoid this issue, please upgrade to Kaspersky Security Center 14.2 or contact Technical Support to receive an appropriate version of the archive.

Documentation

• Help for Kaspersky Secure Mobility Management.

[Topic 99558]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About Kaspersky Endpoint Security for Android app

The Kaspersky Endpoint Security for Android app ensures protection of mobile devices against web threats, viruses, and other programs that pose threats.

Kaspersky Endpoint Security for Android app includes the following components:

• Anti-Malware. It allows you to detect and neutralize threats on your device by using the anti-malware databases and the Kaspersky Security Network cloud service. Anti-Malware includes the following components:
  • Protection. Detects threats in open files, scans new apps, and prevents device infection in real time.
  • Scan. It is started on demand for the entire file system, only for installed apps, or a selected file or folder.
  • Update. Update allows you to download new anti-malware databases for the application.
• Anti-Theft. This component protects information on the device against unauthorized access in case the device is lost or stolen. This component lets you send the following commands to the device:
  • Locate to get the coordinates of the device's location.
  • Alarm to make the device sound a loud alarm.
  • Mugshot to make the device take pictures with the frontal camera if someone attempts to unlock it.
  • Wipe corporate data to protect sensitive company information.
• Web Protection. This component blocks malicious sites designed to spread malicious code. Web Protection also blocks fake (phishing) websites designed to steal confidential data of the user (for example, passwords to online banking or e-money systems) and access the user's financial info. Web Protection scans websites before you open them using the Kaspersky Security Network cloud service. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. Web Protection also supports website filtering by categories defined in Kaspersky Security Network cloud service. This allows the administrator to restrict user access to certain categories of web pages (for example, web pages from the "Gambling, lotteries, sweepstakes" or "Internet communication" categories).
• App Control. This component lets you install recommended and required apps to your device via a direct link to the distribution package or a link to Google Play. App Control lets you remove blocked apps that violate corporate security requirements.
• Compliance Control. This component lets you check managed devices for compliance with corporate security requirements and impose restrictions on certain functions of non-compliant devices.

You can also install the Kaspersky Endpoint Security for Android app in device owner mode. This will give you full control over company-owned Android devices and let you configure a wide range of device settings. In device owner mode, you can:

• Restrict Android operating system features.
• Configure Google Chrome settings.
• Configure app startup settings in App Control.
• Limit the set of apps that are available to a device user in Kiosk mode.
• Configure Exchange ActiveSync settings for Gmail.
• Configure the connection to an NDES/SCEP server.
• Install root certificates on devices.

[Topic 136121]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About Kaspersky Device Management for iOS

Kaspersky Device Management for iOS ensures protection and control of mobile devices that are connected to Kaspersky Security Center and includes device management features, such as:

• Password protection. This feature allows you to set password complexity requirements so that users use complex passwords compliant with corporate password policy.
• Network management. This feature allows you to add approved VPN and Wi-Fi networks or restrict access to others.
• Wipe corporate data. In case the device is lost or stolen, you can send the Wipe command to it to protect sensitive company information.
• Web Protection. This component blocks malicious sites designed to spread malicious code. Web Protection also blocks fake (phishing)  websites designed to steal confidential data of the user (for example, passwords to online banking or e-money systems) and access the user's financial info. Web Protection scans websites before you open them using the Kaspersky Security Network cloud service. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. Web Protection also supports website filtering by categories defined in Kaspersky Security Network cloud service. This allows the administrator to restrict user access to certain categories of web pages (for example, web pages from the "Gambling, lotteries, sweepstakes" or "Internet communication" categories).
• Application restrictions. This component lets you control whether device native apps, such as iTunes, Safari, or Game Center can be used on a supervised device.
• Feature restrictions. This component allows to check managed devices for compliance with the corporate security requirements and impose restrictions on certain functions of non-compliant devices.
• Compliance Control. This component monitors iOS MDM devices for compliance with corporate security requirements and takes actions in case of non-compliance. Compliance control is based on a list of rules. Each rule includes the following components:
  • Status (whether the rule is enabled or disabled).
  • Device check criteria (for example, absence of the specified apps or operating system version).
  • Actions performed on the device in case of non-compliance (for example, wipe corporate data or send an email message to the user).

[Topic 89640]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About the Kaspersky Endpoint Security for Android Administration Plug-in

The Administration Plug-in of Kaspersky Endpoint Security for Android provides the interface for managing mobile devices and mobile apps installed on them through the Administration Console of Kaspersky Security Center. The Kaspersky Endpoint Security for Android Administration Plug-in can be used to:

• Create group security policies for mobile devices.
• Remotely configure the operating settings of the Kaspersky Endpoint Security for Android app on users' mobile devices.
• Receive reports and statistics on the operation of the Kaspersky Endpoint Security for Android mobile app on users' devices.

The Kaspersky Endpoint Security for Android Administration Plug-in is installed by default when deploying Kaspersky Security Center. The plug-in does not require individual installation.

[Topic 89639]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About the Kaspersky Device Management for iOS Administration Plug-in

The Administration Plug-in of Kaspersky Device Management for iOS provides an interface for managing mobile devices connected by means of the iOS MDM protocol through the Administration Console of Kaspersky Security Center. The Kaspersky Device Management for iOS Administration Plug-in can be used to do the following:

• Create group security policies for mobile devices.
• Remotely configure devices connected by using the iOS MDM protocol (hereinafter referred to as "iOS MDM devices").

For more details on connecting mobile devices to Kaspersky Security Center by using the iOS MDM protocol, please refer to the "Managing iOS MDM devices" section.

The Kaspersky Device Management for iOS Administration Plug-in is installed by default when deploying Kaspersky Security Center. The plug-in does not require separate installation.

[Topic 102017]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Hardware and software requirements

This section lists the hardware and software requirements for the administrator's computer that is used to deploy the apps on mobile devices, as well as the mobile device operating systems supported by Kaspersky Secure Mobility Management.

Hardware and software requirements for the administrator's computer

To deploy the comprehensive solution Kaspersky Secure Mobility Management, the administrator's computer must meet the hardware requirements of Kaspersky Security Center. For more details on using the hardware requirements of Kaspersky Security Center, please refer to Kaspersky Security Center Help.

To work with the Administration Plug-in of Kaspersky Endpoint Security for Android, the Administration Console of Kaspersky Security Center version 12 or later must be installed on the administrator's computer.

To work with the Kaspersky Device Management for iOS Administration Plug-in, the administrator's computer must meet the following software requirements:

• Administration Console of Kaspersky Security Center 12 or later
• iOS MDM Server component
• Instruction set of version SSE2 or more recent version

To deploy the Kaspersky Endpoint Security for Android mobile app via the Administration Server, the administrator's computer must meet the following software requirements:

• Kaspersky Security Center 12 or later
• Administration Plug-in for Kaspersky Endpoint Security for Android

There are no software requirements for the administrator's computer when the Kaspersky Endpoint Security for Android mobile app is deployed from the relevant online stores.

The Kaspersky Endpoint Security for Android mobile app can also be used as part of the Kaspersky Endpoint Security Cloud remote administration system (Version 6.0 and above). For more details on working with apps through Kaspersky Endpoint Security Cloud, please refer to Kaspersky Endpoint Security Cloud Help.

The Kaspersky Endpoint Security for Android mobile app can function within third-party EMM systems:

• VMware AirWatch 9.3 or later
• MobileIron 10.0 or later
• IBM MaaS360 10.68 or later
• Microsoft Intune 1908 or later
• SOTI MobiControl 14.1.4 (1693) or later

Hardware and software requirements for the user's mobile device to support installation of the Kaspersky Endpoint Security for Android app

The Kaspersky Endpoint Security for Android app has the following hardware and software requirements:

• Smartphone or tablet with a screen resolution of 320x480 pixels or higher
• 65 MB of free disk space in the main memory of the device
• Android 5.0 or later (including Android 12L, excluding Go Edition)
• x86, x86-64, Arm5, Arm6, Arm7, or Arm8 processor architecture

The app can be installed only to the main memory of the device.

Hardware and Software Requirements for an iOS MDM Profile

For an iOS MDM profile, the device must meet the following hardware and software requirements:

• iOS 10–17 or iPadOS 13–17
• Internet connection

[Topic 153756]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Known issues and considerations

The following known issues are non-critical for the operation of the solution.

Known issues when installing apps

• Kaspersky Endpoint Security for Android is installed only in the main memory of the device.
• On devices running Android 7.0, an error may occur during attempts to disable administrator rights for Kaspersky Endpoint Security for Android in device settings if Kaspersky Endpoint Security for Android is prohibited from overlaying on other windows. This issue is caused by a well-known defect in Android 7.
• Kaspersky Endpoint Security for Android on devices running Android 7.0 or later does not support multi-window mode.
• Kaspersky Endpoint Security for Android does not work on Chromebook devices running the Chrome operating system.
• Kaspersky Endpoint Security for Android does not work on devices running Android (Go edition) operating systems.
• When using the Kaspersky Endpoint Security for Android app with third-party EMM systems (for example, VMWare AirWatch), only the Anti-Malware and Web Protection components are available. The administrator can configure the settings of Anti-Malware and Web Protection in the EMM system console. In this case, notifications about app operation are available only in the interface of the Kaspersky Endpoint Security for Android app (Reports).

Known issues when upgrading the app version

• You can upgrade Kaspersky Endpoint Security for Android only to a more recent version of the app. Kaspersky Endpoint Security for Android cannot be downgraded to an older version.
• To upgrade Kaspersky Endpoint Security for Android using a standalone installation package, installation of apps from unknown sources must be allowed on the user's mobile device.
• You can update through Google Play if Kaspersky Endpoint Security for Android was installed from Google Play. If the app was installed using another method, you cannot update through Google Play.
• You can update through Kaspersky Security Center if Kaspersky Endpoint Security for Android was installed through Kaspersky Security Center. If the app was installed from Google Play, you cannot update the app through Kaspersky Security Center.
• After you upgrade administration plug-ins to Technical Release 33, the Kaspersky Endpoint Security for Android app must also be upgraded to Technical Release 33. Otherwise, you will not be able to activate Samsung KNOX on some of your users' devices.

Known issues in Anti-Malware operation

• Due to technical limitations, Kaspersky Endpoint Security for Android cannot scan files with a size of 2 GB or more. During a scan, the app skips such files without notifying you that such files were skipped.
• For additional analysis of a device for new threats whose information has not yet been added to anti-malware databases, you must enable the use of Kaspersky Security Network. Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to Kaspersky online knowledge base with information about the reputation of files, web resources, and software. To use KSN, the mobile device must be connected to the internet.
• In some cases, updating anti-malware databases from the Administration Server on a mobile device may fail. In this case, run the anti-malware database update task on the Administration Server.
• On some devices, Kaspersky Endpoint Security for Android does not detect devices connected over USB OTG. It is not possible to run a malware scan on such devices.
• On devices running Android 11 or later, the Kaspersky Endpoint Security for Android app can't scan the "Android/data" and "Android/obb" folders and detect malware in them due to technical limitations.
• On devices running Android 11 or later, the user must grant the "Allow access to manage all files" permission.
• On devices running Android 7.0 or later, the configuration window for the malware scan run schedule might be incorrectly displayed (management elements are not shown). This issue is caused by a well-known defect in Android 7.
• On devices running Android 7.0, real-time protection in the extended mode does not detect threats in files that are stored on an external SD card.
• On devices running Android 6.0, Kaspersky Endpoint Security for Android does not detect the downloading of a malicious file to the device memory. A malicious file may be detected by Anti-Malware when the file is run, or during a malware scan of the device. This issue is caused by a well-known defect in Android 6.0. To ensure device security, it is recommended to configure scheduled malware scans.

Known issues in Web Protection operation

• Web Protection on Android devices is supported by Google Chrome, HUAWEI Browser, Samsung Internet Browser, and Yandex Browser only.
• The Custom Tabs feature is supported by Google Chrome, HUAWEI Browser, and Samsung Internet Browser.
• Web Protection for HUAWEI Browser, Samsung Internet Browser, and Yandex Browser does not block sites on a mobile device if the work profile is used and Web Protection is enabled only for the work profile.
• Kaspersky Endpoint Security in the work profile scans only the website domain in HTTPS traffic. Malicious and phishing websites may remain unblocked if the app installed in the work profile. If the domain is trusted, Web Protection can skip a threat (for example, https://trusted.domain.com/phishing/). If the domain is untrusted, Web Protection blocks malicious and phishing websites.
• For Web Protection to work, you must enable the use of Kaspersky Security Network. Web Protection blocks websites based on the KSN data on the reputation and category of websites.
• Forbidden websites may remain unblocked by Web Protection on devices running Android 6.0 with Google Chrome version 51 (or any earlier version) installed if the website is opened in the following ways (this issue is caused by a well-known defect in Google Chrome):
  • From search results.
  • From the bookmarks list.
  • From search history.
  • Using the web address autocomplete function.
  • Opening the website in a new tab in Google Chrome.
• Forbidden websites may remain unblocked in Google Chrome version 50 (or any earlier version) if the website is opened from Google search results while the Merge Tabs and Apps feature is enabled in the browser settings. This issue is caused by a well-known defect in Google Chrome.
• Websites from blocked categories may remain unblocked in Google Chrome if the user opens them from third-party apps, for example, from an IM client app. This issue is related to how the Accessibility service works with the Chrome Custom Tabs feature.
• Forbidden websites may remain unblocked in Samsung Internet Browser if the user opens them in background mode from the context menu or from third-party apps, for example, from an IM client app.
• Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of Web Protection.
• On some Xiaomi devices, the "Display pop-up window" and "Display pop-up windows while running in the background" permissions should be granted for Web Protection to work.
• When entering a website address in Web Protection settings, adhere to the following rules:
  • For Android devices, specify the address in regular expressions format (for example, https://example.com.*).
  • For iOS MDM devices, specify the HTTP or HTTPS data transport protocol (for example, http://www.example.com).
• Allowed websites may be blocked in Samsung Internet Browser in the Only listed websites are allowed Web Protection mode when the page is refreshed. Websites are blocked if a regular expression contains advanced settings (for example, ^https?://example.com/pictures/). It is recommended to use regular expressions without additional settings (for example, ^https?://example.com).
• If Web Protection is set to All websites are blocked, Kaspersky Endpoint Security for Android does not block search in the Google Search widget. Instead, it blocks user access to the search results.
• In a work profile, if Web Protection is set to All websites are blocked, Kaspersky Endpoint Security for Android endlessly reloads the Google Chrome home page, blocks the browser, and interferes with the device.
• To make sure that the Kaspersky Endpoint Security for Android app allows or blocks access to the specified website in all supported versions of Google Chrome, HUAWEI Browser, Samsung Internet Browser, or Yandex Browser, include the same URL twice, once with the HTTP protocol (e.g., http://example.com) and once with the HTTPS protocol (e.g., https://example.com). As an alternative, you can use regular expressions.
• In Yandex Browser and Samsung Internet Browser, malicious and phishing websites may remain unblocked. This is because only the website domain is scanned, and if it is trusted, Web Protection can skip a threat.

Known issues in Anti-Theft operation

• For timely delivery of commands to Android devices, the app uses the Firebase Cloud Messaging (FCM) service. If FCM is not configured, commands will be delivered to the device only during synchronization with Kaspersky Security Center according to the schedule defined in the policy, for example, every 24 hours.
• To lock a device, Kaspersky Endpoint Security for Android must be set as the device administrator.
• To lock devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature.
• On some devices, Anti-Theft commands may fail to execute if Battery Saver mode is enabled on the device. This defect has been confirmed on Alcatel 5080X.
• To locate devices running Android 10.0 or later, the user must grant the "All the time" permission to device location.
• To take a mugshot with devices running Android 11.0 or later, the user must grant the "While using the app" permission to access the camera.

Known issues in App Control operation

• Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of App Control. This does not apply to device owner mode.
• For App Control (app categories) to work, you must enable the use of Kaspersky Security Network. App Control determines the category of an app based on data that is available in KSN. To use KSN, the mobile device must be connected to the internet. For App Control, you can add individual apps to the lists of blocked and allowed apps. In this case, KSN is not required.
• When configuring App Control, it is recommended to clear the Block system apps check box. Blocking system apps may lead to problems in device operation.
• On iOS MDM devices, if you specify allowed apps in the list of apps allowed to be installed, all apps except system apps and those added to the list of allowed apps will be hidden on the device screen.
• On some HUAWEI and Honor personal devices, apps from allowed categories may be blocked and apps from forbidden categories may remain unblocked. This is because the category for some apps from App Gallery cannot be correctly defined.

Known issues when configuring certificates in iOS MDM policy

• When you add a certificate to an iOS MDM policy and attempt to save or close the policy, MMC-based Administration Console of Kaspersky Security Center may crash, but the certificate is saved to the policy settings.

Known issues when configuring email

• Remote configuration of a mailbox is available only on the following devices:
  • iOS MDM devices.
  • Samsung devices (Exchange ActiveSync).
  • Android devices with the TouchDown mail client installed.

    In previous versions of Kaspersky Endpoint Security for Android, you can use Kaspersky Security Center to remotely configure TouchDown profile settings on a user's device. TouchDown support has been discontinued in Kaspersky Endpoint Security for Android Service Pack 4. For more detail, refer to the Symantec technical support website.

    After upgrading the Kaspersky Endpoint Security for Android Administration Plug-in, the TouchDown settings in the policy are hidden but saved. When new devices are connected, TouchDown settings will be configured after the policy is applied.

    After the policy is modified and saved, TouchDown settings will be deleted. The TouchDown settings on a user's devices will be cleared after a policy is applied.

Known issues when configuring device unlock password strength

• On devices running Android 10.0 or later, Kaspersky Endpoint Security resolves the password strength requirements into one of the system values: medium or high.

  If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN), with no repeating or ordered (e.g. 1234) sequences; or alphanumeric. The PIN or password must be at least 4 characters long.

  If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN), with no repeating or ordered sequences; or alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.

• On devices running Android 10.0 or later, using a fingerprint to unlock the screen can be managed for work profile only.
• On devices running Android 7.1.1, if the unlock password does not meet the corporate security requirements (Compliance Control), the Settings system app may function improperly when an attempt is made to change the unlock password through Kaspersky Endpoint Security for Android. The issue is caused by a well-known defect in Android 7.1.1. In this case, to change the unlock password, use the Settings system app only.
• On some devices running Android 6.0 or later, an error may occur when screen unlock password is entered, if device data is encrypted. This issue is related to specific features of the Accessibility service with MIUI firmware.
• On some HUAWEI devices, an issue message about too simple screen unlocking method appears, and the user must set a PIN code that is compliant with policy requirements. For more details about setting a correct PIN code on HUAWEI devices, please refer to Configuring a strong unlock password for an Android device.

Known issues when configuring Wi-Fi

• On devices running Android version 8.0 or later, settings of the proxy server for Wi-Fi cannot be redefined with the policy. However, you can manually configure the proxy server settings for a Wi-Fi network on the mobile device.
• On supervised iOS MDM devices, if you select the Force connection to allowed Wi-Fi networks only (supervised only, iOS 14.5+) check box when configuring feature restrictions, the current Wi-Fi connection will be interrupted even if it belongs to the allowed Wi-Fi networks list. This is due to iOS operating system specifics. The user must reconnect to the Wi-Fi network manually.

Known issues when configuring APN

• Remote configuration of APN is available only on iOS MDM devices or Samsung devices.
• Configure APN for iOS MDM devices in the Cellular communications section. The APN section is out of date. Before configuring the APN settings, make sure that the Apply on device check box in the APN section is cleared.

Known issues with Firewall

• Use of Firewall is available only on Samsung devices.

Known issues when configuring VPN

• Remote configuration of VPN is available only on the following devices:
  • iOS MDM devices.
  • Samsung devices.
• When you set up a VPN connection for selected domains in Safari, if you change the Connect automatically option, the changes are not applied on the device. The Connect automatically check box is selected by default and we recommend against changing it if you want to activate a VPN automatically for specified domains.

Known issues with App removal protection

• Kaspersky Endpoint Security for Android must be set as the device administrator.
• To protect the app from removal on devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature.
• On some Xiaomi and HUAWEI devices, Kaspersky Endpoint Security for Android removal protection does not work. This issue is caused by the specific features of MIUI 7 and 8 firmware on Xiaomi and EMUI firmware on HUAWEI.

Known issues when configuring device restrictions

• On devices running Android 10.0 or later, prohibiting the use of Wi-Fi networks is not supported.
• On devices running Android 11 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, you will not be able to restrict use of the camera.

Known issues when sending commands to mobile devices

• On devices running Android 12 or later, if the user granted the "Use approximate location" permission, the Kaspersky Endpoint Security for Android app first tries to get the precise device location. If this is not successful, the approximate device location is returned only if it was received not more than 30 minutes earlier. Otherwise, the Locate device command fails.
• The Locate device command does not work on Android devices if Google Location Accuracy is disabled in settings. Please be aware that not all Android devices come with this location setting.
• If you send the Enable Lost Mode command to a supervised iOS MDM device without a SIM card and this device is restarted, the device won't be able to connect to Wi-Fi and receive the Disable Lost Mode command. This is a specific feature of iOS devices. To avoid this issue, you can either send the command only to devices with a SIM card, or insert a SIM card into the locked device to allow it to receive the Disable Lost Mode command over the mobile network.

Known issues with Android work profile

• If you create an Android work profile by using a policy, the user must grant the "Allow access to manage all files" permission to Kaspersky Endpoint Security for Android that is installed on the devices running Android 11 or later and that is related to the work profile.
• The Prohibit activation of USB debugging mode Android work profile function does not work on devices with Android 13. This is caused by an issue in Android 13.
• On some Xiaomi devices with Android work profile, the work profile may be unlocked by a fingerprint only if you set the Period of inactivity before the device screen locks value after setting a fingerprint as the screen unlocking method.

Known issues with specific devices

• On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must grant Kaspersky Endpoint Security for Android an autostart permission or manually add it to the list of apps that are started when the operating system starts. If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted. In addition, if the device has been locked, you cannot use a command to unlock the device. You can unlock the device only by using a one-time unlock code.
• On certain devices (for example, Meizu and Asus) running Android 6.0 or later, after encrypting data and restarting the Android device, you must enter a numeric password to unlock the device. If the user uses a graphic password to unlock the device, you must convert the graphic password to a numeric password. For more details about converting a graphic password into a numeric password, please refer to the Technical Support website of the mobile device manufacturer. This issue is related to the operation of the Accessibility Features service.
• On some HUAWEI devices running Android 5.Х, after Kaspersky Endpoint Security for Android is set as an Accessibility feature, an incorrect message about the lack of appropriate rights may be displayed. To hide this message, enable the app as a protected app in the device settings.
• On some HUAWEI devices running Android 5.X or 6.X, when Battery Saver mode is enabled for Kaspersky Endpoint Security for Android, the user can manually terminate the app. The user device becomes unprotected after that. This issue is due to some features of HUAWEI software. To restore the device protection, run Kaspersky Endpoint Security for Android manually. It is recommended to disable Battery Saver mode for Kaspersky Endpoint Security for Android in the device settings.
• On HUAWEI devices with EMUI firmware running Android 7.0, the user can hide the notification regarding the protection status of Kaspersky Endpoint Security for Android. This issue is due to some features of HUAWEI software.
• On some Xiaomi devices, the user can use the Foreground Services Task Manager to stop Kaspersky Endpoint Security for Android from running in the background. This issue is due to some features of Xiaomi software.
• On some Xiaomi devices, when setting the password length to more than 5 characters in a policy, the user will be prompted to change the screen unlock password instead of the PIN code. You cannot set a PIN code that has more than 5 characters. This issue is due to some features of Xiaomi software.
• On Xiaomi devices with MIUI firmware running Android 6.0, the Kaspersky Endpoint Security for Android icon may be hidden in the status bar. This issue is due to some features of Xiaomi software. It is recommended to allow the display of notification icons in Notifications settings.
• On some Nexus devices running Android 6.0.1, the privileges required for proper operation cannot be granted through the Quick Start Wizard of Kaspersky Endpoint Security for Android. This issue is caused by a well-known defect in Security Patch for Android by Google. To ensure proper operation, the required privileges must be manually granted in the device settings.
• On certain Samsung devices running Android 7.0 or later, when the user attempts to configure unsupported methods for unlocking the device (for example, a graphical password), the device may be locked if the following conditions are met: Kaspersky Endpoint Security for Android removal protection is enabled and screen unlock password strength requirements are set. To unlock the device, you must send a special command to the device.
• On certain Samsung devices, it is impossible to block the use of fingerprints for unlocking the screen.
• Web Protection cannot be enabled on some Samsung devices, if the device is connected to a 3G/4G network, has Battery Saver mode enabled and restricts background data. It is recommended to disable the function that restricts background processes in Battery Saver settings.
• On certain Samsung devices, if the unlock password does not comply with corporate security requirements, Kaspersky Endpoint Security for Android does not block the use of fingerprints for unlocking the screen.
• After executing Anti-Theft commands (such as Locate, Device Lock, Unlock, and Mugshot), the mobile certificate and the VPN certificate may be deleted on some Samsung devices. The certificates have to be reinstalled to continue. This issue occurs due to the Mobile Device Fundamentals Protection Profile (MDFPP) security standard.
• On some Honor and HUAWEI devices, you cannot restrict the use of Bluetooth. When Kaspersky Endpoint Security for Android attempts to restrict the use of Bluetooth, the operating system shows a notification containing the options to reject or allow this restriction. The user can reject this restriction and continue to use Bluetooth.
• On some Samsung devices, after Kaspersky Endpoint Security is installed or updated from a standalone installation package, KNOX MDM profile activation is unavailable.
• On Blackview devices, the user can clear the memory for the Kaspersky Endpoint Security for Android app. As a result, the device protection and management are disabled, all defined settings become ineffective, and the Kaspersky Endpoint Security for Android app is removed from the Accessibility features. This is because this vendor's devices provide the customized Recent screens app with elevated privileges. This app can override Kaspersky Endpoint Security for Android settings and cannot be replaced because it is part of the Android operating system.
• On some Google Pixel devices running Android 11 or earlier, the Kaspersky Endpoint Security for Android app crashes immediately after the start. This is caused by an issue in Android.
• On some TECNO and OnePlus devices, the user can unlock the device using face scanning, even if this biometric unlock method is prohibited by the policy.
• On some devices (for example, Xiaomi, Tecno, Realme) running Android 9.0 or later, when you select the Prohibit changing language check box in device owner mode, the user still can change the language, and no warning message appears.
• On some Sony and Google Pixel devices running Android 13 or later, the Kaspersky Endpoint Security Help, which has information about enabling accessibility is displayed incorrectly.
• On Samsung Galaxy S23 and S24 series devices Real-Time Protection may not work.

Known issues in app operation on Android 13

• On Android 13, the user can use the Foreground Services Task Manager to stop Kaspersky Endpoint Security from running in the background. This is caused by a well-known issue in Android 13.
• On Android 13, the permission to send notifications is requested when the initial app configuration begins. This is due to specifics of the Android 13 operating system.

Known issues when adding web clips

• The maximum number of web clips that can be added to an Android device depends on the device type. When this number is reached, web clips are no longer added to the Android device.

Known issues in device owner mode

• Some device owner mode features and control options may not work properly on Xiaomi devices (including Redmi and POCO) due to vendor specifics.
  • Restricting Android features may not work on Xiaomi, Redmi, and POCO devices for the following control options:
    • Prohibit modification of apps in Settings
    • Prohibit uninstallation of apps
  • Other issues:
    • When installing the Kaspersky Endpoint Security for Android app in device owner mode on Xiaomi devices running Android 12, the app does not start automatically once the device setup completes. Please start the app manually.
    • When setting up permissions for Kaspersky Endpoint Security for Android on Xiaomi MI A3 devices running stock Android 11, you may need to provide the Accessibility permission twice for the settings to apply. After Allow is selected, you may be redirected to the Accessibility permission request again. Please turn the switch to OFF and then to ON again to apply the changes and continue the setup.
    • Kaspersky Endpoint Security for Android removal protection feature may not work on some Xiaomi devices. This issue is caused by the specifics of MIUI 7 and 8 firmware on Xiaomi.
• On certain devices running Android 10 or earlier, if you select the Prohibit modification of apps in Settings check box when configuring restrictions for apps, the user still can clear app defaults and stop apps in app settings. This is due to Android operating system specifics.
• Managing update settings on mobile devices is vendor-specific. On some Android devices, the restriction on manual installation of operating system updates may work incorrectly.
• The Kaspersky Endpoint Security for Android app can't be installed in device owner mode on the following devices: Honor 30i (Android 10), HUAWEI y8p, HUAWEI Y5 (Android 8), HUAWEI Mate 40 PRO (Android 10), Xiaomi Redmi 4X (Android 7.1), Honor 5c (Android 7.0, EMUI 5.0). This is due to the device firmware specifics: the QR code scanner is not available after the device is reset to factory settings.
• On devices with Android 10, location permissions are automatically set to Allow only while using the app instead of Allow all the time and can't be changed by the administrator or users. This issue is caused by a well-known bug in Android 10.
• The Prohibit screen capture restriction does not block the device user from capturing the device settings screen.
• On some Samsung and Xiaomi devices, the Prohibit file transfer over USB restriction does not block the device user from transferring files via Android Debug Bridge (ADB).

Known issues in kiosk mode

• On iOS MDM devices running iOS 17 and iPadOS 17, if the Auto-Rotate Screen check box is cleared in Kiosk mode settings, screen orientation still changes automatically when the device is rotated.

Known issues with app configurations

• The Set Restricted Mode for YouTube, Enforce at least moderate restricted mode, Do not enforce restricted mode settings do not work for Google Chrome. This issue is caused by a well-known defect in Google Chrome.

[Topic 136255]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deployment

This Help section is intended for specialists who install Kaspersky Secure Mobility Management, as well as for specialists who provide technical support to organizations that use Kaspersky Secure Mobility Management.

[Topic 98741]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Solution architecture

Kaspersky Secure Mobility Management includes the following components:

• Kaspersky Endpoint Security for Android mobile app

  The Kaspersky Endpoint Security for Android app ensures protection of mobile devices against web threats, viruses, and other programs that pose threats. It supports interaction between the mobile device and the Kaspersky Security Center Administration Server using Firebase Cloud Messaging.

• Kaspersky Endpoint Security for Android Administration Plug-in

  The Administration Plug-in of Kaspersky Endpoint Security for Android provides the interface for managing mobile devices and mobile apps installed on them through the Administration Console of Kaspersky Security Center.

• Kaspersky Device Management for iOS Administration Plug-in

  The Administration Plug-in of Kaspersky Device Management for iOS provides an interface for managing mobile devices connected by means of the iOS MDM protocol through the Administration Console of Kaspersky Security Center.

The architecture of the Kaspersky Secure Mobility Management integrated solution is shown in the figure below.

The architecture of Kaspersky Secure Mobility Management

For details on Administration Console, Administration Server, and iOS MDM Server, please refer to Kaspersky Security Center Help.

[Topic 99483]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deployment scenarios for Kaspersky Endpoint Security for Android

Kaspersky Endpoint Security for Android can be deployed on mobile devices within the corporate network in several ways. You can use the most suitable deployment scenario for your organization or combine several deployment scenarios.

For details on deploying Kaspersky Endpoint Security for Android in Kaspersky Endpoint Security Cloud, please refer to Kaspersky Endpoint Security Cloud help.

Deploying Kaspersky Endpoint Security for Android via Kaspersky Security Center on personal devices

For personal devices, you can deploy Kaspersky Endpoint Security for Android via Kaspersky Security Center by using the following methods:

• Deliver messages with the link to download the app from Google Play (recommended)
• Deliver messages with the link to download the app installation package from Kaspersky Security Center

Deployment of Kaspersky Endpoint Security for Android using Google Play consists in sending messages containing the Google Play link to users of devices from the Administration Console.

To deploy Kaspersky Endpoint Security for Android via the installation package, do the following:

1. Create and configure an app installation package.
2. Create a standalone installation package.
3. Send messages with the link to download a standalone installation package to users of Android devices. Mass mailing is available.

The user installs Kaspersky Endpoint Security for Android on a mobile device after receiving the message with the link. No additional preparations are needed to begin using the app.

When deploying the app via the installation package downloaded from Kaspersky Security Center, the "Blocked by Play Protect" message may appear on the device. The issue is caused by the installation package signing certificate being different from the one specified in Google Play. The user should continue the installation by choosing Install anyway. If OK is selected, the installation process will be interrupted and the device will be reset to factory settings.

Deploying Kaspersky Endpoint Security for Android via Kaspersky Security Center on company-owned devices (device owner mode)

For company-owned devices (device owner mode), you can deploy Kaspersky Endpoint Security for Android via Kaspersky Security Center by using the following methods:

• Deliver the QR code with the link to download the app from Kaspersky website
• Deliver the QR code with the link to download the app installation package from Kaspersky Security Center

To deploy Kaspersky Endpoint Security for Android in device owner mode via the app from Kaspersky website, do the following:

1. Create a QR code for app installation from the Administration Console.
2. Pre-configure the mobile device and install Kaspersky Endpoint Security for Android using the QR code.

To deploy Kaspersky Endpoint Security for Android in device owner mode via the app installation package, do the following:

1. Create and configure an app installation package.
2. Create a standalone installation package.
3. Create a QR code for app installation via the installation package.
4. Pre-configure the mobile device and install Kaspersky Endpoint Security for Android using the QR code.

   When deploying the app via the installation package downloaded from Kaspersky Security Center, after the device is reset to factory settings and the QR code is scanned, the Blocked by Play Protect message may appear on the device. The issue is caused by the installation package signing certificate being different from the one specified in Google Play. The user should continue the installation by choosing Install anyway. If OK is selected, the installation process will be interrupted and the device will be reset to factory settings.

Deploying Kaspersky Endpoint Security for Android from Google Play

Kaspersky Endpoint Security for Android is installed from Google Play independently by the users of devices. Users download the mobile app distribution package from Google Play and install the app on devices. After the app has been installed on the device, you need to make additional preparations before you can begin using it: configure the settings of the connection to the Administration Server and install a mobile certificate.

Deploying Kaspersky Endpoint Security for Android via KNOX Mobile Enrollment

Deployment of Kaspersky Endpoint Security for Android consists of adding a KNOX MDM profile to mobile devices. The KNOX MDM profile contains a link to an app deployed on the Kaspersky Security Center Web Server or another server. After the app is installed on the mobile device, you must also install a mobile certificate.

You can read about installation through KNOX Mobile Enrollment in the Samsung KNOX section.

[Topic 141784]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deployment scenarios for iOS MDM profile

An iOS MDM profile is a profile that contains the settings for connecting mobile devices running iOS to Kaspersky Security Center. After installation of an iOS MDM profile and synchronization with Kaspersky Security Center, the device becomes a managed device. Mobile devices are managed through the Apple Push Notification service (APNs).

Using an iOS MDM profile, you can do the following:

• Remotely configure the settings of iOS MDM devices by using group policies.
• Send device lock and data wipe commands.
• Remotely install Kaspersky apps and other third-party apps.

An iOS MDM profile can be deployed on mobile devices within the corporate network in several ways. You can use the most suitable deployment scenario for your organization or combine several deployment scenarios.

Before deploying an iOS MDM profile, you must deploy a mobile device management system.

For details on deploying an iOS MDM profile in Kaspersky Endpoint Security Cloud, please refer to Kaspersky Endpoint Security Cloud help.

Deploying an iOS MDM profile via Kaspersky Security Center

Deployment of an iOS MDM profile via Kaspersky Security Center can be carried out by sending messages containing a link to download the iOS MDM profile. Mass mailing is available.

The user installs the iOS MDM profile to a mobile device after receiving the message with a link to the Kaspersky Security Center Web Server. No additional preparations for the iOS MDM profile are required.

[Topic 99201]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Preparing the Administration Console for deployment of the integrated solution

This section provides instructions on preparing the Administration Console for deployment of the integrated solution.

[Topic 89678]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring Administration Server settings for connection of mobile devices

In order for mobile devices to be able to connect to the Administration Server, before installing the Kaspersky Endpoint Security mobile app, configure the mobile device connection settings in the Administration Server properties.

To configure Administration Server settings for connecting mobile devices:

1. In the context menu of the Administration Server, select Properties.

   The Administration Server settings window opens.

2. Configure the Administration Server ports that will be used by mobile devices:
   1. Select Administration server connection settings → Additional ports.
   2. Select the Open port for mobile devices check box.
   3. In the Port for mobile device synchronization field, specify the port through which mobile devices will connect to the Administration Server.

      Port 13292 is used by default.

      If the Open port for mobile devices check box is cleared or the wrong connection port is specified, mobile devices will not be able to connect to the Administration Server.

   4. In the Port for mobile device activation field, specify the port to be used by mobile devices to connect to the Administration Server for activation of the Kaspersky Endpoint Security for Android app.

      Port 17100 is used by default.

   5. Click OK.
3. If necessary, replace the certificate used by devices to connect to the Administration Server:

   By default, the certificate that has been created during the Administration Server installation is used. Replace this certificate with a different one or reissue the certificate.

   1. Select the Certificates section.
   2. Define the required settings.
4. Specify a reserve Administration Server certificate.

   You need to specify a reserve Administration Server certificate to meet the security requirements of your organization and maintain a continuous connection between managed devices and the Administration Server. A reserve certificate is not issued by default.

5. Click Save to save the changes you have made to the settings and exit the Administration Server properties window.

After you configure the mobile device connection settings, you can install the Kaspersky Endpoint Security app on mobile devices and connect them to the Administration Server by using the specified settings.

[Topic 245223]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server

This topic describes how to configure a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server. The configuration proceeds in the following steps:

1. Install Network Agent in the connection gateway role on a host
2. Configure the connection gateway on Kaspersky Security Center Administration Server

This article contains an overview of the scenario. For detailed instructions, please refer to the Kaspersky Security Center documentation.

Requirements

For a connection gateway to work correctly with mobile devices, the following requirements must be met:

• Port 13292 must be open on the host with the connection gateway.
• Port 13000 must be open between the connection gateway and Kaspersky Security Center. It does not need to be open outside the DMZ.
• The host must have a static address accessible from the internet.

Install Network Agent in the connection gateway role on a host

First, you need to install Network Agent on the selected host device acting in the gateway connection role. You can download a full installation package of Kaspersky Security Center or use a local installation of Kaspersky Security Center.

By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>

To install Network Agent in the connection gateway role:

1. Start the Network Agent Setup Wizard and follow its instructions leaving default values for all of the options until the Select Administration Server window opens.
2. In the Select Administration Server window, configure the following settings:
   • Enter the address of the device with Administration Server installed.
   • In the Port, SSL port, and UDP port fields, leave the default values.
   • Select the Use SSL to connect to Administration Server check box to establish a connection to the Administration Server through a secure port via SSL.

     We recommend that you do not clear this check box so your connection remains secured.

   • Select the Allow Network Agent to open UDP port check box to manage client devices and receive information about them.
3. Click Next and proceed through the Wizard with default settings up to the Connection gateway window.
4. In the Connection gateway window, select Use Network Agent as a connection gateway in DMZ.

   This mode simultaneously activates the connection gateway role and tells Network Agent to wait for connections from Administration Server, rather than establish connections to Administration Server.

5. Click Next and start the installation.

Network Agent is now installed and configured in the connection gateway role.

Configure the connection gateway on Kaspersky Security Center Administration Server

Once you have installed Network Agent in the connection gateway role, you need to connect it to Administration Server. Administration Server does not yet list the device with the connection gateway among the managed devices because the connection gateway has not tried to connect to Administration Server. Therefore, you need to add the connection gateway as a distribution point to ensure that Administration Server initiates a connection to the connection gateway.

To configure the connection gateway on Administration Server:

1. Add the connection gateway as a distribution point in Kaspersky Security Center.
   1. In the console tree, select the Administration Server node.
   2. In the context menu of Administration Server, select Properties.
   3. In the Administration Server properties window, select the Distribution points section.
   4. Click the Add button.

      The Add distribution point window opens.

   5. In the Add distribution point window, perform the following actions:
      • Specify the IP address of the device with Network Agent installed in the Device to act as distribution point field. To do this, select Add connection gateway in DMZ by address in the drop-down list.

        Enter the IP address of the connection gateway or enter the name if the connection gateway is accessible by name.

      • In the Distribution point scope field, select the group to which the connection gateway will be distributed from the drop-down list, and then click OK.
   6. In the Distribution points section, click OK to save the changes you have made.

   The connection gateway will be saved as a new entry named Temporary entry for connection gateway.

   Administration Server almost immediately attempts to connect to the connection gateway at the address that you specified. If it succeeds, the entry name changes to the name of the connection gateway device. This process takes up to five minutes.

   While the temporary entry for the connection gateway is being converted to a named entry, the connection gateway also appears in the Unassigned devices group.

2. Create a new group under the Managed devices group. This new group will contain external managed devices.
3. Move the connection gateway from the Unassigned devices group to the group that you have created for external devices.
4. Configure properties of the connection gateway that you have deployed:
   1. In the Distribution points section of the Administration Server properties, select the connection gateway and click Properties.
   2. In the General section, under DNS domain names of the distribution point for access by mobile devices (included in the certificate), specify your connection gateway DNS name that will be used to connect to the mobile device.
   3. In the Connection Gateway section, select the following check boxes and leave the default port numbers:
      • Open port for mobile devices (SSL authentication of the Administration Server only)
      • Open port for mobile devices (two-way SSL authentication)
   4. Click OK to save the changes you have made.

The connection gateway is now configured. You can now add new mobile devices by specifying the connection gateway address. New devices will appear on Administration Server.

[Topic 89684]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Displaying the Mobile Device Management folder in the Administration Console

By displaying the Mobile Device Management folder in the Administration Console, you can view the list of mobile devices managed by the Administration Server, configure the mobile device management settings, and install certificates on mobile devices of users.

To enable the display of the Mobile Device Management folder in the Administration Console:

1. In the context menu of the Administration Server, select View → Configuring interface.
2. In the window that opens, select the Display Mobile Device Management check box.
3. Click OK.

The Mobile Device Management folder is displayed in the Administration Console tree after the Administration Console is restarted.

[Topic 89688]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating an administration group

To perform centralized configuration of the Kaspersky Endpoint Security for Android app installed on the users' mobile devices, the group policies must be applied to the devices.

To apply the policy to a device group, you are advised to create a separate group for these devices in the Managed devices prior to installing mobile apps on user devices.

After creating an administration group, it is recommended to configure the option to automatically allocate devices on which you want to install the apps to this group. Then configure settings that are common to all devices using a group policy.

To create administration group, follow the steps below:

1. In the console tree, select the Managed devices folder.
2. In the workspace of the Managed devices folder or subfolder, select the Devices tab.
3. Click the New group  button.

   This opens the window in which you can create a new group.

4. In the Group name window type the group name and click OK.

A new administration group folder with the specified name appears in the console tree. For more detailed information on use of administration groups, see Kaspersky Security Center Help.

[Topic 89691]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating a rule for device automatic allocating to administration groups

You can centrally administer the settings of Kaspersky Endpoint Security for Android app installed on users' mobile devices only if the devices belong to a previously created administration group for which a group policy has been configured.

If the rule to automatically allocate mobile devices detected on the network to the administration group is not configured, during the first synchronization of the device with the Administration Server, the device is automatically sent to the Administration Console in the Advanced → Device discovery → Domains → KES10 folder (KES10 is used by default). A group policy does not apply to this device.

To create the rule for automatic allocating of mobile devices to administration group, follow the steps below:

1. In the console tree, select the Unassigned devices folder.
2. From the context menu of the Unassigned devices folder, select Properties.

   The Properties: Unassigned devices window appears.

3. In the Move devices section, click Add to start the process of creating a rule for automatically allocating devices to an administration group.

   The New rule window appears.

4. Type the rule name.
5. Specify the administration group to which mobile devices should be allocated after the Kaspersky Endpoint Security for Android mobile app has been installed on them. To do so, click Browse to the right of the Group to move devices to field and select the group in the window that appears.
6. In the Apply rule section, select Run once for each device.
7. Select the Move only devices not added to administration groups check box to prevent allocating to the selected group the mobile devices that were allocated to other administration groups when applying the rule.
8. Select the Enable rule check box, so that the rule can be applied to newly detected devices.
9. Open the Applications section and do the following:
   1. Select the Operating system version check box.
   2. Select one or several types of operating systems of the devices to be allocated to the specified group: Android or iOS.
10. Click OK.

The newly created rule is displayed in the list of device allocation rules in the Move devices section in the properties window of the Unassigned devices folder.

According to the rule, Kaspersky Security Center allocates all devices that meet the specified requirements from the Unassigned devices folder to the selected group. The mobile devices which were earlier allocated to the Unassigned devices folder can also be allocated to the required administration group of the Managed devices folder manually. For more detailed information on administration groups management and actions with undistributed devices, see Kaspersky Security Center Help.

[Topic 89284]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Working with certificates of mobile devices

This section contains information about how to work with certificates of mobile devices. The section contains instructions on how to install certificates on users' mobile devices and how to configure certificate issuance rules. The section also contains instructions on how to integrate the application with the public keys infrastructure and how to configure the support of Kerberos.

[Topic 274364]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Reissuing the mobile Administration Server certificate

You need to specify a reserve Administration Server certificate to meet the security requirements of your organization and maintain a continuous connection between managed devices and the Administration Server. A reserve certificate is not issued by default.

We recommend that you specify a reserve certificate when installing the Administration Server or no later than 30 days before the expiration of the existing certificate. The exact expiration time is available in the Valid to field of the certificate settings (in the context menu of the Administration Server, select Properties → Administration server connection settings → Certificates).

The maximum validity period of any Administration Server certificate does not exceed 397 days.

The reserve certificate is delivered to the device during synchronization and becomes the main certificate immediately after the existing certificate expires. If the certificate expires and no reserve has been specified, the connection between the Administration Server and Kaspersky Endpoint Security on managed devices will be lost. In this case, to reconnect devices, you must specify a new certificate and reinstall Kaspersky Endpoint Security on each of the managed devices.

To reissue the Administration Server certificate with delayed activation (to use a certificate as a reserve one):

1. In the console tree, in the context menu of the Administration Server, select Properties.
2. In the Administration Server properties window, select Administration server connection settings → Certificates.
3. If you plan to continue using the certificate issued by Kaspersky Security Center:
   1. In the Administration Server authentication by mobile devices group of settings, select the Certificate issued through Administration Server option and click Reissue.
   2. In the Reissue certificate window that opens:
      1. In the Connection address group of settings, select Use old connection address or Change connection address to, if a new connection address will be used.
      2. In the Activation term group of settings, select After this period expires, days to use the certificate as a reserve one.

         It is recommended to specify a certificate activation period of at least 30 days so that all devices have time to receive the certificate. Please note that the specified period must be greater than the period for synchronizing devices with the Administration Server. For more information about configuring settings for device synchronization with the Administration Server, see the Configuring synchronization settings section.

      3. Click OK.
      4. In the confirmation window, click Yes.

   Alternatively, if you plan to use your own custom certificate:

   1. Check whether your certificate meets the requirements of Kaspersky Security Center and the requirements for trusted certificates by Apple. If necessary, modify the certificate.
   2. Select the Other certificate option and click Browse.
   3. In the Certificate window that opens, in the Certificate type field, select the type of your certificate and then specify the certificate location and settings:
      • If you select PKCS #12 container, click the Browse button next to the Certificate file field and specify the certificate file on your hard drive. If the certificate file is password-protected, enter the password in the Password (if any) field.
      • If you select X.509 certificate, click the Browse button next to the Private key (.prk, .pem) field and specify the private key on your hard drive. If the private key is password-protected, enter the password in the Password (if any) field. Then click the Browse button next to the Public key (.cer) field and specify the private key on your hard drive.
   4. In the Activation term group of settings, select After this period expires, days to use the certificate as a reserve one.
   5. In the Certificate window, click OK.
   6. In the confirmation window, click Yes.

The certificate is reissued for use as the Administration Server certificate or as a reserve one.

To immediately reissue the Administration Server certificate (not recommended if you have any managed mobile devices):

Do not select Immediately if you have any managed mobile devices. If you select this option, the connection with all managed devices will be lost, since the new certificate will not be delivered to devices, and the previously existing certificate will no longer be valid.

1. In the console tree, in the context menu of the Administration Server, select Properties.
2. In the Administration Server properties window, select Administration server connection settings → Certificates.
3. If you plan to continue using the certificate issued by Kaspersky Security Center:
   1. In the Administration Server authentication by mobile devices group of settings, select the Certificate issued through Administration Server option and click Reissue.
   2. In the Reissue certificate window that opens:
      1. In the Connection address group of settings, select Use old connection address or Change connection address to, if a new connection address will be used.
      2. In the Activation term group of settings, select Immediately.
   3. Click OK.
   4. In the confirmation window, click Yes.

   Alternatively, if you plan to use your own custom certificate:

   1. Check whether your certificate meets the requirements of Kaspersky Security Center and the requirements for trusted certificates by Apple. If necessary, modify the certificate.
   2. Select the Other certificate option and click Browse.
   3. In the Certificate window that opens, in the Certificate type field select the type of your certificate and then specify the certificate location and settings:
      • If you select PKCS #12 container, click the Browse button next to the Certificate file field and specify the certificate file on your hard drive. If the certificate file is password-protected, enter the password in the Password (if any) field.
      • If you select X.509 certificate, click the Browse button next to the Private key (.prk, .pem) field and specify the private key on your hard drive. If the private key is password-protected, enter the password in the Password (if any) field. Then click the Browse button next to the Public key (.cer) field and specify the private key on your hard drive.
   4. In the Activation term group of settings, select Immediately.
   5. In the Certificate window, click OK.
   6. In the confirmation window, click Yes.

The certificate is reissued for use as the Administration Server certificate or as a reserve one.

For more information about certificates, please refer to the Kaspersky Security Center Help.

[Topic 89730]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating a certificate of mobile devices

Expand all | Collapse all

You can create the following types of certificates on a user's mobile device:

• Mobile certificates for identifying the mobile device
• Mail certificates for configuring the corporate mail on the mobile device
• VPN certificate for configuring access to a virtual private network on the mobile device

To create a certificate of mobile devices:

1. In the console tree, select the Mobile Device Management → Certificates folder.
2. In the workspace of the Certificates folder, click the Add certificate button to start the Certificate Installation Wizard.
3. In the Certificate type window of the Wizard, specify the type of certificate that must be installed on the user's mobile device:
   • Mobile certificate

     This certificate is needed for identifying the mobile device.

   • Mail certificate

     This certificate is needed for configuring the corporate mail on the mobile device.

   • VPN certificate

     This certificate is needed for configuring access to a virtual private network on the mobile device.

4. In the Selecting device type window of the Wizard, Specify the type of the operating system on the device:
   • iOS MDM device

     Select this option if you want to install a certificate on a mobile device that is connected to the iOS MDM Server by using iOS MDM protocol.

   • KES device managed by Kaspersky Security for Mobile

     Select this option if you want to install a certificate on a KES device. In this case, the certificate will be used for user identification upon every connection to the Administration Server.

   • KES device connected to Administration Server without user certificate authentication

     Select this option if you want to install a certificate on a KES device using no certificate authentication. In this case, at the final step of the wizard, in the User notification method window you must select the user authentication type used at every connection to the Administration Server.

   This window is displayed only if you selected Mail certificate or VPN certificate as the certificate type.

5. In the User selection window of the Wizard, select users, user groups, or Active Directory user groups for which you want to create the certificate.
6. In the Certificate source window of the Wizard, select the method by which the certificate is created.
   • To create a certificate automatically by using Administration Server tools, select Issue certificate through Administration Server tools.
   • To assign a previously created certificate to a user, select the Specify certificate file option. Click the Browse button to open the Certificate window and specify the certificate file in it.
7. In the Certificate publishing settings window of the Wizard, select the Do not notify the user about a new certificate check box if you do not want to notify the user about certificate creation. In this case, the User notification method window will not be displayed.
8. In the User notification method window of the Wizard, configure the settings of mobile device user notification about certificate creation using a text message or via email.

   This window is not displayed if you selected iOS MDM device as the device type or if you selected the Do not notify the user about a new certificate option.

   1. In the Authentication method field, specify the user authentication type:
      • Credentials (domain or alias)

        In this case, the user employs the domain password or the password of a Kaspersky Security Center internal user to receive a new certificate.

      • One-time password

        In this case, the user receives a one-time password that will be sent by email or by SMS. This password must be entered to receive a new certificate.

        This option changes to Password if you enabled (selected) the Allow the device multiple receipts of a single certificate (only for devices with Kaspersky security applications for mobile devices installed) option in the Certificate publishing settings window.

      This field is displayed if you selected Mobile certificate in the Certificate type window or if you selected KES device connected to Administration Server without user certificate authentication as the device type.

   2. Select the user notification option:
      • Show authentication password after the wizard finishes

        If you select this option, the user name, user name in Security Account Manager (SAM), and password for certificate retrieval for each of the selected users will be displayed at the final step of the Certificate installation wizard. Configuration of user notification about an installed certificate will be unavailable.

        When you add certificates for multiple users, you can save the provided credentials to a file by clicking the Export button at the last step of the Certificate installation wizard.

        This option is unavailable if you selected Credentials (domain or alias) at the User notification method step of the Certificate installation wizard.

      • Notify user of new certificate

        If you select this option, you can configure user notification about a new certificate.

        • By email

          In this group of settings, you can configure user notification about installation of a new certificate on his or her mobile device using email messages. This notification method is only available if the SMTP Server is enabled.

          Click the Edit message link to view and edit the notification message, if necessary.

        • By SMS

          In this group of settings, you can configure the user notification about using SMS to install a certificate on mobile devices. This notification method is only available if SMS notification is enabled.

          Click the Edit message link to view and edit the notification message, if necessary.

9. In the Generating the certificate window of the Wizard, click Done to finish the Certificate Installation Wizard.

After the wizard finishes, a certificate is created and added to the list of the user's certificates; in addition, a notification is sent to the user, providing the user with a link for downloading and installing the certificate on the mobile device. You can delete and reissue certificates, as well as view their properties.

[Topic 89286]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring certificate issuance rules

The certificates are used for the device authentication on the Administration Server. All managed mobile devices must have certificates. You can configure how the certificates are issued.

To configure certificate issuance rules:

1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
2. In the workspace of the Certificates folder, click the Add certificate button to open the Certificate issuance rules window.
3. Proceed to the section with the name of a certificate type:

   Issuance of mobile certificates—To configure the issuance of certificates for the mobile devices.

   Issuance of mail certificates—To configure the issuance of mail certificates.

   Issuance of VPN certificates—To configure the issuance of VPN certificates.

4. In the Issuance settings section, configure the issuance of the certificate:
   • Specify the certificate term in days.
   • Select a certificate source (Administration Server or Certificates are specified manually).

     Administration Server is selected as the default source of certificates.

   • Specify a certificate template (Default template, Other template).

     Configuration of templates is available if the Integration with PKI section features the integration with Public Key Infrastructure enabled.

5. For VPN and mail certificates if the integration with the PKI is configured, enable and configure automatic issuance of the certificate on device connection to Kaspersky Security Center.

   To do so, in the Automatic issuance of <certificate type> certificate on device connection section, select the Issue for KES devices managed by Kaspersky Secure Mobility Management and/or Issue for iOS MDM devices check boxes.

   If you selected the Issue for iOS MDM devices check box, select the tag for the certificate issuance from the drop-down list. The following tags are available: Certificate template 1, Certificate template 2, or Certificate template 3.

   You can configure the further use of the selected tag for the certificate issuance in the following sections:

   • If the Issuance of mail certificates section has been selected in the Certificate issuance rules window:
     • In the properties of the Email account for iOS MDM devices.
     • In the properties of the Exchange ActiveSync account for iOS MDM devices.
   • If the Issuance of VPN certificates section has been selected in the Certificate issuance rules window:
     • In the properties of the VPN network for iOS MDM devices.
6. In the Automatic Updates settings section, configure automatic updates of the certificate:
   • In the Renew when certificate is to expire in (days) field, specify how many days before expiration the certificate must be renewed.
   • To enable automatic updates of certificates, select the Reissue certificate automatically if possible check box.

   A mobile certificate can be renewed manually only.

7. In the Password protection section, enable and configure the use of a password when decrypting certificates.

   Password protection is only available for mobile certificates.

   1. Select the Prompt for password during certificate installation check box.
   2. Use the slider to define the maximum number of symbols in the password for encryption.
8. Click OK.

[Topic 92526]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Integration with Public Key Infrastructure

Integration with Public Key Infrastructure (hereinafter referred to as PKI) is primarily intended for simplifying the issuance of domain user certificates by Administration Server. Following integration, certificates are issued automatically.

The minimum supported PKI server version is Windows Server 2008.

The administrator can assign a domain certificate for a user in Administration Console. This can be done by using one of the following methods:

• Assign the user a special (customized) certificate from a file in the Certificate installation wizard.
• Perform integration with PKI and assign PKI to act as the source of certificates for a specific type of certificates or for all types of certificates.

General principle of integration with PKI for issuance of domain user certificates

Please note the following:

• The settings of integration with PKI provide you the possibility to specify the default template for all types of certificates. Note that the rules for issuance of certificates (available in the workspace of the Mobile Device Management / Certificates folder by clicking the Configure certificate issuance rules button) allow you to specify an individual template for every type of certificates.
• A special Enrollment Agent (EA) certificate must be installed on the device with Administration Server, in the certificates repository of the account under which integration with PKI is performed. The Enrollment Agent (EA) certificate is issued by the administrator of the domain's CA (Certificate Authority).

The account under which integration with PKI is performed must meet the following criteria:

• It is a domain user.
• It is a local administrator of the device with Administration Server from which integration with PKI is initiated.
• It has the right to Log On As Service.
• The device with Administration Server installed must be run at least once under this account to create a permanent user profile.

To create a permanent user profile, log on at least once under the configured user account on the device with Administration Server installed. In this user's certificate repository on the Administration Server device, install the Enrollment Agent certificate provided by domain administrators.

Configuring integration with PKI

To configure integration with the public keys infrastructure:

1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
2. In the workspace, click the Certificate type button to open the Integration with PKI section of the Certificate issuance rules window.

   The Integration with PKI section of the Certificate issuance rules window opens.

3. Select the Integrate issuance of certificates with PKI check box.
4. In the Account field, specify the name of the user account to be used for integration with the public key infrastructure.
5. In the Password field, enter the domain password for the account.
6. In the Certificate template name in PKI system list, select the certificate template that will be used for the issuance of certificates to domain users.

   A dedicated service is run in Kaspersky Endpoint Security under the specified user account. This service is responsible for issuing users' domain certificates. The service is run when the list of certificate templates is loaded by clicking the Refresh list button or when a certificate is generated.

7. Click OK to save the settings.

Following integration, certificates are issued automatically.

[Topic 64428]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deploying mobile device management systems

This section describes the deployment of mobile device management systems by using the iOS MDM and Kaspersky Endpoint Security protocols.

[Topic 179492]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Scenario: Mobile Device Management deployment

This section provides a scenario for configuring the Mobile Device Management feature in Kaspersky Security Center.

Prerequisites

Make sure that you have a license that grants access to the Mobile Device Management feature.

Stages

Deployment of the Mobile Device Management feature proceeds in stages:

1. Preparing the ports

   Make sure that port 13292 is available on the Administration Server. This port is required for connecting mobile devices. Also, you may want to make port 17100 available. This port is only required for the activation proxy server for managed mobile devices; if managed mobile devices have internet access, you do not have to make this port available.

2. Enabling Mobile Device Management

   You can enable Mobile Device Management when you are running the Administration Server quick start wizard or later.

3. Specifying the external address of the Administration Server

   You can specify the external address when you run the Administration Server quick start wizard or later. If you did not select Mobile Device Management for installation and did not specify the address in the installation wizard, specify the external address in the installation package properties.

4. Adding mobile devices to the Managed devices group

   Add the mobile devices to the Managed devices group so that you can manage these devices through policies. You can create a moving rule in one of the steps of the Administration Server quick start wizard. You can also create the moving rule later. If you do not create such a rule, you can add mobile devices to the Managed devices group manually.

   You can add mobile devices to the Managed devices group directly, or you can create a subgroup (or multiple subgroups) for them.

   At any time afterward, you can connect any new mobile device to the Administration Server using the Mobile device connection wizard.

5. Creating a policy for mobile devices

   To manage mobile devices, create a policy (or multiple polices) for them in the group where these devices belong. You can change the settings of this policy at any time afterward.

Results

Upon completion of the scenario, you can manage Android and iOS devices by using Kaspersky Security Center. You can work with certificates of mobile devices and send commands to mobile devices.

[Topic 148239]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Enabling Mobile Device Management

Expand all | Collapse all

To manage mobile devices, you must enable Mobile Device Management. If you did not enable this feature in the quick start wizard of Kaspersky Security Center, you can enable it later. Mobile Device Management requires a license.

Enabling Mobile Device Management is only available on the primary Administration Server.

To enable Mobile Device Management:

1. In the console tree, select the Mobile Device Management folder.
2. In the workspace of the folder, click the Enable Mobile Device Management button. This button is only available if you have not enabled Mobile Device Management before.

   The Additional components page of the Administration Server quick start wizard is displayed.

3. Select Enable Mobile Device Management in order to manage mobile devices.
4. On the Select application activation method page, activate the application by using a key file or activation code.

   Management of mobile devices will not be possible until you activate the Mobile Device Management feature.

5. On the Proxy server settings to gain access to the Internet page, select the Use proxy server check box if you want to use a proxy server when connecting to the internet. When this check box is selected, the fields become available for entering settings. Specify the settings for proxy server connection.
6. On the Check for updates for plug-ins and installation packages page, select one of the following options:
   • Check whether plug-ins and installation packages are up to date

     Starting the check of up-to-date status. If the check detects outdated versions of some plug-ins or installation packages, the wizard prompts you to download up-to-date versions to replace the outdated ones.

   • Skip check

     Continuing work without checking whether plug-ins and installation packages are up-to-date. You can select this option if, for example, you have no internet access or if you want to proceed with the outdated version of the application for some reason.

     Skipping the check of updates for plug-ins may result in improper functioning of the application.

7. On the Latest plug-in versions available page, download and install the latest versions of plug-ins in the language that your application version requires. Updating the plug-ins does not require a license.

   After you install the plug-ins and packages, the application checks whether all plug-ins required for proper functioning of mobile devices have been installed. If outdated versions of some plug-ins are detected, the wizard prompts you to download up-to-date versions to replace the outdated ones.

8. On the Mobile device connection settings page, set up the Administration Server ports.

When the wizard completes, the following changes will be made:

• The Kaspersky Endpoint Security for Android policy will be created.
• The Kaspersky Device Management for iOS policy will be created.
• Ports will be opened on the Administration Server for mobile devices.

[Topic 64664]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deploying a system for management by using iOS MDM protocol

Kaspersky Endpoint Security allows you to manage mobile devices running iOS. iOS MDM devices refer to iOS mobile devices that are connected to an iOS MDM Server and managed by an Administration Server.

Connection of mobile devices to an iOS MDM Server is performed in the following sequence:

1. The administrator installs iOS MDM Server on the selected client device.
2. The administrator retrieves an Apple Push Notification Service (APNs) certificate.

   The APNs certificate allows Administration Server to connect to the APNs server to send push notifications to iOS MDM devices.

3. The administrator installs the APNs certificate on the iOS MDM Server.
4. The administrator creates an iOS MDM profile for the user of the iOS mobile device.

   The iOS MDM profile contains a collection of settings for connecting iOS mobile devices to Administration Server.

5. The administrator issues a shared certificate to the user.

   The shared certificate is required to confirm that the mobile device is owned by the user.

6. The user clicks the link sent by the administrator and downloads an installation package to the mobile device.

   The installation package contains a certificate and an iOS MDM profile.

   After the iOS MDM profile is downloaded and the iOS MDM device is synchronized with the Administration Server, the device is displayed in the Mobile devices folder, which is a subfolder of the Mobile Device Management folder in the console tree.

7. The administrator adds a configuration profile on the iOS MDM Server and installs the configuration profile on the mobile device after it is connected.

   The configuration profile contains a collection of settings and restrictions for the iOS MDM device, for example, settings for installation of applications, settings for the use of various features of the device, email and scheduling settings. A configuration profile allows you to configure iOS MDM mobile devices in accordance with the organization's security policies.

8. If necessary, the administrator adds provisioning profiles on the iOS MDM Server and then installs these provisioning profiles on mobile devices.

   Provisioning profile is a profile that is used for managing applications distributed in ways other than through App Store. A provisioning profile contains information about the license; it is linked to a specific application.

[Topic 92514]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

iOS MDM Server deployment scenarios

The number of copies of iOS MDM Server to be installed can be selected either based on available hardware or on the total number of mobile devices covered.

Please keep in mind that the recommended maximum number of mobile devices for a single installation of Kaspersky Device Management for iOS is 50,000 at most. In order to reduce the load, the entire pool of devices can be distributed among several servers that have iOS MDM Server installed.

Authentication of iOS MDM devices is performed through user certificates (any profile installed on a device contains the certificate of the device owner). Thus, two deployment schemes are possible for an iOS MDM Server:

• Simplified scheme
• Deployment scheme involving Kerberos constrained delegation (KCD)

[Topic 92515]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Simplified deployment scheme

When deploying an iOS MDM Server under the simplified scheme, mobile devices connect to the iOS MDM web service directly. In this case, user certificates issued by Administration Server can only be applied for devices authentication. Integration with Public Key Infrastructure (PKI) is impossible for user certificates.

[Topic 92516]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deployment scheme involving Kerberos constrained delegation (KCD)

The deployment scheme with Kerberos constrained delegation (KCD) requires the Administration Server and the iOS MDM Server to be located on the internal network of the organization.

This deployment scheme provides for the following:

• Integration with Microsoft Forefront TMG
• Use of KCD for authentication of mobile devices
• Integration with the PKI for applying user certificates

When using this deployment scheme, you must do the following:

• In Administration Console, in the settings of the iOS MDM web service, select the Ensure compatibility with Kerberos constrained delegation check box.
• As the certificate for the iOS MDM web service, specify the customized certificate that was defined when the iOS MDM web service was published on TMG.
• User certificates for iOS devices must be issued by the Certificate Authority (CA) of the domain. If the domain contains multiple root CAs, user certificates must be issued by the CA that was specified when the iOS MDM web service was published on TMG.

  You can ensure that the user certificate is in compliance with the this CA-issuance requirement by using one of the following methods:

  • Specify the user certificate in the New iOS MDM profile wizard and in the Certificate installation wizard.
  • Integrate the Administration Server with the domain's PKI and define the corresponding setting in the rules for issuance of certificates:
    1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
    2. In the workspace of the Certificates folder, click the Configure certificate issuance rules button to open the Certificate issuance rules window.
    3. In the Integration with PKI section, configure integration with the Public Key Infrastructure.
    4. In the Issuance of mobile certificates section, specify the source of certificates.

Below is an example of setup of Kerberos Constrained Delegation (KCD) with the following assumptions:

• The iOS MDM web service is running on port 443.
• The name of the device with TMG is tmg.mydom.local.
• The name of device with the iOS MDM web service is iosmdm.mydom.local.
• The name of external publishing of the iOS MDM web service is iosmdm.mydom.global.

Service Principal Name for http/iosmdm.mydom.local

In the domain, you have to register the service principal name (SPN) for the device with the iOS MDM web service (iosmdm.mydom.local):

setspn -a http/iosmdm.mydom.local iosmdm

Configuring the domain properties of the device with TMG (tmg.mydom.local)

To delegate traffic, trust the device with TMG (tmg.mydom.local) to the service that is defined by the SPN (http/iosmdm.mydom.local).

To trust the device with TMG to the service defined by the SPN (http/iosmdm.mydom.local), the administrator must perform the following actions:

1. In the Microsoft Management Console snap-in named "Active Directory Users and Computers", select the device with TMG installed (tmg.mydom.local).
2. In the device properties, on the Delegation tab, set the Trust this computer for delegation to specified service only toggle to Use any authentication protocol.
3. Add the SPN (http/iosmdm.mydom.local) to the Services to which this account can present delegated credentials list.

Special (customized) certificate for the published web service (iosmdm.mydom.global)

You have to issue a special (customized) certificate for the iOS MDM web service on the FQDN iosmdm.mydom.global and specify that it replaces the default certificate in the settings of iOS MDM web service in Administration Console.

Please note that the certificate container (file with the p12 or pfx extension) must also contain a chain of root certificates (public keys).

Publishing the iOS MDM web service on TMG

On TMG, for traffic that goes from a mobile device to port 443 of iosmdm.mydom.global, you have to configure KCD on the SPN (http/iosmdm.mydom.local), using the certificate issued for the FQDN (iosmdm.mydom.global). Please note that publishing, and the published web service must share the same server certificate.

[Topic 89288]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Enabling support of Kerberos Constrained Delegation

The application supports usage of Kerberos Constrained Delegation.

To enable support of Kerberos Constrained Delegation:

1. In the console tree, open the Mobile Device Management folder.
2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
4. In the context menu of the iOS MDM Server, select Properties.
5. In the properties window of the iOS MDM Server, select the Settings section.
6. In the Settings section, select the Ensure compatibility with Kerberos constrained delegation check box.
7. Click OK.

[Topic 64668]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installing iOS MDM Server

To install iOS MDM Server on a client device:

1. In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.
2. Click the Install iOS MDM Server button.

   The iOS MDM Server Deployment wizard starts. Proceed through the wizard by using the Next button.

3. On the Select installation package step of the wizard, select the iOS MDM Server installation package that you want to install.

   If there is no suitable package in the list, click the New button and create the required package.

4. If necessary, on the Selecting Network Agent installation package for combined installation step of the wizard, keep the Install Network Agent together with this application check box, and then select the Network Agent version that you want to install.
   Network Agent

   A Kaspersky Security Center component that enables interaction between the Administration Server and Kaspersky applications that are installed on a specific network node (workstation or server).

   is needed for the iOS MDM Server to connect to Kaspersky Security Center. You can skip this step if Network Agent is already installed on the device where you plan to install the iOS MDM Server.

5. On the Connection settings step of the wizard, in the External port for connection to iOS MDM field, specify an external port for connecting mobile devices to the iOS MDM service.

   External port 5223 is used by mobile devices for communication with the APNs server. Make sure that port 5223 is open in the firewall for connection with the address range 17.0.0.0/8.

   Port 443 is used for connection to iOS MDM Server by default. If port 443 is already in use by another service or application, it can be replaced with, for example, port 9443.

   The iOS MDM Server uses external port 2197 to send notifications to the APNs server.

   APNs servers run in load-balancing mode. Mobile devices do not always connect to the same IP addresses to receive notifications. The 17.0.0.0/8 address range is reserved for Apple, and it is therefore recommended to specify this entire range as an allowed range in Firewall settings.

6. If you want to configure interaction ports for application components manually, select the Set up local ports manually option, and then specify values for the following settings:
   • Port for connection to Network Agent

     In this field, specify a port for connecting the iOS MDM service to Network Agent. The default port number is 9799.

   • Local port to connect to iOS MDM service

     In this field, specify a local port for connecting Network Agent to the iOS MDM service. The default port number is 9899.

   It is recommended to use default values.

7. Under iOS MDM Server address, specify the address of the client device on which iOS MDM Server is to be installed.

   This address will be used for connecting managed mobile devices to the iOS MDM service. The client device must be available for connection of iOS MDM devices.

   You can specify the address of a client device in any of the following formats:

   • Use device FQDN

     The fully qualified domain name (FQDN) of the device will be used.

   • Use this address

     Specify the specific address of the device manually.

   Please avoid adding the URL scheme and the port number in the address string: these values will be added automatically.

8. On the Select devices for installation step of the wizard, select the devices on which you want to install the iOS MDM Server.
9. On the Move to list of managed devices step of the wizard, select whether you want to move the devices to any administration group after Network Agent installation.

   This option is applicable if you selected one or more unassigned devices on the previous step. If you selected only managed devices, skip this step.

10. Define other settings of the wizard. For detailed information about the remote installation of apps, please refer to Kaspersky Security Center help.

When the wizard finishes, iOS MDM Server is installed on the selected devices. The iOS MDM Server is displayed in the Mobile Device Management folder in the console tree.

The wizard proceeds to the Install APNs certificate step. If you do not want to manage the certificate right now, you can create a certificate or install an already existing certificate later.

[Topic 64900]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Receiving an APNs certificate

If you already have an APNs certificate, please consider renewing it instead of creating a new one. When you replace the existing APNs certificate with a newly created one, the Administration Server loses the ability to manage the currently connected iOS mobile devices.

When the Certificate Signing Request (CSR) is created at the first step of the APNs Certificate Wizard, its private key is stored in the RAM of your device. Therefore, all the steps of the wizard must be completed within a single session of the application.

To receive an APNs certificate:

1. In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.
2. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
3. In the context menu of the iOS MDM Server, select Properties.

   This opens the properties window of the iOS MDM Server.

4. In the properties window of the iOS MDM Server, select the Certificates section.
5. In the Certificates section, in the Apple Push Notification certificate group of settings, click the Request new button.

   The Request new APNs certificate wizard starts.

6. Create a Certificate Signing Request (hereinafter referred to as CSR):
   1. Click the Create CSR button.
   2. In the Create CSR window that opens, specify a name for your request, the names of your company and department, your city, region, and country.
   3. Click the Save button and specify a name for the file to which your CSR will be saved.

   The private key of the certificate is saved in the device memory.

7. Use your CompanyAccount to send the file with the CSR you have created to Kaspersky to be signed.

   Signing of your CSR will only be available after you upload to CompanyAccount portal a key that allows using Mobile Device Management.

   After your online request is processed, you will receive a CSR file signed by Kaspersky.

8. Send the signed CSR file to Apple Inc. website, using a random Apple ID.

   We recommend that you avoid using a personal Apple ID. Create a dedicated Apple ID to make it your corporate ID. After you have created an Apple ID, link it with the organization's mailbox, not a mailbox of an employee.

   After your CSR is processed in Apple Inc., you will receive the public key of the APNs certificate. Save the file on disk.

9. Export the APNs certificate together with the private key created when generating the CSR, in PFX file format:
   1. In the Request new APNs certificate wizard, click the Complete CSR button.
   2. In the Open window, choose a file with the public key of the certificate received from Apple Inc. as the result of CSR processing, and then click the Open button.

      The certificate export process starts.

   3. In the next window, enter the private key password and click OK.

      This password will be used for the APNs certificate installation on the iOS MDM Server.

   4. In the Save APNs certificate window that opens, specify a file name for APNs certificate, choose a folder, and then click Save.

The private and public keys of the certificate are combined, and the APNs certificate is saved in PFX format. After this, you can install the APNs certificate on the iOS MDM Server.

[Topic 159855]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Renewing an APNs certificate

To renew an APNs certificate:

1. In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.
2. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
3. In the context menu of the iOS MDM Server, select Properties.

   This opens the properties window of the iOS MDM Server.

4. In the properties window of the iOS MDM Server, select the Certificates section.
5. In the Certificates section, in the Apple Push Notification certificate group of settings click the Renew button.

   The Renew APNs certificate wizard starts.

6. Create a Certificate Signing Request (hereinafter referred to as CSR):
   1. Click the Create CSR button.
   2. In the Create CSR window that opens, specify a name for your request, the names of your company and department, your city, region, and country.
   3. Click the Save button and specify a name for the file to which your CSR will be saved.

   The private key of the certificate is saved in the device memory.

7. Use your CompanyAccount to send the file with the CSR you have created to Kaspersky to be signed.

   Signing of your CSR will only be available after you upload to CompanyAccount portal a key that allows using Mobile Device Management.

   After your online request is processed, you will receive a CSR file signed by Kaspersky.

8. Send the signed CSR file to Apple Inc. website, using a random Apple ID.

   We recommend that you avoid using a personal Apple ID. Create a dedicated Apple ID to make it your corporate ID. After you have created an Apple ID, link it with the organization's mailbox, not a mailbox of an employee.

   After your CSR is processed in Apple Inc., you will receive the public key of the APNs certificate. Save the file on disk.

9. Request the public key of the certificate. To do this, perform the following actions:
   1. Proceed to Apple Push Certificates portal. To log in to the portal, use the Apple Id received at the initial request of the certificate.
   2. In the list of certificates, select the certificate whose APSP name (in "APSP: <number>" format) matches the APSP name of the certificate used by iOS MDM Server and click the Renew button.

      The APNs certificate is renewed.

   3. Save the certificate created on the portal.
10. Export the APNs certificate together with the private key created when generating the CSR, in PFX file format:
    1. In the Renew APNs certificate wizard, click the Complete CSR button.
    2. In the Open window, choose a file with the public key of the certificate, received from Apple Inc. as the result of CSR processing, and click the Open button.

       The certificate export process will start.

    3. In the next window, enter the private key password and click OK.

       This password will be used for the APNs certificate installation on the iOS MDM Server.

    4. In the Renew APNs certificate window that opens, specify a file name for APNs certificate, choose a folder, and then click Save.

The private and public keys of the certificate are combined, and the APNs certificate is saved in PFX format.

[Topic 210607]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring a reserve iOS MDM Server certificate

The iOS MDM Server functionality enables you to issue a reserve certificate. This certificate is intended for use in iOS MDM profiles, to ensure seamless switching of managed iOS devices after the iOS MDM Server certificate expires.

If your iOS MDM Server uses a default certificate issued by Kaspersky, you can issue a reserve certificate (or specify your own custom certificate as reserve) before the iOS MDM Server certificate expires. By default, the reserve certificate is automatically issued 60 days before the iOS MDM Server certificate expiration. The reserve iOS MDM Server certificate becomes the main certificate immediately after the iOS MDM Server certificate expiration. The public key is distributed to all managed devices through configuration profiles, so you do not have to transmit it manually.

To issue an iOS MDM Server reserve certificate or specify a custom reserve certificate:

1. In the console tree, in the Mobile Device Management folder, select the Mobile Device Servers subfolder.
2. In the list of Mobile Device Servers, select the relevant iOS MDM Server, and on the right pane, click the Configure iOS MDM Server button.
3. In the iOS MDM Server settings window that opens, select the Certificates section.
4. In the Reserve certificate block of settings, do one of the following:
   • If you plan to continue using a self-signed certificate (that is, the one issued by Kaspersky):
     1. Click the Issue button.
     2. In the Activation date window that opens, select one of the two options for the date when the reserve certificate must be applied:
        • If you want to apply the reserve certificate at the time of expiration of the current certificate, select the When current certificate expires option.
        • If you want to apply the reserve certificate before the current certificate expires, select the After specified period (days) option. In the entry field next to this option, specify the duration of the period after which the reserve certificate must replace the current certificate.

        The validity period of the reserve certificate that you specify cannot exceed the validity term of the current iOS MDM Server certificate.

     3. Click the OK button.

     The reserve iOS MDM Server certificate is issued.

   • If you plan to use a custom certificate issued by your certification authority:
     1. Click the Add button.
     2. In the File Explorer window that opens, specify a certificate file in the PEM, PFX, or P12 format, which is stored on your device, and then click the Open button.

     Your custom certificate is specified as the reserve iOS MDM Server certificate.

You have a reserve iOS MDM Server certificate specified. The details of the reserve certificate are displayed in the Reserve certificate block of settings (certificate name, issuer name, expiration date, and the date the reserve certificate must be applied, if any).

[Topic 64666]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installing an APNs certificate on an iOS MDM Server

After you receive the APNs certificate, you must install it on the iOS MDM Server.

To install the APNs certificate on the iOS MDM Server:

1. In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.
2. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
3. In the context menu of the iOS MDM Server, select Properties.

   This opens the properties window of the iOS MDM Server.

4. In the properties window of the iOS MDM Server, select the Certificates section.
5. In the Certificates section, in the Apple Push Notification certificate group of settings click the Install button.
6. Select the PFX file that contains the APNs certificate.
7. Enter the password of the private key specified when exporting the APNs certificate.

The APNs certificate will be installed on the iOS MDM Server. The certificate details will be displayed in the properties window of the iOS MDM Server, in the Certificates section.

[Topic 92518]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring access to Apple Push Notification service

To ensure a proper functioning of the iOS MDM web service and timely responses of mobile devices to the administrator's commands, you need to specify an Apple Push Notification Service certificate (hereinafter referred to as APNs certificate) in the iOS MDM Server settings.

Interacting with Apple Push Notification (hereinafter referred to as APNs), the iOS MDM web service connects to the external address api.push.apple.com through port 2197 (outbound). Therefore, the iOS MDM web service requires access to port TCP 2197 for the range of addresses 17.0.0.0/8. From the iOS device side is access to port TCP 5223 for the range of addresses 17.0.0.0/8.

If you intend to access APNs from the iOS MDM web service side through a proxy server, you must perform the following actions on the device with the iOS MDM web service installed:

1. Add the following strings to the registry:
   • For 32-bit operating systems:

   HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset "ApnProxyHost"="<Proxy Host Name>" "ApnProxyPort"="<Proxy Port>" "ApnProxyLogin"="<Proxy Login>" "ApnProxyPwd"="<Proxy Password>"

   • For 64-bit operating systems:

   HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset "ApnProxyHost"="<Proxy Host Name>" "ApnProxyPort"="<Proxy Port>" "ApnProxyLogin"="<Proxy Login>" "ApnProxyPwd"="<Proxy Password>"

2. Restart the iOS MDM web service.

[Topic 92520]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Connecting KES devices to the Administration Server

Depending on the method used for connection of devices to the Administration Server, two deployment schemes are possible for Kaspersky Device Management for iOS for KES devices:

• Scheme of deployment with direct connection of devices to the Administration Server
• Scheme of deployment involving Forefront Threat Management Gateway (TMG)

[Topic 92521]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Direct connection of devices to the Administration Server

KES devices can connect directly to port 13292 of the Administration Server.

Depending on the method used for authentication, two options are possible for connection of KES devices to the Administration Server:

• Connecting devices with a user certificate
• Connecting devices without a user certificate

Connecting a device with a user certificate

When connecting a device with a user certificate, that device is associated with the user account to which the corresponding certificate has been assigned through Administration Server tools.

In this case, two-way SSL authentication (mutual authentication) will be used. Both the Administration Server and the device will be authenticated with certificates.

Connecting a device without a user certificate

When connecting a device without a user certificate, that device is associated with none of the user's accounts on the Administration Server. However, when the device receives any certificate, the device will be associated with the user to which the corresponding certificate has been assigned through Administration Server tools.

When connecting that device to the Administration Server, one-way SSL authentication will be applied, which means that only the Administration Server is authenticated with the certificate. After the device retrieves the user certificate, the type of authentication will change to two-way SSL authentication (2-way SSL authentication, mutual authentication).

[Topic 92523]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Scheme for connecting KES devices to the Server involving Kerberos constrained delegation (KCD)

The scheme for connecting KES devices to the Administration Server involving Kerberos constrained delegation (KCD) provides for the following:

• Integration with Microsoft Forefront TMG.
• Use of Kerberos Constrained Delegation (hereinafter referred to as KCD) for authentication of mobile devices.
• Integration with Public Key Infrastructure (hereinafter referred to as PKI) for applying user certificates.

When using this connection scheme, please note the following:

• The type of connection of KES devices to TMG must be "two-way SSL authentication", that is, a device must connect to TMG through its proprietary user certificate. To do this, you need to integrate the user certificate into the installation package of Kaspersky Endpoint Security for Android, which has been installed on the device. This KES package must be created by the Administration Server specifically for this device (user).
• You must specify the special (customized) certificate instead of the default server certificate for the mobile protocol:
  1. In the Administration Server properties window, in the Settings section, select the Open port for mobile devices check box and select Add certificate in the drop-down list.
  2. In the window that opens, specify the same certificate that was set on TMG when the point of access to the mobile protocol was published on the Administration Server.
• User certificates for KES devices must be issued by the Certificate Authority (CA) of the domain. Keep in mind that if the domain includes multiple root CAs, user certificates must be issued by the CA, which has been set in the publication on TMG.

  You can make sure the user certificate is in compliance with the above-described requirement, using one of the following methods:

  • Specify the special user certificate in the New package wizard and in the Certificate installation wizard.
  • Integrate the Administration Server with the domain's PKI and define the corresponding setting in the rules for issuance of certificates:
    1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
    2. In the workspace of the Certificates folder, click the Configure certificate issuance rules button to open the Certificate issuance rules window.
    3. In the Integration with PKI section, configure integration with the Public Key Infrastructure.
    4. In the Issuance of mobile certificates section, specify the source of certificates.

Below is an example of setup of Kerberos Constrained Delegation (KCD) with the following assumptions:

• Point of access to the mobile protocol on the Administration Server is set up on port 13292.
• The name of the device with TMG is tmg.mydom.local.
• The name of the device with Administration Server is ksc.mydom.local.
• Name of the external publishing of the point of access to the mobile protocol is kes4mob.mydom.global.

Domain account for Administration Server

You must create a domain account (for example, KSCMobileSrvcUsr) under which the Administration Server service will run. You can specify an account for the Administration Server service when installing the Administration Server or through the klsrvswch utility. The klsrvswch utility is located in the installation folder of Administration Server.

A domain account must be specified by the following reasons:

• The feature for management of KES devices is an integral part of Administration Server.
• To ensure a proper functioning of Kerberos Constrained Delegation (KCD), the receive side (i.e., the Administration Server) must run under a domain account.

Service Principal Name for http/kes4mob.mydom.local

In the domain, under the KSCMobileSrvcUsr account, add an SPN for publishing the mobile protocol service on port 13292 of the device with Administration Server. For the kes4mob.mydom.local device with Administration Server, this will appear as follows:

setspn -a http/kes4mob.mydom.local:13292 mydom\KSCMobileSrvcUsr

Configuring the domain properties of the device with TMG (tmg.mydom.local)

To delegate traffic, you must trust the device with TMG (tmg.mydom.local) to the service defined by the SPN (http/kes4mob.mydom.local:13292).

To trust the device with TMG to the service defined by the SPN (http/kes4mob.mydom.local:13292), the administrator must perform the following actions:

1. In the Microsoft Management Console snap-in named "Active Directory Users and Computers", select the device with TMG installed (tmg.mydom.local).
2. In the device properties, on the Delegation tab, set the Trust this computer for delegation to specified service only toggle to Use any authentication protocol.
3. In the Services to which this account can present delegated credentials list, add the SPN http/kes4mob.mydom.local:13292.

Special (customized) certificate for the publishing (kes4mob.mydom.global)

To publish the mobile protocol of Administration Server, you must issue a special (customized) certificate for the FQDN kes4mob.mydom.global and specify it instead of the default server certificate in the settings of the mobile protocol of Administration Server in Administration Console. To do this, in the properties window of the Administration Server, in the Settings section select the Open port for mobile devices check box and then select Add certificate in the drop-down list.

Please note that the server certificate container (file with the p12 or pfx extension) must also contain a chain of root certificates (public keys).

Configuring publication on TMG

On TMG, for traffic that goes from the mobile device side to port 13292 of kes4mob.mydom.global, you have to configure KCD on the SPN (http/kes4mob.mydom.local:13292), using the server certificate issued for the FQND kes4mob.mydom.global. Please note that publishing and the published access point (port 13292 of the Administration Server) must share the same server certificate.

[Topic 92525]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Using Google Firebase Cloud Messaging

To ensure timely delivery of commands to KES devices managed by the Android operating system, Kaspersky Security Center uses the mechanism of push notifications. Push notifications are exchanged between KES devices and Administration Server through Google Firebase Cloud Messaging (hereinafter referred to as FCM). In Kaspersky Security Center Administration Console, you can specify the Google Firebase Cloud Messaging settings to connect KES devices to the service.

To retrieve the settings of Google Firebase Cloud Messaging, you must have a Google account.

To enable the use of FCM:

1. In Administration Console, select the Mobile Device Management node, and the Mobile devices folder.
2. In the context menu of the Mobile devices folder, select Properties.
3. In the folder properties, select the Google Firebase Cloud Messaging settings section.
4. In the Sender ID and Server key fields, specify the FCM settings: SENDER_ID and API Key.

At the next synchronization with Administration Server, KES devices managed by Android operating systems will be connected to Google Firebase Cloud Messaging.

You can edit the Google Firebase Cloud Messaging settings by clicking the Reset settings button.

FCM service runs in the following address ranges:

• From the KES device's side, access is required to ports 443 (HTTPS), 5228 (HTTPS), 5229 (HTTPS), and 5230 (HTTPS) of the following addresses:
  • google.com
  • fcm.googleapis.com
  • android.apis.google.com
  • All of the IP addresses listed in Google's ASN of 15169
• From the Administration Server side, access is required to port 443 (HTTPS) of the following addresses:
  • fcm.googleapis.com
  • All of the IP addresses listed in Google's ASN of 15169

If the proxy server settings (Advanced / Configuring Internet access) have been specified in the Administration Server properties in Administration Console, they will be used for interaction with FCM.

Configuring FCM: retrieving SENDER_ID and API Key

To configure FCM:

1. Register on Google portal.
2. Go to Developers portal.
3. Create a new project by clicking the Create Project button, specify the project's name, and specify the ID.
4. Wait for the project to be created.

   On the first page of the project, in the upper part of the page, the Project Number field shows the relevant SENDER_ID.

5. Go to the APIs & auth / APIs section and enable Google Firebase Cloud Messaging for Android.
6. Go to the APIs & auth / Credentials section and click the Create New Key button.
7. Click the Server key button.
8. Impose restrictions (if any), click the Create button.
9. Retrieve the API Key from the properties of the newly created key (Server key field).

Google Firebase Cloud Messaging is configured.

[Topic 148249]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Disabling Mobile Device Management

Disabling Mobile Device Management is only available on the primary Administration Server.

To disable Mobile Device Management:

1. In the console tree, select the Mobile Device Management folder.
2. In the workspace of this folder, click the Add iOS mobile device link.

   The Additional components page of the Administration Server quick start wizard is displayed.

3. Select Do not enable Mobile Device Management if you do not want to manage mobile devices any longer.
4. Click OK.

Previously connected mobile devices will not be able to connect to Administration Server. The port for mobile device connection and the port for mobile device activation will be closed automatically.

Policies that were created for Kaspersky Endpoint Security for Android and Kaspersky Device Management for iOS will not be deleted. The certificate issuance rules will not be modified. The plug-ins that have been installed will not be removed. The moving rule for mobile devices will not be deleted.

After you re-enable Mobile Device Management on managed mobile devices, you may have to reinstall mobile apps that are required for mobile device management.

[Topic 141433]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installing Kaspersky Endpoint Security for Android

This section describes the methods for deploying Kaspersky Endpoint Security for Android on a corporate network.

[Topic 150051]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Permissions

For all features of apps, Kaspersky Endpoint Security for Android prompts the user for the required permissions. Kaspersky Endpoint Security for Android prompts for the mandatory permissions while completing the Setup Wizard, as well as after installation prior to using individual features of apps. It is impossible to install Kaspersky Endpoint Security for Android without providing the mandatory permissions.

On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts in the device settings. If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted.

On devices running Android 11 or later or Android 6-10 with Google Play services, you must disable the Remove permissions if app isn't used system setting. Otherwise, after the app is not used for a few months, the system automatically resets the permissions that the user granted to the app.

Permissions requested by Kaspersky Endpoint Security for Android

[Topic 141434]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installation of Kaspersky Endpoint Security for Android on personal devices

Kaspersky Endpoint Security for Android is installed on the mobile devices of users whose user accounts have been added in Kaspersky Security Center. For more details about user accounts in Kaspersky Security Center, please refer to Kaspersky Security Center Help.

Expand all | Collapse all

You can install the Kaspersky Endpoint Security for Android app on devices through Kaspersky Security Center by using one of the following methods:

• Download the app from Google Play (recommended method)

  The user will receive a link to Google Play. The app can be installed by following the standard installation procedure on the Android platform. Additional configuration of Kaspersky Endpoint Security for Android after installation is not required.

  Some HUAWEI and Honor devices do not have Google services and therefore an access to apps in Google Play. If some users of HUAWEI and Honor devices cannot install the app from Google Play, they should be instructed to install the app from HUAWEI App Gallery.

  The link contains the following data:

  • Kaspersky Security Center synchronization settings.
  • Mobile certificate.
  • Indicator of acceptance of the Terms and Conditions of the End User License Agreement for Kaspersky Endpoint Security for Android and additional Statements. If the administrator accepts the terms of License Agreement and additional Statements in the Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app.
• Download the app installation package from Kaspersky Security Center

  The app's installation package will be downloaded from the Kaspersky Security Center server. The app will also be updated through Kaspersky Security Center using policy settings. You can also choose this method if mobile devices in your company have no access to the internet.

  For this method, perform the pre-configuring steps below:

  1. Create and configure an app installation package.
  2. Create a standalone installation package.

  When deploying the app via the installation package downloaded from Kaspersky Security Center, after the device is reset to factory settings and the QR code is scanned, the Blocked by Play Protect message may appear on the device. The issue is caused by the installation package signing certificate being different from the one specified in Google Play. The user should continue the installation by choosing Install anyway. If OK is selected, the installation process will be interrupted and the device will be reset to factory settings.

To install Kaspersky Endpoint Security for Android through Kaspersky Security Center on personal devices:

1. In the console tree, select the Mobile Device Management → Mobile devices folder.
2. In the workspace of the Mobile devices folder, click the Add mobile device button.

   This starts the New Mobile Device Connection Wizard. Follow the instructions of the Wizard.

3. In the Operating system section, select Android.
4. In the Device type section, select Personal device.

   Kaspersky Security Center checks for administration plug-in updates. If Kaspersky Security Center detects updates, you can install the new version of the administration plug-in. When the administration plug-in is updated, you can accept the Terms and Conditions of the End User of the License Agreement (EULA) and additional Statements for Kaspersky Endpoint Security for Android. If the administrator accepts the License Agreement and additional Statements in Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app. This feature is available in Kaspersky Security Center version 12.

5. On the Method to install Kaspersky Endpoint Security for Android on devices page, select one of two options:
   • Download the app from Google Play (recommended default option)
   • Download the app installation package from Kaspersky Security Center if Google Play cannot be used for some reason or you need a specific version of the app (for example, for device owner mode)
6. On the Select users page of the Wizard, select one or more users for installation of Kaspersky Endpoint Security for Android to their mobile devices.

   If a user is not in the list, you can add a new user account without exiting the New Mobile Device Connection Wizard.

7. On the Certificate source page of the Wizard, select the source of the certificate for protection of data transfer between Kaspersky Endpoint Security for Android and Kaspersky Security Center:
   • Issue certificate through Administration Server tools. In this case, the certificate will be created automatically.
   • Specify certificate file. In this case, your own certificate must be prepared ahead of time and then selected in the window of the Wizard. This option cannot be used if you want to install Kaspersky Endpoint Security for Android to several mobile devices. A separate certificate must be created for each user.
8. On the User notification method page of the Wizard, select the channel used to forward the app installation link:
   • To send the link by email, select Send link to Kaspersky Endpoint Security and configure the settings in the By email section. Make sure that the email address is specified in the settings of user accounts.
   • To install Kaspersky Endpoint Security for Android using a QR code, select Show link to installation package and scan the QR code using the camera of the mobile device.
   • If none of the listed methods are suitable for you, select Show link to installation package → Copy to copy the link for installing Kaspersky Endpoint Security for Android to the clipboard. Use any available method to deliver the app installation link. You can also use other methods of installation of Kaspersky Endpoint Security for Android.
9. Click Finish to close the New Mobile Device Connection Wizard.

After installing Kaspersky Endpoint Security for Android on users' mobile devices, you will be able to configure the settings for devices and apps by using group policies. You will also be able to send commands to mobile devices for data protection in case devices are lost or stolen.

[Topic 241804]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installation of Kaspersky Endpoint Security for Android in device owner mode

Expand all | Collapse all

Device owner mode is the device operation mode for company-owned Android devices. This mode lets you have full control over the entire device and configure a wide range of device functions.

Kaspersky Security Center lets you install the Kaspersky Endpoint Security for Android app in device owner mode by generating a QR code for app installation on the device.

Kaspersky Endpoint Security for Android is installed on the mobile devices of users whose user accounts have been added in Kaspersky Security Center. For more details about user accounts in Kaspersky Security Center, please refer to Kaspersky Security Center Help.

Ways to install the app

The Kaspersky Endpoint Security for Android app can be installed via a QR code in one of the following ways:

• Download the app from Kaspersky website

  Choose this method for mobile devices that can access the internet to download the APK installation file from the Kaspersky website. The app will then be updated using Google Play or HUAWEI AppGallery.

• Download the app installation package from Kaspersky Security Center

  The app's installation package will be downloaded from the Kaspersky Security Center server. The app will also be updated through Kaspersky Security Center using policy settings. You can also choose this method if mobile devices in your company have no access to the internet.

  For this method, follow the steps below before generating a QR-code:

  1. Create and configure an app installation package.
  2. Create a standalone installation package.

     When deploying the app via the installation package downloaded from Kaspersky Security Center, after the device is reset to factory settings and the QR code is scanned, the Blocked by Play Protect message may appear on the device. The issue is caused by the installation package signing certificate being different from the one specified in Google Play. The user should continue the installation by choosing Install anyway. If OK is selected, the installation process will be interrupted and the device will be reset to factory settings.

Generating QR code for app installation

To generate a QR code for app installation in device owner mode:

1. In the console tree, select the Mobile Device Management → Mobile devices folder.
2. In the workspace of the Mobile devices folder, click the Add mobile device button.

   This starts the New Mobile Device Connection Wizard. Follow the instructions of the Wizard.

3. In the Operating system section, select Android.
4. In the Device type section, select Company-owned device (device owner mode).
5. In the Network for downloading the Kaspersky Endpoint Security app section, select one of the following options:
   • Prompt the user to select a Wi-Fi network on the device

     If you choose this option, the device user will be prompted to connect to any available Wi-Fi network for downloading the app.

     This option is selected by default.

   • Use only the specified Wi-Fi network (Android 9.0+)

     If you choose this option, the device will try to automatically connect to the network that you have specified. This option is supported on Android 9.0 or later.

     Be sure to correctly specify all the network parameters. Otherwise, if any parameter is incorrect or the network is not available, the installation process will be interrupted and the device will be reset to the factory settings.

     To configure the connection for the required Wi-Fi network, click the Specify network button. In the Wi-Fi network for downloading Kaspersky Endpoint Security window, specify the following parameters:

     • Service set identifier (SSID)

       Specifies a name of a wireless network with an access point (SSID). The wireless network name should not be longer than 32 characters.

     • Hidden network

       Specifies whether the selected network broadcasts its SSID.

       The checkbox is cleared by default.

     • Network protection

       Specifies a wireless network security type. Possible values:

       • Open - If selected, the network is not protected (default).
       • WEP (Android 9 or earlier) - If selected, the network is protected using the WEP protocol. This option requires entering a password for accessing the network and applies only to Android 9 and earlier.
       • WPA2 PSK - If selected, the network is protected using the WPA 2 PSK security protocol. This option requires entering a password for accessing the network.
     • Password (will be sent in unencrypted form)

       Specifies a password for accessing a wireless network protected using a WEP or WPA2 PSK protocol. The password will be sent in QR code.

     • Do not use proxy server

       Specifies that proxy server is not used (default).

     • Use proxy server

       Specifies the use of proxy server. If this option is selected, you need to provide proxy server address and port. You can also specify a list of sites for which the proxy will be bypassed.

     • Proxy server address

       Specifies the IP address or the symbol name (web-address) of the proxy server. The maximum number of symbols is 256.

     • Proxy server port

       Specifies the port number of the proxy server. The value should be in the interval between 0 and 65536.

     • Do not use proxy server for addresses

       Specifies addresses of websites for which the proxy server should not be used.

       For example, you can enter the address example.com. In this case, the proxy server will not be used for the addresses pictures.example.com, example.com/movies, etc. The protocol (for example, http://) can be omitted.

     • PAC file URL

       A URL to a proxy auto-configuration (PAC) file for the Wi-Fi network.

   • Try to use mobile data (Android 8.0+)

     If you choose this option, the device will try to use mobile data to download the app. If the device does not have a SIM card, or the mobile network is not available, the user will be prompted to select any available Wi-Fi network.

     This option is supported on Android 8.0 or later.

6. In the Additional section, select the Enable all system apps check box if you want system apps to be active on the device. If the check box is cleared, all system apps are disabled.
7. Click Next.

   Kaspersky Security Center checks for administration plug-in updates. If Kaspersky Security Center detects updates, you can install the new version of the administration plug-in. When the administration plug-in is updated, you can accept the Terms and Conditions of the End User of the License Agreement (EULA) and additional Statements for Kaspersky Endpoint Security for Android. If the administrator accepts the License Agreement and additional Statements in Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app.

8. On the Method to install Kaspersky Endpoint Security for Android on devices in device owner mode page, select an installation method:
   • Download the app from Kaspersky website
   • Download the app installation package from Kaspersky Security Center

     If you choose this option, leave the Allow HTTP use for app download in device owner mode check box selected to ensure the app is downloaded. Otherwise, the app will be downloaded via HTTPS only if the Kaspersky Security Center Web Server certificate was issued by a trusted certificate authority.

   For more details about these methods, see the Ways to install the app section above.

9. On the Select users page of the Wizard, select one or more users for installation of Kaspersky Endpoint Security for Android to their mobile devices.

   If a user is not in the list, you can add a new user account without exiting the New Mobile Device Connection Wizard.

10. On the Certificate source page of the Wizard, select the source of the certificate for protection of data transfer between Kaspersky Endpoint Security for Android and Kaspersky Security Center:
    • Issue certificate through Administration Server tools. In this case, the certificate will be created automatically.
    • Specify certificate file. In this case, your own certificate must be prepared ahead of time and then selected in the window of the Wizard. This option cannot be used if you want to install Kaspersky Endpoint Security for Android to several mobile devices. A separate certificate must be created for each user.
11. On the User notification method page, select the method used to forward the QR code for the app installation:
    • Select Show QR code in wizard to scan the QR code with the camera of the mobile device on which you want to install Kaspersky Endpoint Security for Android.
    • Select Send QR code to user to send the QR code by email to users of your organization. If you select this method, specify email addresses. Make sure that the email address is specified in the user account settings in Kaspersky Security Center. The users then need to scan the QR code using the camera of their mobile device to install the app.
12. On the Result page, verify the information and save the QR code.
13. Click Finish to close the New Mobile Device Connection Wizard.

Additional configuration on the Android device is required to install Kaspersky Endpoint Security for Android in device owner mode.

After installing Kaspersky Endpoint Security for Android on users' mobile devices, you will be able to configure the settings for devices and apps by using group policies. You will also be able to send commands to mobile devices for data protection in case devices are lost or stolen.

[Topic 259471]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installation of Kaspersky Endpoint Security for Android in device owner mode in a closed network

When deploying Kaspersky Endpoint Security for Android in device owner mode via QR code on devices with pre-installed Google Mobile Services (GMS), their connectivity to certain Google endpoints via Wi-Fi networks is checked. If a Wi-Fi network has no access to the internet, the connectivity check fails and the deployment finishes with an error.

To avoid the connectivity check, you can deploy the Kaspersky Endpoint Security for Android app in device owner mode in a closed network by using a Proxy Auto-Configuration (PAC) file.

To use a PAC file for Kaspersky Endpoint Security for Android app deployment:

1. Create a PAC file (for example, proxy.pac) with the following contents:

   function FindProxyForURL(url, host) {
   return "DIRECT";
   }

2. Publish the created PAC file on a resource which will be available within the closed network (for example, on the IIS Web server).

   Save the link to the PAC file (for example, https://intranet.mycompany.com/files/proxy.pac).

3. Make sure the APK file of the Kaspersky Endpoint Security for Android app being deployed is available within the closed network. To do this, use one of the methods below:
   • Download the app installation package from the Kaspersky Security Center server. If the server is accessible, the installation packages will be available there.
   • Download the APK installation file from the Kaspersky website and upload it to the closed network.

     Choose the general version of the app as a source.

4. Generate the QR code for app installation in device owner mode and forward it to the user by following the instructions of the New Mobile Device Connection Wizard.

   When connecting the device to Kaspersky Security Center, you will be asked to specify the network for downloading the Kaspersky Endpoint Security for Android app. At this step, configure the use of the previously created PAC file for network connection by linking it to the Wi-Fi network settings on a device. To do this, use one of the methods below:

   • In the Network for downloading the Kaspersky Endpoint Security for Android section, choose Prompt the user to select a Wi-Fi network on the device. While deploying the app, the user will need to specify the link to the PAC file (step 2) in the network settings while choosing a Wi-Fi network on the device. After the connection is established, the user will be able to continue the device setup and activate the app by following the instructions of the app's Initial Configuration Wizard.
   • In the Network for downloading the Kaspersky Endpoint Security for Android section, choose Use only the specified Wi-Fi network (Android 9.0+), click the Specify network button, insert the link to the previously created PAC file (step 2) in the PAC file URL field, and then click OK.

   If the APK installation file has been downloaded from the Kaspersky website (step 3), you need to change the link in the QR code by specifying the closed network link address.

   For more information about configuring the Kaspersky Endpoint Security for Android app in device owner mode, please refer to the Installing the app in device owner mode section.

   When deploying the app via the installation package downloaded from Kaspersky Security Center, after the device is reset to factory settings and the QR code is scanned, the Blocked by Play Protect message may appear on the device. The issue is caused by the installation package signing certificate being different from the one specified in Google Play. The user should continue the installation by choosing Install anyway. If OK is selected, the installation process will be interrupted and the device will be reset to factory settings.

The Kaspersky Endpoint Security for Android app is installed on the device in device owner mode in a closed network.

[Topic 209663]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Other methods of installation of Kaspersky Endpoint Security for Android

You can install Kaspersky Endpoint Security for Android using a link to your own web server or instruct the users to install the app manually.

[Topic 209665]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Manual installation from Google Play or HUAWEI AppGallery

Users can manually install Kaspersky Endpoint Security for Android from Google Play or HUAWEI AppGallery. The app can be installed by following the standard installation procedure of the Android platform. Users use their own Google accounts to install the application.

For details on the procedure of installing Kaspersky Endpoint Security for Android from Google Play, see the Google technical support website.

For details on the procedure of installing Kaspersky Endpoint Security for Android from HUAWEI AppGallery, see the HUAWEI Support website.

Some HUAWEI and Honor devices do not have Google services and therefore an access to apps in Google Play. If some users of HUAWEI and Honor devices cannot install the app from Google Play, they should be instructed to install the app from HUAWEI App Gallery.

After installing Kaspersky Endpoint Security for Android from Google Play or HUAWEI AppGallery, you must prepare the app for use. The process of preparing the app for use includes the following steps:

1. The administrator sends the settings of mobile device synchronization with the Administration Server (server address and port number) using any available method (for example, by sending an email message).
2. The user can configure the settings of mobile device synchronization with the Administration Server during operation of the Initial Configuration Wizard or in the Kaspersky Endpoint Security for Android settings.
3. The administrator creates a mobile certificate for the mobile device user.
4. The user receives an automatic notification with a prompt to install the mobile certificate. When installation is confirmed, the mobile certificate is installed on the mobile device.

Internet access should be enabled on the mobile device for synchronization with the Administration Server.

See the "Configuring synchronization settings" section for details on how to configure the settings of mobile device synchronization with the Administration Server and receive a mobile certificate.

During the next synchronization of the mobile device with Administration Server, the user's mobile device on which Kaspersky Endpoint Security for Android is installed is moved to the Advanced → Device discovery → Domains folder in the administration group that was specified during installation of the application (the default group is KES10). You can move a mobile device to the administration group that you created in the Managed devices folder either manually or using automatic allocation rules.

This installation method is convenient if you want to install a specific version of Kaspersky Endpoint Security for Android.

To install Kaspersky Endpoint Security for Android by using a link to your own web server:

1. Create an installation package and configure its settings.

   The installation package is a set of files created for remote installation of the Kaspersky app through Kaspersky Security Center.

2. Create a standalone installation package.

   A standalone installation package is the installation file of a mobile app that contains the settings of the app connection to the Administration Server and an indicator of acceptance of the Terms and Conditions of the End User License Agreement (EULA) for the Kaspersky Endpoint Security for Android. It is created on the basis of the Kaspersky Endpoint Security for Android installation package. The standalone installation package is a special case of an installation package.

The user will receive a link to the web server hosting the standalone installation package for Kaspersky Endpoint Security for Android. To install the app, the user must run the APK file. Additional configuration of Kaspersky Endpoint Security for Android after installation is not required.

To install Kaspersky Endpoint Security for Android using a link to your own web server, installation of apps from unknown sources must be allowed on the user's mobile device.

[Topic 89690]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating and configuring an installation package

The Kaspersky Endpoint Security for Android installation package is the sc_package.exe self-extracting archive. The archive includes files required for installing mobile app on devices:

• adb.exe, AdbWinApi.dll, AdbWinUsbApi.dll – Set of files required for installing Kaspersky Endpoint Security for Android.
• installer.ini – Configuration file that contains the Administration Server connection settings.
• KES10_xx_xx_xxx.apk – Setup file for Kaspersky Endpoint Security for Android.
• kmlisten.exe – Utility for delivering the application installation package through a the workstation.
• kmlisten.ini – Configuration file that contains the settings for the installation package delivery utility.
• kmlisten.kpd – Application description file.

To create the Kaspersky Endpoint Security for Android installation package:

1. In the console tree, select the Advanced → Remote installation → Installation packages folder.
2. In the workspace of the Installation packages  folder, click the Create installation package button.

   The Installation Package Creation Wizard starts. Follow the instructions of the Wizard.

3. In the Select installation package type window of the Wizard, click the Create installation package for Kaspersky application button.
4. In the Defining installation package name window of the Wizard, enter the installation package name to be displayed in the workspace of the Installation packages folder.
5. In the Select application installation package for installation window of the Wizard, select the sc_package.exe self-extracting archive included in the distribution kit.

   If you have already unpacked the archive, choose the application description file, kmlisten.kpd. The application name and the version number appear in the entry field.

   If you create an installation package with the sc_package.exe archive in the Kaspersky Security Center version earlier than 14.2, the installation of Kaspersky Endpoint Security for Android app will fail on devices running Android 10 or later. To avoid this issue, please upgrade to Kaspersky Security Center 14.2 or contact Technical Support to receive an appropriate version of the archive.

6. In the Accept EULA window of the Wizard, read, understand, and accept the terms and conditions of the End User License Agreement.

   You must accept the terms and conditions of the End User License Agreement for creating the installation package. If you accept the terms of License Agreement in the Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app.

   If you decide to stop the protection of the mobile devices, you can uninstall Kaspersky Endpoint Security for Android app and revoke your End User License Agreement (EULA) for the app. To learn more about revoking EULA, please refer to Kaspersky Security Center Help.

After the Wizard finishes, the created installation package appears in the Installation packages folder workspace. The installation packages are stored in the Packages folder, in the public shared folder on the Administration Server.

To configure the installation package settings:

1. In the console tree, select the Advanced → Remote installation → Installation packages folder.
2. In the context menu of the Kaspersky Endpoint Security for Android installation package, select Properties.
3. On the Settings tab, specify the Administration Server connection settings for mobile devices and the name of the administration group to which the mobile devices will be added automatically after the first synchronization with the Administration Server. Follow the steps below:
   • In the Connection to the Administration Server section, in the Server address field, type the name of the Administration Server for mobile devices in the format that was used for installing Mobile devices support during the Administration Server deployment.

     Depending on the Administration Server name format for the Mobile devices support component, specify the DNS name or the IP address of the Administration Server. In the SSL port number field, specify the number of the port open on the Administration Server for connecting mobile devices. Port 13292 is used by default.

   • In the Allocation of computers to groups section, in the Group name field, type the name of the group to which mobile devices will be added after the first synchronization with the Administration Server (KES10 is used by default).

     The specified group will be automatically created in the Advanced → Device discovery → Domains folder.

   • In the Actions during installation section, select the Request email address check box if you want the app to ask users to provide their corporate email address when the app is started for the first time.

     The user's email address is used to form the name of the mobile device when it is added to the administration group.

4. To apply the specified settings, click Apply.

[Topic 89728]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating a standalone installation package

To create a standalone installation package, follow the steps below:

1. In the console tree, select the Advanced → Remote installation → Installation packages folder.
2. Choose the installation package of Kaspersky Endpoint Security for Android.
3. In the context menu of the installation package, select Create a stand-alone installation package.

   The wizard that creates the standalone installation package will be started. Follow the instructions of the Wizard.

4. Configure ways in which the standalone installation package is distributed:
   • To distribute the path to the created standalone installation package among users via email, in the Further actions section click the link Email link to stand-alone installation package.

     The message editor window opens, and the text in the window contains the path to the shared folder with the standalone installation package.

   • To post the link to the created standalone installation package on your corporate website, click the link Sample HTML code for link publication on a website.

     A tmp file containing HTML_RJL links opens.

5. To publish the created standalone installation package on the Kaspersky Security Center Web Server and view the entire list of standalone packages for the selected installation package, in the Stand-alone installation package creation wizard window select the Open the stand-alone packages list check box.

After the wizard closes, the window List of standalone packages for the installation package <Installation package name> opens.

The List of standalone packages for the installation package <Installation package name> window contains the following information:

• A list of standalone installation packages.
• The network path to the shared folder in the Path field.
• The address of the standalone package on the Kaspersky Security Center Web Server in the URL field.

When sending email notifications, you can specify either the address in the URL field or the path in the Path field as a resource from which users can download the setup file of the app. When sending text message notifications to users, you have to specify the download link appearing in the URL field.

You are advised to copy the address of the created standalone package to clipboard and then paste the link to the required installation package into the email or text message notification for users.

[Topic 88051]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring synchronization settings

To manage mobile devices and receive reports or statistics from mobile devices of users, you must configure the synchronization settings. Mobile device synchronization with Kaspersky Security Center may be performed in the following ways:

• By schedule. Synchronization by schedule is performed by using the HTTP protocol. You can configure the synchronization schedule in the group policy settings. Modifications to group policy settings, commands and tasks will be performed when the device is synchronizing with Kaspersky Security Center according to the schedule, i.e. with a delay. By default, mobile devices are synchronized with the Kaspersky Security Center automatically every 6 hours.
• Forced. Forced synchronization is performed by using push notifications of the FCM service (Firebase Cloud Messaging). Forced synchronization is primarily intended for timely delivery of commands to a mobile device. It might be useful when a device is in battery saver mode, because in this case the app may perform tasks later than specified. If you want to use forced synchronization, make sure that the FCM settings are configured in Kaspersky Security Center.

To configure the settings of mobile device synchronization with the Kaspersky Security Center:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Synchronization section.
5. Select the frequency of synchronization in the Synchronize drop-down list.
6. To disable synchronization of a device with Kaspersky Security Center while roaming, select the Do not synchronize while roaming check box.

   The device user can manually perform synchronization in the app settings ( → Settings → Synchronization → Synchronize).

7. To hide synchronization settings (server address, port and administration group) from the user in the app settings, clear the Show synchronization settings on device check box. It is impossible to modify hidden settings.
8. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. You can manually synchronize the mobile device by using a special command. To learn more about working with commands for mobile devices, please refer to the "Sending commands" section.

[Topic 136294]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Activating the Kaspersky Endpoint Security for Android app

In Kaspersky Security Center, the license can cover various groups of features. To ensure that the Kaspersky Endpoint Security for Android app is fully functional, the Kaspersky Security Center license purchased by the organization must provide for the Mobile Device Management functionality. The Mobile Device Management functionality is intended for connecting mobile devices to Kaspersky Security Center and managing them.

For detailed information about the licensing of Kaspersky Security Center and licensing options, please refer to Kaspersky Security Center Help.

Activating the Kaspersky Endpoint Security for Android app on a mobile device is done by providing valid license information to the app. License information is delivered to the mobile device, together with the policy, when the device is synchronized with Kaspersky Security Center.

If the activation of the Kaspersky Endpoint Security for Android app is not completed within 30 days from the time of installation on the mobile device, the app is automatically switched to the limited functionality mode. In this mode, most of the app components are not operational. When switched to the limited functionality mode, the app stops performing automatic synchronization with Kaspersky Security Center. Therefore, if the activation of the app has not been completed within 30 days after the installation, the user must synchronize the device with Kaspersky Security Center manually.

If Kaspersky Security Center is not deployed in your organization or is not accessible to mobile devices, users can activate the Kaspersky Endpoint Security for Android app on their devices manually.

To activate the Kaspersky Endpoint Security for Android app:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Licensing section.
5. In the Licensing section, open the Key drop-down list, and then select the required application activation key from the key storage of the Kaspersky Security Center Administration Server.

   The details of the app for which the license has been purchased are displayed in the field below.

6. Select the Activate with a key from Kaspersky Security Center storage check box.

   If the app was activated without a key stored in the Kaspersky Security Center storage, Kaspersky Secure Mobility Management replaces this key with the activation key selected in the Key drop-down list.

7. To activate the app on the user's mobile device, block changes to settings.
8. Click the Apply button to save the changes you have made.

   Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

[Topic 141488]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installing an iOS MDM profile

This section describes the methods of deploying iOS MDM profiles on a corporate network.

Before deploying an iOS MDM profile, you must deploy a mobile device management system.

For details on deploying an iOS MDM profile in Kaspersky Endpoint Security Cloud, please refer to Kaspersky Endpoint Security Cloud help.

[Topic 135822]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

About iOS device management modes

You can deploy an iOS device management system in several different ways. The management mode depends on the owner of the mobile device (personal or corporate) and corporate security requirements. You can choose the management mode that is most suitable for the company, and use several modes at the same time.

Unsupervised devices

Unsupervised iOS devices are employees' personal devices that are connected to Kaspersky Security Center. In this mode, the user is allowed to use a personal Apple ID, work with any apps, and store personal data on the device. You can use a Kaspersky Device Management for iOS group policy to configure access to corporate resources, security settings, and other settings. By default, all iOS devices are unsupervised.

Supervised devices

Supervised iOS devices are corporate devices that are connected to Kaspersky Security Center. Initial configuration of the mobile device is performed in Apple Configurator. Apple Configurator is an application designed to prepare and configure iOS devices. Apple Configurator is installed on a computer running OS X. For more details about working with Apple Configurator, please refer to the Apple Technical Support website. You can use a Kaspersky Device Management for iOS group policy for further configuration. On supervised devices, you can access an extended selection of settings. For example, you can configure Global HTTP Proxy and additional restrictions (for example, blocked use of iMessage and Game Center), and you can block user account modifications.

To work with supervised and unsupervised iOS devices, the iOS MDM Server must have an APNs certificate installed, and an iOS MDM profile must be installed on the mobile devices of users.

[Topic 141792]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installing via Kaspersky Security Center

The iOS MDM profile is installed to the mobile devices of users whose user accounts have been added in Kaspersky Security Center. For more details about user accounts in Kaspersky Security Center, please refer to Kaspersky Security Center Help.

To install an iOS MDM profile:

1. In the console tree, select the Mobile Device Management → Mobile devices folder.
2. In the workspace of the Mobile devices folder, click the Add mobile device button.

   This starts the New Mobile Device Connection Wizard. Follow the instructions of the Wizard.

3. In the Operating system section, select iOS.
4. In the Selecting iOS MDM Server window of the Wizard, select an iOS MDM Server from the list.
5. In the Select users window of the Wizard, select one or several users for installation of the iOS MDM profile to their mobile devices.

   If the user is not in the list, you can add a new user account without exiting the New Mobile Device Connection Wizard.

6. In the Certificate source window of the Wizard, select the source of the certificate for protection of data transfer between the mobile device and Kaspersky Security Center:
   • Issue certificate through Administration Server tools. In this case, the certificate will be created automatically.
   • Specify certificate file. In this case, your own certificate must be prepared ahead of time and then selected in the window of the Wizard. This option cannot be used if you want to install the iOS MDM profile to several mobile devices. A separate certificate must be created for each user.
7. In the User notification method window of the Wizard, select the channel used to forward the app installation link:
   • To send the link by email, select Send link to iOS MDM profile and configure the settings in the By email section. Make sure that the email address is specified in the settings of user accounts.
   • To install the iOS MDM profile using a QR code, select Show link to installation package and scan the QR code using the camera of the mobile device.
   • If none of the listed methods are suitable for you, select Show link to installation package → Copy to copy the iOS MDM profile installation link to the clipboard. Use any available method to deliver the app installation link.
8. Finish the New Mobile Device Connection Wizard.

After installing the iOS MDM profile to users' mobile devices, you will be able to configure the app settings by using group policies. You will also be able to send commands to mobile devices for data protection in case devices are lost or stolen.

On mobile devices running iOS 12.1 or later, you must manually confirm installation of an iOS MDM profile on the mobile device. You must also grant permission for remote management of the device.

[Topic 98776]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installing administration plug-ins

To manage mobile devices, the following administration plug-ins must be installed to the administrator's workstation:

• The Administration Plug-in of Kaspersky Endpoint Security for Android provides the interface for managing mobile devices and mobile apps installed on them through the Administration Console of Kaspersky Security Center.
• The Administration Plug-in of Kaspersky Device Management for iOS provides an interface for managing mobile devices connected by means of the iOS MDM protocol through the Administration Console of Kaspersky Security Center.

You can install administration plug-ins by using the following methods:

• Install an administration plug-in using Quick Start Wizard of Kaspersky Security Center.

  The application automatically prompts you to run the Quick Start Wizard after Administration Server installation, at the first connection to it. You can also start the Quick Start Wizard manually at any time.

  The Quick Start Wizard allows you to accept the Terms and Conditions of the End User License Agreement (EULA) for the Kaspersky Endpoint Security for Android app in Administration Console. If the administrator accepts the terms of the License Agreement in Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app. For more details on the Quick Start Wizard for Kaspersky Security Center, please refer to Kaspersky Security Center Help.

• Install the administration plug-in using the list of available distribution packages in Administration Console of Kaspersky Security Center.

  The list of available distribution packages is updated automatically after new versions of Kaspersky applications are released.

• Download the distribution package from an external source and install the administration plug-in using the EXE file.

  For example, the distribution package of the administration plug-in can be downloaded on the Kaspersky website.

Installing administration plug-ins from the list in Administration Console

To install the administration plug-ins:

1. In the console tree, select Advanced → Remote installation → Installation packages.
2. In the workspace, select Additional actions → View current versions of Kaspersky applications.

   This opens the list of up-to-date versions of Kaspersky applications.

3. In the Mobile devices section, select the Kaspersky Endpoint Security for Android or Kaspersky Device Management for iOS plug-in.
4. Click Download distribution package button.

   A plug-in distribution will be downloaded to the computer memory (EXE file).

5. Run the EXE file and follow the instructions of the Installation Wizard.

Installing administration plug-ins from the distribution package

To install the Kaspersky Endpoint Security for Android Administration Plug-in,

Copy the plug-in installation file klcfinst.exe from the integrated solution distribution package and run it on the administrator's workstation.

The installation is performed by the Wizard, and you do not have to configure the settings.

To install the Kaspersky Device Management for iOS Administration Plug-in,

Copy the plug-in installation file klmdminst.exe from the integrated solution distribution package and run it on the administrator's workstation.

The installation is performed by the Wizard, and you do not have to configure the settings.

You can make sure that the administration plug-ins are installed by viewing the list of installed app administration plug-ins in the properties window of the Administration Server in the Advanced → Details of application management plug-ins installed section.

[Topic 136488]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Updating a previous version of the application

The application upgrade must meet the following requirements:

• The version of the Kaspersky Endpoint Security for Android Administration Plug-in and the version of the Kaspersky Endpoint Security for Android mobile app must match.

  You can view the build numbers of the versions of the Administration Plug-in and mobile app in the Release Notes for Kaspersky Secure Mobility Management.

• Make sure that Kaspersky Security Center satisfies the software requirements of Kaspersky Secure Mobility Management.
• The administration plug-ins of Kaspersky Endpoint Security for Android 10.0 Service Pack 2 (Build 10.6.0.1801) and Kaspersky Device Management for iOS 10.0 Service Pack 2 (Build 10.6.0.1767) and later versions can be automatically upgraded to the current version. Upgrades of earlier versions of administration plug-ins are not supported.

  To upgrade administration plug-ins of earlier versions, you must remove the installed administration plug-ins and group policies that were created with them. Then install the new versions of the administration plug-ins. For details on removing administration plug-ins, please visit the Kaspersky Technical Support website.

• Use the same version of Kaspersky Endpoint Security for Android on all mobile devices of the organization.

The terms and conditions of technical support for Kaspersky Secure Mobility Management versions are available on the Kaspersky Technical Support website.

To view the version and build number of administration plug-ins:

1. In the console tree in the context menu of the Administration Server, select Properties.
2. In the Administration Server properties window, select Advanced → Details of application management plug-ins installed.

The workspace displays information about installed administration plug-ins in the format <Plug-in name> <Version> <Build>.

You can view the version and build number of the Kaspersky Endpoint Security for Android app by using the following methods:

• If Kaspersky Endpoint Security for Android was installed with a standalone installation package, you can view the version and build number of the app in the package properties.
• If Kaspersky Endpoint Security for Android was installed through Google Play, you can view the build number in the app settings ( → About the app).

Updates functionality (including providing anti-malware signature updates and codebase updates), as well as KSN functionality will not be available in the software in the U.S. territory from 12:00 AM Eastern Daylight Time (EDT) on September 10, 2024 in accordance with the restrictive measures.

[Topic 102240]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Upgrading the previous version of Kaspersky Endpoint Security for Android

Kaspersky Endpoint Security for Android can be updated in the following ways:

• Using Google Play. The mobile device user downloads the new version of the app from Google Play and installs it on the device.
• Using Kaspersky Security Center. You can remotely update the version of the app on the device using the Kaspersky Security Center remote administration system.

You can select the app update method that is most suitable for your organization. You can use only one update method.

Updating the app from Google Play

The app can be updated from Google Play by following the standard update procedure of the Android platform. The following conditions must be met in order for the app to be updated:

• The device user must have a Google account.
• The device must be linked to your Google account.
• The device must be connected to the internet.

After downloading the app from Google Play, Kaspersky Endpoint Security for Android checks the Terms and Conditions of the End User License Agreement (EULA). If the terms of the EULA are updated, the app sends a request to the Kaspersky Security Center. If the administrator accepts the EULA in Administration Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app. If the administrator uses an outdated version of the administration plug-in, Kaspersky Security Center prompts you to update the administration plug-in. When updating the administration plug-in, an administrator can accept the terms of the EULA in Administration Console for the Kaspersky Endpoint Security for Android.

You can update the app through Google Play if Kaspersky Endpoint Security for Android was installed from Google Play. If the app was installed using another method, you cannot update the app through Google Play.

Updating the app through Kaspersky Security Center

Kaspersky Endpoint Security for Android can be upgraded using Kaspersky Security Center after application of a group policy. In the group policy settings, you can select the Kaspersky Endpoint Security for Android standalone installation package of the version that meets the corporate security requirements.

You can update through Kaspersky Security Center if Kaspersky Endpoint Security for Android was installed through Kaspersky Security Center. If the app was installed from Google Play, you cannot update the app through Kaspersky Security Center.

To upgrade Kaspersky Endpoint Security for Android using a standalone installation package, installation of apps from unknown sources must be allowed on the user's mobile device. For details about installing apps without Google Play, please refer to the Android Help Guide.

To update the version of the app:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Additional section.
5. In the Upgrading Kaspersky Endpoint Security for Android section, click the Select button.

   This opens the Upgrading Kaspersky Endpoint Security for Android window.

6. In the list of Kaspersky Endpoint Security for Android standalone installation packages, select the package whose version meets the corporate security requirements.

   You can upgrade Kaspersky Endpoint Security for Android only to a more recent application version. Kaspersky Endpoint Security for Android cannot be upgraded to an older application version.

7. Click the Select button.

   A description of the selected standalone installation package is displayed in the Upgrading Kaspersky Endpoint Security for Android section.

8. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. The mobile device user is prompted to install the new version of the app. After the user gives consent, the new app version is installed on the mobile device.

[Topic 180201]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Installing an earlier version of Kaspersky Endpoint Security for Android

If you want to prevent automatic update of the app and use a specific version of Kaspersky Endpoint Security for Android, disable automatic update of the app in Google Play settings. For more detail, refer to the Google technical support website.

Automatic update of Kaspersky Endpoint Security for Android is available only if the app was installed from Google Play or through Kaspersky Security Center using the Google Play link. If the app was installed through Kaspersky Security Center using a link to your own web server (using the standalone installation package), automatic update is not available. In this case, you can use a group policy to manually update Kaspersky Endpoint Security for Android.

To install an earlier version of Kaspersky Endpoint Security for Android:

1. Remove Kaspersky Endpoint Security for Android from users' mobile devices.
2. Install Kaspersky Endpoint Security for Android through Kaspersky Security Center using a link to your own web server. To do so, you will need the installation package for the specific version. You can download the distribution package for earlier versions of Kaspersky Endpoint Security for Android on the Kaspersky Technical Support website.

For details on earlier versions of Kaspersky Endpoint Security for Android, please refer to the Help for the appropriate version of Kaspersky Secure Mobility Management.

[Topic 99183]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Upgrading previous versions of administration plug-ins

You can upgrade administration plug-ins by using the following methods:

• Install new version administration plug-in from the list of available distribution packages in Administration Console of Kaspersky Security Center.

  The list of available distribution packages is updated automatically after new versions of Kaspersky applications are released.

• Download the distribution package from an external source and install new version administration plug-in using the EXE file.

  To upgrade Kaspersky Endpoint Security for Android and Kaspersky Device Management for iOS Administration Plug-ins, you need to download the latest version of the application from the web page of Kaspersky Secure Mobility Management and run the Setup Wizard for each of the two plug-ins. Previous versions of plug-ins are removed automatically during operation of the Installation Wizard.

Kaspersky experts recommend using the same version of the app and administration plug-ins. If user upgrades the app from Google Play, the Kaspersky Security Center shows notification with a prompt to upgrade the administration plug-in.

When administration plug-ins are updated, the existing administration groups in the Managed devices folder and rules for the automatic allocation of devices from the Unassigned devices folder to these groups are saved. The existing group policies for mobile devices are also saved. New policy settings that implement the new functions of the Kaspersky Secure Mobility Management integrated solution will be added to the existing policies and will have the default values.

If new settings have been added or the default values have been changed in the new version of the administration plug-in, the changes will be applied only after a group policy is opened. Until the administrator opens a group policy, the settings of the previous version of the plug-in will be applied on mobile devices even if the plug-in version has been updated.

Upgrading from the list in Administration Console

To upgrade the administration plug-ins:

1. In the console tree, select Advanced → Remote installation → Installation packages.
2. In the workspace, select Additional actions → View current versions of Kaspersky applications.

   This opens the list of up-to-date versions of Kaspersky applications.

3. In the Mobile devices section, select the Kaspersky Endpoint Security for Android or Kaspersky Device Management for iOS plug-in.
4. Click Download distribution package button.

   A plug-in distribution will be downloaded to computer memory (EXE file). Run the EXE file. Follow the instructions of the Installation Wizard.

Upgrading from the distribution package

To upgrade the Kaspersky Endpoint Security for Android Administration Plug-in,

Copy the plug-in installation file klcfinst.exe from the integrated solution distribution package and run it on the administrator's workstation.

The installation is performed by the Wizard, and you do not need to configure the settings.

To upgrade the Kaspersky Device Management for iOS Administration Plug-in,

Copy the plug-in installation file klmdminst.exe from the integrated solution distribution package and run it on the administrator's workstation.

Plug-in installation is performed by the Wizard, and you do not need to configure the settings.

You can make sure that the administration plug-ins are upgraded by viewing the list of installed app administration plug-ins in the properties window of the Administration Server, in the Advanced → Details of application management plug-ins installed section.

[Topic 98987]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Removing Kaspersky Endpoint Security for Android

Kaspersky Endpoint Security for Android can be removed in the following ways:

1. App removal by the user

   The user removes Kaspersky Endpoint Security for Android manually using the app interface. In order for users to be able to remove the app, app removal should be allowed in the policy applied to the device.

2. App removal by the administrator

   The administrator removes the app remotely using the Administration Console of Kaspersky Security Center. The app can be removed from a separate device or from several devices at once.

To remove Kaspersky Endpoint Security for Android from a device operating in device owner mode:

1. Send the Reset to factory settings command from Administration Console to the device. This command removes all device data and rolls back device settings to their factory values.
2. Manually remove the device from the list of managed devices in Administration Console.

   If the device is not removed from Administration Console, there can be problems with further installation of Kaspersky apps on this device.

[Topic 99000]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Remote app removal

You can remove Kaspersky Endpoint Security for Android from users' mobile devices remotely in the following ways:

• Using a group policy. This method is convenient if you want to remove the app from several devices at once.
• By configuring local app settings. This method is convenient if you want to remove the app from a separate device.

For information about removing Kaspersky Endpoint Security for Android from devices operating in device owner mode, see the App removal in device owner mode section below.

To remove the app by applying a group policy:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Additional section.
5. In the Removal of Kaspersky Endpoint Security for Android section, select the Remove Kaspersky Endpoint Security for Android from device check box.

   This setting doesn't apply to devices operating in device owner mode.

6. Click the Apply button to save the changes you have made.

As a result, Kaspersky Endpoint Security for Android is removed from mobile devices after synchronization with the Administration Server. Users of mobile devices receive a notification that the app has been removed.

To remove the app by configuring local settings:

1. In the console tree, select Mobile Device Management → Mobile devices.
2. In the list of devices, select the device on which you want to remove the app.
3. Open the device properties window double-clicking.
4. Select Applications → Kaspersky Endpoint Security for Android.
5. Open the Kaspersky Endpoint Security properties window by double-clicking.
6. Select the Additional section.
7. In the Removal of Kaspersky Endpoint Security for Android section, select the Remove Kaspersky Endpoint Security for Android from device check box.

   This setting doesn't apply to devices operating in device owner mode.

8. Click the Apply button to save the changes you have made.

As a result, Kaspersky Endpoint Security for Android is removed from mobile device after synchronization with the Administration Server. The mobile device user receives a notification that the app has been removed.

App removal in device owner mode

To remove Kaspersky Endpoint Security for Android from a device operating in device owner mode:

1. In the console tree, select Mobile Device Management → Mobile devices.
2. In the list of devices, select the device on which you want to remove the app.
3. Right-click the device.
4. In the context menu, select Mobile Device Management → Reset to factory settings.

   The Reset to factory settings command is sent to the device. This command removes all device data and rolls back device settings to their factory values.

5. In the list of devices, right-click the device and select Delete.

   The device is removed from the list of managed devices in Administration Console.

   If the device is not removed from Administration Console, there can be problems with further installation of Kaspersky apps on this device.

[Topic 98994]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Permitting users to remove the app

To protect the app from removal on devices running Android 7.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, the app is not protected from removal.

You can allow users to remove Kaspersky Endpoint Security for Android from their mobile devices in the following ways:

• Using a group policy. This method is convenient if you want to allow users to remove the app from several devices at once.
• Using local app settings. This method is convenient if you want to allow the user of a separate device to remove the app.

On devices operating in device owner mode, Kaspersky Endpoint Security for Android can be removed only by the administrator. For instructions, please refer to Remote app removal.

To allow removal of the app in a group policy:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Additional section.
5. In the Removal of Kaspersky Endpoint Security for Android section, set the Allow removal of Kaspersky Endpoint Security for Android check box.

   This setting doesn't apply to devices operating in device owner mode.

6. Click the Apply button to save the changes you have made.

As a result, removal of the app by users is allowed on mobile devices after synchronization with the Administration Server. The app removal button becomes available in the Kaspersky Endpoint Security for Android settings.

To allow removal of the app in the local app settings:

1. In the console tree, select Additional → Mobile Device Management → Mobile devices.
2. In the list of devices, select the device from which you want to allow app removal by the user.
3. Open the device properties window by double-clicking.
4. Select Applications → Kaspersky Endpoint Security for Mobile.
5. Open the Kaspersky Endpoint Security properties window by double-clicking.
6. Select the section Additional.
7. In the Removal of Kaspersky Endpoint Security for Android section, set the Allow removal of Kaspersky Endpoint Security for Android check box.

   This setting doesn't apply to devices operating in device owner mode.

8. Click the Apply button to save the changes you have made.

As a result, removal of the app by the user is allowed on the mobile device after synchronization with the Administration Server. The app removal button becomes available in the Kaspersky Endpoint Security for Android settings.

[Topic 98992]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

App removal by the user

To independently remove Kaspersky Endpoint Security for Android from a mobile device, the user must do the following:

1. In the main window of Kaspersky Endpoint Security for Android, tap   → Uninstall the app.

   A confirmation prompt appears on the screen.

   If the Uninstall the app button is missing, this means that the administrator enabled protection against removal of Kaspersky Endpoint Security for Android or the device operates in device owner mode.

   On devices operating in device owner mode, Kaspersky Endpoint Security for Android can be removed only by the administrator. For instructions, please refer to Remote app removal.

2. Confirm removal of Kaspersky Endpoint Security for Android.

The Kaspersky Endpoint Security for Android app will be removed from the user's mobile device.

[Topic 136270]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuration and Management

This Help section is intended for specialists who administer Kaspersky Secure Mobility Management, as well as for specialists who provide technical support to organizations that use Kaspersky Secure Mobility Management.

[Topic 141535]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Getting Started

This section describes the actions that you are recommended to perform when getting started with Kaspersky Secure Mobility Management.

[Topic 100337]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Starting and stopping the application

Kaspersky Security Center automatically starts and stops administration plug-ins of Kaspersky Endpoint Security for Android and Kaspersky Device Management for iOS.

Kaspersky Endpoint Security for Android launches when the operating system starts up and protects the mobile device during the entire session. The user can stop the app by disabling all Kaspersky Endpoint Security for Android components. You can use group policies to configure user permissions to manage app components.

On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts (Security → Permissions → Autorun). If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted.

You must also disable Battery Saver mode for Kaspersky Endpoint Security for Android. This is necessary for the app to run in the background, such as running a scheduled malware scan or synchronizing the device with Kaspersky Security Center. This issue is attributable to the specific features of the embedded software of these devices.

[Topic 89688_1]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating an administration group

To perform centralized configuration of the Kaspersky Endpoint Security for Android app installed on the users' mobile devices, the group policies must be applied to the devices.

To apply the policy to a device group, you are advised to create a separate group for these devices in the Managed devices prior to installing mobile apps on user devices.

After creating an administration group, it is recommended to configure the option to automatically allocate devices on which you want to install the apps to this group. Then configure settings that are common to all devices using a group policy.

To create administration group, follow the steps below:

1. In the console tree, select the Managed devices folder.
2. In the workspace of the Managed devices folder or subfolder, select the Devices tab.
3. Click the New group  button.

   This opens the window in which you can create a new group.

4. In the Group name window type the group name and click OK.

A new administration group folder with the specified name appears in the console tree. For more detailed information on use of administration groups, see Kaspersky Security Center Help.

[Topic 99958]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Group policies for managing mobile devices

A group policy is a package of settings for managing mobile devices that belong to an administration group and for managing mobile apps installed on the devices. You can create a group policy using the Policy Wizard.

You can use a policy to configure settings of both individual devices and a group of devices. For a group of devices, administration settings can be configured in the window of group policy properties. For an individual device, they can be configured in the window of local application settings. Individual management settings specified for one device may differ from the values of settings configured in the policy for a group to which this device belongs.

Each parameter represented in a policy has a "lock" attribute, which shows whether the setting is allowed for modification in the policies of nested hierarchy levels (for nested groups and secondary Administration Servers), in local application settings.

The values of settings configured in the policy and in local application settings are saved on the Administration Server, distributed to mobile devices during synchronization, and saved to devices as current settings. If the user has specified other values of settings that have not been "locked", during the next synchronization of the device with the Administration Server the new values of settings are relayed to the Administration Server and saved in the local settings of the application instead of the values that had been previously specified by the administrator.

To keep corporate security of mobile devices up to date, you can monitor users' devices for compliance with the group management policy.

The security level indicator is displayed in the upper part of the group policy window. The security level indicator will help you configure the policy so as to ensure a high level of device protection. The protection level indicator status changes depending on the policy settings:

• High protection level – an appropriate level of device protection is provided. All protection components function according to the settings recommended by Kaspersky.
• Medium protection level – the protection level is lower than recommended. Some critical protection components are disabled (for example, Web Protection). Important issues are marked with the icon.
• Low protection level – there are problems that may lead to infection of the device and loss of data. Some critical protection components are disabled (for example, real-time protection of devices is disabled). Critical issues are marked with the icon.

For more details on managing policies and administration groups in the Administration Console of Kaspersky Security Center, please refer to Kaspersky Security Center Help.

[Topic 89890]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Creating a group policy

This section describes the process of creating group policies for devices on which Kaspersky Endpoint Security for Android mobile app are installed and policies for iOS MDM devices.

Policies created for an administration group are shown in the group workspace in the Administration Console of Kaspersky Security Center on the Policies tab. The icon indicating the policy status (active / inactive) appears before the policy name. Several policies for different apps can be created in one group. Only one policy for each app can be active. When a new active policy is created, the previous active policy becomes inactive.

You can modify a policy after it is created.

To a policy for managing mobile devices:

1. From the console tree, select an administration group for which you want to create a policy.
2. In the workspace of the group, select the Policies tab.
3. Click the New policy link to start the Policy Wizard.

This starts the Policy Wizard.

Step 1. Choose an application for creating a group policy

At this step, select the application for which you want to create a group policy in the list of applications:

• Kaspersky Endpoint Security for Android – for devices using the Kaspersky Endpoint Security for Android mobile app.

It is recommended to create a separate policy for HUAWEI and Honor devices that do not have Google play services. This way you can send links to HUAWEI AppGallery to the users of all such devices.

• Kaspersky Device Management for iOS – for iOS MDM devices.

A policy for mobile devices can be created if the Kaspersky Endpoint Security for Android Administration Plug-in and the Kaspersky Device Management for iOS Administration Plug-in are installed on the administrator's desktop. If the plug-ins are not installed, the name of the relevant application does not appear in the list of applications.

Proceed to the next step of the Policy Wizard.

Step 2. Enter a group policy name

At this step, type the name for the new policy in the Name field. If you specify the name of an existing policy, it will have (1) added at the end automatically.

Proceed to the next step of the Policy Wizard.

Step 3. Create a group policy for the application

At this step, the Wizard prompts you to select the status of the policy:

• Active policy. The Wizard saves the created policy on the Administration Server. At the next synchronization of the mobile device with the Administration Server, the policy will be used on the device as the active policy.
• Inactive policy. The Wizard saves the created policy on the Administration Server as a backup policy. This policy can be activated in the future after a specific event. If necessary, an inactive policy can be switched to active state.

  Several policies can be created for one application in the group, but only one of them can be active. When a new active policy is created, the previous active policy automatically becomes inactive.

Exit the Wizard.

[Topic 88051_1]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring synchronization settings

To manage mobile devices and receive reports or statistics from mobile devices of users, you must configure the synchronization settings. Mobile device synchronization with Kaspersky Security Center may be performed in the following ways:

• By schedule. Synchronization by schedule is performed by using the HTTP protocol. You can configure the synchronization schedule in the group policy settings. Modifications to group policy settings, commands and tasks will be performed when the device is synchronizing with Kaspersky Security Center according to the schedule, i.e. with a delay. By default, mobile devices are synchronized with the Kaspersky Security Center automatically every 6 hours.
• Forced. Forced synchronization is performed by using push notifications of the FCM service (Firebase Cloud Messaging). Forced synchronization is primarily intended for timely delivery of commands to a mobile device. It might be useful when a device is in battery saver mode, because in this case the app may perform tasks later than specified. If you want to use forced synchronization, make sure that the FCM settings are configured in Kaspersky Security Center.

To configure the settings of mobile device synchronization with the Kaspersky Security Center:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Synchronization section.
5. Select the frequency of synchronization in the Synchronize drop-down list.
6. To disable synchronization of a device with Kaspersky Security Center while roaming, select the Do not synchronize while roaming check box.

   The device user can manually perform synchronization in the app settings ( → Settings → Synchronization → Synchronize).

7. To hide synchronization settings (server address, port and administration group) from the user in the app settings, clear the Show synchronization settings on device check box. It is impossible to modify hidden settings.
8. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. You can manually synchronize the mobile device by using a special command. To learn more about working with commands for mobile devices, please refer to the "Sending commands" section.

[Topic 152432]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Managing revisions to group policies

Kaspersky Security Center lets you track group policy modifications. Every time you save changes made to a group policy, a revision is created. Each revision has a number.

You can manage revisions only for Kaspersky Endpoint Security for Android policies. You cannot manage revisions for a Kaspersky Device Management for iOS policy.

You can perform the following actions on group policy revisions:

• Compare a selected revision to the current one.
• Compare selected revisions.
• Compare a policy with a selected revision of another policy.
• View a selected revision.
• Roll back policy changes to a selected revision.
• Save revisions as a .txt file.

For more details about managing revisions of group policies and other objects (for example, user accounts), please refer to Kaspersky Security Center Help.

To view the history of group policy revisions:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Revision history section.

   A list of policy revisions is displayed. It contains the following information:

   • Policy revision number.
   • Date and time the policy was modified.
   • Name of the user who modified the policy.
   • Action performed on the policy.
   • Description of the revision made to policy settings.

[Topic 89954]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Removing a group policy

To remove a group policy:

1. In the console tree, select an administration group for which you want to remove a policy.
2. In the workspace of the administration group on the Policies tab select the policy you want to remove.
3. In the context menu of the policy, select Delete.

As a result, the group policy is deleted. Before the new group policy is applied, mobile devices belonging to the administration group continue to work with the settings specified in the policy that has been deleted.

[Topic 100347]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Restricting permissions to configure group policies

Kaspersky Security Center administrators can configure the access permissions of Administration Console users for different functions of the Kaspersky Secure Mobility Management integrated solution depending on the job duties of users.

In the Administration Console interface, you can configure access rights in the Administration Server properties window on the Security and User roles tabs. The User roles tab lets you add standard user roles with a predefined set of rights. The Security section lets you configure rights for one user or a group of users or assign roles to one user or a group of users. User rights for each application are configured according to functional scopes.

You can also configure user permissions specific to functional areas. Information about the correspondence between functional areas and policy tabs is given in Annex.

For each functional area, the administrator can assign the following permissions:

• Allow editing. The Administration Console user is allowed to change the policy settings in the properties window.
• Block editing. The Administration Console user is prohibited from changing the policy settings in the properties window. Policy tabs belonging to the functional scope for which this right has been assigned are not displayed in the interface.

For more details on managing user rights and roles in the Administration Console of Kaspersky Security Center, please refer to Kaspersky Security Center Help.

[Topic 136322]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Control

This section contains information about how to remotely monitor mobile devices in the Administration Console of Kaspersky Security Center.

[Topic 140646]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring restrictions

This section provides instructions on how to configure user access to the features of mobile devices.

[Topic 206026]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Special considerations for devices running Android version 10 and later

Android 10 introduced numerous changes and restrictions targeting API 29 or higher. Some of these changes affect the availability or functionality of some of the app's features. These considerations apply only to devices running Android 10 or later.

Ability to enable, disable, and configure Wi-Fi

• Wi-Fi networks can be added, deleted, and configured in the Administration Console of Kaspersky Security Center. When a Wi-Fi network is added to a policy, Kaspersky Endpoint Security receives this network configuration when it first connects to Kaspersky Security Center.
• When a device detects a network configured through Kaspersky Security Center, Kaspersky Endpoint Security prompts the user to connect to that network. If the user chooses to connect to the network, all of the settings configured through Kaspersky Security Center are automatically applied. The device then automatically connects to that network when in range, without showing further notifications to the user.
• If a user's device is already connected to another Wi-Fi network, sometimes the user may not be prompted to approve a network addition. In such cases, the user must turn Wi-Fi off and on again to receive the suggestion.
• When Kaspersky Endpoint Security suggests a user connect to a Wi-Fi network and the user refuses to do so, the app's permission to change the Wi-Fi state is revoked. Kaspersky Endpoint Security then cannot suggest connecting to Wi-Fi networks until the user grants the permission again by going to Settings → Apps & notifications → Special App access → Wi-Fi Control → Kaspersky Endpoint Security.
• Only open networks and networks encrypted with WPA2-PSK are supported. WEP and WPA encryption are not supported.
• If the password for a network previously suggested by the app is changed, the user must manually delete that network from the list of known networks. The device will then be able to receive a network suggestion from Kaspersky Endpoint Security and connect to it.
• When a device OS is updated from Android version 9 or earlier to Android version 10 or later, and/or Kaspersky Endpoint Security installed on a device running Android version 10 or later is updated, the networks that were previously added via Kaspersky Security Center cannot be modified or deleted through Kaspersky Security Center policies. The user, however, can manually modify or delete such networks in the device settings.
• On devices running Android 10, a user is prompted for the password during an attempt to connect manually to a protected suggested network. Automatic connection does not require entering the password. If a user's device is connected to some other Wi-Fi network, the user must first disconnect from that network to connect automatically to one of the suggested networks.
• On devices running Android 11, a user may manually connect to a protected network suggested by the app, without entering the password.
• When Kaspersky Endpoint Security is removed from a device, the networks previously suggested by the app are ignored.
• Prohibiting use of Wi-Fi networks is not supported.

Camera access

• On devices running Android 10, use of the camera cannot be completely prohibited. Prohibiting use of the camera for a work profile is still available.
• If a third-party app attempts to access the device's camera, that app will be blocked, and the user will be notified about the issue. However, the apps that use the camera while running in background mode cannot be blocked.
• When an external camera is disconnected from a device, a notification about the camera not being available may be displayed in some cases.

Managing screen unlock methods

• Kaspersky Endpoint Security now resolves the password strength requirements into one of the system values: medium or high.
  • If the password length required is 1 to 4 symbols, then the app prompts the user to set a medium-strength password. It must be either numeric (PIN), with no repeating or ordered (e.g. 1234) sequences; or alphanumeric. The PIN or password must be at least 4 characters long.
  • If the password length required is 5 or more symbols, then the app prompts the user to set a high-strength password. It must be either numeric (PIN), with no repeating or ordered sequences; or alphanumeric (password). The PIN must be at least 8 digits long; the password must be at least 6 characters long.
• Using a fingerprint to unlock the screen can be managed for a work profile only.

[Topic 90496]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring restrictions for Android devices

To keep an Android device secure, configure the Wi-Fi, camera, and Bluetooth usage settings on the device.

By default, the user can use Wi-Fi, camera, and Bluetooth on the device without restrictions.

To configure the Wi-Fi, camera, and Bluetooth usage restrictions on the device:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Device Management section.
5. In the Restrictions section, configure usage of Wi-Fi, camera, and Bluetooth:
   • To disable the Wi-Fi module on the user's mobile device, select the Prohibit use of Wi-Fi check box.

     On devices running Android 10.0 or later, prohibiting the use of Wi-Fi networks is not supported.

   • To disable the camera on the user's mobile device, select the Prohibit use of camera check box.

     When camera usage is prohibited, the app displays a notification upon opening and then closes shortly after. On Asus and OnePlus devices, the notification is shown in full screen. The device user can tap the Close button to exit the app.

     On devices running Android 11 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, you will not be able to restrict use of the camera.

   • To disable Bluetooth on the user's mobile device, select the Prohibit use of Bluetooth check box.

     On Android 12 or later, the use of Bluetooth can be disabled only if the device user granted the Nearby Bluetooth devices permission. The user can grant this permission during the Initial Configuration Wizard or at a later time.

     On personal devices running Android 13 or later, the use of Bluetooth cannot be disabled.

6. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

[Topic 88187]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring iOS MDM device feature restrictions

To ensure compliance with corporate security requirements, configure restrictions on the operation of the iOS MDM device. For information about available restrictions, refer to the context help of the administration plug-in.

To configure iOS MDM device feature restrictions:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Features Restriction section.
5. In the Features restriction settings section, select the Apply settings on device check box.
6. Configure iOS MDM device feature restrictions.

   List of feature restrictions

   Delay software updates, in days (supervised only, iOS 11.3+)

   Allows delaying operating system updates on the device.

   If the check box is selected, the user can't access updates for the specified period. The default delay is 30 days. You can specify another period in the Specify the number of days from 1 to 90 field.

   If the check box is cleared, the user can update the software as soon as updates are available.

   The setting is available for mobile devices running iOS version 11 or later and iPadOS version 13.1 or later.

   This check box is cleared by default.

   Specify the number of days from 1 to 90

   Specifies the number of days to delay software updates. The default value is 30 days.

   This option is available if the Delay software updates, in days check box is selected.

   Allow use of camera

   Usage of the camera on the user's mobile device.

   If the check box is selected, the user is allowed to use the device camera.

   If the check box is cleared, the user device camera is disabled. The user cannot take photos, record videos, or use the FaceTime app. The camera icon on the device home screen is hidden.

   This check box is selected by default.

   Allow FaceTime (supervised only)

   Usage of the FaceTime app on the user's mobile device. This check box is available if the use of the device camera is allowed. This setting is available if the Allow use of camera check box is selected.

   If the check box is selected, the user can make and receive calls using FaceTime.

   If the check box is cleared, the FaceTime app is disabled on the user device. The user cannot make or receive video calls.

   This check box is selected by default.

   Allow screenshots and videos

   Capability to take a screenshot or video from the screen of the iOS MDM device.

   If the check box is selected, the user can take and save screenshots and videos from the screen of the mobile device.

   If the check box is cleared, the user cannot take and save screenshots and videos from the screen of the mobile device.

   This check box is selected by default.

   Allow screen observation by Classroom (supervised only)

   Capability for an instructor to view students' iPad screens using the Classroom application. For more details about the Classroom application, please visit the Apple Technical Support website.

   If the check box is selected, the instructor can view students' iPad screens in the Classroom application.

   If the check box is cleared, the instructor cannot view students' iPad screens in the Classroom application.

   This check box is selected by default.

   Allow modification of Personal Hotspot settings (supervised only, iOS 12.2+)

   If the check box is selected, the device user can modify Personal Hotspot settings.

   If the check box is cleared, the device user can't modify Personal Hotspot settings.

   The setting is available for mobile devices running iOS version 12.2 or later and iPadOS version 13.1 or later.

   This check box is selected by default.

   Allow access to USB devices in Files app (supervised only, iOS 13.1+)

   If the check box is selected, the user can access connected USB devices in the Files app.

   If the check box is cleared, access to connected USB devices in the Files app is blocked.

   The setting is available for mobile devices running iOS version 13.1 or later and iPadOS version 13.1 or later.

   This check box is selected by default.

   Enable USB Restricted Mode while device is locked (supervised only, iOS 11.4.1+)

   Specifies whether USB Restricted Mode is enabled when the device is locked.

   If the check box is selected, when locked, the device connection to USB drives is limited via USB Restricted Mode.

   If the check box is cleared, the device is allowed to connect to USB drives when locked.

   The setting is available for mobile devices running iOS version 11.4.1 or later and iPadOS version 13.1 or later.

   This check box is selected by default.

   Force Wi-Fi on (supervised only, iOS 13.0+)

   Specifies whether Wi-Fi on the managed device should be always on. The device can connect to any Wi-Fi network.

   If the check box is selected, Wi-Fi on the device is always on, even in flight mode. The user can't disable Wi-Fi in the device settings.

   If the check box is cleared, the user can disable Wi-Fi in the device settings.

   The setting is available for mobile devices running iOS version 13.0 or later and iPadOS version 13.1 or later.

   This check box is cleared by default.

   Force connection to allowed Wi-Fi networks only (supervised only, iOS 14.5+)

   Specifies whether the device can connect to allowed Wi-Fi networks only. This option is available if you add at least one Wi-Fi network to the list of Wi-Fi networks in the Wi-Fi section.

   If the check box is selected, the device connects to allowed Wi-Fi networks only. The user can't disable Wi-Fi in the device settings.

   If the check box is cleared, the user can connect to any Wi-Fi network.

   The setting is available for mobile devices running iOS version 14.5 or later and iPadOS version 13.1 or later.

   This check box is cleared by default.

   Allow creating VPN configurations (supervised only, iOS 11+)

   If the check box is selected, the user can create a VPN configuration on the managed device.

   If the check box is cleared, the user can't create a VPN configuration on the managed device.

   The setting is available for mobile devices running iOS version 11 or later and iPadOS version 13.1 or later.

   This check box is selected by default.

   Allow AirDrop (supervised only)

   Use of the AirDrop feature for transmitting user data from the iOS MDM device to other Apple devices.

   If the check box is selected, the user can use AirDrop to transmit data to other Apple devices.

   If the check box is cleared, the user cannot transmit data to other Apple devices using AirDrop.

   This check box is selected by default.

   Allow modification of eSIM settings (supervised only, iOS 11+)

   Selecting or clearing this check box specifies whether the device user can change carrier plan related settings.

   The restriction is supported on devices with iOS 11 and later.

   The check box is selected by default.

   Allow iMessage (supervised only)

   Usage of the iMessage service on the user's mobile device.

   If the check box is selected, the user can send and receive messages using the iMessage service.

   If the check box is cleared, the iMessage is not available on the mobile device. The user cannot send or receive messages via iMessage.

   This check box is selected by default.

   Allow Apple Music (supervised only)

   Listening to music on the user's mobile device using the Apple Music service.

   If the check box is selected, the user can listen to music on the mobile device in the Music app.

   If the check box is cleared, the Apple Music service is not available to the user.

   This check box is selected by default.

   Allow Radio in Apple Music (supervised only)

   Listening to the radio using the Apple Music service on the user's mobile device.

   If the check box is selected, the user can listen to the radio in the Music app on the mobile device.

   If the check box is cleared, the user cannot listen to the radio.

   This check box is selected by default.

   Allow modification of Bluetooth settings (supervised only, iOS 11+)

   If the check box is selected, the user can modify Bluetooth settings on the mobile device.

   If the check box is cleared, Bluetooth settings cannot be modified on the mobile device.

   The setting is available for mobile devices running iOS version 11 or later and iPadOS version 13.1 or later.

   This check box is selected by default.

   Allow use of NFC (supervised only, iOS 14.2+)

   If the check box is selected, the use of NFC is allowed.

   If the check box is cleared, the use of NFC is disabled.

   The setting is available for mobile devices running iOS version 14.2 or later.

   This check box is selected by default.

   Allow voice dialing on a locked device

   Use of the voice dialing function on a locked mobile device.

   If the check box is selected, the user can use voice commands to dial phone numbers on a locked mobile device.

   If the check box is cleared, the user cannot use voice commands to dial phone numbers on a locked mobile device.

   This check box is selected by default.

   Allow use of Siri

   Usage of the Siri app on the user's mobile device.

   If the check box is selected, the user can use voice commands of the Siri app on the mobile device.

   If the check box is cleared, the user cannot use voice commands of the Siri app on the mobile device.

   This check box is selected by default.

   Allow use of profanity filter (supervised only)

   This option enables the filtering of profanity while using the Siri app on the mobile device.

   If the check box is selected, profanity is filtered while the user uses the Siri app.

   If the check box is cleared, profanity is not filtered while the user uses the Siri app.

   This check box is selected by default.

   Allow when device is locked

   Use of Siri voice commands when the user's mobile device is locked. The user's mobile device has to be password-protected. This setting is available if the Allow use of Siri check box is selected.

   If the check box is selected, the user can use Siri voice commands on a locked mobile device.

   If the check box is cleared, the user cannot use Siri voice commands on a locked device.

   This check box is selected by default.

   Show user's content (supervised only)

   This option allows adding personal data of the user to Siri so they can be used in Siri voice commands (for example: "remind me to call wife when I get home") on the iOS MDM device. This setting is available if the Allow use of Siri check box is selected.

   If the check box is selected, the user can fill out a personal card in Siri settings and use this information in Siri voice commands.

   If the check box is cleared, the user is not allowed to add personal data to Siri.

   This check box is selected by default.

   Allow AirPrint (supervised only, iOS 11+)

   Selecting or clearing this check box specifies whether the device user can use AirPrint.

   The restriction is supported on devices with iOS 11 and later.

   The check box is selected by default.

   Allow storage of AirPrint credentials (supervised only, iOS 11+)

   Selecting or clearing this check box specifies whether the device user can store a keychain of user name and password for AirPrint.

   The restriction is supported on devices with iOS 11 and later.

   The check box is selected by default.

   Allow iBeacon discovery of AirPrint printers (supervised only, iOS 11+)

   Selecting or clearing this check box specifies whether iBeacon discovery of AirPrint printers is enabled. Disabling iBeacon discovery of AirPrint printers prevents spurious AirPrint Bluetooth beacons from getting information about network traffic.

   The restriction is supported on devices with iOS 11 and later.

   The check box is selected by default.

   Force AirPrint to use a trusted TLS certificate (supervised only, iOS 11+)

   Selecting or clearing this check box specifies whether a trusted certificate for TLS printing communication is required.

   The restriction is supported on devices with iOS 11 and later.

   The check box is cleared by default.

   Allow iBooks Store (supervised only)

   Access to iBooks Store from the iBooks app on the user's mobile device.

   If the check box is selected, the user can visit iBooks Store from the iBooks app installed on the device.

   If the check box is cleared, the user cannot visit iBooks Store from the iBooks app.

   This check box is selected by default.

   Allow installation of apps from Apple Configurator and iTunes (supervised only)

   The user can independently install apps on an iOS MDM device.

   If the check box is selected, the user can independently install or update apps on a mobile device from App Store using iTunes, Apple Configurator, or Kaspersky Device Management for iOS.

   If the check box is cleared, the user cannot install or update apps from App Store using iTunes, Apple Configurator, or Kaspersky Device Management for iOS on a mobile device. Installation and upgrade are available only for corporate apps. The App Store icon is hidden on the home screen of the iOS MDM device.

   This check box is selected by default.

   Allow installation of apps from App Store (supervised only)

   Capability to independently install apps to a mobile device from App Store. The check box is available if the Allow installation of apps from Apple Configurator and iTunes check box is selected.

   If the check box is selected, the user can independently install or update apps from App Store.

   If the check box is cleared, the user cannot install or update apps from App Store on the mobile device. The App Store icon is hidden on the home screen of the iOS MDM device.

   This check box is selected by default.

   Allow automatic loading of apps (supervised only)

   Use of the function for automatic loading of apps to the user's mobile device. The check box is available if the Allow installation of apps from Apple Configurator and iTunes and Allow installation of apps from App Store check boxes are selected.

   If the check box is selected, automatic loading of apps is available to the user (Settings > iTunes and App Store > Applications). After this function is enabled, the apps that the user acquired from App Store are automatically loaded to the user's other Apple devices.

   If the check box is cleared, the function for automatic loading of apps is disabled and unavailable.

   This check box is selected by default.

   Allow removing apps (supervised only)

   This option allows removing apps from the mobile device.

   If the check box is selected, the user can remove apps installed via App Store or iTunes from the device.

   If the check box is cleared, the user cannot remove apps installed via App Store or iTunes from the mobile device.

   This check box is selected by default.

   Allow In-App Purchases

   Use of the in-App Purchase system on the mobile device.

   If the check box is selected, the user can make purchases in apps installed on the mobile device.

   If the check box is cleared, the user cannot make purchases in apps installed on the mobile device.

   This check box is selected by default.

   Prompt for password for each purchase through iTunes Store

   Use of the restriction password for purchasing media content in iTunes Store.

   If the check box is selected, prior to making the first purchase via iTunes Store the user has to specify the restriction password in purchase restriction settings and subsequently use it for preventing accidental or unauthorized purchases. After the account has been verified when the user is making purchases, the restriction password does not have to be re-entered for another 15 minutes.

   If the check box is cleared, the user is not required to enter the restriction password before making purchases in iTunes Store.

   This check box is cleared by default.

   Allow iCloud backup

   Automatic data backup from the iOS MDM device to iCloud. Copies of data already stored in iCloud are not created during the backup process. Copies of media content that was received by synchronizing the device with a computer and not purchased from iTunes Store are not created either.

   If the check box is selected, the user can save backup copies of mobile device data in iCloud. Backup copies of data are saved in iCloud on a daily basis when the device is enabled, locked, and connected to a power source.

   If the check box is cleared, the user cannot save backup copies of mobile device data in iCloud.

   This check box is selected by default.

   Allow storing documents and data in iCloud (supervised only)

   Automatic backup of documents in iCloud. iCloud documents can be opened and edited on other devices on which the iCloud service is configured.

   If the check box is selected, the user can save documents in iCloud, open and edit them on other devices in applications that support iCloud (such as TextEdit).

   If the check box is cleared, the user is not allowed to save documents in iCloud.

   This check box is selected by default.

   Allow iCloud Keychain

   Automatic synchronization of the account credentials of an iOS MDM device user with other Apple devices of the user. Data to be synchronized is stored in iCloud Keychain. Data in iCloud Keychain is encrypted. iCloud Keychain makes it possible to save the following data in iCloud:

   • Website accounts
   • Bank card numbers and expiry dates
   • Wireless network passwords

   If the check box is selected, the user can synchronize data of accounts with other Apple devices of the user.

   If the check box is cleared, the user is not allowed to use iCloud Keychain on the mobile device.

   This check box is selected by default.

   Allow managed apps to store data in iCloud

   Creation of a backup copy of the data of managed apps in iCloud. Managed apps are corporate apps that are installed, configured, and managed with the aid of Kaspersky Device Management for iOS.

   If the check box is selected, the user can store the data of managed apps in iCloud.

   If the check box is cleared, the user cannot store corporate data in iCloud.

   This check box is selected by default.

   Allow backup of enterprise books

   Backup copying of enterprise books using iCloud or iTunes. You can provide access to enterprise books by placing them on the corporate web server.

   If the check box is selected, backup copying of enterprise books using iCloud or iTunes is available to the user.

   If the check box is cleared, backup copying of enterprise books is not available.

   This check box is selected by default.

   Allow synchronization of notes and highlights in enterprise books

   Capability to synchronize notes, bookmarks, and highlighted text in enterprise books using iCloud.

   If the check box is selected, the user can perform synchronization of notes, bookmarks, and highlights in enterprise books (Settings > iBooks > Sync bookmarks and notes). Changes will be available on all the user's Apple devices using iCloud.

   If the check box is cleared, notes, bookmarks and highlighted text will be available only on this mobile device.

   This check box is selected by default.

   Allow iCloud photo sharing

   Use of iCloud photo sharing on the iOS MDM device to grant other users access to photos and videos on the iCloud server. The other uses need to have the iCloud Photo Sharing feature configured.

   If the check box is selected, the iCloud Photo Sharing feature is available to the user. Users of other devices can view the user's photos and videos, leave comments, and add their own photos and videos. The user can also access data of other users on the iCloud server.

   If the check box is cleared, the iCloud Photo Sharing feature is not available to the user. The user cannot grant other uses access to the user's photos and videos on the iCloud server or access data of other users on the iCloud server.

   This check box is selected by default.

   Allow iCloud Media Library

   Use of the iCloud Media Library function for automatic uploading of photos and videos from the iOS MDM device to other Apple devices of the user.

   If the check box is selected, the iCloud Media Library function is available to the user when working with the Photo app.

   If the check box is cleared, the iCloud Media Library function is not available to the user. The user's photos and videos saved in the iCloud Media Library are removed from the iCloud server.

   This check box is selected by default.

   Allow My Photo Stream (disallowing may result in loss of data)

   Use of the Allow My Photo Stream feature for automatic uploading of photos and videos from the iOS MDM device to other Apple devices of the user. The photos and videos are stored in the My Photo Stream folder on the iCloud server for 30 days.

   If the check box is selected, the user has access to the My Photo Stream feature when using the iPhoto or Aperture apps.

   If the check box is cleared, the user is not allowed access to the My Photo Stream feature. The user's photos and videos saved in the My Photo Stream folder are removed from the iCloud server.

   This check box is selected by default.

   Allow automatic sync while roaming

   Automatic synchronization of user data when the iOS MDM device is roaming.

   If the check box is selected, the user can enable automatic data synchronization when the device is roaming. Enabling automatic synchronization in roaming can result in unexpected mobile service costs.

   If the check box is cleared, the user is not allowed to use automatic data synchronization when the device is roaming.

   This check box is selected by default.

   Enable encryption of backup copies

   Encryption of backup copies of iOS MDM device data in the iTunes app on the user's computer.

   Data of the Kaspersky Device Management for iOS configuration policy is not encrypted regardless of whether or not encryption of the backup copy of data is enabled.

   If the check box is selected, when a backup copy of mobile device data is created in the iTunes app, data is encrypted automatically and protected with a password. In this case, the user cannot encrypt backup copies of the device data in the iTunes app.

   If the check box is cleared, the user may choose whether or not to use encryption of backup copies of data in the iTunes app.

   This check box is cleared by default.

   Limit ad tracking

   Use of IFA (Identifier for advertisers) technology for keeping track of websites visited and apps launched on the iOS MDM device. IFA makes it possible to configure ad tracking on the mobile device according to the user's interests.

   If the check box is selected, IFA technology is disabled on the user's mobile device.

   If the check box is cleared, IFA technology is enabled on the mobile device and keeps track of websites visited and apps started in order to show targeted ads.

   This check box is cleared by default.

   Allow full reset (supervised only)

   Capability to wipe all data from the device and reset the device to its factory settings.

   If the check box is selected, the user can wipe all data from the device and reset it to factory settings (Settings > General > Reset > Wipe content and settings).

   If the check box is cleared, full reset to factory settings is not available.

   This check box is selected by default.

   Allow users to accept untrusted TLS certificates

   Use of untrusted TLS certificates for providing an encrypted communication channel between apps on the iOS MDM device (Mail, Contacts, Calendar, Safari) and corporate resources.

   If the check box is selected, the user may allow the use of an untrusted TLS certificate after being shown a warning.

   If the check box is cleared, Kaspersky Device Management for iOS automatically blocks the use of untrusted TLS certificates.

   This check box is selected by default.

   Allow automatic updates of trusted certificates

   Automatic update of trusted certificates on the iOS MDM device.

   If the check box is selected, Kaspersky Device Management for iOS automatically applies changes made to the trust settings of a certificate.

   If the check box is cleared, changes to trust settings of a certificate are not applied automatically. After being shown a warning, the user may choose to apply changes to trust settings of the certificate.

   This check box is selected by default.

   Allow trusting of new enterprise developers

   Capability to configure trusting of corporate apps on a mobile device. You can develop corporate apps and distribute them among employees for internal use. To work with a corporate app, the mobile device user must make it a trusted app. When installing apps via Kaspersky Device Management for iOS, the trust level of apps is automatically set.

   If the check box is selected, the user can configure trusting of corporate apps (Settings > General > Profiles or Profiles and device management).

   If the check box is cleared, the user cannot set the trust level for corporate apps when installing an app manually. You can install apps only through Kaspersky Device Management for iOS. The trust level of apps will be set automatically.

   This check box is selected by default.

   Allow installing configuration profiles (supervised only)

   Use of additional configuration profiles (other than Kaspersky Security Center policies) on the iOS MDM device.

   If the check box is selected, the user can install additional configuration profiles on the mobile device.

   If the check box is cleared, the user cannot install additional configuration profiles, other than Kaspersky Security Center policies, on the mobile device.

   This check box is selected by default.

   Allow editing account settings (supervised only)

   The option that lets the user add new accounts (such as email accounts) and edit account settings on the iOS MDM device.

   If the check box is selected, the mobile device user can add new accounts and edit the settings of existing accounts.

   If the check box is cleared, the mobile device user is not allowed to add new accounts and edit the settings of existing accounts.

   This check box is selected by default.

   Allow modification of cellular communication settings (supervised only)

   Capability to configure cellular network data transfer by apps installed on a mobile device.

   If the check box is selected, the user can configure the settings for data transfer over a cellular network (Settings > Cellular communications > Cellular data for apps).

   If the check box is cleared, the settings for cellular network data transfer by apps cannot be modified.

   This check box is selected by default.

   Allow device name editing (supervised only)

   Capability to modify the name of the mobile device.

   If the check box is selected, the user can edit the mobile device name (Settings > General > About this device > Name).

   If the check box is cleared, the device name cannot be edited.

   This check box is selected by default.

   Allow use of Find My Device in the Find My app (supervised only, iOS 13+)

   Selecting or clearing this check box specifies whether the device user can use Find My Device in the Find My app.

   The restriction is supported on devices with iOS 13 and later.

   The check box is selected by default.

   Allow use of Find My Friends in the Find My app (supervised only, iOS 13+)

   Selecting or clearing this check box specifies whether the device user can use Find My Friends in the Find My app.

   The restriction is supported on devices with iOS 13 and later.

   The check box is selected by default.

   Allow editing Find My Friends settings (supervised only)

   The option that lets the user edit the settings of the Find My Friends app on the iOS MDM device.

   If the check box is selected, the user can edit the settings of the Find My Friends app on the iOS MDM device.

   If the check box is cleared, the user cannot edit the configured settings of the Find My Friends app on the iOS MDM device.

   This check box is selected by default.

   Allow editing of notification settings (supervised only)

   Capability to configure the display of notifications on the mobile device.

   If the check box is selected, the user can configure the settings for displaying notifications on the mobile device (Settings > General > Notifications).

   If the check box is cleared, the display of notifications cannot be configured.

   This check box is selected by default.

   Allow password change (supervised only)

   Capability to set, change, or delete the mobile device unlock password.

   If the check box is selected, the user can set, change, or delete the password used for unlocking the mobile device (Settings > Password).

   If the check box is cleared, management of the device unlock password is not available.

   This check box is selected by default.

   Allow modification of Touch ID and Face ID (supervised only)

   Capability to add and remove Touch ID fingerprints or Face ID data. This setting is available if the Allow password change check box is selected.

   You can manage Face ID on devices running iOS version 11.0 or later.

   If the check box is selected, the user can add and remove Touch ID fingerprints or Face ID data (Settings > Touch ID & Passcode / Face ID & Passcode > Fingerprints).

   If the check box is cleared, Touch ID fingerprint or Face ID data management is not available.

   This restriction cannot be applied on iPad devices.

   This check box is selected by default.

   Allow modification of restrictions (supervised only)

   Capability to configure the settings for restrictions on the mobile device. Restrictions may be utilized by the user to perform parental control functions on the mobile device. The user can restrict device functions (for example, block use of the camera), access to media content (for example, set age restrictions on viewing films), use of apps (for example, block the use of iTunes Store), and configure other restrictions.

   If the check box is selected, the user can configure the settings for restrictions on the mobile device (Settings > General > Restrictions).

   If the check box is cleared, restrictions cannot be configured on the mobile device.

   This check box is selected by default.

   Allow wallpaper change (supervised only)

   Capability to select the image that will be displayed on the lock screen or Home screen.

   If the check box is selected, the user can select the wallpaper for the mobile device.

   If the check box is cleared, wallpaper selection is not available.

   This check box is selected by default.

   Allow pairing with non-Configurator hosts (supervised only)

   Protection of the iOS MDM device against third-party connections. A third-party connection is a connection to other devices or synchronization with Apple services, such as iTunes.

   If the check box is selected, the user can synchronize the iOS MDM device with other devices and Apple services.

   If the check box is cleared, Kaspersky Device Management for iOS blocks non-Configurator hosts on the user's mobile device.

   This check box is selected by default.

   Allow non-managed apps to use documents from managed apps

   Possibility to use unmanaged (personal) apps on the iOS MDM device to open documents created using managed (corporate) apps and accounts. Managed apps are corporate apps that are installed, configured, and managed with the aid of Kaspersky Device Management for iOS. Unmanaged apps are apps installed, configured, and managed by the mobile device user.

   If the check box is selected, the user can open documents created managed corporate apps in unmanaged apps.

   If the check box is cleared, the user is not allowed to open documents created using managed apps in unmanaged apps. For example, this setting prevents the opening of a confidential email attachment from a managed email account in personal apps of the user.

   This check box is selected by default.

   Allow managed apps to use documents from non-managed apps

   Possibility to use managed (corporate) apps on the iOS MDM device to open documents created using unmanaged (personal) apps and accounts of the user. Managed apps are corporate apps that are installed, configured, and managed with the aid of Kaspersky Device Management for iOS. Unmanaged apps are apps installed, configured, and managed by the mobile device user.

   If the check box is selected, the user can open documents created using unmanaged apps in managed apps.

   If the check box is cleared, the user is not allowed to open documents created using unmanaged apps in managed apps. For example, this setting prevents a document from a personal iCloud account from being opened in a corporate app.

   This check box is selected by default.

   Treat AirDrop as unmanaged app

   Use of AirDrop as an unmanaged app for transferring data from the mobile device to other Apple devices. This restriction requires that you clear the Allow non-managed apps to use documents from managed apps check box. Unmanaged apps are apps installed, configured, and managed by the mobile device user.

   If the check box is selected, AirDrop is treated as an unmanaged app.

   If the check box is cleared, AirDrop is treated as a managed app.

   This check box is selected by default.

   Allow Handoff

   Use of the Handoff function on the user's mobile device. Handoff enables you to start working with data on one Apple device and then switch to another Apple device and continue working with that data.

   If the check box is selected, Handoff is available to the user.

   If the check box is cleared, Handoff is not available.

   This check box is selected by default.

   Allow Spotlight suggestions (supervised only)

   Use of Spotlight suggestions for the Search function on the user's mobile device. Spotlight enables you to show search results from the Internet, iTunes Store, App Store, and other sources when using the Search function. When using Spotlight suggestions, search queries and their associated user data are sent to Apple.

   If the check box is selected, the user can allow Spotlight suggestions to be added to the Search function (Settings > General > Spotlight search > Spotlight suggestions).

   If the check box is cleared, Spotlight suggestions are not available. User data is not sent to Apple.

   This restriction cannot be applied on iPadOS devices.

   This check box is selected by default.

   Allow diagnostic and personal data to be sent to Apple

   Automatic gathering of diagnostic data and information on iOS MDM device usage and transmission of a report with such data to Apple for analysis.

   If the check box is selected, after being shown a warning the user may allow transmission of reports with diagnostic data and information on mobile device usage to Apple.

   If the check box is cleared, Kaspersky Device Management for iOS blocks transmission of reports with diagnostic data and information on mobile device usage to Apple.

   This check box is selected by default.

   Allow modification of diagnostic data transmission settings (supervised only)

   Automatic gathering of diagnostic data and information on iOS MDM device usage and transmission of a report with such data to Apple for analysis. This setting is available if the Allow diagnostic and personal data to be sent to Apple check box is selected.

   If the check box is selected, the user can configure the submission of reports containing diagnostic information and mobile device usage data to Apple (Settings > Confidentiality > Diagnostics and usage).

   If the check box is cleared, the settings for submission of reports containing diagnostic information are not available.

   This check box is selected by default.

   Allow unlocking device through Touch ID or Face ID

   Use of Touch ID and Face ID technologies make it possible to use a fingerprint or facial recognition as a password for unlocking the iOS MDM device. Touch ID and Face ID can also be used for authentication of purchases by means of Apple Pay, iTunes Store, App Store, iBooks Store and to sign in into apps.

   You can manage Face ID on devices running iOS version 11.0 or later.

   If the check box is selected, the user can use a fingerprint or facial recognition instead of a password for unlocking the mobile device.

   If the check box is cleared, the user cannot use Touch ID or Face ID technology for unlocking the mobile device.

   This check box is selected by default.

   Enable Apple Watch wrist detection

   Automatic locking of Apple Watch when the user removes the watch from his or her hand.

   If the check box is selected, Apple Watch is locked when the user removes a watch from his or her hand (Apple Watch > My watch > General > Wrist detection). To unlock it, the user must enter a password on the mobile device.

   If the check box is cleared, Apple Watch cannot be locked after a watch is removed.

   This check box is selected by default.

   Allow pairing with Apple Watch (supervised only)

   Pairing of Apple Watch with a controlled mobile device.

   If the check box is selected, the user of the controlled mobile device can create a pairing with Apple Watch.

   If the check box is cleared, pairing with Apple Watch is not available.

   This check box is selected by default.

   Prompt for password on first connection to AirPlay

   Use of a password upon connection of the iOS MDM device to devices compatible with AirPlay. The password is used for safe transmission of media content.

   If the check box is selected, before the first connection of the mobile device to devices compatible with AirPlay, the user must specify the password in the AirPlay security settings and subsequently enter it.

   If the check box is cleared, the user is free to decide whether or not to use a password when connecting the mobile device to devices compatible with AirPlay.

   This check box is cleared by default.

   Allow predictive keyboard (supervised only)

   Use of the predictive text input function. The predictive text input function shows options for completing words and suggestions based on available dictionaries.

   If the check box is selected, the user can enable and use the predictive text input function (Settings > General > Keyboard > Predictive text).

   If the check box is cleared, the predictive text function is not available. In this case, suggestions are not displayed when entering text.

   This check box is selected by default.

   Allow keyboard shortcuts (supervised only)

   Use of keyboard shortcuts for quick access to mobile device functions.

   If the check box is selected, the user can enable the keyboard shortcut function and use it when working with the mobile device (Settings > General > Universal access > Keyboard shortcut).

   If the check box is cleared, the keyboard shortcut function is not available.

   This check box is selected by default.

   Allow auto correction (supervised only)

   Use of the auto correction function when entering text.

   If the check box is selected, the user can enable and use the auto correction function (Settings > General > Keyboard > Auto correction).

   If the check box is cleared, auto correction is not available when entering text.

   This check box is selected by default.

   Allow spellcheck (supervised only)

   Use of spellcheck when entering text on a mobile device. The spellcheck function underlines incorrectly spelled words and suggests corrections.

   If the check box is selected, the user can enable and use the spellcheck function (Settings > General > Keyboard > Spellcheck).

   If the check box is cleared, spellcheck is not available when entering text.

   This check box is selected by default.

   Allow dictionary search (supervised only)

   Obtaining the definition of a word in a dictionary on the mobile device. Only a software keyboard has a dictionary function.

   If the check box is selected, the user can highlight any word on the screen of the mobile device and receive the definition of that word.

   If the check box is cleared, dictionary search is not available.

   This check box is selected by default.

   Allow Wallet on-screen notifications when screen is locked

   Use of Wallet notifications on the lock screen of the iOS MDM device.

   If the check box is selected, Wallet notifications are displayed on the lock screen of the mobile device.

   If the check box is cleared, Wallet notifications are not displayed on the lock screen of the mobile device. To work with Wallet, the user must unlock the device.

   This check box is selected by default.

   Show Control Center when screen is locked

   Possibility to go to the Control Center of the iOS MDM device when the device is locked.

   If the check box is selected, the user can go to the Control Center by swiping the lock screen up.

   If the check box is cleared, the user cannot go to the Control Center when the device is locked.

   This check box is selected by default.

   Show Notification Center when screen is locked

   Possibility to go to the Notification Center of the iOS MDM device when the device is locked.

   If the check box is selected, the user can go to the Notification Center by swiping the lock screen down.

   If the check box is cleared, the user cannot go to the Notification Center when the device is locked.

   This check box is selected by default.

   Show Today when screen is locked

   Display of information from the Today section of the Notification Center on the screen of a locked iOS MDM device. The Today section of the Notification Center shows the following information:

   • Planned Calendar events
   • Reminders
   • Stock prices
   • Weather

   If the check box is selected, the user can view notifications from the Today section of the Notification Center on a locked mobile device.

   If the check box is cleared, the Today section is not displayed on the locked mobile device.

   This check box is selected by default.

7. Click the Apply button to save the changes you have made.
8. Select the Restrictions for applications section.
9. In the Applications restriction settings section, select the Apply settings on device check box.
10. Configure restrictions for apps on the iOS MDM device.
11. Click the Apply button to save the changes you have made.
12. Select the Restrictions for Media Content section.
13. In the Media content restriction settings section, select the Apply settings on device check box.
14. Configure restrictions for media content on the iOS MDM device.
15. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, restrictions on features, apps, and media content will be configured on the user's mobile device.

[Topic 136563]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring user access to websites

This section contains instructions on how to configure access to websites on Android and iOS devices.

[Topic 89905]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring access to websites on Android devices

You can use Web Protection to configure access of Android device users to websites. Web Protection supports website filtering by categories defined in Kaspersky Security Network cloud service. Filtering allows you to restrict user access to certain websites or categories of websites (for example, those from the "Gambling, lotteries, sweepstakes", or "Internet communication" categories). Web Protection also protects the personal data of users on the internet.

To enable Web Protection:

• Kaspersky Endpoint Security must be enabled as an Accessibility Features service.
• The Statement regarding data processing for the purpose of using Web Protection (Web Protection Statement) should be accepted. Kaspersky Endpoint Security uses Kaspersky Security Network (KSN) to scan websites. The Web Protection Statement contains the terms of data exchange with KSN.

  You can accept the Web Protection Statement for the user in Kaspersky Security Center. In this case, the user is not required to take any action.

  If you have not accepted the Web Protection Statement and prompt the user to do this, the user must read and accept the Web Protection Statement in the app settings.

  If you have not accepted the Web Protection Statement, Web Protection is not available.

Web Protection on Android devices is supported by Google Chrome, HUAWEI Browser, Samsung Internet Browser, and Yandex Browser only.

The Custom Tabs feature is supported by Google Chrome, HUAWEI Browser, and Samsung Internet Browser.

Web Protection for HUAWEI Browser, Samsung Internet Browser, and Yandex Browser does not block sites on a mobile device if the work profile is used and Web Protection is enabled only for the work profile.

Web Protection is enabled by default: user access to websites in the Phishing and Malware categories is blocked.

To configure the settings of the device user's access to websites:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Web Protection.
5. To use Web Protection, you or device user must read and accept the Statement regarding data processing for the purpose of using Web Protection (Web Protection Statement):
   1. Click the Web Protection Statement link at the top of the section.

      This opens Statement regarding data processing for purpose of using Web Protection window.

   2. Read and accept Privacy Policy by selecting the corresponding check box. To view Privacy Policy, click the Privacy Policy link.

      If you do not accept Privacy Policy, mobile device user can accept Privacy Policy in the Initial Configuration Wizard or in the app ( → About → Terms and conditions → Privacy Policy).

   3. Select the Web Protection Statement acceptance mode:
      • I have read and accept the Web Protection Statement
      • Request acceptance of the Web Protection Statement from the device user
      • I do not accept the Web Protection Statement

        If you select I do not accept the Web Protection Statement, the Web Protection does not block sites on a mobile device. Mobile device user cannot enable Web Protection in the Kaspersky Endpoint Security.

   4. Click OK to close the window.

   

   Step 5. Accept the Statement regarding data processing for purpose of using Web Protection.

6. Select the Enable Web Protection check box.
7. If you want the app to check a full URL when opening a website in Custom Tabs, select the Check full URL when using Custom Tabs check box.

   Custom Tabs is an in-app browser that allows the user to view web pages without having to leave the app and switch to a full web browser version. This option provides better detection of a URL and its check against the configured Web Protection rules. If the check box is selected, Kaspersky Endpoint Security for Android opens the website in a full version of the browser and checks whole web address of the website. If the check box is cleared, Kaspersky Endpoint Security for Android checks only the domain of a website in Custom Tabs.

8. Select one of the following options:
   • If you want the app to restrict user access to websites depending on their content, do the following:
     1. In the Web Protection section, in the drop-down list select Websites of selected categories are forbidden.
     2. Create a list of blocked categories by selecting check boxes next to the categories of websites to which the app will block access.

   

   Step 8. Web Protection section. Select the categories of websites to block access to.

   • If you want the app to allow or restrict user access only to websites specified by the administrator, do the following:
     1. In the Web Protection section, in the drop-down list select Only listed websites are allowed or Only listed websites are blocked.
     2. Create a list of websites by adding addresses of websites to which the app will allow or block access, depending on the value selected in the drop-down list. You can add websites by link (full URL, including the protocol, e.g. https://example.com).

        To make sure that the app allows or blocks access to the specified website in all supported versions of Google Chrome, HUAWEI Browser, Samsung Internet Browser, or Yandex Browser, include the same URL twice, once with the HTTP protocol (e.g., http://example.com) and once with the HTTPS protocol (e.g., https://example.com).

        For example:

        • https://example.com—The main page of the website is either allowed or blocked. This URL can only be accessed through the HTTPS protocol.
        • http://example.com—The main page of the website is either allowed or blocked, but only when accessed through the HTTP protocol. Other protocols like HTTPS are not affected.
        • https://example.com/page/index.html—Only the index.html page of the website will be allowed or blocked. The rest of the website are not affected by this entry.

        The app also supports regular expressions. When entering the address of an allowed or blocked website, use the following templates:

        • https://example\.com/.*—This template blocks or allows all child pages of the website, accessible exclusively via the HTTPS protocol (for example, https://example.com/about).
        • https?://example\.com/.*—This template blocks or allows all child pages of the website, available through both HTTP and HTTPS protocols.
        • https?://.*\.example\.com—This template blocks or allows all subdomain pages of the website (e.g., https://pictures.example.com).
        • https?://example\.com/[abc]/.*—This template blocks or allows all child pages of the website where the URL path begins with 'a', 'b', or 'c' as the first directory (e.g., https://example.com/b/about).
        • https?://\w{3,5}.example\.com/.*—This template blocks or allows all child pages of the website where the subdomain consists of a word with 3 to 5 characters (e.g., http://abde.example.com/about).

        Use the expression https? to select both the HTTP and HTTPS protocols. For more details on regular expressions, please refer to the Oracle Technical Support website.

   

   Step 9. Web Protection section. Specify the list of websites to allow access to.

   • If you want the app to block user access to all websites, in the Web Protection section, in the drop-down list, select All websites are blocked.
9. To lift content-based restrictions on user access to websites, clear the Enable Web Protection check box.
10. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Managing the website list

You can manage the list of websites with the following buttons:

• Add - Click to add a website to the list by entering a URL or regular expression.
• Import - Click to add multiple websites to the list by specifying a .txt file which contains the required URLs or regular expressions. The file must be encoded in UTF-8. URLs or regular expressions in the file must be separated by semicolons or by line breaks.
• Edit - Click to change the address of a website.
• Delete - Click to remove a website from the list. To remove multiple websites from the list, select them with the CTRL+A, CTRL+left-click, or SHIFT+left-click hotkeys, and then click Delete.

[Topic 88661]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring access to websites on iOS MDM devices

Configure Web Protection settings to control access to websites for iOS MDM device users. Web Protection controls a user's access to websites based on lists of allowed and blocked websites. Web Protection also lets you add website bookmarks on the bookmark panel in Safari.

By default, access to websites is not restricted.

Web Protection settings can be configured for supervised devices only.

To configure access to websites on the user's iOS MDM device:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Web Protection section.
5. In the Web Protection settings section, select the Apply settings on device check box.
6. To block access to blocked websites and allow access to allowed websites:
   1. In the Web Filter Mode drop-down list, select the Limit adult content mode.
   2. In the Allowed websites section, create a list of allowed websites.

      The website address should begin with "http://" or "https://". Kaspersky Device Management for iOS allows access to all websites in the domain. For example, if you have added http://www.example.com to the list of allowed websites, access is allowed to http://pictures.example.com and http://example.com/movies. If the list of allowed websites is empty, the application allows access to all websites other than those included in the list of blocked websites.

   3. In the Forbidden websites section, create a list of blocked websites.

      The website address should begin with "http://" or "https://". Kaspersky Device Management for iOS blocks access to all websites in the domain.

7. To block access to all websites other than allowed websites on the tab list:
   1. In the Web Filter Mode drop-down list, select the Allow bookmarked websites only mode.
   2. In the Bookmarks section, create a list of bookmarks of allowed websites.

      The website address should begin with "http://" or "https://". Kaspersky Device Management for iOS allows access to all websites in the domain. If the bookmark list is empty, the application allows access to all websites. Kaspersky Device Management for iOS adds websites from the list of bookmarks on the bookmarks tab in Safari in the user's mobile device.

8. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, Web Protection will be configured on the user's mobile device according to the mode selected and lists created.

[Topic 254072]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Compliance control

This section contains instructions on how to monitor device compliance with corporate requirements and how to configure compliance control rules.

[Topic 89910]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Compliance control of Android devices with corporate security requirements

You can control Android devices for compliance with the corporate security requirements. Corporate security requirements regulate how the user can work with the device. For example, the real-time protection must be enabled on the device, the anti-malware databases must be up-to-date, and the device password must be sufficiently strong. Compliance control is based on a list of rules. A compliance rule includes the following components:

• Device check criterion (for example, absence of blocked apps on the device).
• Time period allocated for the user to fix the non-compliance (for example, 24 hours).
• Actions that will be taken on the device if the user does not fix the non-compliance within the set time period (for example, lock the device).

  If the device is in battery saver mode, the app may perform this task later than specified. To ensure timely responses of KES devices on Android to the administrator's commands, enable the use of Google Firebase Cloud Messaging.

To create a rule for checking devices for compliance with a group policy:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Compliance Control section.
5. To receive notifications about devices that do not comply with the policy, in the Non-compliance notification section select the Notify administrator check box.

   If the device does not comply with a policy, during device synchronization with the Administration Server, Kaspersky Endpoint Security for Android writes an entry for Violation detected: <name of the criterion checked> in the event log. You can view the Event log on the Events tab in the Administration Server properties or in the local properties of the application.

6. To notify the device user that the user's device does not comply with the policy, in the Non-compliance notification section select the Notify user check box.

   If the device does not comply with a policy, during device synchronization with the Administration Server, Kaspersky Endpoint Security for Android notifies the user about this.

7. In the Compliance Control rules section, compile a list of rules for checking the device for compliance with the policy.
8. To add a rule, click Add.

   The Compliance Rule Wizard starts. Proceed through the wizard by using the Next button.

9. Select a non-compliance criterion for the rule.

   The following criteria are available:

   • Real-time protection is disabled

     Checks whether the security app is not installed on the device or is not running.

   • Anti-malware databases are out of date

     Checks whether the anti-malware databases were last updated 3 or more days ago.

   • Forbidden apps are installed

     Checks whether the list of apps on the device contains apps that are set as forbidden in the App Control.

   • Apps from forbidden categories are installed

     Checks whether the list of apps on the device contains apps from the categories that are set as forbidden in the App Control.

   • Not all required apps are installed

     Checks whether the list of apps on the device does not contains an app that is set as required in the App Control.

   • Operating system version is out of date

     Checks whether the Android version on the device is within the allowed range.

     For this criterion, specify the minimum and maximum allowed versions of Android. If the maximum allowed version is set to Any, it means that future Android versions supported by Kaspersky Endpoint Security for Android will also be allowed.

   • Device has not been synchronized for a long time

     Checks how long ago the device last synchronized with Administration Server.

     For this criterion, specify the maximum period after the last sync.

   • Device has been rooted

     Checks whether the device is hacked (whether root access is gained on the device).

   • Unlock password is not compliant with security requirements

     Checks whether the unlock password on the device does not comply with the settings defined in the Device Management section of the policy.

   • Installed version of Kaspersky Endpoint Security for Android is not supported

     Checks whether the security application installed on the device is not obsolete.

     This criterion applies only to the application installed by using a Kaspersky Endpoint Security for Android installation package and if the up-to-date version is specified in the Upgrade of Kaspersky Endpoint Security for Android section of Additional properties of the policy.

     For this criterion, you also need to specify the minimum allowed version of Kaspersky Endpoint Security for Android.

   • SIM card usage is not compliant with security requirements

     Checks whether the device SIM card has been replaced or removed compared to the previous check state.

     You can also enable the check for inserting an additional SIM card.

     In some cases, replacement, removal, and insertion of an eSIM is also checked.

10. Select the actions to be performed on the device if the specified non-compliance criterion is detected. You can add multiple actions. They are combined by the AND logical operator.

    The following actions are available:

    • Block all apps except system ones

      All apps on the user's mobile device, except system apps, are blocked from starting.

      As soon as the non-compliance criterion selected for the rule is no longer detected on the device, the apps are automatically unblocked.

    • Lock device

      The mobile device is locked. To obtain access to data, you must unlock the device. If the reason for locking the device is not rectified after the device is unlocked, the device will be locked again after the specified time period.

    • Wipe corporate data

      The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:

      • On a personal device, KNOX container and mail certificate are wiped.
      • If the device operates in device owner mode, KNOX container and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
      • Additionally, if Android work profile is created, the work profile (its content, configurations, and restrictions) and the certificates installed in the work profile (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
    • Full reset

      All data is deleted from the mobile device and the settings are rolled back to their factory values. After this action is completed, the device will no longer be a managed device. To connect the device to Kaspersky Security Center, you must reinstall Kaspersky Endpoint Security for Android.

    • Lock work profile

      The work profile on the device is locked. To obtain access to the work profile, you must unlock it. If the reason for locking the work profile is not rectified after it is unlocked, the work profile will be locked again after the specified time period.

      The action is only applicable to Android 6+.

      After the work profile on a device is locked, the history of work profile passwords is cleared. It means that the user can specify one of the recent passwords, regardless of the work profile password settings.

    • Wipe data of all apps

      The action is only applicable to devices running Android 9.0 and later in device owner mode or with created Android work profile.

      If the device works in device owner mode, data of all apps on the device is wiped. If Android work profile is created on the device, data of all apps in the work profile is wiped.

      As a result, apps are rolled back to their default state.

    • Wipe data of specified app

      The action is only applicable to devices running Android 9.0 and later in device owner mode or with created Android work profile.

      For this action, you need to specify the package name for the app whose data is to be deleted. How to get the package name of an app

      To get the package name of an app:

      1. Open Google Play.
      2. Find the required app and open its page.

      The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

      To get the package name of an app that has been added to Kaspersky Security Center:

      1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
      2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

      In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

      If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add this app's package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

      As a result, the app is rolled back to its default state.

      The new rule appears in the Compliance Control rules section.

11. To temporarily disable a rule that you have created, use the toggle switch opposite the selected rule.
12. In the Actions when user accounts are disabled in Active Directory section, you can configure the actions to perform on devices when a user account is disabled in Active Directory.

    Please keep in mind that this configuration requires integration with Microsoft Active Directory.

    To enable automatic wiping of data from devices associated with disabled accounts of Active Directory users, select the Wipe data from devices with disabled Active Directory user accounts check box and choose one of the following actions:

    • Wipe corporate data
    • Reset to factory settings
13. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. If the user device does not comply with the rules, the restrictions you have specified in the scan rule list are applied to the device.

[Topic 241836]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Compliance control of iOS MDM devices with corporate security requirements

Expand all | Collapse all

Compliance Control allows you to monitor iOS MDM devices for compliance with corporate security requirements and take actions if non-compliance is found. Compliance Control is based on a list of rules. Each rule includes the following components:

• Status (whether the rule is enabled or disabled).
• Non-compliance criteria (for example, absence of the specified apps or operating system version).
• Actions performed on the device if non-compliance is found (for example, wipe corporate data or send an email message to the user).

To create a rule:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Compliance Control section.
5. In the Compliance Control rules section, click Add.

   The Compliance Control Rule Wizard starts.

6. Select the Enable rule check box if you want to activate the rule. If the check box is cleared, the rule is disabled.
7. On the Non-compliance criteria tab, click Add criterion and select a non-compliance criterion for the rule. You can add multiple criteria. They are combined by the AND logical operator.

   The following criteria are available:

   • List of apps on device

     Checks whether the list of apps on the device contains forbidden apps or does not contain required apps.

     For this criterion, you need to select a check type (Contains or Does not contain) and specify the app's bundle ID. How to get the bundle ID of an app

     To get the bundle ID of a native iPhone or iPad app,

     Follow the instruction in Apple documentation.

     To get the bundle ID of any iPhone or iPad app:

     1. Open App Store.
     2. Find the required app and open its page.

        The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

     3. Copy this identifier (without letters "id").
     4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

        This downloads a text file.

     5. Open the downloaded file and find there the "bundleId" fragment.

     The text that directly follows this fragment is the bundle ID of the required app.

     To get the bundle ID of an app that has been added to Kaspersky Security Center:

     1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
     2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

     In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

     If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add this app's package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

   • Operating system version

     Checks the version of the operating system on the device.

     For this criterion, you need to select a comparison operator (Equal to, Not equal to, Less than, Less than or equal to, Greater than, or Greater than or equal to) and specify the iOS version.

     Note that the Equal to and Not equal to operators check for a full match of the operating system version with the specified value. For instance, if you specify 15 in the rule, but the device is running iOS 15.2, the Equal to criterion is not met. If you need to specify a range of versions, you can create two criteria and use the Less than and Greater than operators.

   • Management mode

     Checks the device's management mode.

     For this criterion, you need to select a mode (Supervised device or Non-supervised device).

   • Device type

     Checks the device type.

     For this criterion, you need to select a type (iPhone or iPad).

   • Device model

     Checks the device model.

     For this criterion, you need to select an operator (Included in the list or Not included in the list), and then specify models that will be checked or excluded from the check, respectively.

     To specify a model, type at least one character in the Identifier field, and then select the required model from the appeared list. The list contains mobile device codes and their matching product names. For example, if you want to add all iPhone 14 models, type "iPhone 14". In this case, you can select any of the available models: "iPhone 14", "iPhone 14 Plus", "iPhone 14 Pro", "iPhone 14 Pro Max".

     In some cases, the same product name may correspond to several mobile device codes (for example, the "iPhone 7" product name corresponds to two mobile device codes, "iPhone9.1" and "iPhone9.3"). Be sure that you select all of the mobile device codes that correspond to the required models.

     If you type a value that is not on the list, nothing will be found. However, you can click the OK button in the field to add the typed value to the criterion.

   • Device is roaming

     Checks whether the device is roaming (if you select True) or not (if you select False).

   • Device password is set

     Checks whether a password is set (if you select True) or not (if you select False).

     If you select True, select whether the device password must match (if you select Matches policy) or must not match (if you select Does not match policy) the settings specified in the Password Settings section.

   • Device free space

     Checks whether the amount of free space on the device becomes less than the threshold that you specify.

     For this criterion, specify the threshold amount of free space, and then select the measurement unit (GB or MB).

   • Device is not encrypted

     Checks whether the device is not encrypted.

     Data encryption is enabled by default on password-locked iOS devices (Settings > Touch ID / Face ID and Password > Enable Password). Also, the hardware encryption on a device must be set to At block and file level (you can check this parameter in the device properties: in the console tree, select Additional > Mobile Device Management > Mobile devices, and then double-click the required device).

   • SIM card has been changed

     Checks whether the device SIM card has been replaced or removed compared to the previous check state.

     You can also enable the check for inserting an additional SIM card.

     On eSIM compatible devices, the non-compliance detection cannot be removed by inserting the previously removed eSIM. This is because the device's operating system recognizes each added eSIM as a new one. In this case, you need to delete the compliance control rule from the policy.

   • Last sync earlier than

     Checks how long ago the device last synchronized with Administration Server.

     For this criterion, specify the maximum time after the last sync, and then select the measurement unit (Hours or Days).

     We do not recommend that you specify a value less than the value of the Updating frequency for information about devices parameter in the iOS MDM Server settings.

   If you specify criteria that contradict each other (for example, Device type is set to iPhone but the list of values of Device model, with the Included in the list operator selected, contains an iPad model), an error message is displayed. You cannot save such a rule.

8. On the Actions tab, specify actions to be performed on the device if all specified non-compliance criteria are detected.

   Actions are performed during the compliance rule check, which happens every 40 minutes, and persist until the next synchronization with the Administration Server. To prevent repetitive actions from a single non-compliance detection, set the Updating frequency for information about devices parameter in the iOS MDM Server settings to 30 minutes.

   Add an action in one of the following ways:

   • Click the Add action button if the action should be taken on the device immediately after non-compliance is detected.
   • Click the Add postponed action button if you want to also set a time period in which the user can fix the non-compliance. If the non-compliance is not fixed within this period, the action is performed on the device.

   The following actions are available:

   • Send email message to user

     The device user is informed about the non-compliance by email.

     For this action, you need to specify the user's email address(es). If necessary, you can edit the default text of the email message.

   • Wipe corporate data

     All installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected are removed from the device. This action is performed by sending the Wipe corporate data command.

   • Install profile

     The configuration profile is installed on the device. This action is performed by sending the Install profile command.

     For this action, you need to specify the ID of the configuration profile to be installed.

     When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the action by sending the respective command to the device.

   • Delete profile

     The configuration profile is deleted from the device. This action is performed by sending the Remove profile command.

     For this action, you need to specify the ID of the configuration profile to be removed.

     When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the action by sending the respective command to the device.

   • Delete all profiles

     All previously installed configuration profiles are deleted from the device.

     When the non-compliance criteria selected for the rule are no longer detected on the device, you can install the deleted configuration profiles one by one, by sending the respective command to the device.

   • Update operating system

     The device operating system is updated.

     For this action, you need to select the specific operation (Download and install, Download only, or Install only if you want to install a previously downloaded version) and the iOS version to be downloaded and/or installed.

   • Change Bluetooth settings (supervised only)

     For this action, you need to select whether you want to enable or disable Bluetooth on the device.

     When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the action by sending the respective command to the device.

   • Reset to factory settings

     All data is deleted from the device and the settings are rolled back to their default values.

   • Delete managed app

     For this action, you need to specify the bundle ID of the managed app that you want to delete from the device. An app is considered managed if it has been installed on a device through Kaspersky Security Center. How to get the bundle ID of an app

     To get the bundle ID of a native iPhone or iPad app,

     Follow the instruction in Apple documentation.

     To get the bundle ID of any iPhone or iPad app:

     1. Open App Store.
     2. Find the required app and open its page.

        The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

     3. Copy this identifier (without letters "id").
     4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

        This downloads a text file.

     5. Open the downloaded file and find there the "bundleId" fragment.

     The text that directly follows this fragment is the bundle ID of the required app.

     To get the bundle ID of an app that has been added to Kaspersky Security Center:

     1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
     2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

     In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

     If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add this app's package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

     When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the action by sending the respective command to the device.

   • Delete all managed apps

     All managed apps are deleted from the device. An app is considered managed if it has been installed on a device through Kaspersky Security Center.

     When the non-compliance criteria selected for the rule are no longer detected on the device, you can install the deleted apps one by one, by sending the respective command to the device.

   • Delete profile(s) of specified type

     For this action, you need to select the type of the profile to be deleted from the device (for example, Web Clips or Calendar subscriptions).

     As soon as the non-compliance criteria selected for the rule are no longer detected on the device, the deleted profiles are automatically restored.

   • Change roaming settings

     For this action, you need to select whether you want to enable or disable data roaming on the device.

     When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the action by sending the respective command to the device.

   If you specify actions that contradict each other (for example, Enable Bluetooth and Disable Bluetooth at the same time, an error message is displayed. You cannot save such a rule.

9. Click the OK button to save the rule and close the wizard.

   The new rule appears in the list in the Compliance Control rules section.

10. Click the Apply button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next device synchronization with the Kaspersky Security Center.

[Topic 141381]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

App control

This section contains instructions on how to configure user access to apps on a mobile device.

[Topic 90538]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

App control on Android devices

The App Control component allows you to manage apps on Android devices to keep these devices secure.

You can impose restrictions on the user's activity on a device on which blocked apps are installed or required apps are not installed (for example, lock the device). You can impose restrictions using the Compliance Control component. To do so, in the scan rule settings, you must select the Forbidden apps are installed, Apps from forbidden categories are installed, or Not all required apps are installed criterion.

Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of App Control. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, App Control does not run.

In device owner mode, you have extended control over the device. App Control operates without notifying the device user:

• Required apps are installed automatically in the background. To install apps silently, you need to specify a link to the APK file of the required app in the policy settings.
• Forbidden apps can be deleted from the device automatically. To delete apps silently, you need to select the Delete blocked apps automatically (in device owner mode only) check box in the policy settings.

To configure the settings of app startup on the mobile device:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the App Control section.
5. In the Operation mode section, select the mode of app startup on the user's mobile device:
   • To allow the user to start all apps except those specified in the list of categories and apps as blocked apps, select the Blocked apps mode. The app will hide blocked app icons.
   • To allow the user to start only apps specified in the list of categories and apps as allowed, recommended, or required apps, select the Allowed apps mode. The app will hide all app icons except those specified in the list of allowed, recommended, or required apps and system apps.
6. If you want Kaspersky Endpoint Security for Android to send data on forbidden apps to the event log without blocking them, select the Do not block forbidden apps, write to event log only check box.

   During the next synchronization of the user's mobile device with the Administration Server, Kaspersky Endpoint Security for Android writes an entry for A forbidden app has been installed in the event log. You can view the Event log on the Events tab in the Administration Server properties or in the local properties of the application.

7. If the device is in device owner mode, select the Delete blocked apps automatically (in device owner mode only) check box to remove forbidden apps from the device in the background without notifying the user.
8. If you want Kaspersky Endpoint Security for Android to block the startup of system apps on the user's mobile device (such as Calendar, Camera, and Settings) in Allowed apps mode, select the Block system apps check box.

   Kaspersky experts recommend against blocking system apps because this could lead to failures in device operation.

9. Create a list of categories and apps to configure startup of apps.

   Mobile app packages previously created in the Kaspersky Security Center can be added to the list. How to get the package name of an app

   To get the package name of an app:

   1. Open Google Play.
   2. Find the required app and open its page.

   The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

   To get the package name of an app that has been added to Kaspersky Security Center:

   1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
   2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

   In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

   If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add this app's package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

   For details on app categories, please refer to the Appendices.

   For a list of the apps that belong to each category, please visit the Kaspersky website.

10. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

[Topic 242959]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

App control on iOS MDM devices

Expand all | Collapse all

Kaspersky Security Center allows you to manage apps on iOS MDM devices to keep these devices secure. You can create a list of apps allowed to be installed on devices and a list of apps prohibited from being displayed and launching on devices.

These restrictions apply only to supervised iOS MDM devices.

Open Restrictions for applications section

To open settings for app restrictions on iOS MDM devices:

1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Restrictions for applications section.

Restrict app installation

By default, the user can install any apps on the supervised iOS MDM device.

To restrict the apps that can be installed on the device:

1. Select the Allow installation of apps from the list (supervised only) check box.
2. In the table, click Add to add an app to the list.
3. Specify the app's bundle ID. Specify the com.apple.webapp value to allow all web clips. How to get the bundle ID of an app

   To get the bundle ID of a native iPhone or iPad app,

   Follow the instruction in Apple documentation.

   To get the bundle ID of any iPhone or iPad app:

   1. Open App Store.
   2. Find the required app and open its page.

      The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

   3. Copy this identifier (without letters "id").
   4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

      This downloads a text file.

   5. Open the downloaded file and find there the "bundleId" fragment.

   The text that directly follows this fragment is the bundle ID of the required app.

   To get the bundle ID of an app that has been added to Kaspersky Security Center:

   1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
   2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

   In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

   If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add this app's package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

4. Click the Apply button to save the changes you have made.

Once the policy is applied to a device, the specified restrictions for apps are configured on the device. Only apps from the list and system apps will be available for installation. All other apps can't be installed on the device.

The specified apps can be installed on the device in the following ways (if the corresponding options are enabled in the Features restrictions section):

• Installation from Apple Configurator or iTunes
• Installation from App Store
• Automatic loading

Specify prohibited apps

By default, all apps can be displayed and launched on the supervised iOS MDM device.

To specify prohibited apps:

1. Select the Prohibit displaying and launching apps from the list (supervised only) check box.
2. In the table, click Add to add an app to the list.
3. Specify the app's bundle ID. Specify the com.apple.webapp value to restrict all web clips. How to get the bundle ID of an app

   To get the bundle ID of a native iPhone or iPad app,

   Follow the instruction in Apple documentation.

   To get the bundle ID of any iPhone or iPad app:

   1. Open App Store.
   2. Find the required app and open its page.

      The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).

   3. Copy this identifier (without letters "id").
   4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.

      This downloads a text file.

   5. Open the downloaded file and find there the "bundleId" fragment.

   The text that directly follows this fragment is the bundle ID of the required app.

   To get the bundle ID of an app that has been added to Kaspersky Security Center:

   1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
   2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

   In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

   If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add this app's package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

4. Click the Apply button to save the changes you have made.

Once the policy is applied to a device, the specified restrictions for apps are configured on the device. Apps from the list will be prohibited from being displayed and launching on the device. All other apps will be displayed and available to run.

[Topic 269341]

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Statuses of mobile devices

Mobile device statuses defined by Kaspersky Security Center

Administration Console allows you to quickly assess the current status of Kaspersky Security Center and managed mobile devices by checking traffic lights. The traffic lights are shown in the workspace of the Administration Server node, in the Mobile Device Management folder, in the Mobile devices subfolder. The subfolder workspace displays a table of managed mobile devices.

A traffic light is a colored icon in the Management column of the table. Each traffic light can be any of these colors (see the table Color codes of traffic lights). The color of a traffic light depends on the current status of Kaspersky Security Center and on the events that were logged.

A device can have one of the following statuses: OK, Critical, or Warning.

The statuses are assigned and sent to Kaspersky Security Center, in accordance with the following requirements:

• One reason for status assignment is detected on the device — the device gets the status which is displayed in the list of managed devices.
• Several reasons for status assignment are detected on the device — Kaspersky Secure Mobility Management selects the most critical status and sets it as general.
• No reasons for status assignment are detected on the device — Kaspersky Secure Mobility Management does not send the structure of statuses to Kaspersky Security Center, and the status is set as OK.

  Color codes of traffic lights

  Icon	Status	Traffic light color meaning
  	Light blue Mobile device detected on the network and included in none of the administration groups.	Events have been logged that are unrelated to potential or actual threats to the security of managed devices.
  	Green Mobile device included in an administration group, with the OK status.	Administrator's intervention is required.
  	Yellow Mobile device included in an administration group, with the Warning status.	Events have been logged that are unrelated to potential or actual threats to the security of managed devices.
  	Red Mobile device included in an administration group, with the Critical status.	Serious problems have been encountered. An administrator's intervention is required to solve them.
  	Mobile device included in an administration group, having lost its connection with the Administration Server.	Can be any of the colors: light blue, green, yellow, red.

The administrator's goal is to keep traffic lights green on all of the devices.

You can select Properties from the context menu of the mobile device, and then go to the Protection section to view the logged events that affect traffic lights and the status of Kaspersky Security Center (see the table Name, description, and traffic light colors of logged events).

Name, description, and traffic light colors of logged events