Managing the startup of apps on Android devices

You can block apps from running on Android devices if those apps do not meet the corporate security requirements. App startup is restricted through App Control. You can also use App Control to prompt the user to install required and recommended apps on the device, or remove forbidden apps. App Control is based on lists of rules.

To use App Control on mobile devices running Android 5.0 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility service. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility service through the Quick Start Wizard. The user can skip this step or disable the service through the device settings later. If the user does so, App Control does not run.

To configure App Control on Android devices:

  1. Open Kaspersky Endpoint Security Cloud Management Console.
  2. Select the Security management → Security profiles section.

    The Security profiles section contains a list of security profiles configured in Kaspersky Endpoint Security Cloud.

  3. In the list, select the security profile for the devices on which you want to configure App Control.
  4. Click the link with the profile name to open the security profile properties window.

    The security profile properties window displays settings available for all devices.

  5. In the Android group, select the Management settings section.
  6. In the App Control is not configured section, click the Settings link.

    The App Control settings page opens.

  7. Switch the toggle button to Event generation during installation of applications is enabled.

    After the security profile is applied, Kaspersky Endpoint Security Cloud generates a report on the apps that have been installed on the device. You can view this report in the Management Console, in the mobile device properties. You will receive this report every time an app is installed on or removed from the device.

  8. In the Operation mode section, click the Settings link.

    The App Control mode selection window opens, which also provides the advanced settings.

  9. Select the App Control mode:
    • To allow the user to run all apps except for those blocked by the list of App Control rules, select the Block only forbidden apps mode.
    • To allow the user to run only apps that have been marked as allowed, recommended, or required in the list of App Control rules, select the Block all apps except for allowed apps mode.
  10. Define the advanced settings of App Control:
    • To allow Kaspersky Endpoint Security Cloud to generate a report on prohibited apps installed on the user's mobile device without blocking those apps, select the Do not block forbidden apps, report only check box.

      After the security profile is applied, Kaspersky Endpoint Security Cloud generates a report on prohibited apps that have been installed on the device. You can view this report in the Management Console, in the mobile device properties.

    • To allow Kaspersky Endpoint Security Cloud to block system apps (such as the standard Android browser) in the Block all apps except for allowed apps mode, select the Block system apps check box.

      Kaspersky experts recommend against blocking system apps because this could lead to failures in device operation.

  11. Click OK.
  12. Create a list of App Control rules:
    1. Click Add.

      The App Control Rule Creation Wizard starts.

    2. Follow the instructions of the App Control Rule Creation Wizard.

    The rule that you created will be added to the list of App Control rules.

  13. Click the Save button.

After the security profile is applied, App Control will be configured on Android devices. Depending on the App Control settings, the device user will be prompted either to remove forbidden apps or to install required and recommended apps. You can impose restrictions on user activity on a device on which blocked apps are installed or required apps are not installed (for example, lock the device). You can impose restrictions by using the Compliance Control component. To do so, in the scan rule settings, you must select the Forbidden apps are installed, Apps from forbidden categories are installed, or Not all required apps are installed criterion.
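The following added example (not Kaspersky code, and not part of the original page) is a simplified model of how the mode chosen in step 9 and the check boxes in step 10 combine, so that an administrator can preview the effect on an app inventory before saving a profile. The `Profile` class, the function names, and the package names are hypothetical. The handling of unlisted system apps and the scope of report-only are assumptions drawn from the wording above, not confirmed product behavior.

```python
from dataclasses import dataclass

# Rule types that permit an app, as named in step 9 of this page.
PERMITTED = {"allowed", "recommended", "required"}


@dataclass
class Profile:
    allowlist_mode: bool             # True = "Block all apps except for allowed apps"
    report_only: bool = False        # "Do not block forbidden apps, report only"
    block_system_apps: bool = False  # "Block system apps"


def decide(profile, rule, is_system):
    """Return 'run', 'block' or 'report' for one app.

    rule is 'forbidden', a member of PERMITTED, or None when no rule matches.
    """
    if rule in PERMITTED:
        return "run"
    if profile.allowlist_mode:
        # Assumption: an unlisted system app keeps running unless
        # "Block system apps" is selected.
        denied = rule == "forbidden" or not is_system or profile.block_system_apps
    else:
        denied = rule == "forbidden"
    if not denied:
        return "run"
    # Assumption: report-only turns every block decision into a report entry.
    return "report" if profile.report_only else "block"


def evaluate(profile, inventory, rules):
    """Map each package in the inventory to its decision under the profile."""
    return {pkg: decide(profile, rules.get(pkg), system)
            for pkg, system in inventory.items()}


# Constructed sample data: package name -> True if it is a system app.
INVENTORY = {"com.example.mail": False, "com.example.game": False,
             "com.example.notes": False, "com.example.sysbrowser": True}
RULES = {"com.example.mail": "required", "com.example.game": "forbidden"}

if __name__ == "__main__":
    profiles = {
        "block only forbidden": Profile(allowlist_mode=False),
        "allowlist": Profile(allowlist_mode=True),
        "allowlist + system apps": Profile(allowlist_mode=True, block_system_apps=True),
        "report only": Profile(allowlist_mode=False, report_only=True),
    }
    for name, profile in profiles.items():
        print(name, evaluate(profile, INVENTORY, RULES))
```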
