The App Control component allows you to manage apps on Android devices to keep these devices secure.
You can impose restrictions on the user's activity on a device on which blocked apps are installed or required apps are not installed (for example, lock the device). You can impose restrictions using the Compliance Control component. To do so, in the scan rule settings, you must select the Forbidden apps are installed, Apps from forbidden categories are installed, or Not all required apps are installed criterion.
Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure proper functioning of App Control. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. If this is the case, App Control does not run.
In device owner mode, you have extended control over the device. App Control operates without notifying the device user:
Required apps are installed automatically in the background. To install apps silently, you need to specify a link to the APK file of the required app in the policy settings.
Forbidden apps can be deleted from the device automatically. To delete apps silently, you need to select the Delete blocked apps automatically (in device owner mode only) check box in the policy settings.
To configure the settings of app startup on the mobile device:
In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
In the workspace of the group, select the Policies tab.
Open the policy properties window by double-clicking any column.
Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.
In the policy Properties window, select the App Control section.
In the Operation mode section, select the mode of app startup on the user's mobile device:
To allow the user to start all apps except those specified in the list of categories and apps as blocked apps, select the Forbidden apps mode. The app will hide blocked app icons.
To allow the user to start only apps specified in the list of categories and apps as allowed, recommended, or required apps, select the Allowed apps mode. The app will hide all app icons except those specified in the list of allowed, recommended, or required apps and system apps.
If you want Kaspersky Endpoint Security for Android to send data on forbidden apps to the event log without blocking them, select the Do not block forbidden apps, only add a record to the event log check box.
During the next synchronization of the user's mobile device with the Administration Server, Kaspersky Endpoint Security for Android writes an entry for A forbidden app has been installed in the event log. You can view the Event log on the Events tab in the Administration Server properties or in the local properties of the application.
If the device is in device owner mode, select the Delete blocked apps automatically (in device owner mode only) check box to remove forbidden apps from the device in the background without notifying the user.
If you want Kaspersky Endpoint Security for Android to block the startup of system apps on the user's mobile device (such as Calendar, Camera, and Settings) in Allowed apps mode, select the Block system apps check box.
Kaspersky experts recommend against blocking system apps because this could lead to failures in device operation.
Create a list of categories and apps to configure startup of apps.
To get the package name of an app that has been added to Kaspersky Security Center:
In the console tree of Kaspersky Security Center go to Advanced > Remote installation > Installation packages.
Click the Additional actions button and select Manage mobile apps packages in the drop-down list.
In the Mobile apps package management window that opens, identifiers of managed apps are displayed in the Application name column.
If you have an app package as an APK file and want to know the app identifier, you can add the app package to the Mobile apps package management window by clicking the New button and following the on-screen instructions.
For details on app categories, please refer to the Appendices.
For a list of the apps that belong to each category, please visit the Kaspersky website.
If you want Kaspersky Endpoint Security for Android to create a report on installed apps, in the Report on installed mobile apps block, select the Send data on installed apps check box to send information about apps installed on mobile devices, and specify the following settings if required:
To send data about the system apps installed on users' devices to the Administration Server, select the Send data on system apps check box.
To send data about the service apps installed on users' devices to the Administration Server, select the Send data on service apps check box.
If a system app or a service app is configured in the App Control settings, the app data is sent regardless of the state of the Send data on system apps or the Send data on service apps check boxes respectively.
Kaspersky Endpoint Security for Android sends data to the event log each time an app is installed to a device or removed from it.
Click the Apply button to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.