Compliance control of Android devices with corporate security requirements

You can control Android devices for compliance with the corporate security requirements. Corporate security requirements regulate how the user can work with the device. For example, the real-time protection must be enabled on the device, the anti-malware databases must be up-to-date, and the device password must be sufficiently strong. Compliance control is based on a list of rules. A compliance rule includes the following components:

• Device check criterion (for example, absence of blocked apps on the device).
• Time period allocated for the user to fix the non-compliance (for example, 24 hours).
• Actions that will be taken on the device if the user does not fix the non-compliance within the set time period (for example, lock the device).

  If the device is in battery saver mode, the app may perform this task later than specified. To ensure timely responses of KES devices on Android to the administrator's commands, enable the use of Google Firebase Cloud Messaging.

To create a rule for checking devices for compliance with a group policy:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Compliance Control section.
5. To receive notifications about devices that do not comply with the policy, in the Non-compliance notification section select the Notify administrator check box.

   If the device does not comply with a policy, during device synchronization with the Administration Server, Kaspersky Endpoint Security for Android writes an entry for Violation detected: <name of the criterion checked> in the event log. You can view the Event log on the Events tab in the Administration Server properties or in the local properties of the application.

6. To notify the device user that the user's device does not comply with the policy, in the Non-compliance notification section select the Notify user check box.

   If the device does not comply with a policy, during device synchronization with the Administration Server, Kaspersky Endpoint Security for Android notifies the user about this.

7. In the Compliance Control rules section, compile a list of rules for checking the device for compliance with the policy.
8. To add a rule, click Add.

   The Compliance Rule Wizard starts. Proceed through the wizard by using the Next button.

9. Select a non-compliance criterion for the rule.

   The following criteria are available:

   • Real-time protection is disabled

     Checks whether the security app is not installed on the device or is not running.

   • Anti-malware databases are out of date

     Checks whether the anti-malware databases were last updated 3 or more days ago.

   • Forbidden apps are installed

     Checks whether the list of apps on the device contains apps that are set as forbidden in the App Control.

   • Apps from forbidden categories are installed

     Checks whether the list of apps on the device contains apps from the categories that are set as forbidden in the App Control.

   • Not all required apps are installed

     Checks whether the list of apps on the device does not contains an app that is set as required in the App Control.

   • Operating system version is out of date

     Checks whether the Android version on the device is within the allowed range.

     For this criterion, specify the minimum and maximum allowed versions of Android. If the maximum allowed version is set to Any, it means that future Android versions supported by Kaspersky Endpoint Security for Android will also be allowed.

   • Device has not been synchronized for a long time

     Checks how long ago the device last synchronized with Administration Server.

     For this criterion, specify the maximum period after the last sync.

   • Device has been rooted

     Checks whether the device is hacked (whether root access is gained on the device).

   • Unlock password is not compliant with security requirements

     Checks whether the unlock password on the device does not comply with the settings defined in the Device Management section of the policy.

   • Installed version of Kaspersky Endpoint Security for Android is not supported

     Checks whether the security application installed on the device is not obsolete.

     This criterion applies only to an app installed using a Kaspersky Endpoint Security for Android installation package and if the latest version is specified in the Upgrade of Kaspersky Endpoint Security for Android section of Additional properties of the policy.

     For this criterion, you also need to specify the minimum allowed version of Kaspersky Endpoint Security for Android.

   • SIM card usage is not compliant with security requirements

     Checks whether the device SIM card has been replaced or removed compared to the previous check state.

     You can also enable the check for an additional SIM card.

     In some cases, replacement, removal, and insertion of an eSIM is also checked.

   • Device is within or outside the geofence areas

     Specifying the geofence area will result in increased device power consumption.

     For this criterion, select the specific requirement that must be monitored:

     • The device is within any of the geofence areas in the list (the geofence areas are combined using the OR logical operator).
     • The device is outside all of the geofence areas in the list (the geofence areas are combined using the AND logical operator).

     In the List of geofence areas block, you can add, edit, or delete geofence areas.

     To add a new geofence area:

     1. Click the Add button.

        Opens the Add geofence area window.

     2. Specify the Geofence area name.
     3. In the Coordinates of the geofence area perimeter section, specify a latitude and a longitude for each point.

        If you want to add more than 3 points, click the Add point button. To delete a point, click the X button.

        For each geofence area, you can manually enter from 3 to 100 coordinate pairs (latitude, longitude) as decimal numbers.

        A geofence area perimeter must not contain intersecting lines.

     4. You can view the specified geofence area in the Yandex.Maps program, by clicking the View on map button.
     5. Click the Add button to add the specified geofence area.

        The new geofence area appears in the list.

     To edit a geofence area:

     1. Select the geofence area you want to edit, and then click the Edit button.
     2. Specify the new geofence area settings, as described earlier.
     3. Click the Add button.

        The edited geofence area appears in the list.

     To delete a geofence area:

     1. Select the geofence area you want to delete, and then click the Delete button.

        The geofence area is removed from the list.

   • Kaspersky Endpoint Security for Android has no access to precise or background location

     Checks whether the Kaspersky Endpoint Security for Android app is not allowed to access the precise location of the device or use the device location in the background.

10. Select the actions to be performed on the device if the specified non-compliance criterion is detected. You can add multiple actions. They are combined by the AND logical operator.

    Some of the actions are continuous. Continuous actions remain in effect until one of the following conditions are met:

    • The non-compliance criterion no longer applies.
    • A policy is applied in which the corresponding Compliance Control rule is deleted.

    The following actions are available:

    • Block all apps except system apps

      All apps on the user's mobile device, except system apps, are blocked from starting.

      As soon as the non-compliance criterion selected for the rule is no longer detected on the device, the apps are automatically unblocked.

    • Lock device

      The mobile device is locked. To obtain access to data, you must unlock the device. If the reason for locking the device is not rectified after the device is unlocked, the device will be locked again after the specified time period.

    • Wipe corporate data

      The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:

      • On a personal device, KNOX container and mail certificate are wiped.
      • If the device operates in device owner mode, KNOX container and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
      • Additionally, if Android work profile is created, the work profile (its content, configurations, and restrictions) and the certificates installed in the work profile (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
    • Full reset

      All data is deleted from the mobile device and the settings are rolled back to their factory values. After this action is completed, the device will no longer be a managed device. To connect the device to Kaspersky Security Center, you must reinstall Kaspersky Endpoint Security for Android.

    • Lock work profile

      The work profile on the device is locked. To obtain access to the work profile, you must unlock it. If the reason for locking the work profile is not rectified after it is unlocked, the work profile will be locked again after the specified time period.

      The action is only applicable to Android 6 or later.

      After the work profile on a device is locked, the history of work profile passwords is cleared. It means that the user can specify one of the recent passwords, regardless of the work profile password settings.

    • Wipe data of all apps

      The action is only applicable to devices running Android 9 or later in device owner mode or with created Android work profile.

      If the device works in device owner mode, data of all apps on the device is wiped. If Android work profile is created on the device, data of all apps in the work profile is wiped.

      As a result, apps are rolled back to their default state.

    • Wipe data for a specified app

      The action is only applicable to devices running Android 9 or later in device owner mode or with created Android work profile.

      For this action, you need to specify the package name for the app whose data is to be deleted. How to get the package name of an app

      To get the package name of an app:

      1. Open Google Play.
      2. Find the required app and open its page.

      The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).

      To get the package name of an app that has been added to Kaspersky Security Center:

      1. In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
      2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.

      In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.

      If you have an app package as an .apk or .ipa file and want to know the app identifier, you can add the app package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.

      As a result, the app is rolled back to its default state.

    • Prohibit safe boot

      The user is not allowed to boot the device in safe mode.

      The action is only applicable to devices running Android 6 or later in device owner mode.

      This is a continuous action.

    • Prohibit use of camera

      The user is not allowed to use any cameras on the device.

      This is a continuous action.

    • Prohibit use of Bluetooth

      The device user is not allowed to turn on and configure Bluetooth in Settings.

      The action is only applicable to personal devices running Android 12 or earlier, devices operating in device owner mode, or devices with created Android work profile.

      This is a continuous action.

    • Prohibit use of Wi-Fi

      The device user is not allowed to use Wi-Fi and configure it in Settings.

      The action is only applicable to devices operating in device owner mode (all Android versions), personal devices running Android 9 or earlier.

      This is a continuous action.

    • Prohibit USB debugging features

      The user is not allowed to use USB debugging features and developer mode on the device.

      The action is only applicable to devices operating in device owner mode or devices with created Android work profile.

      This is a continuous action.

    • Prohibit airplane mode

      The user is not allowed to enable airplane mode on the device.

      The action is only applicable to devices running Android 9 or later in device owner mode.

      This is a continuous action.

      The new rule appears in the Compliance Control rules section.

11. To temporarily disable a rule that you have created, use the toggle switch opposite the selected rule.
12. In the Actions when user accounts are disabled in Active Directory section, you can configure the actions to perform on devices when a user account is disabled in Active Directory.

    These parameters require integration with Microsoft Active Directory.

    To enable the automatic wiping of data from devices associated with disabled accounts of Active Directory users, select the Wipe data from devices with disabled Active Directory user accounts check box and choose one of the following actions:

    • Wipe corporate data
    • Reset to factory settings
13. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. If the user device does not comply with the rules, the restrictions you have specified in the scan rule list are applied to the device.

Page top