Compliance control of Android devices with corporate security requirements
You can check Android devices for compliance with corporate security requirements. Corporate security requirements regulate how the user can work with the device. For example, real-time protection must be enabled on the device, the anti-virus databases must be up to date, and the device password must be sufficiently strong.
Compliance control is based on a list of rules. A compliance rule includes the following components:
- Device check criterion (for example, absence of blocked apps on the device).
- Time period allocated for the user to fix the non-compliance (for example, 24 hours).
- Action that will be taken on the device if the user does not fix the non-compliance within the set time period (for example, lock device).
If the user does not fix the non-compliance within the specified time, the following actions are available:
- Block all applications except system ones. All apps on the user’s mobile device, except system apps, are blocked from starting.
- Lock device. The mobile device is locked. To obtain access to data, you must unlock the device. If the reason for locking the device is not rectified after the device is unlocked, the device will be locked again after the specified time period.
- Wipe corporate data. The following are wiped from the device: containerized data, the corporate email account, settings for connecting to the corporate Wi-Fi network and VPN, Access Point Name (APN), Android work profile, KNOX container, and the KNOX License Manager key.
- Full Reset. All data is deleted from the mobile device and the settings are rolled back to their factory values. After this action is completed, the device will no longer be a managed device. To connect the device to Kaspersky Security Center, you must reinstall Kaspersky Endpoint Security for Android.
To create a scan rule for checking devices for compliance with a group policy:
- In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
- In the workspace of the group, select the Policies tab.
- Open the policy properties window by double-clicking.
- In the policy Properties window that opens, select the Compliance control section.
- To receive notifications about devices that do not comply with the policy, in the Noncompliance notification section select the Notify administrator check box.
  If the device does not comply with a policy, during device synchronization with the Administration Server, Kaspersky Endpoint Security for Android writes an entry for Violation detected: <name of the criterion checked> in the event log. You can view the Event log on the Events tab in the Administration Server properties or in the local properties of the application.
- To notify the device user that the user's device does not comply with the policy, in the Noncompliance notification section select the Notify user check box.
  If the device does not comply with a policy, during device synchronization with the Administration Server, Kaspersky Endpoint Security for Android notifies the user about this in the Status section.
- In the Compliance Rules section, compile a list of rules for checking the device for compliance with the policy. Follow the steps below:
  - Click Add.
    The Scan Rule Wizard starts.
  - Follow the instructions of the Scan Rule Wizard.
    When the wizard finishes, the new rule is displayed in the Compliance Rules section in the list of scan rules.
- To temporarily disable a scan rule that you have created, use the toggle switch opposite the selected rule.
- Click the Apply button to save the changes you have made.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center. If the user's device does not comply with the rules, the restrictions you have specified in the scan rule list are applied to the device.
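The following added example is not Kaspersky code. It is an illustrative Python model of how the three rule components (criterion, time period, action) interact across synchronizations, including the repeated Lock device behavior and the rule toggle. The field names, the 12-hour synchronization interval, the timestamps and the device states are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

@dataclass
class Rule:  # hypothetical model; field names are not the product's
    criterion: str                    # reported as "Violation detected: <criterion>"
    check: Callable[[dict], bool]     # True when the device meets the criterion
    grace: timedelta                  # time allocated to fix the non-compliance
    action: str                       # one of the four actions listed on the page
    enabled: bool = True              # the toggle switch opposite the rule
    first_seen: Optional[datetime] = None

def on_sync(rule, device, now):
    """Evaluate one rule at a synchronization; return (log_entry, action_or_None)."""
    if not rule.enabled or rule.check(device):
        rule.first_seen = None        # fixed or disabled: the clock is cleared
        return None, None
    entry = f"Violation detected: {rule.criterion}"
    if rule.first_seen is None:
        rule.first_seen = now
    if now - rule.first_seen < rule.grace:
        return entry, None            # still inside the allocated time period
    if rule.action == "Lock device":
        # Assumption: the user unlocks right away, so the period restarts here
        # and the device is locked again if the cause is still present.
        rule.first_seen = now
    return entry, rule.action

def demo(states, enabled=True):
    """Replay constructed device states, one sync every 12 hours (assumed interval)."""
    rule = Rule("absence of blocked apps on the device",
                lambda d: not d["blocked_apps"], timedelta(hours=24),
                "Lock device", enabled)
    start = datetime(2024, 1, 1)      # constructed timestamp
    return [on_sync(rule, dev, start + i * timedelta(hours=12))[1]
            for i, dev in enumerate(states)]

BAD, OK = {"blocked_apps": ["example.app"]}, {"blocked_apps": []}  # constructed
if __name__ == "__main__":
    print(demo([BAD, BAD, BAD, BAD, BAD, OK, BAD]))
```

In the replay, the lock fires at the 24-hour mark, fires again 24 hours later because the blocked app is still present, and the clock clears once the user removes it.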