You can control Android devices for compliance with the corporate security requirements. Corporate security requirements regulate how the user can work with the device. For example, the real-time protection must be enabled on the device, the anti-malware databases must be up-to-date, and the device password must be sufficiently strong. Compliance control is based on a list of rules. A compliance rule includes the following components:
If the device is in battery saver mode, the app may perform this task later than specified. To ensure timely responses of KES devices on Android to the administrator's commands, enable the use of Firebase Cloud Messaging.
To create a rule for checking devices for compliance with a group policy:
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
If the device does not comply with a policy, during device synchronization with the Administration Server, Kaspersky Endpoint Security for Android writes an entry for Violation detected: <name of the criterion checked> in the event log. You can view the Event log on the Events tab in the Administration Server properties or in the local properties of the application.
If the device does not comply with a policy, during device synchronization with the Administration Server, Kaspersky Endpoint Security for Android notifies the user about this.
The Compliance Rule Wizard starts. Proceed through the wizard by using the Next button.
The following criteria are available:
Checks whether the security app is not installed on the device or is not running.
Checks whether the anti-malware databases were last updated 3 or more days ago.
Checks whether the list of apps on the device contains apps that are set as forbidden in the App Control.
Checks whether the list of apps on the device contains apps from the categories that are set as forbidden in the App Control.
Checks whether the list of apps on the device does not contains an app that is set as required in the App Control.
Checks whether the Android version on the device is within the allowed range.
For this criterion, specify the minimum and maximum allowed versions of Android. If the maximum allowed version is set to Any, it means that future Android versions supported by Kaspersky Endpoint Security for Android will also be allowed.
Checks how long ago the device last synchronized with Administration Server.
For this criterion, specify the maximum period after the last sync.
Checks whether the device is hacked (whether root access is gained on the device).
Checks whether the unlock password on the device does not comply with the settings defined in the Device Management section of the policy.
Checks whether the security application installed on the device is not obsolete.
This criterion applies only to an app installed using a Kaspersky Endpoint Security for Android installation package and if the latest version is specified in the Upgrade of Kaspersky Endpoint Security for Android section of Additional properties of the policy.
For this criterion, you also need to specify the minimum allowed version of Kaspersky Endpoint Security for Android.
Checks whether the device SIM card has been replaced or removed compared to the previous check state.
You can also enable the check for an additional SIM card.
In some cases, replacement, removal, and insertion of an eSIM is also checked.
Specifying the geofence area will result in increased device power consumption.
For this criterion, select the specific requirement that must be monitored:
In the List of geofence areas block, you can add, edit, or delete geofence areas.
To add a new geofence area:
Opens the Add geofence area window.
If you want to add more than 3 points, click the Add point button. To delete a point, click the X button.
For each geofence area, you can manually enter from 3 to 100 coordinate pairs (latitude, longitude) as decimal numbers.
A geofence area perimeter must not contain intersecting lines.
The new geofence area appears in the list.
To edit a geofence area:
The edited geofence area appears in the list.
To delete a geofence area:
The geofence area is removed from the list.
Checks whether the Kaspersky Endpoint Security for Android app is not allowed to access the precise location of the device or use the device location in the background.
Some of the actions are continuous. Continuous actions remain in effect until one of the following conditions are met:
The following actions are available:
All apps on the user's mobile device, except system apps, are blocked from starting.
As soon as the non-compliance criterion selected for the rule is no longer detected on the device, the apps are automatically unblocked.
The mobile device is locked. To obtain access to data, you must unlock the device. If the reason for locking the device is not rectified after the device is unlocked, the device will be locked again after the specified time period.
The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:
All data is deleted from the mobile device and the settings are rolled back to their factory values. After this action is completed, the device will no longer be a managed device. To connect the device to Kaspersky Security Center, you must reinstall Kaspersky Endpoint Security for Android.
The work profile on the device is locked. To obtain access to the work profile, you must unlock it. If the reason for locking the work profile is not rectified after it is unlocked, the work profile will be locked again after the specified time period.
The action is only applicable to Android 6 or later.
After the work profile on a device is locked, the history of work profile passwords is cleared. It means that the user can specify one of the recent passwords, regardless of the work profile password settings.
The action is only applicable to devices running Android 9 or later in device owner mode or with created Android work profile.
If the device works in device owner mode, data of all apps on the device is wiped. If Android work profile is created on the device, data of all apps in the work profile is wiped.
As a result, apps are rolled back to their default state.
The action is only applicable to devices running Android 9 or later in device owner mode or with created Android work profile.
For this action, you need to specify the package name for the app whose data is to be deleted. How to get the package name of an app
As a result, the app is rolled back to its default state.
The user is not allowed to boot the device in safe mode.
The action is only applicable to devices running Android 6 or later in device owner mode.
This is a continuous action.
The user is not allowed to use any cameras on the device.
This is a continuous action.
The device user is not allowed to turn on and configure Bluetooth in Settings.
The action is only applicable to personal devices running Android 12 or earlier, devices operating in device owner mode, or devices with created Android work profile.
This is a continuous action.
The device user is not allowed to use Wi-Fi and configure it in Settings.
The action is only applicable to devices operating in device owner mode (all Android versions), personal devices running Android 9 or earlier.
This is a continuous action.
The user is not allowed to use USB debugging features and developer mode on the device.
The action is only applicable to devices operating in device owner mode or devices with created Android work profile.
This is a continuous action.
The user is not allowed to enable airplane mode on the device.
The action is only applicable to devices running Android 9 or later in device owner mode.
This is a continuous action.
The new rule appears in the Compliance Control rules section.
These parameters require integration with Microsoft Active Directory.
To enable the automatic wiping of data from devices associated with disabled accounts of Active Directory users, select the Wipe data from devices with disabled Active Directory user accounts check box and choose one of the following actions:
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. If the user device does not comply with the rules, the restrictions you have specified in the scan rule list are applied to the device.
Page top