Kaspersky Security Center 13.1

Deployment best practices

Kaspersky Security Center is a distributed application. Kaspersky Security Center includes the following applications:

  • Administration Server—The core component, designed for managing devices of an organization and storing data in a DBMS.
  • Administration Console—The basic tool for the administrator. Administration Console is shipped together with Administration Server, but it can also be installed individually on one or several devices run by the administrator.
  • Network Agent—Designed for managing the security application installed on a device, as well as getting information about that device and transferring this information to the Administration Server. Network Agents are installed on devices of an organization.

Deployment of Kaspersky Security Center on an organization's network is performed as follows:

  • Installation of Administration Server
  • Installation of Administration Console on the administrator's device
  • Installation of Network Agent and the security application on devices of the enterprise

In this section

Preparation for deployment

Deploying Network Agent and the security application

Deploying mobile device management systems

[Topic 171268]

Preparation for deployment

This section describes steps you must take before deploying Kaspersky Security Center.

In this section

Planning Kaspersky Security Center deployment

Preparing for mobile device management

Information about Administration Server performance

[Topic 171265]

Planning Kaspersky Security Center deployment

This section provides information about the most convenient options for deployment of Kaspersky Security Center components on an organization's network, depending on the following criteria:

  • Total number of devices
  • Units (local offices, branches) that are detached organizationally or geographically
  • Separate networks connected by narrow channels
  • Need for internet access to the Administration Server

In this section

Typical schemes of protection system deployment

About planning Kaspersky Security Center deployment in an organization's network

Selecting a structure for protection of an enterprise

Standard configurations of Kaspersky Security Center

How to select a DBMS for Administration Server

Selecting a DBMS

Managing mobile devices with Kaspersky Endpoint Security for Android

Providing internet access to Administration Server

About distribution points

Calculating the number and configuration of distribution points

Hierarchy of Administration Servers

Virtual Administration Servers

Information about limitations of Kaspersky Security Center

Network load

See also:

Main installation scenario

[Topic 92395]

Typical schemes of protection system deployment

This section describes the standard deployment schemes of a protection system in an enterprise network using Kaspersky Security Center.

The system must be protected against any type of unauthorized access. We recommend that you install all available security updates for your operating system before installing the application on your device and physically protect Administration Server(s) and distribution point(s).

You can use Kaspersky Security Center to deploy a protection system on a corporate network by means of the following deployment schemes:

  • Deploying a protection system through Kaspersky Security Center, in one of the following ways:
    • Through Administration Console
    • Through Kaspersky Security Center 13.1 Web Console

    Kaspersky applications are automatically installed on client devices, which in turn are automatically connected to the Administration Server by using Kaspersky Security Center.

    The basic deployment scheme is protection system deployment through Administration Console. Using Kaspersky Security Center 13.1 Web Console allows you to launch installation of Kaspersky applications from a browser.

  • Deploying a protection system manually using stand-alone installation packages generated by Kaspersky Security Center.

    Installation of Kaspersky applications on client devices and the administrator's workstation is performed manually; the settings for connecting client devices to the Administration Server are specified when Network Agent is installed.

    This deployment method is recommended in cases when remote installation is not possible.

Kaspersky Security Center also allows you to deploy your protection system using Microsoft Active Directory group policies.

[Topic 54318]

About planning Kaspersky Security Center deployment in an organization's network

One Administration Server can support a maximum of 100,000 devices. If the total number of devices on an organization's network exceeds 100,000, multiple Administration Servers must be deployed on that network and combined into a hierarchy for convenient centralized management.

If an organization includes large-scale remote local offices (branches) with their own administrators, it is useful to deploy Administration Servers in those offices. Otherwise, those offices must be viewed as detached networks connected by low-throughput channels; see section "Standard configuration: A few large-scale offices run by their own administrators".

When detached networks connected by narrow channels are used, traffic can be saved by assigning one or several Network Agents to act as distribution points (see the table for calculating the number of distribution points). In this case, all devices on a detached network retrieve updates from such local update centers. The distribution points themselves can download updates either from the Administration Server (the default scenario) or from Kaspersky servers on the internet (see section "Standard configuration: Multiple small remote offices").

Section "Standard configurations of Kaspersky Security Center" provides detailed descriptions of the standard configurations of Kaspersky Security Center. When planning the deployment, choose the most suitable standard configuration, depending on the organization's structure.

At the deployment planning stage, consider whether to assign a custom X.509 certificate to the Administration Server. Assigning an X.509 certificate to the Administration Server may be useful in the following cases (partial list):

  • Inspecting SSL/TLS traffic by means of an SSL termination proxy, or using a reverse proxy
  • Integration with the public key infrastructure (PKI) of an organization
  • Specifying required values in certificate fields
  • Providing the required cryptographic strength of the certificate
[Topic 159344]

Selecting a structure for protection of an enterprise

Selection of a structure for protection of an organization is defined by the following factors:

  • Organization's network topology.
  • Organizational structure.
  • Number of employees in charge of the network protection, and allocation of their responsibilities.
  • Hardware resources that can be allocated to protection management components.
  • Throughput of communication channels that can be allocated to maintenance of protection components on the organizational network.
  • Time limits for execution of critical administrative operations on the organization's network. Critical administrative operations include, for example, the distribution of anti-virus databases and modification of policies for client devices.

When you select a protection structure, it is recommended first to estimate the available network and hardware resources that can be used for the operation of a centralized protection system.

To analyze the network and hardware infrastructure, it is recommended that you follow the process below:

  1. Define the following settings of the network on which the protection will be deployed:
    • Number of network segments.
    • Speed of communication channels between individual network segments.
    • Number of managed devices in each of the network segments.
    • Throughput of each communication channel that can be allocated to maintain the operation of the protection.
  2. Determine the maximum allowed time for the execution of key administrative operations for all managed devices.
  3. Analyze information from steps 1 and 2, as well as data from load testing of the administration system. Based on the analysis, answer the following questions:
    • Is it possible to serve all the clients with a single Administration Server, or is a hierarchy of Administration Servers required?
    • Which hardware configuration of Administration Servers is required in order to deal with all the clients within the time limits specified in step 2?
    • Is it required to use distribution points to reduce load on communication channels?

Upon obtaining answers to the questions in step 3 above, you can compile a set of allowed structures of the organization's protection.

On the organization's network you can use one of the following standard protection structures:

  • One Administration Server. All client devices are connected to a single Administration Server. The Administration Server functions as a distribution point.
  • One Administration Server with distribution points. All client devices are connected to a single Administration Server. Some of the networked client devices function as distribution points.
  • Hierarchy of Administration Servers. For each network segment, an individual Administration Server is allocated and becomes part of a general hierarchy of Administration Servers. The primary Administration Server functions as a distribution point.
  • Hierarchy of Administration Servers with distribution points. For each network segment, an individual Administration Server is allocated and becomes part of a general hierarchy of Administration Servers. Some of the networked client devices function as distribution points.

See also:

Standard configuration of distribution points: Single office

Standard configuration: A few large-scale offices run by their own administrators

Standard configuration: Multiple small remote offices

Main installation scenario

[Topic 61818]

Standard configurations of Kaspersky Security Center

This section describes the following standard configurations used for deployment of Kaspersky Security Center components on an organization's network:

  • Single office
  • A few large-scale offices, which are geographically detached and run by their own administrators
  • Multiple small offices, which are geographically detached

In this section

Standard configuration: Single office

Standard configuration: A few large-scale offices run by their own administrators

Standard configuration: Multiple small remote offices

See also:

Main installation scenario

[Topic 92240]

Standard configuration: Single office

One or several Administration Servers can be deployed on the organization's network. The number of Administration Servers can be selected either based on available hardware, or on the total number of managed devices.

One Administration Server can support up to 100,000 devices. You must consider the possibility of increasing the number of managed devices in the near future: it may be useful to connect a slightly smaller number of devices to a single Administration Server.

Administration Servers can be deployed either on the internal network, or in the DMZ, depending on whether internet access to the Administration Servers is required.

If multiple Administration Servers are used, it is recommended that you combine them into a hierarchy. Using an Administration Server hierarchy allows you to avoid duplicated policies and tasks, and to handle the whole set of managed devices as if they were managed by a single Administration Server (that is, search for devices, build device selections, and create reports).

See also:

About distribution points

Requirements for a distribution point

Ports used by Kaspersky Security Center

Main installation scenario

[Topic 92241]

Standard configuration: A few large-scale offices run by their own administrators

If an organization has a few large-scale, geographically separate offices, you must consider the option of deploying Administration Servers at each of the offices. One or several Administration Servers can be deployed per office, depending on the number of client devices and hardware available. In this case, each of the offices can be viewed as a "Standard configuration: Single office". For ease of administration, it is recommended to combine all of the Administration Servers into a hierarchy (possibly multi-level).

If some employees move between offices with their devices (laptops), create Network Agent connection profiles in the Network Agent policy. Network Agent connection profiles are only supported for Windows and macOS hosts.

See also:

About connection profiles for out-of-office users

Standard configuration: Single office

Ports used by Kaspersky Security Center

[Topic 92242]

Standard configuration: Multiple small remote offices

This standard configuration provides for a headquarters office and many small remote offices that may communicate with the HQ office over the internet. Each of the remote offices may be located behind Network Address Translation (NAT); that is, no connection can be established between two remote offices because they are isolated from each other.

An Administration Server must be deployed at the headquarters office, and one or multiple distribution points must be assigned at each of the other offices. If the offices are linked through the internet, it may be useful to create a Download updates to the repositories of distribution points task for the distribution points, so that they download updates directly from Kaspersky servers or from a local or network folder, rather than from the Administration Server.

If some devices at a remote office have no direct access to the Administration Server (for example, access to the Administration Server is provided over the internet but some devices have no internet access), distribution points must be switched into connection gateway mode. In this case, Network Agents on devices at the remote office connect to the Administration Server for further synchronization through the gateway, not directly.

Because the Administration Server most probably cannot poll the remote office network, it may be useful to delegate this function to a distribution point.

The Administration Server cannot send notifications to UDP port 15000 on managed devices located behind the NAT at the remote office. To resolve this issue, you can enable continuous connection to the Administration Server in the properties of the devices acting as distribution points (the Do not disconnect from the Administration Server check box). This mode is available only if the total number of distribution points does not exceed 300. Use push servers to make sure that there is continuous connectivity between a managed device and the Administration Server. Refer to the following topic for details: Using a distribution point as a push server.

See also:

About distribution points

Providing internet access to Administration Server

Ports used by Kaspersky Security Center

[Topic 92243]

How to select a DBMS for Administration Server

When selecting the database management system (DBMS) to be used by an Administration Server, you must take into account the number of devices covered by the Administration Server.

SQL Server Express Edition has limitations on the memory volume used, number of CPU cores used, and maximum size of the database. Therefore, you cannot use SQL Server Express Edition if your Administration Server covers more than 10,000 devices, or if Application Control is used on managed devices. If the Administration Server is used as Windows Server Update Services (WSUS) server, you cannot use SQL Server Express Edition either.

If the Administration Server covers more than 10,000 devices, we recommend that you use SQL Server versions with fewer limitations, such as: SQL Server Workgroup Edition, SQL Server Web Edition, SQL Server Standard Edition, or SQL Server Enterprise Edition.

If the Administration Server covers 50,000 devices (or fewer), and if Application Control is not used on managed devices, you can also use MySQL 8.0.20 or later.

If the Administration Server covers 20,000 devices (or fewer), and if Application Control is not used on managed devices, you can use MariaDB Server 10.3 as the DBMS.

If the Administration Server covers 10,000 devices (or fewer), and if Application Control is not used on managed devices, you can also use MySQL 5.5, 5.6, or 5.7 as the DBMS.

MySQL versions 5.5.1, 5.5.2, 5.5.3, 5.5.4, and 5.5.5 are no longer supported.

If you are using SQL Server 2019 as a DBMS and you do not have cumulative patch CU12 or later, you have to perform the following after installing Kaspersky Security Center:

  1. Connect to SQL Server using SQL Management Studio.
  2. Run the following commands (if you chose a different name for the database, use that name instead of KAV):

    USE KAV
    GO
    ALTER DATABASE SCOPED CONFIGURATION SET TSQL_SCALAR_UDF_INLINING = OFF
    GO

  3. Restart the SQL Server 2019 service.

Otherwise, using SQL Server 2019 may result in errors, such as "There is insufficient system memory in resource pool 'internal' to run this query."

See also:

Hardware requirements for the DBMS and the Administration Server

Selecting a DBMS

[Topic 92235]

Selecting a DBMS

When installing Administration Server, you can select the DBMS that Administration Server will use. When selecting the database management system (DBMS) to be used by an Administration Server, you must take into account the number of devices covered by the Administration Server.

The valid DBMS options, and the restrictions on their use, are as follows:

  • SQL Server Express Edition 2012 or later: not recommended if you intend to run a single Administration Server for more than 10,000 devices or to use Application Control.
  • Local SQL Server edition, other than Express, 2012 or later: no limitations.
  • Remote SQL Server edition, other than Express, 2012 or later: only valid if both devices are in the same Windows domain; if the domains differ, a two-way trust relationship must be established between them.
  • Local or remote MySQL 5.5, 5.6, or 5.7 (MySQL versions 5.5.1, 5.5.2, 5.5.3, 5.5.4, and 5.5.5 are no longer supported): not recommended if you intend to run a single Administration Server for more than 10,000 devices or to use Application Control.
  • Local or remote MariaDB Server 10.3 (build 10.3.22 or later): not recommended if you intend to run a single Administration Server for more than 20,000 devices or to use Application Control.

If you are using SQL Server 2019 as a DBMS and you do not have cumulative patch CU12 or later, you have to perform the following after installing Kaspersky Security Center:

  1. Connect to SQL Server using SQL Management Studio.
  2. Run the following commands (if you chose a different name for the database, use that name instead of KAV):

    USE KAV
    GO
    ALTER DATABASE SCOPED CONFIGURATION SET TSQL_SCALAR_UDF_INLINING = OFF
    GO

  3. Restart the SQL Server 2019 service.

Otherwise, using SQL Server 2019 may result in errors, such as "There is insufficient system memory in resource pool 'internal' to run this query."

Concurrent use of the SQL Server Express Edition DBMS by Administration Server and another application is strictly forbidden.

See also:

How to select a DBMS for Administration Server

Accounts for work with the DBMS

Main installation scenario

[Topic 92403]

Managing mobile devices with Kaspersky Endpoint Security for Android

Mobile devices with Kaspersky Endpoint Security for Android installed (hereinafter referred to as KES devices) are managed by means of the Administration Server. Kaspersky Security Center 10 Service Pack 1 and later versions support the following features for managing KES devices:

  • Handling mobile devices as client devices:
    • Membership in administration groups
    • Monitoring, such as viewing statuses, events, and reports
    • Modifying local settings and assigning policies for Kaspersky Endpoint Security for Android
  • Sending commands in centralized mode
  • Installing mobile app packages remotely

Administration Server manages KES devices over TLS on TCP port 13292.

See also:

Providing internet access to Administration Server

[Topic 92393]

Providing internet access to Administration Server

The following cases require internet access to the Administration Server:

  • Regular updating of Kaspersky databases, software modules, and applications
  • Updating third-party software

    By default, an internet connection is not required for Administration Server to install Microsoft software updates on the managed devices. For example, the managed devices can download Microsoft software updates directly from Microsoft Update servers or from a Windows Server with Microsoft Windows Server Update Services (WSUS) deployed on your organization's network. Administration Server must be connected to the internet in the following cases:

    • When you use Administration Server as WSUS server
    • To install updates of third-party software other than Microsoft software
  • Fixing third-party software vulnerabilities

    Internet connection is required for Administration Server to perform the following tasks:

    • To make a list of recommended fixes for vulnerabilities in Microsoft software. The list is created and regularly updated by Kaspersky specialists.
    • To fix vulnerabilities in third-party software other than Microsoft software.
  • Managing devices (laptops) of out-of-office users
  • Managing devices in remote offices
  • Interacting with primary or secondary Administration Servers located in remote offices
  • Managing mobile devices

This section describes typical ways of providing access to the Administration Server over the internet. Each of these cases may require a dedicated certificate for the Administration Server.

In this section

Internet access: Administration Server on a local network

Internet access: Administration Server in DMZ

Internet access: Network Agent as connection gateway in DMZ

See also:

Main installation scenario

[Topic 92236]

Internet access: Administration Server on a local network

If the Administration Server is located on the internal network of an organization, you might want to make TCP port 13000 of the Administration Server accessible from outside by means of port forwarding. If mobile device management is required, you might want to make TCP port 13292 accessible as well.

See also:

Ports used by Kaspersky Security Center

Main installation scenario

Scenario: Mobile Device Management deployment

Schemas for data traffic and port usage

[Topic 92237]

Internet access: Administration Server in DMZ

If the Administration Server is located in the DMZ of the organization's network, it has no access to the organization's internal network. Therefore, the following limitations apply:

  • The Administration Server cannot detect new devices.
  • The Administration Server cannot perform initial deployment of Network Agent through forced installation on devices on the internal network of the organization.

    This only applies to the initial installation of Network Agent. Any further upgrades of Network Agent, or installation of the security application, can still be performed by the Administration Server. At the same time, the initial deployment of Network Agents can be performed by other means, for example, through Microsoft Active Directory group policies.

  • The Administration Server cannot send notifications to managed devices through UDP port 15000, which is not critical for Kaspersky Security Center functioning.
  • The Administration Server cannot poll Active Directory. However, results of Active Directory polling are not required in most scenarios.

If the above limitations are viewed as critical, they can be removed by using distribution points located on the organization's network:

  • To perform initial deployment on devices without Network Agent, you first install Network Agent on one of the devices and then assign it the distribution point status. As a result, initial installation of Network Agent on other devices will be performed by the Administration Server through this distribution point.
  • To detect new devices on the internal network of the organization and poll Active Directory, you must enable the relevant device discovery methods on one of the distribution points.
  • To ensure a successful sending of notifications to port 15000 UDP on managed devices located on the internal network of the organization, you must cover the entire network with distribution points. In the properties of the distribution points that were assigned, select the Do not disconnect from the Administration Server check box. As a result, the Administration Server will establish a continuous connection to the distribution points while they will be able to send notifications to port 15000 UDP on devices that are on the organization's internal network.

See also:

Administration Server in DMZ, managed devices on internet

[Topic 92238]

Internet access: Network Agent as connection gateway in DMZ

Administration Server can be located on the internal network of the organization, and in that network's DMZ there can be a device with Network Agent running as a connection gateway with reverse connectivity (Administration Server establishes a connection to Network Agent). In this case, the following conditions must be met to ensure internet access:

  • Network Agent must be installed on the device that is in the DMZ. When you install Network Agent, in the Connection gateway window of the Setup Wizard, select Use Network Agent as a connection gateway in DMZ.
  • The device with the installed connection gateway must be added as a distribution point. When you add the connection gateway, in the Add distribution point window, select the Add connection gateway in DMZ by address option.
  • To use an internet connection to connect external desktop computers to the Administration Server, the installation package for Network Agent must be adjusted. In the properties of the created installation package, in the Advanced section, select the Connect to Administration Server by using connection gateway option, and then specify the newly created connection gateway.

For the connection gateway in the DMZ, Administration Server creates a certificate signed with the Administration Server certificate. If the administrator decides to assign a custom certificate to Administration Server, it must be done before a connection gateway is created in the DMZ.

If some employees use laptops that can connect to Administration Server either from the local network or over the internet, it may be useful to create a switching rule for Network Agent in the Network Agent's policy.

See also:

Connecting out-of-office devices

[Topic 92239]

About distribution points

A device with Network Agent installed can be used as a distribution point. In this mode, Network Agent can perform the following functions:

  • Distribute updates (these can be retrieved either from the Administration Server or from Kaspersky servers). In the latter case, the Download updates to the repositories of distribution points task must be created for the device that serves as the distribution point.
  • Install software (including initial deployment of Network Agents) on other devices.
  • Poll the network to detect new devices and update information about existing ones. A distribution point can apply the same device discovery methods as the Administration Server.

Deployment of distribution points on an organization's network has the following objectives:

  • Reducing the load on the Administration Server.
  • Optimizing traffic.
  • Providing the Administration Server with access to devices in hard-to-reach spots of the organization's network. The availability of a distribution point on the network behind a NAT (in relation to the Administration Server) allows the Administration Server to perform the following actions:
    • Send notifications to devices over UDP.
    • Poll the network.
    • Perform initial deployment.

A distribution point is assigned for an administration group. In this case, the scope of the distribution point includes all devices within the administration group and all of its subgroups. However, the device that acts as the distribution point does not have to be a member of the administration group to which it has been assigned.

You can make a distribution point function as a connection gateway. In this case, devices in the scope of the distribution point will be connected to the Administration Server through the gateway, not directly. This mode can be useful in scenarios that do not allow the establishment of a direct connection between the Administration Server and managed devices.

See also:

Adjustment of distribution points and connection gateways

Main installation scenario

[Topic 92244]

Calculating the number and configuration of distribution points

The more client devices a network contains, the more distribution points it requires. We recommend that you do not disable automatic assignment of distribution points. When automatic assignment of distribution points is enabled, Administration Server assigns distribution points once the number of client devices is large enough, and it also defines their configuration.

Using exclusively assigned distribution points

If you plan to use certain specific devices as distribution points (that is, exclusively assigned servers), you can opt out of automatic assignment of distribution points. In this case, make sure that the devices that you intend to make distribution points have sufficient free disk space, are not shut down regularly, and have Sleep mode disabled.

Number of exclusively assigned distribution points on a network that contains a single network segment, based on the number of networked devices:

  Number of client devices in the network segment    Number of distribution points
  Less than 300                                      0 (Do not assign distribution points)
  More than 300                                      Acceptable: (N/10,000 + 1), recommended: (N/5000 + 2), where N is the number of networked devices

Number of exclusively assigned distribution points on a network that contains multiple network segments, based on the number of networked devices:

  Number of client devices per network segment       Number of distribution points
  Less than 10                                       0 (Do not assign distribution points)
  10–100                                             1
  More than 100                                      Acceptable: (N/10,000 + 1), recommended: (N/5000 + 2), where N is the number of networked devices

Using standard client devices (workstations) as distribution points

If you plan to use standard client devices (that is, workstations) as distribution points, we recommend that you assign distribution points as shown in the tables below in order to avoid excessive load on the communication channels and on Administration Server:

Number of workstations functioning as distribution points on a network that contains a single network segment, based on the number of networked devices:

  Number of client devices in the network segment    Number of distribution points
  Less than 300                                      0 (Do not assign distribution points)
  More than 300                                      (N/300 + 1), where N is the number of networked devices; there must be at least 3 distribution points

Number of workstations functioning as distribution points on a network that contains multiple network segments, based on the number of networked devices:

  Number of client devices per network segment       Number of distribution points
  Less than 10                                       0 (Do not assign distribution points)
  10–30                                              1
  31–300                                             2
  More than 300                                      (N/300 + 1), where N is the number of networked devices; there must be at least 3 distribution points

If a distribution point is shut down (or not available for some other reason), the managed devices in its scope can access the Administration Server for updates.
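The four sizing tables above can be applied mechanically. The following Python planner is an added example written for this page; it is not Kaspersky's own tooling. It encodes the thresholds and formulas exactly as the tables state them and makes two assumptions the tables leave open: fractional results of the formulas are rounded up, and in the multi-segment tables N is taken as the number of devices in the segment being sized. The function and class names (plan_single_segment, plan_multi_segment, DistributionPointPlan) and the sample network in main() are constructed for the example.

```python
"""Distribution point sizing from the Kaspersky Security Center 13.1 tables.

Added example, not Kaspersky's own code. Assumptions not stated on the page:
formula results are rounded up, and in the multi-segment tables N is the
number of devices in the segment being sized.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class DistributionPointPlan:
    acceptable: int    # smallest count the tables call acceptable
    recommended: int   # count the tables recommend


def _exclusive_counts(n: int) -> DistributionPointPlan:
    """Exclusively assigned servers: acceptable (N/10,000 + 1), recommended (N/5000 + 2)."""
    return DistributionPointPlan(ceil(n / 10_000 + 1), ceil(n / 5_000 + 2))


def _workstation_count(n: int) -> int:
    """Workstations as distribution points: (N/300 + 1), never fewer than 3."""
    return max(3, ceil(n / 300 + 1))


def _check_mode(mode: str) -> None:
    if mode not in ("exclusive", "workstation"):
        raise ValueError(f"mode must be 'exclusive' or 'workstation', got {mode!r}")


def plan_single_segment(n_devices: int, mode: str) -> DistributionPointPlan:
    """Sizing for a network that is a single segment of n_devices clients."""
    _check_mode(mode)
    if n_devices < 300:                      # both tables: do not assign any
        return DistributionPointPlan(0, 0)
    # exactly 300 is not covered by the tables; treated like "more than 300"
    if mode == "exclusive":
        return _exclusive_counts(n_devices)
    count = _workstation_count(n_devices)
    return DistributionPointPlan(count, count)


def plan_multi_segment(segments: dict, mode: str) -> dict:
    """Per-segment sizing for a network of several segments ({name: devices})."""
    _check_mode(mode)
    plans = {}
    for name, n in segments.items():
        if n < 10:                           # both tables: do not assign any
            plan = DistributionPointPlan(0, 0)
        elif mode == "exclusive":
            # 10-100 devices: one server; more than 100: the formulas (N per segment, assumption)
            plan = DistributionPointPlan(1, 1) if n <= 100 else _exclusive_counts(n)
        else:
            if n <= 30:
                count = 1
            elif n <= 300:
                count = 2
            else:
                count = _workstation_count(n)
            plan = DistributionPointPlan(count, count)
        plans[name] = plan
    return plans


if __name__ == "__main__":
    # Constructed sample network: three segments of different sizes
    sample = {"head office": 2_000, "branch A": 50, "branch B": 5}
    for mode in ("exclusive", "workstation"):
        print(mode, plan_multi_segment(sample, mode))
```

Before assigning the exclusive servers the planner returns, still verify each candidate against the conditions in the text above (enough free disk space, not shut down regularly, Sleep mode disabled); the planner only sizes the count.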

See also:

Scenario: Regular updating Kaspersky databases and applications

Standard configuration: Multiple small remote offices


Hierarchy of Administration Servers

An MSP may run multiple Administration Servers. It can be inconvenient to administer several separate Administration Servers, so a hierarchy can be applied. A "primary/secondary" configuration for two Administration Servers provides the following options:

  • A secondary Administration Server inherits policies and tasks from the primary Administration Server, thus preventing duplication of settings.
  • Selections of devices on the primary Administration Server can include devices from secondary Administration Servers.
  • Reports on the primary Administration Server can contain data (including detailed information) from secondary Administration Servers.

Virtual Administration Servers

On the basis of a physical Administration Server, multiple virtual Administration Servers can be created, which are similar to secondary Administration Servers. Compared to the discretionary access model, which is based on access control lists (ACLs), the virtual Administration Server model offers more functionality and a greater degree of isolation. In addition to a dedicated structure of administration groups for assigned devices with policies and tasks, each virtual Administration Server has its own group of unassigned devices, its own sets of reports, device and event selections, installation packages, moving rules, and so on. The functional scope of virtual Administration Servers can be used both by service providers (xSP) to maximize the isolation of customers, and by large-scale organizations with sophisticated workflows and numerous administrators.

Virtual Administration Servers are very similar to secondary Administration Servers, but with the following distinctions:

  • A virtual Administration Server lacks most global settings and its own TCP ports.
  • A virtual Administration Server has no secondary Administration Servers.
  • A virtual Administration Server has no other virtual Administration Servers.
  • A physical Administration Server views devices, groups, events, and objects on managed devices (items in Quarantine, applications registry, etc.) of all its virtual Administration Servers.
  • A virtual Administration Server can scan the network only through the distribution points connected to it.

Information about limitations of Kaspersky Security Center

The following table displays the limitations of the current version of Kaspersky Security Center.

Limitations of Kaspersky Security Center

Type of limitation | Value
Maximum number of managed devices per Administration Server | 100,000
Maximum number of devices with the Do not disconnect from the Administration Server option selected | 300
Maximum number of administration groups | 10,000
Maximum number of events to store | 45,000,000
Maximum number of policies | 2000
Maximum number of tasks | 2000
Maximum total number of Active Directory objects (organizational units (OUs) and accounts of users, devices, and security groups) | 1,000,000
Maximum number of profiles in a policy | 100
Maximum number of secondary Administration Servers on a single primary Administration Server | 500
Maximum number of virtual Administration Servers | 500
Maximum number of devices that a single distribution point can cover (distribution points can cover non-mobile devices only) | 10,000
Maximum number of devices that may use a single connection gateway | 10,000, including mobile devices
Maximum number of mobile devices per Administration Server | 100,000 minus the number of stationary managed devices


Network load

This section contains information about the volume of network traffic that the client devices and Administration Server exchange during key administrative scenarios.

The main load on the network is caused by the following administrative scenarios in progress:

  • Initial deployment of anti-virus protection
  • Initial update of anti-virus databases
  • Synchronization of a client device with Administration Server
  • Regular updates of anti-virus databases
  • Processing of events on client devices by Administration Server

In this section

Initial deployment of anti-virus protection

Initial update of anti-virus databases

Synchronizing a client with the Administration Server

Additional update of anti-virus databases

Processing of events from clients by Administration Server

Traffic per 24 hours


Initial deployment of anti-virus protection

This section provides information about traffic volume values after Network Agent 13.1 and Kaspersky Endpoint Security for Windows are installed on the client device (see the table below).

The Network Agent is installed using forced installation, when the files required for setup are copied by Administration Server to a shared folder on the client device. After installation, the Network Agent retrieves the distribution package of Kaspersky Endpoint Security for Windows, using the connection to the Administration Server.

Traffic

Scenario | Traffic from a client device to Administration Server, KB | Traffic from Administration Server to a client device, KB | Total traffic (for a single client device), KB
Network Agent installation for a single client device | 1638.4 | 69,990.4 | 71,628.8
Installing Kaspersky Endpoint Security for Windows on one client device (with databases updated) | 7843.84 | 259,317.76 | 267,161.6
Concurrent installation of Network Agent and Kaspersky Endpoint Security for Windows | 9707.52 | 329,318.4 | 339,025.92

After Network Agents are installed on the client devices, one of the devices in the administration group can be assigned to act as distribution point. It is used for distribution of installation packages. In this case, traffic volume transferred during initial deployment of anti-virus protection varies significantly depending on whether you are using IP multicasting.

If IP multicasting is used, installation packages are sent once to all running devices in the administration group. Thus, total traffic becomes N times smaller, where N stands for the total number of running devices in the administration group. If you are not using IP multicasting, the total traffic is identical to the traffic calculated as if the distribution packages are downloaded from the Administration Server. However, the package source is the distribution point, not the Administration Server.


Initial update of anti-virus databases

The traffic rates during initial update of anti-virus databases (when the database update task is started for the first time on a client device) are as follows:

  • Traffic from a client device to Administration Server: 1.8 MB.
  • Traffic from Administration Server to a client device: 113 MB.
  • Total traffic (for a single client device): 114 MB.

The data may vary slightly depending upon the current version of the anti-virus database.


Synchronizing a client with the Administration Server

This scenario describes the state of the administration system when intensive data synchronization occurs between a client device and the Administration Server. Client devices connect to the Administration Server with the interval defined by the administrator. The Administration Server compares the status of data on a client device with that on the Server, records information in the database about the last client device connection, and synchronizes data.

This section contains information about traffic values for basic administration scenarios when connecting a client to the Administration Server (see table below). The data in the table may vary slightly depending upon the current version of the anti-virus database.

Traffic

Scenario | Traffic from client devices to Administration Server, KB | Traffic from Administration Server to client devices, KB | Total traffic (for a single client device), KB
Initial synchronization prior to updating databases on a client device | 699.44 | 568.42 | 1267.86
Initial synchronization after updating databases on a client device | 735.8 | 4474.88 | 5210.68
Synchronization with no changes on a client device and the Administration Server | 11.99 | 6.73 | 18.72
Synchronization after changing the value of a setting in a group policy | 9.79 | 11.39 | 21.18
Synchronization after changing the value of a setting in a group task | 11.27 | 11.72 | 22.99
Forced synchronization with no changes on a client device | 77.59 | 99.45 | 177.04

Overall traffic volume varies considerably depending on whether IP multicasting is used within administration groups. If IP multicasting is used, the total traffic volume decreases approximately by N times for the group, where N stands for the total number of devices included in the administration group.

The volume of traffic at initial synchronization before and after an update of the databases is specified for the following cases:

  • Installing Network Agent and a security application on a client device
  • Moving a client device to an administration group
  • Applying a policy and tasks that have been created for the group by default, to a client device

The table specifies traffic rates in case of changes to one of the protection settings that are included in the Kaspersky Endpoint Security policy settings. Data for other policy settings may differ from data displayed in the table.


Additional update of anti-virus databases

The traffic rates in case of an incremental update of anti-virus databases 20 hours after the previous update are as follows:

  • Traffic from a client device to Administration Server: 169 KB.
  • Traffic from Administration Server to a client device: 16 MB.
  • Total traffic (for a single client device): 16.3 MB.

These figures may vary slightly depending upon the current version of the anti-virus database.

Traffic volume varies significantly depending on whether IP multicasting is used within administration groups. If IP multicasting is used, the total traffic volume decreases approximately by N times for the group, where N stands for the total number of devices included in the administration group. 


Processing of events from clients by Administration Server

This section provides information about traffic volume values when a client device encounters a "Virus detected" event, which is then sent to the Administration Server and registered in the database (see table below). 

Traffic

Scenario | Traffic from a client device to Administration Server, KB | Traffic from Administration Server to a client device, KB | Total traffic (for a single client device), KB
Data transfer to Administration Server when a "Virus detected" event occurs | 49.66 | 28.64 | 78.3
Data transfer to Administration Server when nine "Virus detected" events occur | 64.05 | 31.97 | 96.02

Data in the table may vary slightly depending upon the current version of the anti-virus application and the events that are defined in its policy for registration in the Administration Server database. 


Traffic per 24 hours

This section contains information about traffic rates for 24 hours of the administration system's activity in a "quiet" condition, when no data changes are made either by client devices or by the Administration Server (see table below).

Data presented in the table describe the network's condition after standard installation of Kaspersky Security Center and completion of the Quick Start Wizard. The frequency of synchronization of the client device with Administration Server was 20 minutes; updates were downloaded to the Administration Server repository once per hour.

Traffic rates per 24 hours in idle state

Traffic flow | Value
Traffic from a client device to Administration Server, KB | 3235.84
Traffic from Administration Server to a client device, KB | 64,378.88
Total traffic (for a single client device), KB | 67,614.72


Preparing for mobile device management

This section provides the following information:

  • About Exchange Mobile Device Server intended for management of mobile devices over the Exchange ActiveSync protocol
  • About iOS MDM Server intended for management of iOS devices by installing dedicated iOS MDM profiles on them
  • About management of mobile devices that have Kaspersky Endpoint Security for Android installed

In this section

Exchange Mobile Device Server

iOS MDM Server

Managing mobile devices with Kaspersky Endpoint Security for Android

See also:

Mobile Device Management

Scenario: Mobile Device Management deployment

Main installation scenario


Exchange Mobile Device Server

An Exchange Mobile Device Server allows you to manage mobile devices that are connected to an Administration Server using the Exchange ActiveSync protocol (EAS devices).

In this section

How to deploy an Exchange Mobile Device Server

Rights required for deployment of Exchange Mobile Device Server

Account for Exchange ActiveSync service

See also:

Main installation scenario


How to deploy an Exchange Mobile Device Server

If multiple Microsoft Exchange servers within a Client Access Server array have been deployed in the organization, an Exchange Mobile Device Server must be installed on each of the servers in that array. The Cluster mode option must be enabled in the Exchange Mobile Device Server Installation Wizard. In this case, the set of instances of the Exchange Mobile Device Server installed on servers in the array is called the cluster of Exchange Mobile Device Servers.

If no Client Access server array of Microsoft Exchange Servers has been deployed in the organization, an Exchange Mobile Device Server must be installed on a Microsoft Exchange Server that has Client Access. In this case, the Standard mode option must be enabled in the Setup Wizard of the Exchange Mobile Device Server.

Together with the Exchange Mobile Device Server, Network Agent must be installed on the device; it helps integrate the Exchange Mobile Device Server with Kaspersky Security Center.

The default scan scope of the Exchange Mobile Device Server is the current Active Directory domain in which it was installed. Deploying an Exchange Mobile Device Server on a server with Microsoft Exchange Server (versions 2010, 2013) installed allows you to expand the scan scope to include the entire domain forest in the Exchange Mobile Device Server (see section "Configuring the scan scope"). Information requested during a scan includes accounts of Microsoft Exchange server users, Exchange ActiveSync policies, and users' mobile devices connected to the Microsoft Exchange Server over Exchange ActiveSync protocol.

Multiple instances of Exchange Mobile Device Server cannot be installed within a single domain if they run in Standard mode and are managed by a single Administration Server. Likewise, within a single Active Directory domain forest, multiple instances of Exchange Mobile Device Server (or multiple clusters of Exchange Mobile Device Servers) cannot be installed if they run in Standard mode with an expanded scan scope that includes the entire domain forest and are connected to a single Administration Server.

See also:

Main installation scenario

Configuring the scan scope


Rights required for deployment of Exchange Mobile Device Server

Deployment of an Exchange Mobile Device Server on Microsoft Exchange Server (2010, 2013) requires domain administrator rights and the Organization Management role. Deployment of an Exchange Mobile Device Server on Microsoft Exchange Server (2007) requires domain administrator rights and membership in the Exchange Organization Administrators security group.

See also:

Main installation scenario

Account for Exchange ActiveSync service


Account for Exchange ActiveSync service

When an Exchange Mobile Device Server is installed, an account is automatically created in Active Directory:

  • On Microsoft Exchange Server (2010, 2013): KLMDM4ExchAdmin***** account with the KLMDM Role Group role.
  • On Microsoft Exchange Server (2007): KLMDM4ExchAdmin***** account, a member of the KLMDM Secure Group security group.

The Exchange Mobile Device Server service runs under this account.

If you do not want this account to be generated automatically, create a custom account with the following rights:

  • When using Microsoft Exchange Server (2010, 2013), the account must be assigned a role that has been allowed to execute the following cmdlets:
    • Get-CASMailbox
    • Set-CASMailbox
    • Remove-ActiveSyncDevice
    • Clear-ActiveSyncDevice
    • Get-ActiveSyncDeviceStatistics
    • Get-AcceptedDomain
    • Set-AdServerSettings
    • Get-ActiveSyncMailboxPolicy
    • New-ActiveSyncMailboxPolicy
    • Set-ActiveSyncMailboxPolicy
    • Remove-ActiveSyncMailboxPolicy
  • When using a Microsoft Exchange Server (2007), the account must be granted the access rights to Active Directory objects (see the table below).

    Access rights to Active Directory objects

    Access: Full
    Object: Subtree "CN=Mobile Mailbox Policies,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"
    Cmdlet: Add-ADPermission -User <User or group name> -Identity "CN=Mobile Mailbox Policies,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRight GenericAll

    Access: Read
    Object: Subtree "CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"
    Cmdlet: Add-ADPermission -User <User or group name> -Identity "CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRight GenericRead

    Access: Read/write
    Object: Properties msExchMobileMailboxPolicyLink and msExchOmaAdminWirelessEnable for objects in Active Directory
    Cmdlet: Add-ADPermission -User <User or group name> -Identity "DC=<Domain name>" -InheritanceType All -AccessRight ReadProperty,WriteProperty -Properties msExchMobileMailboxPolicyLink, msExchOmaAdminWirelessEnable

    Access: Extended right ms-Exch-Store-Active
    Object: Mailbox repositories of Exchange server, subtree "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"
    Cmdlet: Get-MailboxDatabase | Add-ADPermission -User <User or group name> -ExtendedRights ms-Exch-Store-Admin

See also:

Main installation scenario

Rights required for deployment of Exchange Mobile Device Server


iOS MDM Server

iOS MDM Server allows you to manage iOS devices by installing dedicated iOS MDM profiles on them. The following features are supported:

  • Device lock
  • Password reset
  • Data wipe
  • Installation or removal of apps
  • Use of an iOS MDM profile with advanced settings (such as VPN settings, email settings, Wi-Fi settings, camera settings, certificates, etc.)

iOS MDM Server is a web service that receives inbound connections from mobile devices through its TLS port (by default, port 443), which is managed by Kaspersky Security Center using Network Agent. Network Agent is installed locally on a device with an iOS MDM Server deployed.

When deploying an iOS MDM Server, the administrator must perform the following actions:

  • Provide Network Agent with access to the Administration Server
  • Provide mobile devices with access to the TCP port of the iOS MDM Server

This section addresses two standard configurations of an iOS MDM Server.

In this section

Standard configuration: Kaspersky Device Management for iOS in DMZ

Standard configuration: iOS MDM Server on the local network of an organization

See also:

Main installation scenario

Ports used by Kaspersky Security Center


Standard configuration: Kaspersky Device Management for iOS in DMZ

An iOS MDM Server is located in the DMZ of an organization's local network with internet access. The advantage of this approach is that devices on the internet can reach the iOS MDM web service without any difficulty.

Because management of an iOS MDM Server requires Network Agent to be installed locally, you must ensure the interaction of Network Agent with the Administration Server. You can ensure this by using one of the following methods:

  • By moving the Administration Server to the DMZ.
  • By using a connection gateway, in either of the following ways:
    1. On the device with iOS MDM Server deployed, connect Network Agent to the Administration Server through a connection gateway.
    2. On the device with iOS MDM Server deployed, assign Network Agent to act as the connection gateway.

See also:

Simplified deployment scheme


Standard configuration: iOS MDM Server on the local network of an organization

An iOS MDM Server is located on the internal network of an organization. Port 443 (default port) must be enabled for external access, for example, by publishing the iOS MDM web service on Microsoft Forefront Threat Management Gateway (hereinafter referred to as TMG).

Any standard configuration requires access to Apple web services for the iOS MDM Server (range 17.0.0.0/8) through TCP port 2197. This port is used for notifying devices of new commands by means of a dedicated service named APNs.


Managing mobile devices with Kaspersky Endpoint Security for Android

Mobile devices with installed Kaspersky Endpoint Security for Android (hereinafter referred to as KES devices) are managed by means of the Administration Server. Kaspersky Security Center 10 Service Pack 1, as well as later versions, supports the following features for managing KES devices:

  • Handling mobile devices as client devices:
    • Membership in administration groups
    • Monitoring, such as viewing statuses, events, and reports
    • Modifying local settings and assigning policies for Kaspersky Endpoint Security for Android
  • Sending commands in centralized mode
  • Installing mobile app packages remotely

Administration Server manages KES devices through TLS, TCP port 13292.
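The iOS MDM and KES sections above together define three network flows that must be open before mobile device management works: devices to the iOS MDM Server's TLS port (443 by default), the iOS MDM Server to Apple's APNs range 17.0.0.0/8 on TCP 2197, and KES devices to Administration Server on TCP 13292. The following Python pre-deployment check is an added example, not Kaspersky's own tooling: it models a firewall allow-list and reports which required flows no rule permits, so a too-narrow APNs rule (a common cause of commands not reaching devices) is caught before rollout. The rule model (AllowRule), the function names (required_flows, missing_flows) and the host addresses (192.0.2.x, the documentation range) are constructed for the example.

```python
"""Pre-deployment check of the network flows mobile device management needs.

Added example, not Kaspersky's own code. Ports and the APNs range come from
the sections above; the firewall rule model and host addresses (192.0.2.x)
are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"   # devices anywhere on the internet


@dataclass(frozen=True)
class Flow:
    name: str
    src: str      # CIDR of the sender (ANY for devices on the internet)
    dst: str      # CIDR of the receiver
    port: int     # TCP destination port


@dataclass(frozen=True)
class AllowRule:
    """Simplified firewall allow rule: src CIDR -> dst CIDR on one TCP port."""
    src: str
    dst: str
    port: int


def required_flows(ios_mdm_host: str, admin_server_host: str, mdm_port: int = 443) -> list:
    """The three flows the page requires, for the given component addresses."""
    return [
        Flow("iOS devices -> iOS MDM Server (TLS)", ANY, f"{ios_mdm_host}/32", mdm_port),
        Flow("iOS MDM Server -> APNs (17.0.0.0/8)", f"{ios_mdm_host}/32", "17.0.0.0/8", 2197),
        Flow("KES devices -> Administration Server", ANY, f"{admin_server_host}/32", 13292),
    ]


def _covers(rule_cidr: str, flow_cidr: str) -> bool:
    """True if every address of the flow's CIDR lies inside the rule's CIDR."""
    return ipaddress.ip_network(flow_cidr).subnet_of(ipaddress.ip_network(rule_cidr))


def flow_allowed(flow: Flow, rules: list) -> bool:
    """A flow is allowed only by a rule that covers its whole source and destination."""
    return any(
        r.port == flow.port and _covers(r.src, flow.src) and _covers(r.dst, flow.dst)
        for r in rules
    )


def missing_flows(flows: list, rules: list) -> list:
    """Names of required flows no rule permits; an empty list means the firewall is ready."""
    return [f.name for f in flows if not flow_allowed(f, rules)]


if __name__ == "__main__":
    # Constructed rule set: the APNs rule is mistakenly limited to 17.0.0.0/16
    rules = [
        AllowRule(ANY, "192.0.2.10/32", 443),
        AllowRule("192.0.2.10/32", "17.0.0.0/16", 2197),
        AllowRule(ANY, "192.0.2.20/32", 13292),
    ]
    print(missing_flows(required_flows("192.0.2.10", "192.0.2.20"), rules))
```

The check is deliberately strict: a rule that covers only part of 17.0.0.0/8 is reported as missing, because APNs may answer from any address in that range.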

See also:

Providing internet access to Administration Server


Information about Administration Server performance

This section presents the results of performance testing of the Administration Server for different hardware configurations, as well as the limitations on connecting managed devices to the Administration Server.

In this section

Limitations on connection to an Administration Server

Results of Administration Server performance testing

Results of KSN proxy server performance testing


Limitations on connection to an Administration Server

An Administration Server supports management of up to 100,000 devices without a loss in performance.

Limitations on connections to an Administration Server without a loss in performance:

  • One Administration Server can support up to 500 virtual Administration Servers.
  • The primary Administration Server supports no more than 1000 sessions simultaneously.
  • Virtual Administration Servers support no more than 1000 sessions simultaneously.

See also:

Results of Administration Server performance testing


Results of Administration Server performance testing

Results of Administration Server performance testing have allowed us to determine the maximum numbers of client devices with which Administration Server can be synchronized for specified time intervals. This information can be used to select the optimal scheme for deploying anti-virus protection on computer networks.

Devices with the following hardware configurations (see the tables below) were used for testing:

Administration Server hardware configuration

Parameter | Value
CPU | Intel Xeon CPU E5506, clock speed of 2.13 GHz, 1 socket, 8 cores
RAM | 4 GB
Hard drive | IBM ServeRAID M5015 SCSI Disk Device, 928 GB
Operating system | Microsoft Windows Server 2008 R2 Standard, Service Pack 1, 6.1.7601
Network | Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client)

Hardware configuration of the SQL Server device

Parameter | Value
CPU | Intel Xeon CPU E5630, clock speed of 2.53 GHz, 1 socket, 8 cores, 16 logical processors
RAM | 26 GB
Hard drive | IBM ServeRAID M5014 SCSI Disk Device, 929 GB
Operating system | Microsoft Windows Server 2012 R2 Standard, 6.3.9600
Network | Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client)

Administration Server supported creation of 500 virtual Administration Servers.

The synchronization interval was 15 minutes for every 10,000 managed devices (see the table below).

Summarized results of Administration Server load testing

Synchronization interval (min) | Number of managed devices
15 | 10,000
30 | 20,000
45 | 30,000
60 | 40,000
75 | 50,000
90 | 60,000
105 | 70,000
120 | 80,000
135 | 90,000
150 | 100,000

If you connect Administration Server to a MySQL or SQL Express database server, it is not recommended to use the application to manage more than 10,000 devices. For the MariaDB database management system, the maximum recommended number of managed devices is 20,000.
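The load-testing table above (15 minutes of synchronization interval per 10,000 managed devices), the DBMS recommendations just stated, and the limitations table earlier in this section (100,000 managed devices, 500 virtual Administration Servers, 300 devices with the Do not disconnect option, 10,000 devices per distribution point or connection gateway) can be combined into one capacity check. The following Python is an added example written for this page, not Kaspersky's own sizing tool. It takes the figures as stated; the extrapolation of the interval beyond 100,000 devices and the function and field names (assess_capacity, CapacityReport, sync_interval_minutes) are assumptions of the example, and the inputs in main() are constructed.

```python
"""Administration Server capacity check against the limits stated on this page.

Added example, not Kaspersky's own code. Limits and the synchronization
interval are taken from the tables above; inputs in main() are constructed.
"""
from dataclasses import dataclass, field
from math import ceil

# Limits as stated for Kaspersky Security Center 13.1
MAX_MANAGED_DEVICES = 100_000
MAX_VIRTUAL_SERVERS = 500
MAX_KEEP_CONNECTED_DEVICES = 300          # "Do not disconnect from the Administration Server"
MAX_PER_DISTRIBUTION_POINT = 10_000       # non-mobile devices only
MAX_PER_CONNECTION_GATEWAY = 10_000       # mobile devices included
DB_RECOMMENDED_MAX = {"mysql": 10_000, "sqlexpress": 10_000, "mariadb": 20_000}


def sync_interval_minutes(managed_devices: int) -> int:
    """Tested interval: 15 minutes for every started block of 10,000 devices.

    Above 100,000 devices the same rule is extrapolated (assumption).
    """
    if managed_devices < 1:
        raise ValueError("managed_devices must be positive")
    return 15 * ceil(managed_devices / 10_000)


@dataclass
class CapacityReport:
    total_devices: int
    sync_interval_min: int
    distribution_points_needed: int    # lower bound from the 10,000-device coverage cap
    connection_gateways_needed: int    # lower bound from the 10,000-device gateway cap
    max_mobile_devices: int            # 100,000 minus the stationary devices
    warnings: list = field(default_factory=list)


def assess_capacity(stationary_devices: int, mobile_devices: int = 0,
                    virtual_servers: int = 0, keep_connected: int = 0,
                    db_engine: str = "sqlserver") -> CapacityReport:
    """Return sizing figures plus a list of the stated limits the plan exceeds."""
    total = stationary_devices + mobile_devices
    warnings = []
    if total > MAX_MANAGED_DEVICES:
        warnings.append(f"{total} managed devices exceed {MAX_MANAGED_DEVICES} per Administration Server")
    if virtual_servers > MAX_VIRTUAL_SERVERS:
        warnings.append(f"{virtual_servers} virtual Administration Servers exceed {MAX_VIRTUAL_SERVERS}")
    if keep_connected > MAX_KEEP_CONNECTED_DEVICES:
        warnings.append(f"{keep_connected} always-connected devices exceed {MAX_KEEP_CONNECTED_DEVICES}")
    cap = DB_RECOMMENDED_MAX.get(db_engine.lower())
    if cap is not None and total > cap:
        warnings.append(f"{db_engine}: managing more than {cap} devices is not recommended")
    return CapacityReport(
        total_devices=total,
        sync_interval_min=sync_interval_minutes(total) if total else 0,
        distribution_points_needed=ceil(stationary_devices / MAX_PER_DISTRIBUTION_POINT),
        connection_gateways_needed=ceil(total / MAX_PER_CONNECTION_GATEWAY),
        max_mobile_devices=MAX_MANAGED_DEVICES - stationary_devices,
        warnings=warnings,
    )


if __name__ == "__main__":
    # Constructed plan: 25,000 workstations and 5,000 phones on MariaDB
    report = assess_capacity(25_000, mobile_devices=5_000, db_engine="mariadb")
    print(report)
```

Distribution points remain optional below the thresholds in the distribution point tables earlier in this section; distribution_points_needed is only the floor imposed by the coverage cap once they are used.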


Results of KSN proxy server performance testing

If your enterprise network includes a large amount of client devices and they use the Administration Server as KSN proxy server, the Administration Server hardware must meet specific requirements to be able to process the requests from the client devices. You can use the testing results below to evaluate the Administration Server load on your network and plan the hardware resources to provide for normal functioning of the KSN proxy service.

The table below shows the Administration Server hardware configuration that was used for testing.

Administration Server hardware configuration

Parameter | Value
CPU | Intel(R) Xeon(R) CPU E5540, clock speed of 2.53 GHz, 2 sockets, 8 cores, hyper-threading is off
RAM | 18 GB
Operating system | Microsoft Windows Server 2012 R2 Standard

The table below shows the results of the test.

Summarized results of KSN proxy server performance testing

Parameter | Value
Maximum number of requests processed per second | about 15,000
Maximum CPU utilization | 60%


Deploying Network Agent and the security application

To manage devices in an organization, you have to install Network Agent on each of them. Deployment of distributed Kaspersky Security Center on corporate devices normally begins with installation of Network Agent on them.

In Microsoft Windows XP, Network Agent might not perform the following operations correctly: downloading updates directly from Kaspersky servers (as a distribution point); functioning as a KSN proxy server (as a distribution point); and detecting third-party vulnerabilities (if Vulnerability and Patch Management is used).

In this section

Initial deployment

Remote installation of applications on devices with Network Agent installed

Managing device restarts in the remote installation task

Suitability of databases updating in an installation package of a security application

Using tools for remote installation of applications in Kaspersky Security Center for running relevant executable files on managed devices

Monitoring the deployment

Configuring installers

Virtual infrastructure

Support of file system rollback for devices with Network Agent

Local installation of applications


Initial deployment

If a Network Agent has already been installed on a device, remote installation of applications on that device is performed through this Network Agent. The distribution package of an application to be installed is transferred over communication channels between Network Agents and Administration Server, along with the installation settings defined by the administrator. To transfer the distribution package, you can use relay distribution nodes, that is, distribution points, multicast delivery, etc. For more details on how to install applications on managed devices with Network Agent already installed, see below in this section.

You can perform initial installation of Network Agent on devices running Windows, using one of the following methods:

  • With third-party tools for remote installation of applications.
  • By cloning an image of the administrator's hard drive with the operating system and Network Agent: using tools provided by Kaspersky Security Center for handling disk images, or using third-party tools.
  • With Windows group policies: using standard Windows management tools for group policies, or in automatic mode, through the corresponding, dedicated option in the remote installation task of Kaspersky Security Center.
  • In forced mode, using special options in the remote installation task of Kaspersky Security Center.
  • By sending device users links to stand-alone packages generated by Kaspersky Security Center. Stand-alone packages are executable modules that contain the distribution packages of selected applications with their settings defined.
  • Manually, by running application installers on devices.

On platforms other than Microsoft Windows, initial installation of Network Agent on managed devices must be performed through available third-party tools. You can upgrade Network Agent to a new version or install other Kaspersky applications on non-Windows platforms, using Network Agents (already installed on devices) to perform remote installation tasks. In this case, installation is identical to that on devices running Microsoft Windows.

When selecting a method and a strategy for deployment of applications on a managed network, you must consider a number of factors (partial list):

  • Organization's network configuration.
  • Total number of devices.
  • Presence of devices on the organization's network that are not members of any Active Directory domain, and whether uniform accounts with administrator rights exist on those devices.
  • Capacity of the channel between the Administration Server and devices.
  • Type of communication between Administration Server and remote subnets and capacity of network channels in those subnets.
  • Security settings applied on remote devices at the start of deployment (such as use of UAC and Simple File Sharing mode).

In this section

Configuring installers

Installation packages

MSI properties and transform files

Deployment with third-party tools for remote installation of applications

About remote installation tasks in Kaspersky Security Center

Deployment by capturing and copying the hard drive image of a device

Deployment using group policies of Microsoft Windows

Forced deployment through the remote installation task of Kaspersky Security Center

Running stand-alone packages created by Kaspersky Security Center

Options for manual installation of applications


Configuring installers

Before starting deployment of Kaspersky applications on a network, you must specify the installation settings, that is, those defined during the application installation. When installing Network Agent, you should specify, at a minimum, an address for connection to Administration Server; some advanced settings may also be required. Depending on the installation method that you have selected, you can define settings in different ways. In the simplest case (manual interactive installation on a selected device), all relevant settings can be defined through the user interface of the installer.

This method of defining the settings is inappropriate for non-interactive ("silent") installation of applications on groups of devices. In general, the administrator must specify values for settings in centralized mode; those values can subsequently be used for non-interactive installation on selected networked devices.

[Topic 92446]

Installation packages

The first and main method of defining the installation settings of applications is all-purpose and thus suitable for all installation methods, both with Kaspersky Security Center tools, and with most third-party tools. This method consists of creating installation packages of applications in Kaspersky Security Center.

Installation packages are generated using the following methods:

  • Automatically, from specified distribution packages, on the basis of included descriptors (files with the kud extension that contain rules for installation and results analysis, and other information)
  • From the executable files of installers or from installers in native format (.msi, .deb, .rpm), for standard or supported applications

Generated installation packages are organized hierarchically as folders with subfolders and files. In addition to the original distribution package, an installation package contains editable settings (including the installer's settings and rules for processing such cases as necessity of restarting the operating system in order to complete installation), as well as minor auxiliary modules.

Values of installation settings that would be specific for an individual supported application can be defined in the user interface of Administration Console when the installation package is created. When performing remote installation of applications through Kaspersky Security Center tools, installation packages are delivered to devices so that running the installer of an application makes all administrator-defined settings available for that application. When using third-party tools for installation of Kaspersky applications, you only have to ensure the availability of the entire installation package on the device, that is, the availability of the distribution package and its settings. Installation packages are created and stored by Kaspersky Security Center in a dedicated subfolder of the shared folder.

Do not specify any details of privileged accounts in the parameters of installation packages.

For the instruction about using this configuration method for Kaspersky applications before deployment through third-party tools, see section "Deployment using group policies of Microsoft Windows".

Immediately after Kaspersky Security Center installation, a few installation packages are automatically generated; they are ready for installation and include Network Agent packages and security application packages for Microsoft Windows.

Although the license key for an application can be set in the properties of an installation package, it is advisable to avoid this method of license distribution because it is easy to obtain read access to installation packages. You should use automatically distributed license keys or installation tasks for license keys instead.

[Topic 92447]

MSI properties and transform files

Another way of configuring installation on Windows platform is to define MSI properties and transform files. This method can be applied in the following cases:

  • When installing through Windows group policies, by using regular Microsoft tools or other third-party tools for handling Windows group policies.
  • When installing applications by using third-party tools intended for handling installers in Microsoft Installer format.
[Topic 92448]

Deployment with third-party tools for remote installation of applications

When any tools for remote installation of applications (such as Microsoft System Center) are available in an organization, it is convenient to perform initial deployment by using those tools.

The following actions must be performed:

  • Select the method for configuring installation that best suits the deployment tool to be used.
  • Define the mechanism for synchronization between the modification of the settings of installation packages (through the Administration Console interface) and the operation of selected third-party tools used for deployment of applications from installation package data.
  • When performing installation from a shared folder, you must make sure that this file resource has sufficient capacity.

See also:

Defining a shared folder

Configuring installers

[Topic 92458]

About remote installation tasks in Kaspersky Security Center

Kaspersky Security Center provides various mechanisms for remote installation of applications, which are implemented as remote installation tasks (forced installation, installation by copying a hard drive image, installation through group policies of Microsoft Windows). You can create a remote installation task both for a specified administration group and for specific devices or a selection of devices (such tasks are displayed in Administration Console, in the Tasks folder). When creating a task, you can select installation packages (those of Network Agent and / or another application) to be installed within this task, as well as specify certain settings that define the method of remote installation. In addition, you can use the Remote Installation Wizard, which is based on creation of a remote installation task and results monitoring.

Tasks for administration groups affect both devices included in a specified group and all devices in all subgroups within that administration group. A task covers devices of secondary Administration Servers included in a group or any of its subgroups if the corresponding setting is enabled in the task.

Tasks for specific devices refresh the list of client devices at each run in accordance with the selection contents at the moment the task starts. If a selection includes devices that have been connected to secondary Administration Servers, the task will run on those devices, too. For details on those settings and installation methods see below in this section.

To ensure successful operation of a remote installation task on devices connected to secondary Administration Servers, you must use the relaying task to relay the installation packages used by your task to the corresponding secondary Administration Servers in advance.

[Topic 92459]

Deployment by capturing and copying the hard drive image of a device

If you need to install Network Agent on devices on which an operating system and other software also must be installed (or reinstalled), you can use the mechanism of capturing and copying the hard drive of that device.

To perform deployment by capturing and copying a hard drive:

  1. Create a reference device with an operating system and the relevant software installed, including Network Agent and a security application.
  2. Capture the reference image on the device and distribute that image on new devices through the dedicated task of Kaspersky Security Center.

    To capture and install disk images, you can use either third-party tools available in the organization, or the feature provided (under the Vulnerability and Patch Management license) by Kaspersky Security Center.

If you use any third-party tools to process disk images, you must delete the information that Kaspersky Security Center uses to identify the managed device, when performing deployment on a device from a reference image. Otherwise, Administration Server will not be able to properly distinguish devices that have been created by copying the same image.

When capturing a disk image with Kaspersky Security Center tools, this issue is solved automatically.

Copying a disk image with third-party tools

When applying third-party tools for capturing the image of a device with Network Agent installed, use one of the following methods:

  • Recommended method. When installing Network Agent on a reference device, capture the device image before the first run of Network Agent service (because unique information identifying the device is created at the first connection of Network Agent to the Administration Server). After that, it is recommended that you avoid running Network Agent service until the completion of the image capturing operation.
  • On the reference device, stop the Network Agent service and run the klmover utility with the -dupfix key. The utility klmover is included in the installation package of Network Agent. Avoid any subsequent runs of Network Agent service until the image capturing operation completes.
  • Make sure that klmover will be run with the -dupfix key before (mandatory requirement) the first run of the Network Agent service on target devices, at the first launch of the operating system after the image deployment. The utility klmover is included in the installation package of Network Agent.

If the hard drive image has been copied incorrectly, you can resolve this problem.

You can apply an alternate scenario for Network Agent deployment on new devices through operating system images:

  • The captured image contains no Network Agent installed.
  • A stand-alone installation package of Network Agent located in the shared folder of Kaspersky Security Center has been added to the list of executable files that are run upon completion of the image deployment on target devices.

This deployment scenario adds flexibility: you can use a single operating system image together with various installation options for Network Agent and / or the security application, including device moving rules related to the standalone package. This slightly complicates the deployment process: you have to provide access to the network folder with stand-alone installation packages from a device.

See also:

Network Agent disk cloning mode

[Topic 92460]

Deployment using group policies of Microsoft Windows

It is recommended that you perform the initial deployment of Network Agents through Microsoft Windows group policies if the following conditions are met:

  • The target devices are members of an Active Directory domain.
  • The deployment scheme allows you to wait for the next routine restart of target devices before starting deployment of Network Agents on them (or you can force a Windows group policy to be applied to those devices).

This deployment scheme consists of the following:

  • The application distribution package in Microsoft Installer format (MSI package) is located in a shared folder (a folder where the LocalSystem accounts of target devices have read permissions).
  • In the Active Directory group policy, an installation object is created for the distribution package.
  • The installation scope is set by specifying the organizational unit (OU) and / or the security group, which includes the target devices.
  • The next time a target device logs in to the domain (before device users log in to the system), all installed applications are checked for the presence of the required application. If the application is not found, the distribution package is downloaded from the resource specified in the policy and is then installed.

An advantage of this deployment scheme is that assigned applications are installed on target devices while the operating system is loading, that is, even before the user logs in to the system. Even if a user with sufficient rights removes the application, it will be reinstalled at the next launch of the operating system. This deployment scheme's shortcoming is that changes made by the administrator to the group policy will not take effect until the devices are restarted (if no additional tools are involved).

You can use group policies to install both Network Agent and other applications if their respective installers are in Windows Installer format.

When this deployment scheme is selected, you must also assess the load on the file resource from which files will be copied to devices after applying the Windows group policy.

Handling Microsoft Windows policies through the remote installation task of Kaspersky Security Center

The simplest way to install applications through group policies of Microsoft Windows is to select the Assign package installation in Active Directory group policies option in the properties of the remote installation task of Kaspersky Security Center. In this case, Administration Server automatically performs the following actions when you run the task:

  • Creates required objects in the group policy of Microsoft Windows.
  • Creates dedicated security groups, includes the target devices in those groups, and assigns installation of selected applications for them. The set of security groups will be updated at every task run, in accordance with the pool of devices at the moment of the run.

To make this feature operable, in the task properties, specify an account that has write permissions in Active Directory group policies.

If you intend to install both Network Agent and another application through the same task, selecting the Assign package installation in Active Directory group policies option causes the application to create an installation object in the Active Directory policy for Network Agent only. The second application selected in the task will be installed through the tools of Network Agent as soon as the latter is installed on the device. If you want to install an application other than Network Agent through Windows group policies, you must create an installation task for this installation package only (without the Network Agent package). Not every application can be installed using Microsoft Windows group policies. To find out about this capability, you can refer to information about the possible methods for installing the application.

If required objects are created in the group policy by using Kaspersky Security Center tools, the shared folder of Kaspersky Security Center will be used as the source of the installation package. When planning the deployment, you must correlate the reading speed for this folder with the number of devices and the size of the distribution package to be installed. It may be useful to locate the shared folder of Kaspersky Security Center in a high-performance dedicated file repository.

In addition to its ease of use, automatic creation of Windows group policies through Kaspersky Security Center has this advantage: when planning Network Agent installation, you can easily specify the Kaspersky Security Center administration group into which devices will be automatically moved after installation completes. You can specify this group in the Add Task Wizard or in the settings window of the remote installation task.

When handling Windows group policies through Kaspersky Security Center, you can specify devices for a group policy object by creating a security group. Kaspersky Security Center synchronizes the contents of the security group with the current set of devices in the task. When using other tools for handling group policies, you can associate objects of group policies with selected OUs of Active Directory directly.

Unassisted installation of applications through policies of Microsoft Windows

The administrator can create objects required for installation in a Windows group policy on his or her own behalf. In this case, he or she can provide links to packages stored in the shared folder of Kaspersky Security Center, or upload those packages to a dedicated file server and then provide links to them.

The following installation scenarios are possible:

  • The administrator creates an installation package and sets up its properties in Administration Console. The group policy object provides a link to the MSI file of this package stored in the shared folder of Kaspersky Security Center.
  • The administrator creates an installation package and sets up its properties in Administration Console. Then the administrator copies the entire EXEC subfolder of this package from the shared folder of Kaspersky Security Center to a folder on a dedicated file resource of the organization. The group policy object provides a link to the MSI file of this package stored in a subfolder on the dedicated file resource of the organization.
  • The administrator downloads the application distribution package (including that of Network Agent) from the internet and uploads it to the dedicated file resource of the organization. The group policy object provides a link to the MSI file of this package stored in a subfolder on the dedicated file resource of the organization. The installation settings are defined by configuring the MSI properties or by configuring MST transform files.

See also:

Installing an application through Active Directory group policies

[Topic 92461]

Forced deployment through the remote installation task of Kaspersky Security Center

If you need to start deploying Network Agents or other applications immediately, without waiting for the next time target devices log in to the domain, or if any target devices that are not members of the Active Directory domain are available, you can force installation of selected installation packages through the remote installation task of Kaspersky Security Center.

In this case, you can specify target devices either explicitly (with a list), or by selecting the Kaspersky Security Center administration group to which they belong, or by creating a selection of devices based upon a specific criterion. The installation start time is defined by the task schedule. If the Run missed tasks setting is enabled in the task properties, the task can be run either immediately after target devices are turned on, or when they are moved to the target administration group.

This type of installation consists in copying files to the administrative resource (admin$) on each device and performing remote registration of supporting services on them. The following conditions must be met in this case:

  • Devices must be available for connection either from the Administration Server side, or from the distribution point side.
  • Name resolution for target devices must function properly in the network.
  • The administrative shares (admin$) must remain enabled on target devices.
  • The Server system service must be running on target devices (by default, it is running).
  • The following ports must be open on target devices to allow remote access through Windows tools: TCP 139, TCP 445, UDP 137, and UDP 138.
  • Simple File Sharing mode must be disabled on target devices.
  • On target devices, the sharing and security model for local accounts must be set to Classic – local users authenticate as themselves; it must not be set to Guest only – local users authenticate as Guest.
  • Target devices must be members of the domain, or uniform accounts with administrator rights must be created on target devices in advance.

Devices in workgroups can be adjusted in accordance with the above requirements by using the riprep.exe utility, which is described on the Kaspersky Technical Support website.

During installation on new devices that have not yet been allocated to any of the Kaspersky Security Center administration groups, you can open the remote installation task properties and specify the administration group to which devices will be moved after Network Agent installation.

When creating a group task, keep in mind that each group task affects all devices in all nested groups within a selected group. Therefore, you must avoid duplicating installation tasks in subgroups.

Automatic installation is a simplified way to create tasks for forced installation of applications. To do this, open the administration group properties, open the list of installation packages and select the ones that must be installed on devices in this group. As a result, the selected installation packages will be automatically installed on all devices in this group and all of its subgroups. The time interval over which the packages will be installed depends on the network throughput and the total number of networked devices.

Forced installation can also be applied if devices cannot be directly accessed by the Administration Server: for example, if devices are on isolated networks, or if they are on a local network while Administration Server is in a DMZ. To make forced installation possible, you must assign distribution points in each of the isolated networks.

Using distribution points as local installation centers may also be useful when performing installation on devices in subnets that communicate with Administration Server over a low-capacity channel while a broader channel is available between devices in the same subnet. However, note that this installation method places a significant load on devices acting as distribution points. Therefore, it is recommended that you select powerful devices with high-performance storage as distribution points. Moreover, the free disk space in the partition with the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit folder must exceed, many times over, the total size of the distribution packages of the installed applications.

[Topic 92462]

Running stand-alone packages created by Kaspersky Security Center

The above-described methods of initial deployment of Network Agent and other applications cannot always be implemented because it is not always possible to meet all of the applicable conditions. In such cases, you can use Kaspersky Security Center to create a single executable file called a stand-alone installation package, built from installation packages with the relevant installation settings that the administrator has prepared. The stand-alone installation package is stored in the shared folder of Kaspersky Security Center.

You can use Kaspersky Security Center to send selected users an email message containing a link to this file in the shared folder, prompting them to run the file (either in interactive mode, or with the key "-s" for silent installation). You can attach the stand-alone installation package to an email message and then send it to the users of devices that have no access to the shared folder of Kaspersky Security Center. The administrator can also copy the stand-alone package to a removable drive, deliver it to a relevant device, and then run it later.

You can create a stand-alone package from a Network Agent package, a package of another application (for example, the security application), or both. If the stand-alone package has been created from Network Agent and another application, installation starts with Network Agent.

When creating a stand-alone package with Network Agent, you can specify the administration group to which new devices (those that have not been allocated to any of the administration groups) will be automatically moved when Network Agent installation completes on them.

Stand-alone packages can run in interactive mode (by default), displaying the result for installation of applications they contain, or they can run in silent mode (when run with the key "-s"). Silent mode can be used for installation from scripts, for example, from scripts configured to run after an operating system image is deployed. The result of installation in silent mode is determined by the return code of the process.

[Topic 92463]

Options for manual installation of applications

Administrators or experienced users can install applications manually in interactive mode. They can use either original distribution packages or installation packages generated from them and stored in the shared folder of Kaspersky Security Center. By default, installers run in interactive mode and prompt users for all required values. However, when running the process setup.exe from the root of an installation package with the key "-s", the installer will be running in silent mode and with the settings that have been defined when configuring the installation package.

When running setup.exe from the root of an installation package stored in the shared folder of Kaspersky Security Center, the package will first be copied to a temporary local folder, and then the application installer will be run from the local folder.

[Topic 92464]

Remote installation of applications on devices with Network Agent installed

If an operable Network Agent connected to the primary Administration Server (or to any of its secondary Servers) is installed on a device, you can upgrade Network Agent on this device, as well as install, upgrade, or remove any supported applications through Network Agent.

You can enable the Using Network Agent option in the properties of the remote installation task.

If this option is selected, installation packages with installation settings defined by the administrator will be transferred to target devices over communication channels between Network Agent and the Administration Server.

To optimize the load on the Administration Server and minimize traffic between the Administration Server and the devices, it is useful to assign distribution points on every remote network or in every broadcasting domain (see sections "About distribution points" and "Building a structure of administration groups and assigning distribution points"). In this case, installation packages and the installer settings are distributed from the Administration Server to target devices through distribution points.

Moreover, you can use distribution points for broadcasting (multicast) delivery of installation packages, which allows reducing network traffic significantly when deploying applications.

When transferring installation packages to target devices over communication channels between Network Agents and the Administration Server, all installation packages that have been prepared for transfer will also be cached in the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\.working\FTServer folder. When using multiple large installation packages of various types and involving a large number of distribution points, the size of this folder may increase dramatically.

Files cannot be deleted from the FTServer folder manually. When original installation packages are deleted, the corresponding data will be automatically deleted from the FTServer folder.

The data received by distribution points is saved in the folder %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1103\$FTClTmp.

Files cannot be deleted from the $FTClTmp folder manually. As tasks using data from this folder complete, the contents of this folder will be deleted automatically.

Because installation packages are distributed over communication channels between Administration Server and Network Agents from an intermediate repository in a format optimized for network transfers, no changes are allowed in installation packages stored in the original folder of each installation package: such changes will not be automatically registered by Administration Server. If you need to modify the files of an installation package manually (although you are advised to avoid this scenario), you must afterwards edit any setting of that installation package in Administration Console, because editing the settings of an installation package in Administration Console causes Administration Server to update the package image in the cache that has been prepared for transfer to target devices.

[Topic 92465]

Managing device restarts in the remote installation task

Devices often need a restart to complete the remote installation of applications (particularly on Windows).

If you use the remote installation task of Kaspersky Security Center, in the Add Task Wizard or in the properties window of the task that has been created (Operating system restart section), you can select the action to perform when a restart is required:

  • Do not restart the device. In this case, no automatic restart will be performed. To complete the installation, you must restart the device (for example, manually or through the device management task). Information about the required restart will be saved in the task results and in the device status. This option is suitable for installation tasks on servers and other devices where continuous operation is critical.
  • Restart the device. In this case, the device is always restarted automatically if a restart is required for completion of the installation. This option is useful for installation tasks on devices that provide for regular pauses in their operation (shutdown or restart).
  • Prompt user for action. In this case, a restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: the text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). The Prompt user for action option is the most suitable for workstations where users need to be able to select the most convenient time for a restart.
[Topic 92466]

Advisability of updating databases in an installation package of a security application

Before starting the protection deployment, you must keep in mind the possibility of updating anti-virus databases (including modules of automatic patches) shipped together with the distribution package of the security application. It is useful to update the databases in the installation package of the application before starting the deployment (for example, by using the corresponding command in the context menu of a selected installation package). This will reduce the number of restarts required for completion of protection deployment on target devices.

[Topic 92467]

Using tools for remote installation of applications in Kaspersky Security Center for running relevant executable files on managed devices

Using the New Package Wizard, you can select any executable file and define its command-line settings. To do this, you can add to the installation package either the selected file itself or the entire folder in which this file is stored. Then you must create the remote installation task and select the installation package that has been created.

While the task is running, the specified executable file will be run on target devices with the defined command-line settings.

If you use installers in Microsoft Windows Installer (MSI) format, Kaspersky Security Center analyzes the installation results by means of standard tools.

If the Vulnerability and Patch Management license is available, Kaspersky Security Center (when creating an installation package for any supported application in the corporate environment) also uses rules for installation and analysis of installation results that are in its updatable database.

Otherwise, the default task for executable files waits for the completion of the running process and of all its child processes. After completion of all of the running processes, the task will be completed successfully regardless of the return code of the initial process. To change this behavior, before creating the task, you have to manually modify the .kpd files that Kaspersky Security Center generated in the folder of the newly created installation package and its subfolders.

For the task not to wait for the completion of the running process, set the Wait setting to 0 in the [SetupProcessResult] section.

Example:

[SetupProcessResult]
Wait=0

For the task to wait only for the completion of the running process on Windows, not for the completion of all of its child processes, set the WaitJob setting to 0 in the [SetupProcessResult] section.

Example:

[SetupProcessResult]
WaitJob=0

For the task to complete successfully or return an error depending on the return code of the running process, list the successful return codes in the [SetupProcessResult_SuccessCodes] section.

Example:

[SetupProcessResult_SuccessCodes]
0=
3010=

In this case, any return code other than those listed results in an error.

To display a comment on the successful completion of the task or on an error in the task results, enter brief descriptions corresponding to the return codes of the process in the [SetupProcessResult_SuccessCodes] and [SetupProcessResult_ErrorCodes] sections.

Example:

[SetupProcessResult_SuccessCodes]
0=Installation completed successfully
3010=A restart is required to complete the installation

[SetupProcessResult_ErrorCodes]
1602=Installation canceled by the user
1603=Fatal error during installation

To use Kaspersky Security Center tools for managing the device restart (if a restart is required to complete an operation), list the return codes of the process that indicate that a restart must be performed in the [SetupProcessResult_NeedReboot] section.

Example:

[SetupProcessResult_NeedReboot]
3010=
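The decision rules above can be checked before a task is created. The following Python script is an added example, not Kaspersky Security Center code: it parses the [SetupProcessResult*] sections of a constructed .kpd fragment and reports, for a given process return code, whether the task would succeed, fail, and request a restart, and whether it would wait for the process and its child processes.

```python
"""Evaluate the outcome a remote installation task would report for a given
process return code, following the [SetupProcessResult*] rules described
above. Added example; not Kaspersky Security Center code."""
from __future__ import annotations

import configparser
from dataclasses import dataclass

# Constructed .kpd fragment for the example (combines the settings shown above).
SAMPLE_KPD = """\
[SetupProcessResult]
Wait=1
WaitJob=0

[SetupProcessResult_SuccessCodes]
0=Installation completed successfully
3010=A restart is required to complete the installation

[SetupProcessResult_ErrorCodes]
1602=Installation canceled by the user
1603=Fatal error during installation

[SetupProcessResult_NeedReboot]
3010=
"""


@dataclass(frozen=True)
class Outcome:
    status: str        # "success" or "error"
    need_reboot: bool  # whether the code is listed in [SetupProcessResult_NeedReboot]
    message: str       # comment shown in the task results


def parse_kpd(text: str) -> configparser.ConfigParser:
    """Parse .kpd text as an INI file. Key case is preserved (Wait vs WaitJob),
    '%' is not treated specially, and a key such as '3010=' gets an empty value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _section(cp: configparser.ConfigParser, name: str):
    """Return the section as a mapping, or an empty dict if it is absent."""
    return cp[name] if cp.has_section(name) else {}


def wait_settings(cp: configparser.ConfigParser) -> tuple[bool, bool]:
    """Return (wait_for_process, wait_for_child_processes).
    Both default to waiting; only an explicit 0 disables them."""
    result = _section(cp, "SetupProcessResult")
    return result.get("Wait", "1") != "0", result.get("WaitJob", "1") != "0"


def evaluate(cp: configparser.ConfigParser, return_code: int) -> Outcome:
    """Map a process return code to the task outcome."""
    code = str(return_code)
    success_codes = _section(cp, "SetupProcessResult_SuccessCodes")
    error_codes = _section(cp, "SetupProcessResult_ErrorCodes")
    need_reboot = code in _section(cp, "SetupProcessResult_NeedReboot")

    # Without a success-code list the task succeeds whatever the process returned.
    if not cp.has_section("SetupProcessResult_SuccessCodes"):
        return Outcome("success", need_reboot, "")
    if code in success_codes:
        return Outcome("success", need_reboot, success_codes.get(code, ""))
    # Any code not listed as successful is an error; use its description if one exists.
    message = error_codes.get(code) or f"process returned {code}, which is not a listed success code"
    return Outcome("error", need_reboot, message)


if __name__ == "__main__":
    kpd = parse_kpd(SAMPLE_KPD)
    print("wait for process, wait for child processes:", wait_settings(kpd))
    for rc in (0, 3010, 1602, 1603, 1):
        print(rc, evaluate(kpd, rc))
```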

[Topic 92470]

Monitoring the deployment

To monitor the Kaspersky Security Center deployment and make sure that a security application and Network Agent are installed on managed devices, you have to check the traffic light in the Deployment section. This traffic light is located in the workspace of the Administration Server node in the main window of Administration Console. The traffic light reflects the current deployment status. The number of devices with Network Agent and security applications installed is displayed next to the traffic light. When any installation tasks are running, you can monitor their progress here. If any installation errors occur, the number of errors is displayed here. You can view the details of any error by clicking the link.

You can also use the deployment schema in the workspace of the Managed devices folder on the Groups tab. The chart reflects the deployment process, showing the number of devices without Network Agent, with Network Agent, or with Network Agent and a security application.

For more details on the progress of the deployment (or the operation of a specific installation task) open the results window of the relevant remote installation task: Right-click the task and select Results in the context menu. The window displays two lists: the upper one contains the task statuses on devices, while the lower one contains task events on the device that is currently selected in the upper list.

Information about deployment errors is added to the Kaspersky Event Log on Administration Server. Information about errors is also available through the corresponding event selection in the Administration Server node on the Events tab.

[Topic 92471]

Configuring installers

This section provides information about the files of Kaspersky Security Center installers and the installation settings, as well as recommendations on how to install Administration Server and Network Agent in silent mode.

In this section

General information

Installation in silent mode (with a response file)

Installation of Network Agent in silent mode (without a response file)

Partial installation configuration through setup.exe

Administration Server installation parameters

Network Agent installation parameters

[Topic 92472]

General information

Installers of Kaspersky Security Center 13.1 components (Administration Server, Network Agent, and Administration Console) are built on Windows Installer technology. An MSI package is the core of an installer. This packaging format provides all of the advantages of Windows Installer: scalability, a patching system, a transformation system, centralized installation through third-party solutions, and transparent registration with the operating system.

See also:

Installation in silent mode (with a response file)

Installation of Network Agent in silent mode (without a response file)

Partial installation configuration through setup.exe

Administration Server installation parameters

Network Agent installation parameters

[Topic 92473]

Installation in silent mode (with a response file)

The installers of Administration Server and Network Agent can work with a response file (ss_install.xml) that contains the parameters for installation in silent mode, without user participation. The ss_install.xml file is located in the same folder as the MSI package and is used automatically during installation in silent mode. You enable silent installation mode with the command-line key /s.

Example:

setup.exe /s

Before you start the installer in silent mode, read the End User License Agreement (EULA). If the Kaspersky Security Center distribution kit does not include a TXT file with the text of the EULA, you can download the file from the Kaspersky website.

The ss_install.xml file is an instance of the internal format of parameters of the Kaspersky Security Center installer. Distribution packages contain the ss_install.xml file with the default parameters.

Do not modify ss_install.xml manually. Modify it through the tools of Kaspersky Security Center, by editing the settings of installation packages in Administration Console.

To modify the response file for Administration Server installation:

  1. Open the Kaspersky Security Center distribution package. If you use a full package EXE file, then unpack it.
  2. From the Server folder, open the command line, and then run the following command:

    setup.exe /r ss_install.xml

    The Kaspersky Security Center installer starts.

  3. Follow the Wizard's steps to configure the Kaspersky Security Center installation.

When you complete the Wizard, the response file is automatically modified according to the new settings that you specified.

See also:

General information

Installation of Network Agent in silent mode (without a response file)

Partial installation configuration through setup.exe

Administration Server installation parameters

Network Agent installation parameters

Main installation scenario

[Topic 92474]

Installation of Network Agent in silent mode (without a response file)

You can install Network Agent with a single .msi package, specifying the values of MSI properties in the standard way. This scenario allows Network Agent to be installed by using group policies. To avoid conflicts between parameters defined through MSI properties and parameters defined in the response file, you can disable the response file by setting the property DONT_USE_ANSWER_FILE=1. An example of running the Network Agent installer with an .msi package is given below.

Installation of Network Agent in non-interactive mode requires acceptance of the terms of the End User License Agreement. Use the EULA=1 parameter only if you have fully read, understand and accept the terms of the End User License Agreement.

Example:

msiexec /i "Kaspersky Network Agent.msi" /qn DONT_USE_ANSWER_FILE=1 SERVERADDRESS=kscserver.mycompany.com EULA=1

You can also define the installation parameters for an .msi package by preparing a response file in advance (an MSI transform file with the .mst extension).

Example:

msiexec /i "Kaspersky Network Agent.msi" /qn TRANSFORMS=test.mst;test2.mst

You can specify several response files in a single command, separated by semicolons.

See also:

Installing Network Agent in non-interactive (silent) mode

Network Agent installation parameters

Ports used by Kaspersky Security Center

General information

Installation in silent mode (with a response file)

Partial installation configuration through setup.exe

Administration Server installation parameters

Main installation scenario

[Topic 92475]

Partial installation configuration through setup.exe

When installing applications through setup.exe, you can pass values for any MSI properties to the MSI package by using the /v key.

Example:

/v"PROPERTY_NAME1=PROPERTY_VALUE1 PROPERTYNAME2=PROPERTYVALUE2"

See also:

General information

Installation in silent mode (with a response file)

Installation of Network Agent in silent mode (without a response file)

Administration Server installation parameters

Network Agent installation parameters

[Topic 92476]

Administration Server installation parameters

The table below describes the MSI properties that you can configure when installing Administration Server. All of the parameters are optional, except for EULA and PRIVACYPOLICY.

Parameters of Administration Server installation in non-interactive mode. Each entry gives the MSI property, its description, and the available values.

EULA
  Acceptance of the licensing terms (required)
  • 1—I have fully read, understand and accept the terms of the End User License Agreement.
  • Other value or no value—I do not accept the terms of the License Agreement (installation is not performed).

PRIVACYPOLICY
  Acceptance of the terms of the Privacy Policy (required)
  • 1—I am aware and agree that my data will be handled and transmitted (including to third countries) as described in the Privacy Policy. I confirm that I have fully read and understand the Privacy Policy.
  • Other value or no value—I do not accept the terms of the Privacy Policy (installation is not performed).

INSTALLATIONMODETYPE
  Type of Administration Server installation
  • Standard.
  • Custom.

INSTALLDIR
  Application installation folder
  String value.

ADDLOCAL
  List of components to install (separated by commas)
  CSAdminKitServer, NAgent, CSAdminKitConsole, NSAC, MobileSupport, KSNProxy, SNMPAgent, GdiPlusRedist, Microsoft_VC90_CRT_x86, Microsoft_VC100_CRT_x86.
  Minimum list of components sufficient for proper Administration Server installation:
  ADDLOCAL=CSAdminKitServer, CSAdminKitConsole, KSNProxy, Microsoft_VC90_CRT_x86, Microsoft_VC100_CRT_x86

NETRANGETYPE
  Network size
  • NRT_1_100—From 1 to 100 devices.
  • NRT_100_1000—From 101 to 1000 devices.
  • NRT_GREATER_1000—More than 1000 devices.

SRV_ACCOUNT_TYPE
  Way of specifying the user account for the Administration Server service
  • SrvAccountDefault—The user account will be created automatically.
  • SrvAccountUser—The user account is defined manually.

SERVERACCOUNTNAME
  User name for the service
  String value.

SERVERACCOUNTPWD
  User password for the service
  String value.

DBTYPE
  Database type
  • MySQL—A MySQL or MariaDB database server will be used.
  • MSSQL—A Microsoft SQL Server (SQL Server Express) database server will be used.

MYSQLSERVERNAME
  Full name of MySQL or MariaDB database server
  String value.

MYSQLSERVERPORT
  Number of port for connection to MySQL or MariaDB database server
  Numerical value.

MYSQLDBNAME
  Name of MySQL or MariaDB database
  String value.

MYSQLACCOUNTNAME
  User name for connection to MySQL or MariaDB database server
  String value.

MYSQLACCOUNTPWD
  User password for connection to MySQL or MariaDB database server
  String value.

MSSQLCONNECTIONTYPE
  Type of use of MSSQL database
  • InstallMSSEE—Install from a package.
  • ChooseExisting—Use the installed server.

MSSQLSERVERNAME
  Full name of SQL Server instance
  String value.

MSSQLDBNAME
  Name of SQL Server database
  String value.

MSSQLAUTHTYPE
  Method of authentication for connection to SQL Server
  • Windows.
  • SQLServer.

MSSQLACCOUNTNAME
  User name for connection to SQL Server in SQLServer mode
  String value.

MSSQLACCOUNTPWD
  User password for connection to SQL Server in SQLServer mode
  String value.

CREATE_SHARE_TYPE
  Method of specifying the shared folder
  • Create—Create a new shared folder; in this case, the following properties must be defined:
    • SHARELOCALPATH—Path to a local folder.
    • SHAREFOLDERNAME—Network name of a folder.
  • Null—EXISTSHAREFOLDERNAME property must be specified.

EXISTSHAREFOLDERNAME
  Full path to an existing shared folder
  String value.

SERVERPORT
  Port number to connect to Administration Server
  Numerical value.

SERVERSSLPORT
  Number of port for establishing SSL connection to Administration Server
  Numerical value.

SERVERADDRESS
  Administration Server address
  String value.

SERVERCERT2048BITS
  Size of the key for the Administration Server certificate (bits)
  • 1—The size of the key for the Administration Server certificate is 2048 bit.
  • 0—The size of the key for the Administration Server certificate is 1024 bit.
  • If no value is specified, the size of the key for the Administration Server certificate is 1024 bit.

MOBILESERVERADDRESS
  Address of the Administration Server for connection of mobile devices; ignored if the MobileSupport component has not been selected
  String value.
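A silent installation with a wrong property value simply does not proceed, so the rules in the table are worth checking before launch. The following Python preflight check is an added example, not Kaspersky Security Center code: it encodes the value sets, the required properties, the shared-folder dependencies and the ADDLOCAL minimum from the table, and warns when SERVERCERT2048BITS leaves the certificate with a 1024-bit key; the property sets it checks are constructed samples.

```python
"""Preflight check of Administration Server MSI properties against the table above.
Added example, not Kaspersky Security Center code; sample property sets are constructed."""
from __future__ import annotations

# Enumerated properties and the values the table lists for them.
ENUMS = {
    "INSTALLATIONMODETYPE": {"Standard", "Custom"},
    "NETRANGETYPE": {"NRT_1_100", "NRT_100_1000", "NRT_GREATER_1000"},
    "SRV_ACCOUNT_TYPE": {"SrvAccountDefault", "SrvAccountUser"},
    "DBTYPE": {"MySQL", "MSSQL"},
    "MSSQLCONNECTIONTYPE": {"InstallMSSEE", "ChooseExisting"},
    "MSSQLAUTHTYPE": {"Windows", "SQLServer"},
    "CREATE_SHARE_TYPE": {"Create", "Null"},
    "SERVERCERT2048BITS": {"0", "1"},
}
NUMERIC = ("MYSQLSERVERPORT", "SERVERPORT", "SERVERSSLPORT")
COMPONENTS = {"CSAdminKitServer", "NAgent", "CSAdminKitConsole", "NSAC", "MobileSupport",
              "KSNProxy", "SNMPAgent", "GdiPlusRedist", "Microsoft_VC90_CRT_x86",
              "Microsoft_VC100_CRT_x86"}
MINIMUM_COMPONENTS = {"CSAdminKitServer", "CSAdminKitConsole", "KSNProxy",
                      "Microsoft_VC90_CRT_x86", "Microsoft_VC100_CRT_x86"}


def parse_addlocal(value: str) -> list[str]:
    """Split the comma-separated ADDLOCAL value into component names."""
    return [c.strip() for c in value.split(",") if c.strip()]


def check_admin_server_props(props: dict[str, str]) -> dict[str, list[str]]:
    """Return {"errors": [...], "warnings": [...]}: errors abort or break the install,
    warnings install but leave a weaker or silently ignored configuration."""
    errors: list[str] = []
    warnings: list[str] = []

    # EULA and PRIVACYPOLICY are the only required properties; anything but 1 aborts.
    for name in ("EULA", "PRIVACYPOLICY"):
        if props.get(name) != "1":
            errors.append(f"{name} must be 1; other value or no value: installation is not performed")

    # Enumerated properties must use one of the listed values.
    for name, allowed in ENUMS.items():
        if name in props and props[name] not in allowed:
            errors.append(f"{name}={props[name]!r} is not one of {sorted(allowed)}")

    # Port properties are numerical values.
    for name in NUMERIC:
        if name in props and not props[name].isdigit():
            errors.append(f"{name} must be a numerical value, got {props[name]!r}")

    # ADDLOCAL: only known components, and at least the documented minimum set.
    components = parse_addlocal(props.get("ADDLOCAL", ""))
    if "ADDLOCAL" in props:
        for component in components:
            if component not in COMPONENTS:
                errors.append(f"unknown ADDLOCAL component {component!r}")
        missing = sorted(MINIMUM_COMPONENTS - set(components))
        if missing:
            errors.append("ADDLOCAL lacks minimum Administration Server components: " + ", ".join(missing))

    # Shared folder: Create needs a local path and a network name; Null needs an existing share.
    share = props.get("CREATE_SHARE_TYPE")
    if share == "Create":
        for name in ("SHARELOCALPATH", "SHAREFOLDERNAME"):
            if not props.get(name):
                errors.append(f"CREATE_SHARE_TYPE=Create requires {name}")
    elif share == "Null" and not props.get("EXISTSHAREFOLDERNAME"):
        errors.append("CREATE_SHARE_TYPE=Null requires EXISTSHAREFOLDERNAME")

    # Certificate key size: any value but 1, including no value, yields a 1024-bit key.
    if props.get("SERVERCERT2048BITS") != "1":
        warnings.append("SERVERCERT2048BITS is not 1: certificate key will be 1024 bit; "
                        "set SERVERCERT2048BITS=1 for 2048 bit")

    # MOBILESERVERADDRESS is ignored unless the MobileSupport component is selected.
    if "MOBILESERVERADDRESS" in props and "ADDLOCAL" in props and "MobileSupport" not in components:
        warnings.append("MOBILESERVERADDRESS is ignored because MobileSupport is not in ADDLOCAL")

    return {"errors": errors, "warnings": warnings}


# Constructed sample property sets (not taken from a real deployment).
GOOD_PROPS = {
    "EULA": "1", "PRIVACYPOLICY": "1", "INSTALLATIONMODETYPE": "Custom",
    "ADDLOCAL": "CSAdminKitServer, CSAdminKitConsole, KSNProxy, Microsoft_VC90_CRT_x86, Microsoft_VC100_CRT_x86",
    "DBTYPE": "MSSQL", "MSSQLCONNECTIONTYPE": "ChooseExisting", "MSSQLAUTHTYPE": "Windows",
    "CREATE_SHARE_TYPE": "Create", "SHARELOCALPATH": r"C:\KLSHARE", "SHAREFOLDERNAME": "KLSHARE",
    "SERVERPORT": "14000", "SERVERCERT2048BITS": "1",
}
BAD_PROPS = {
    "EULA": "1", "ADDLOCAL": "CSAdminKitServer, KSNProxy, Unknown", "CREATE_SHARE_TYPE": "Null",
    "NETRANGETYPE": "NRT_50", "SERVERPORT": "abc", "MOBILESERVERADDRESS": "mdm.example.test",
}

if __name__ == "__main__":
    for label, props in (("good", GOOD_PROPS), ("bad", BAD_PROPS)):
        report = check_admin_server_props(props)
        print(label, *report["errors"], *report["warnings"], sep="\n  ")
```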

See also:

General information

Installation in silent mode (with a response file)

Installation of Network Agent in silent mode (without a response file)

Network Agent installation parameters

Installing Network Agent in non-interactive (silent) mode

Partial installation configuration through setup.exe

[Topic 92477]

Network Agent installation parameters

The table below describes the MSI properties that you can configure when installing Network Agent. All of the parameters are optional, except for EULA and SERVERADDRESS.

Parameters of Network Agent installation in non-interactive mode. Each entry gives the MSI property, its description, and the available values.

EULA
  Acceptance of the terms of the License Agreement
  • 1—I have fully read, understand and accept the terms of the End User License Agreement.
  • 0—I do not accept the terms of the License Agreement (installation is not performed).
  • No value—I do not accept the terms of the License Agreement (installation is not performed).

DONT_USE_ANSWER_FILE
  Read installation settings from response file
  • 1—Do not use.
  • Other value or no value—Read.

INSTALLDIR
  Path to the Network Agent installation folder
  String value.

SERVERADDRESS
  Administration Server address (required)
  String value.

SERVERPORT
  Number of port for connection to Administration Server
  Numerical value.

SERVERSSLPORT
  Number of the port for encrypted connection to Administration Server by using SSL protocol
  Numerical value.

USESSL
  Whether to use SSL connection
  • 1—Use.
  • Other value or no value—Do not use.

OPENUDPPORT
  Whether to open a UDP port
  • 1—Open.
  • Other value or no value—Do not open.

UDPPORT
  UDP port number
  Numerical value.

USEPROXY
  Whether to use a proxy server
  • 1—Use.
  • Other value or no value—Do not use.

PROXYLOCATION (PROXYADDRESS:PROXYPORT)
  Proxy address and number of port for connection to proxy server
  String value.

PROXYLOGIN
  Account for connection to proxy server
  String value.

PROXYPASSWORD
  Password of account for connection to proxy server (Do not specify any details of privileged accounts in the parameters of installation packages.)
  String value.

GATEWAYMODE
  Connection gateway use mode
  • 0—Do not use connection gateway.
  • 1—Use this Network Agent as connection gateway.
  • 2—Connect to the Administration Server using connection gateway.

GATEWAYADDRESS
  Connection gateway address
  String value.

CERTSELECTION
  Method of receiving a certificate
  • GetOnFirstConnection—Receive a certificate from the Administration Server.
  • GetExistent—Select an existing certificate. If this option is selected, the CERTFILE property must be specified.

CERTFILE
  Path to the certificate file
  String value.

VMVDI
  Enable dynamic mode for Virtual Desktop Infrastructure (VDI)
  • 1—Enable.
  • 0—Do not enable.
  • No value—Do not enable.

LAUNCHPROGRAM
  Whether to start the Network Agent service after installation
  • 1—Start.
  • Other value or no value—Do not start.

NAGENTTAGS
  Tag for Network Agent (has priority over the tag given in the response file)
  String value.

See also:

General information

Installation in silent mode (with a response file)

Installing Network Agent in non-interactive (silent) mode

Installation of Network Agent in silent mode (without a response file)

Ports used by Kaspersky Security Center

Partial installation configuration through setup.exe

Administration Server installation parameters

[Topic 92478]

Virtual infrastructure

Kaspersky Security Center supports the use of virtual machines. You can install Network Agent and the security application on each virtual machine, and you can protect virtual machines at the hypervisor level. In the first case, you can use either a standard security application or Kaspersky Security for Virtualization Light Agent to protect your virtual machines. In the second case, you can use Kaspersky Security for Virtualization Agentless.

Kaspersky Security Center supports rollbacks of virtual machines to their previous state.

In this section

Tips on reducing the load on virtual machines

Support of dynamic virtual machines

Support of virtual machines copying

See also:

Main installation scenario

[Topic 92479]

Tips on reducing the load on virtual machines

When installing Network Agent on a virtual machine, consider disabling some Kaspersky Security Center features that are of little use on virtual machines.

When installing Network Agent on a virtual machine or on a template intended for generation of virtual machines, we recommend the following actions:

  • If you are running a remote installation, in the properties window of the Network Agent installation package, in the Advanced section, select the Optimize settings for VDI option.
  • If you are running an interactive installation through a Wizard, in the Wizard window, select the Optimize the Network Agent settings for the virtual infrastructure option.

Selecting those options alters the settings of Network Agent so that the following features remain disabled by default (before a policy is applied):

  • Retrieving information about software installed
  • Retrieving information about hardware
  • Retrieving information about vulnerabilities detected
  • Retrieving information about updates required

Usually, those features are not necessary on virtual machines because they use uniform software and virtual hardware.

Disabling the features is reversible. If any of the disabled features is required, you can enable it through the policy of Network Agent, or through the local settings of Network Agent. The local settings of Network Agent are available through the context menu of the relevant device in Administration Console.

See also:

Main installation scenario

[Topic 92480]

Support of dynamic virtual machines

Kaspersky Security Center supports dynamic virtual machines. If a virtual infrastructure has been deployed on the organization's network, dynamic (temporary) virtual machines can be used in certain cases. Dynamic VMs are created under unique names from a template prepared by the administrator. A user works on such a VM for a while; after the VM is turned off, it is removed from the virtual infrastructure. If Kaspersky Security Center has been deployed on the organization's network, a virtual machine with Network Agent installed is added to the Administration Server database, so after the virtual machine is turned off, the corresponding entry must also be removed from the Administration Server database.

To enable automatic removal of the entries for such virtual machines, select the Enable dynamic mode for VDI option when installing Network Agent on a template for dynamic virtual machines.

Avoid selecting the Enable dynamic mode for VDI option when installing Network Agent on physical devices.

If you want events from dynamic virtual machines to be stored on the Administration Server for a while after you remove those virtual machines, then, in the Administration Server properties window, in the Events repository section, select the Store events after devices are deleted option and specify the maximum storage term for events (in days).

See also:

Main installation scenario

[Topic 92481]

Support of virtual machines copying

Copying a virtual machine with Network Agent installed, or creating one from a template with Network Agent installed, is identical to deploying Network Agents by capturing and copying a hard drive image. So, in the general case, when copying virtual machines you need to perform the same actions as when deploying Network Agent by copying a disk image.

However, in the two cases described below Network Agent detects the copying automatically, so you do not have to perform the sophisticated operations described under "Deployment by capturing and copying the hard drive of a device":

  • The Enable dynamic mode for VDI option was selected when Network Agent was installed—After each restart of the operating system, this virtual machine will be recognized as a new device, regardless of whether it has been copied or not.
  • One of the following hypervisors is in use: VMware, HyperV, or Xen. Network Agent detects the copying of the virtual machine by the changed IDs of the virtual hardware.

Analysis of changes in virtual hardware is not absolutely reliable. Before applying this method widely, you must test it on a small pool of virtual machines for the version of the hypervisor currently used in your organization.

See also:

Main installation scenario

[Topic 92482]

Support of file system rollback for devices with Network Agent

Kaspersky Security Center is a distributed application. Rolling back the file system to a previous state on a device with Network Agent installed will lead to data desynchronization and improper functioning of Kaspersky Security Center.

The file system (or a part of it) can be rolled back in the following cases:

  • When copying an image of the hard drive.
  • When restoring a state of the virtual machine by means of the virtual infrastructure.
  • When restoring data from a backup copy or a recovery point.

Only scenarios in which third-party software on devices with Network Agent installed affects the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\ folder are critical for Kaspersky Security Center. Therefore, always exclude this folder from the recovery procedure, if possible.

Because the workplace rules of some organizations provide for rollbacks of the file system on devices, support for file system rollback on devices with Network Agent installed has been added to Kaspersky Security Center, starting with version 10 Maintenance Release 1 (Administration Server and Network Agents must be of version 10 Maintenance Release 1 or later). When a rollback is detected, the affected devices are automatically reconnected to the Administration Server with full data cleansing and full synchronization.

By default, support of file system rollback detection is enabled in Kaspersky Security Center 13.1.

As much as possible, avoid rolling back the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\ folder on devices with Network Agent installed, because full resynchronization of data requires a large amount of resources.

A rollback of the system state is absolutely not allowed on a device with Administration Server installed. Nor is a rollback of the database used by Administration Server.

You can restore a state of Administration Server from a backup copy only with the standard klbackup utility.

[Topic 92483]

Local installation of applications

This section provides an installation procedure for applications that can be installed on local devices only.

To perform local installation of applications on a specific client device, you must have administrator rights on this device.

To install applications locally on a specific client device:

  1. Install Network Agent on the client device and configure the connection between the client device and Administration Server.
  2. Install the requisite applications on the device as described in the guides of these applications.
  3. Install a management plug-in for each of the installed applications on the administrator's workstation.

Kaspersky Security Center also supports the option of local installation of applications using a stand-alone installation package. Kaspersky Security Center does not support installation of all Kaspersky applications.

In this section

Local installation of Network Agent

Installing Network Agent in non-interactive (silent) mode

Installing Network Agent for Linux in silent mode (with an answer file)

Local installation of the application management plug-in

Installing applications in non-interactive mode

Installing applications by using stand-alone packages

Network Agent installation package settings

Viewing the Privacy Policy

See also:

List of supported Kaspersky applications

Main installation scenario

[Topic 6391]

Local installation of Network Agent

To install Network Agent on a device locally:

  1. On the device, run the setup.exe file from the distribution package downloaded from the internet.

    A window opens prompting you to select Kaspersky applications to install.

  2. In the application selection window, click the Install only Kaspersky Security Center 13.1 Network Agent link to start the Network Agent Setup Wizard. Follow the instructions of the Wizard.

    While the Installation Wizard is running, you can specify the advanced settings of Network Agent (see below).

  3. If you want to use your device as the connection gateway for a specific administration group, in the Connection gateway window of the Setup Wizard select Use Network Agent as a connection gateway in DMZ.
  4. To configure Network Agent during installation on a virtual machine:
    1. If you plan to create dynamic virtual machines from the virtual machine image, enable dynamic mode of Network Agent for Virtual Desktop Infrastructure (VDI). To do this, in the Advanced Settings window of the Setup Wizard, select the Enable dynamic mode for VDI option. 

      Skip this step if you do not plan to create dynamic virtual machines from the virtual machine image.

    2. Optimize the Network Agent operation for VDI. To do this, in the Advanced Settings window of the Setup Wizard, select the Optimize the Kaspersky Security Center Network Agent settings for the virtual infrastructure option.

      Scanning of executable files for vulnerabilities at the device startup will be disabled. Also, this disables the sending of information about the following objects to Administration Server:

      • Hardware registry
      • Applications installed on the device
      • Microsoft Windows updates that must be installed on the local client device
      • Software vulnerabilities detected on the local client device

      You can later enable the sending of this information in the Network Agent properties or in the Network Agent policy settings.

When the Setup Wizard finishes, Network Agent will be installed on the device.

You can view the properties of the Kaspersky Security Center Network Agent service; you can also start, stop, and monitor Network Agent activity by means of standard Microsoft Windows tools: Computer Management\Services.

See also:

Support of dynamic virtual machines

Viewing the Privacy Policy

[Topic 6392]

Installing Network Agent in non-interactive (silent) mode

Network Agent can be installed in non-interactive mode, that is, without the interactive input of installation parameters. Non-interactive installation uses a Windows Installer package (MSI) for Network Agent. The MSI file is located in the Kaspersky Security Center distribution package, in the Packages\NetAgent\exec folder.

To install Network Agent on a local device in non-interactive mode:

  1. Read the End User License Agreement. Use the command below only if you understand and accept the terms of the End User License Agreement.
  2. Run the command

    msiexec /i "Kaspersky Network Agent.msi" /qn <setup_parameters>

    where setup_parameters is a list of parameters and their respective values, separated by a space (PROP1=PROP1VAL PROP2=PROP2VAL).

    In the list of parameters, you must include EULA=1. Otherwise Network Agent will not be installed.

If you use the standard connection settings for Kaspersky Security Center 11 and later and for Network Agent on remote devices, run the following command:

msiexec /i "Kaspersky Network Agent.msi" /qn /l*vx c:\windows\temp\nag_inst.log SERVERADDRESS=kscserver.mycompany.com EULA=1

/l*vx is the key for writing logs. The log is created during the installation of Network Agent and saved at C:\windows\temp\nag_inst.log.

In addition to nag_inst.log, the application creates the $klssinstlib.log file, which contains the installation log. This file is stored in the %windir%\temp or %temp% folder. For troubleshooting purposes, you or a Kaspersky Technical Support specialist may need both log files—nag_inst.log and $klssinstlib.log.

If you need to additionally specify the port for connection to the Administration Server run the command:

msiexec /i "Kaspersky Network Agent.msi" /qn /l*vx c:\windows\temp\nag_inst.log SERVERADDRESS=kscserver.mycompany.com EULA=1 SERVERPORT=14000

The parameter SERVERPORT corresponds to the number of port for connection to Administration Server.

The names and possible values for parameters that can be used when installing Network Agent in non-interactive mode are listed in the Network Agent installation parameters section.

See also:

Network Agent installation parameters

Administration Server installation parameters

Installation of Network Agent in silent mode (without a response file)

Viewing the Privacy Policy

[Topic 73101]

Installing Network Agent for Linux in silent mode (with an answer file)

You can install Network Agent on Linux devices by using an answer file—a text file that contains a custom set of installation parameters: variables and their respective values. Using this answer file allows you to run an installation in the silent (non-interactive) mode, that is, without user participation.

To perform installation of Network Agent for Linux in silent mode:

  1. Prepare the relevant Linux device for remote installation. Download the Network Agent .deb or .rpm package and create the remote installation package from it by means of any suitable package management system.
  2. Read the End User License Agreement. Follow the steps below only if you understand and accept the terms of the End User License Agreement.
  3. Set the value of the KLAUTOANSWERS environment variable by entering the full name of the answer file (including the path), for example, as follows:

    export KLAUTOANSWERS=/tmp/nagent_install/answers.txt

  4. Create the answer file (in TXT format) in the directory that you have specified in the environment variable. Add to the answer file a list of variables in the VARIABLE_NAME=variable_value format, each variable on a separate line.

    For correct usage of the answer file, you must include in it a minimum set of the three required variables:

    • KLNAGENT_SERVER
    • KLNAGENT_AUTOINSTALL
    • EULA_ACCEPTED

    You can also add any optional variables to use more specific parameters of your remote installation. The following table lists all of the variables that can be included in the answer file:

    Variables of the answer file used as parameters of Network Agent for Linux installation in silent mode

    Variables of the answer file used as parameters of Network Agent for Linux installation in silent mode

    • KLNAGENT_SERVER (required)
      Contains the Administration Server name presented as a fully qualified domain name (FQDN) or IP address.
      Possible values: DNS name or IP address.

    • KLNAGENT_AUTOINSTALL (required)
      Defines whether silent (non-interactive) installation mode is enabled.
      Possible values:
      1—Silent mode is enabled; the user is not prompted for any actions during installation.
      Other—Silent mode is disabled; the user may be prompted for actions during installation.

    • EULA_ACCEPTED (required)
      Defines whether the user accepts the End User License Agreement (EULA) of Network Agent; when missing, can be interpreted as non-acceptance of the EULA.
      Possible values:
      1—I confirm that I have fully read, understand, and accept the terms and conditions of this End User License Agreement.
      Other or not specified—I do not accept the terms of the License Agreement (installation is not performed).

    • KLNAGENT_PROXY_USE (optional)
      Defines whether connection with the Administration Server will use proxy settings. The default value is 0.
      Possible values:
      1—Proxy settings are used.
      Other—Proxy settings are not used.

    • KLNAGENT_PROXY_ADDR (optional)
      Defines the address of the proxy server used for connection with the Administration Server.
      Possible values: DNS name or IP address.

    • KLNAGENT_PROXY_LOGIN (optional)
      Defines the user name used for login to the proxy server.
      Possible values: Any existing user name.

    • KLNAGENT_PROXY_PASSWORD (optional)
      Defines the user password used for login to the proxy server.
      Possible values: Any set of alphanumeric characters allowed by the password format in the operating system.

    • KLNAGENT_VM_VDI (optional)
      Defines whether Network Agent is installed on an image for creation of dynamic virtual machines.
      Possible values:
      1—Network Agent is installed on an image, which is subsequently used for creation of dynamic virtual machines.
      Other—No image is used during installation.

    • KLNAGENT_VM_OPTIMIZE (optional)
      Defines whether the Network Agent settings are optimized for a hypervisor.
      Possible values:
      1—The default local settings of Network Agent are modified so that they allow optimized usage on a hypervisor.

    • KLNAGENT_TAGS (optional)
      Lists the tags assigned to the Network Agent instance.
      Possible values: One or multiple tag names separated with semicolons.

    • KLNAGENT_UDP_PORT (optional)
      Defines the UDP port used by Network Agent. The default value is 15000.
      Possible values: Any existing port number.

    • KLNAGENT_PORT (optional)
      Defines the non-TLS port used by Network Agent. The default value is 14000.
      Possible values: Any existing port number.

    • KLNAGENT_SSLPORT (optional)
      Defines the TLS port used by Network Agent. The default value is 13000.
      Possible values: Any existing port number.

    • KLNAGENT_USESSL (optional)
      Defines whether Transport Layer Security (TLS) is used for connection.
      Possible values:
      1 (default)—TLS is used.
      Other—TLS is not used.

    • KLNAGENT_GW_MODE (optional)
      Defines whether a connection gateway is used.
      Possible values:
      1 (default)—The current settings are not modified (at the first call, no connection gateway is specified).
      2—No connection gateway is used.
      3—A connection gateway is used.
      4—The Network Agent instance is used as a connection gateway in the demilitarized zone (DMZ).

    • KLNAGENT_GW_ADDRESS (optional)
      Defines the address of the connection gateway. The value is applicable only if KLNAGENT_GW_MODE=3.
      Possible values: DNS name or IP address.

  5. Install Network Agent:
    • To install Network Agent from an RPM package to a 32-bit operating system, execute the following command:
      # rpm -i klnagent-<build number>.i386.rpm
    • To install Network Agent from an RPM package to a 64-bit operating system, execute the following command:
      # rpm -i klnagent64-<build number>.x86_64.rpm
    • To install Network Agent from an RPM package on a 64-bit operating system for the Arm architecture, execute the following command:
      # rpm -i klnagent64-<build number>.aarch64.rpm
    • To install Network Agent from a DEB package to a 32-bit operating system, execute the following command:
      # apt-get install ./klnagent_<build number>_i386.deb
    • To install Network Agent from a DEB package to a 64-bit operating system, execute the following command:
      # apt-get install ./klnagent64_<build number>_amd64.deb
    • To install Network Agent from a DEB package on a 64-bit operating system for the Arm architecture, execute the following command:
      # apt-get install ./klnagent64_<build number>_arm64.deb

Installation of Network Agent for Linux starts in silent mode; the user is not prompted for any actions during the process.
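The procedure above, carried through as a POSIX shell script: it writes the answer file with the three required variables (and, optionally, a connection gateway), checks the file before the install, and picks the install command for the package format and CPU architecture. This is an added example, not code from the Kaspersky documentation; the server address ksc.example.com, the gateway address, the answer-file path and the build number placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not from the Kaspersky documentation). Server address, paths
# and the build number are placeholders/assumptions.

# Write an answer file with the three required variables plus explicit TLS
# settings; $3 (gateway address) is optional and switches KLNAGENT_GW_MODE to 3.
# $1 = answer-file path, $2 = Administration Server FQDN or IP, $3 = gateway address
write_answer_file() {
    file="$1"; server="$2"; gateway="$3"
    {
        printf 'KLNAGENT_SERVER=%s\n' "$server"
        printf 'KLNAGENT_AUTOINSTALL=1\n'
        printf 'EULA_ACCEPTED=1\n'      # set only after reading the EULA
        printf 'KLNAGENT_USESSL=1\n'    # TLS is the default; keep it explicit
        printf 'KLNAGENT_SSLPORT=13000\n'
        if [ -n "$gateway" ]; then
            printf 'KLNAGENT_GW_MODE=3\n'
            printf 'KLNAGENT_GW_ADDRESS=%s\n' "$gateway"
        fi
    } > "$file"
    chmod 600 "$file"   # the file may carry a proxy password, so keep it private
}

# Return 0 if the answer file holds the three required variables with usable
# values, 1 otherwise. A gateway address without KLNAGENT_GW_MODE=3 is ignored
# by the installer, so it is reported as a mistake too.
check_answer_file() {
    file="$1"
    get() { sed -n "s/^$1=//p" "$file" | tail -n 1; }
    server=$(get KLNAGENT_SERVER)
    auto=$(get KLNAGENT_AUTOINSTALL)
    eula=$(get EULA_ACCEPTED)
    gw_mode=$(get KLNAGENT_GW_MODE)
    gw_addr=$(get KLNAGENT_GW_ADDRESS)
    [ -n "$server" ] || { echo "KLNAGENT_SERVER missing" >&2; return 1; }
    [ "$auto" = "1" ] || { echo "KLNAGENT_AUTOINSTALL must be 1" >&2; return 1; }
    [ "$eula" = "1" ] || { echo "EULA_ACCEPTED must be 1" >&2; return 1; }
    if [ -n "$gw_addr" ] && [ "$gw_mode" != "3" ]; then
        echo "KLNAGENT_GW_ADDRESS is only used with KLNAGENT_GW_MODE=3" >&2
        return 1
    fi
    return 0
}

# Print the install command for a package format (rpm|deb), a machine
# architecture as printed by `uname -m`, and a build number.
install_command() {
    fmt="$1"; arch="$2"; build="$3"
    case "$fmt/$arch" in
        rpm/i?86)    echo "rpm -i klnagent-$build.i386.rpm" ;;
        rpm/x86_64)  echo "rpm -i klnagent64-$build.x86_64.rpm" ;;
        rpm/aarch64) echo "rpm -i klnagent64-$build.aarch64.rpm" ;;
        deb/i?86)    echo "apt-get install ./klnagent_${build}_i386.deb" ;;
        deb/x86_64)  echo "apt-get install ./klnagent64_${build}_amd64.deb" ;;
        deb/aarch64) echo "apt-get install ./klnagent64_${build}_arm64.deb" ;;
        *) echo "unsupported package format or architecture: $fmt/$arch" >&2; return 1 ;;
    esac
}

# Usage (run as root in the directory holding the package; build number is a placeholder):
# mkdir -p /tmp/nagent_install
# write_answer_file /tmp/nagent_install/answers.txt ksc.example.com
# check_answer_file /tmp/nagent_install/answers.txt || exit 1
# export KLAUTOANSWERS=/tmp/nagent_install/answers.txt
# $(install_command deb "$(uname -m)" "<build number>")
```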

Page top
[Topic 199693]

Local installation of the application management plug-in

To install the application management plug-in:

On a device with Administration Console installed, run the klcfginst.exe executable file, which is included in the application distribution package.

The klcfginst.exe file is included in all applications that can be managed through Kaspersky Security Center. Installation is facilitated by the Wizard and requires no manual configuration of settings.

Page top
[Topic 6393]

Installing applications in non-interactive mode

To install an application in non-interactive mode:

  1. Open the main window of Kaspersky Security Center.
  2. In the Remote installation folder of the console tree, in the Installation packages subfolder, select the installation package of the relevant application or create a new one for that application.

    The installation package will be stored on the Administration Server in the Packages service folder that is in the shared folder. A separate subfolder corresponds to each installation package.

  3. Open the folder storing the required installation package in one of the following ways:
    • By copying the folder corresponding to the relevant installation package from the Administration Server to the client device. Then open the copied folder on the client device.
    • By opening, from the client device, the shared folder that corresponds to the required installation package on the Administration Server.

    If the shared folder is located on a device that has Microsoft Windows Vista installed, you must set the Disabled value for the User account control: Run all administrators in Admin Approval Mode setting (Start → Control Panel → Administration → Local security policy → Security settings).

  4. Depending on the selected application, do the following:
    • For Kaspersky Anti-Virus for Windows Workstations, Kaspersky Anti-Virus for Windows Servers, and Kaspersky Security Center, navigate to the exec subfolder and run the executable file (the file with the .exe extension) with the /s key.
    • For other Kaspersky applications, run the executable file (a file with the .exe extension) with the /s key from the open folder.

    Running the executable file with the EULA=1 and PRIVACYPOLICY=1 keys means that you have fully read, understand and accept the terms of the End User License Agreement and the Privacy Policy, respectively. You are also aware that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy. The text of the License Agreement and the Privacy Policy is included in the Kaspersky Security Center distribution kit. Accepting the terms of the License Agreement and the Privacy Policy is necessary for installing the application or upgrading a previous version of the application.

Page top
[Topic 6394]

Installing applications by using stand-alone packages

Kaspersky Security Center lets you create stand-alone installation packages for applications. A stand-alone installation package is an executable file that can be located on the Web Server, sent by email, or transferred to a client device by another method. The received file can be run locally on the client device to install an application without involving Kaspersky Security Center.

To install an application using a stand-alone installation package:

  1. Connect to the necessary Administration Server.
  2. In the Remote installation folder of the console tree, select the Installation packages subfolder.
  3. In the workspace, select the installation package of the required application.
  4. Start the process of creating a stand-alone installation package in one of the following ways:
    • By selecting Create stand-alone installation package in the context menu of the installation package.
    • By clicking the Create stand-alone installation package link in the workspace of the installation package.

    The Stand-alone Installation Package Creation Wizard starts. Follow the instructions of the Wizard.

    At the final step of the Wizard, select a method for transferring the stand-alone installation package to the client device.

  5. Transfer the stand-alone installation package to the client device.
  6. Run the stand-alone installation package on the client device.

The application is now installed on the client device with the settings specified in the stand-alone package.

When you create a stand-alone installation package, it is automatically published on Web Server. The link for downloading the stand-alone package is displayed in the list of created stand-alone installation packages. If necessary, you can cancel publication of the selected stand-alone package and republish it on the Web Server. By default, port 8060 is used for downloading stand-alone installation packages.

Page top
[Topic 13020]

Network Agent installation package settings

To configure a Network Agent installation package:

  1. In the Remote installation folder of the console tree, select the Installation packages subfolder.

    The Remote installation folder is a subfolder of the Advanced folder by default.

  2. In the context menu of the Network Agent installation package, select Properties.

The Network Agent installation package properties window opens.

General

The General section displays general information about the installation package:

  • Installation package name
  • Name and version of the application for which the installation package has been created
  • Installation package size
  • Installation package creation date
  • Path to the installation package folder

Settings

This section presents the settings required to ensure proper functioning of Network Agent immediately after it is installed. The settings in this section are available only on devices running Windows.

In the Destination folder group of settings, you can select the client device folder in which Network Agent will be installed.

  • Install in default folder

    If this option is selected, Network Agent will be installed in the <Drive>:\Program Files\Kaspersky Lab\NetworkAgent folder. If this folder does not exist, it will be created automatically.

    By default, this option is selected.

  • Install in specified folder

    If this option is selected, Network Agent will be installed in the folder specified in the entry field.

In the following group of settings, you can set a password for the Network Agent remote uninstallation task:

  • Use uninstallation password

    If this option is enabled, by clicking the Modify button you can enter the uninstall password (only available for Network Agent on devices running Windows operating systems).

    By default, this option is disabled.

  • Status

    Status of the password: Password set or Password not set.

    By default, no password is set.

  • Protect Network Agent service against unauthorized removal or termination, and to prevent changes to the settings

    After Network Agent is installed on a managed device, the component cannot be removed or reconfigured without required privileges. The Network Agent service cannot be stopped.

    By default, this option is disabled.

  • Automatically install applicable updates and patches for components that have the Undefined status

    If this option is enabled, all downloaded updates and patches for Administration Server, Network Agent, Administration Console, Exchange Mobile Device Server, and iOS MDM Server will be installed automatically (automatic updating and patching is only available starting from Kaspersky Security Center 10 Service Pack 2 version).

    If this option is disabled, all downloaded updates and patches will only be installed after you change their status to Approved. Updates and patches with Undefined status will not be installed.

    By default, this option is enabled.

Connection

In this section, you can configure connection of Network Agent to the Administration Server. To establish a connection, you can use the SSL or UDP protocol. For configuring the connection, specify the following settings:

  • Administration Server

    Address of the device with Administration Server installed.

  • Port

    Port number that is used for connection.

  • SSL port

    Port number that is used for connection over the SSL protocol.

  • Use Server certificate

    If this option is enabled, authentication of Network Agent access to the Administration Server will use the certificate file that you can specify by clicking the Browse button.

    If this option is disabled, the certificate file will be received from the Administration Server at the first connection of Network Agent to the address specified in the Server address field.

    We do not recommend disabling this option, because automatic receipt of an Administration Server certificate by Network Agent upon connection to the Administration Server is considered insecure.

    By default, this check box is selected.

  • Use SSL

    If this option is enabled, connection to the Administration Server is established through a secure port via SSL.

    By default, this option is disabled. We recommend that you do not disable this option so your connection remains secured.

  • Use UDP port

    If this option is enabled, Network Agent connects to Administration Server through a UDP port. This allows you to manage client devices and receive information about them.

    The UDP port must be open on managed devices where Network Agent is installed. Therefore, we recommend that you do not disable this option.

    By default, this option is enabled.

  • UDP port number

    In this field you can specify the port to connect Network Agent to Administration Server using UDP protocol.

    The default UDP port is 15000.

  • Open Network Agent ports in Microsoft Windows Firewall

    If this option is enabled, after you install Network Agent on the client device, a UDP port is added to the list of Microsoft Windows Firewall exclusions. This UDP port is required for Network Agent to run properly.

    By default, this option is enabled.

Advanced

In the Advanced section, you can configure how to use the connection gateway. For this purpose, you can do the following:

  • Use Network Agent as a connection gateway in the demilitarized zone (DMZ) to connect to Administration Server, communicate with it, and keep data on the Network Agent safe during data transmission.
  • Connect to Administration Server by using a connection gateway to reduce the number of connections to the Administration Server. In this case, enter the address of the device that will act as the connection gateway in the Connection gateway address field.
  • Configure the connection for Virtual Desktop Infrastructure (VDI) if your network includes virtual machines. For this purpose, do the following:
    • Enable dynamic mode for VDI

      If this option is enabled, dynamic mode for Virtual Desktop Infrastructure (VDI) will be enabled for Network Agent installed on a virtual machine.

      By default, this option is disabled.

    • Optimize settings for VDI

      If this option is enabled, the following features are disabled in the Network Agent settings:

      • Retrieving information about software installed
      • Retrieving information about hardware
      • Retrieving information about vulnerabilities detected
      • Retrieving information about updates required

      By default, this option is disabled.

Additional components

In this section, you can select additional components for concurrent installation with Network Agent.

Tags

The Tags section displays a list of keywords (tags) that can be added to client devices after Network Agent installation. You can add and remove tags from the list, as well as rename them.

If the check box is selected next to a tag, this tag is automatically added to managed devices during Network Agent installation.

If the check box is cleared next to a tag, the tag will not automatically be added to managed devices during Network Agent installation. You can manually add this tag to devices.

When removing a tag from the list, it is automatically removed from all devices to which it was added.

Revision history

In this section, you can view the history of the installation package revisions. You can compare revisions, view revisions, save revisions to a file, and add and edit revision descriptions.

Network Agent installation package settings available to a specific operating system are given in the table below.

Network Agent installation package settings

Property section        Windows     Mac             Linux
General                 Included    Included        Included
Settings                Included    Excluded        Excluded
Connection              Included    Included (1)    Included (1)
Advanced                Included    Included        Included
Additional components   Included    Included        Included
Tags                    Included    Included (2)    Included (2)
Revision history        Included    Included        Included

(1) Except for the Open Network Agent ports in Microsoft Windows Firewall and Use only automatic detection of proxy server options.

(2) Except for the automatic tagging rules.

Page top

[Topic 154925]

Viewing the Privacy Policy

The Privacy Policy is available online at https://www.kaspersky.com/products-and-services-privacy-policy; it is also available offline. You can read the Privacy Policy, for example, before installing Network Agent.

To read the Privacy Policy offline:

  1. Start the installer of Kaspersky Security Center.
  2. In the installer window, proceed to the Extract installation packages link.
  3. In the list that opens, select Kaspersky Security Center 13.1 Network Agent, and then click Next.

The privacy_policy.txt file appears on your device, in the folder that you specified, in the NetAgent_<current version> subfolder.

Page top

[Topic 204023]
[Topic 64428]

Deploying a system for management via Exchange ActiveSync protocol

Kaspersky Security Center allows you to manage mobile devices that are connected to the Administration Server using the Exchange ActiveSync protocol. Exchange ActiveSync (EAS) mobile devices are those connected to an Exchange Mobile Device Server and managed by Administration Server.

The following operating systems support Exchange ActiveSync protocol:

  • Windows Phone 8
  • Windows Phone 8.1
  • Windows 10 Mobile
  • Android
  • iOS

The set of management settings for an Exchange ActiveSync device is dependent on the operating system under which the mobile device is running. For details on the support features of Exchange ActiveSync protocol for a specific operating system, please refer to the documentation enclosed with the operating system.

Deployment of a mobile device management system using Exchange ActiveSync protocol includes the following steps:

  1. The administrator installs Exchange Mobile Device Server on the selected client device.
  2. The administrator creates a management profile(s) in Administration Console for managing EAS devices and adds the profile(s) to the mailboxes of Exchange ActiveSync users.

    A management profile of Exchange ActiveSync mobile devices is an ActiveSync policy used on a Microsoft Exchange server for managing Exchange ActiveSync mobile devices. Only one EAS device management profile can be assigned to a Microsoft Exchange mailbox.

    Users of mobile EAS devices connect to their Exchange mailboxes. Any management profile imposes some restrictions on mobile devices.

In this section

Installing Mobile Device Server for Exchange ActiveSync

Connecting mobile devices to an Exchange Mobile Device Server

Configuring the Internet Information Services web server

Local installation of an Exchange Mobile Device Server

Remote installation of an Exchange Mobile Device Server

Page top
[Topic 89536]

Installing Mobile Device Server for Exchange ActiveSync

An Exchange Mobile Device Server is installed on a client device with a Microsoft Exchange server installed. We recommend that you install the Exchange Mobile Device Server on a Microsoft Exchange server with the Client Access role assigned. If several Microsoft Exchange servers with the Client Access role in the same domain are combined into a Client Access Array, it is recommended to install the Exchange Mobile Device Server on each Microsoft Exchange server in that array in cluster mode.

To install an Exchange Mobile Device Server on a local device:

  1. Run the setup.exe executable file.

    A window opens prompting you to select Kaspersky applications to install.

  2. In the applications selection window, click the Install Exchange Mobile Device Server link to run the Setup Wizard of Exchange Mobile Device Server.
  3. In the Installation settings window, select the type of Exchange Mobile Device Server installation:
    • To install Exchange Mobile Device Server with the default settings, select Standard installation and click the Next button.
    • To define the settings for installation of the Exchange Mobile Device Server manually, select Custom installation and click Next. Then do the following:
      1. Select the destination folder in the Destination Folder window. The default folder is <Disk>:\Program Files\Kaspersky Lab\Mobile Device Management for Exchange. If such a folder does not exist, it is created automatically during the installation. You can change the destination folder by using the Browse button.
      2. Choose the type of Exchange Mobile Device Server installation in the Installation mode window: normal mode or cluster mode.
      3. In the Select Account window, choose an account that will be used to manage mobile devices:
        • Create account and role group automatically. The account will be created automatically.
        • Specify an account. The account is selected manually. Click the Browse button to select the user whose account will be used and specify the password. The selected user must belong to a group that has rights to manage mobile devices using ActiveSync.
      4. In the IIS settings window, allow or prohibit automatic configuration of the Internet Information Services (IIS) web server properties.

        If you have prohibited automatic configuration of the Internet Information Services (IIS) properties, enable the "Windows authentication" mechanism manually in the IIS settings for the Microsoft PowerShell virtual directory. If the "Windows authentication" mechanism is disabled, Exchange Mobile Device Server will not operate correctly. Please refer to the IIS documentation for more information about configuring IIS.

      5. Click Next.
  4. In the window that opens, verify the Exchange Mobile Device Server installation properties, and then click Install.

When the Wizard finishes, the Exchange Mobile Device Server is installed on the local device. The Exchange Mobile Device Server will be displayed in the Mobile Device Management folder in the console tree.

Page top
[Topic 64431]

Connecting mobile devices to an Exchange Mobile Device Server

Before connecting any mobile devices, you must configure Microsoft Exchange Server in order to allow the devices to be connected using ActiveSync protocol.

To connect a mobile device to an Exchange Mobile Device Server, the user connects to his or her Microsoft Exchange mailbox from the mobile device through ActiveSync. When connecting, the user must specify the connection settings in the ActiveSync client, such as email address and email password.

The user's mobile device, connected to the Microsoft Exchange server, is displayed in the Mobile devices subfolder contained in the Mobile Device Management folder in the console tree.

After the Exchange ActiveSync mobile device is connected to an Exchange Mobile Device Server, the administrator can manage the connected Exchange ActiveSync mobile device.

Page top
[Topic 64430]

Configuring the Internet Information Services web server

When using Microsoft Exchange Server (versions 2010 and 2013), you have to activate the Windows authentication mechanism for a Windows PowerShell virtual directory in the settings of the Internet Information Services (IIS) web server. This authentication mechanism is activated automatically if the Configure Microsoft Internet Information Services (IIS) automatically option is selected in the Exchange Mobile Device Server Installation Wizard (default option).

Otherwise, you will have to activate the authentication mechanism on your own.

To activate the Windows authentication mechanism for a PowerShell virtual directory manually:

  1. In Internet Information Services (IIS) Manager console, open the properties of the PowerShell virtual directory.
  2. Go to the Authentication section.
  3. Select Microsoft Windows Authentication, and then click the Enable button.
  4. Open Advanced Settings.
  5. Select the Enable Kernel-mode authentication option.
  6. In the Extended protection drop-down list, select Required.

When using Microsoft Exchange Server 2007, the IIS web server requires no configuration.

Page top
[Topic 92511]

Local installation of an Exchange Mobile Device Server

For a local installation of an Exchange Mobile Device Server, the administrator must perform the following operations:

  1. Copy the contents of the \Server\Packages\MDM4Exchange\ folder from the Kaspersky Security Center distribution package to a client device.
  2. Run the setup.exe executable file.

Local installation includes two types of installation:

  • Standard installation is a simplified installation that does not require the administrator to define any settings; it is recommended in most cases.
  • Extended installation is an installation that requires the administrator to define the following settings:

The Exchange Mobile Device Server Installation Wizard must be run under an account that has all of the required rights.

Page top
[Topic 92512]

Remote installation of an Exchange Mobile Device Server

To configure the remote installation of Exchange Mobile Device Server, the administrator must perform the following actions:

  1. In the tree of Kaspersky Security Center Administration Console, select the Remote installation folder, then the Installation packages subfolder.
  2. In the Installation packages subfolder, open the properties of the Exchange Mobile Device Server package.
  3. Go to the Settings section.

    This section contains the same settings as those used for the local installation of the application.

After the remote installation is configured, you can start installing Exchange Mobile Device Server.

To install Exchange Mobile Device Server:

  1. In the tree of Kaspersky Security Center Administration Console, select the Remote installation folder, then the Installation packages subfolder.
  2. In the Installation packages subfolder, select the Exchange Mobile Device Server package.
  3. Open the context menu of the package and select Install application.
  4. In the Remote Installation Wizard that opens, select a device (or multiple devices for installation in cluster mode).
  5. In the Run application Setup Wizard under specified account field, specify the account under which the installation process will be run on the remote device.

    The account must have the required rights.

Page top
[Topic 92513]

Deploying a system for management using iOS MDM protocol

Kaspersky Security Center allows you to manage mobile devices running iOS. iOS MDM mobile devices refer to iOS mobile devices that are connected to an iOS MDM Server and managed by an Administration Server.

Connection of mobile devices to an iOS MDM Server is performed in the following sequence:

  1. The administrator installs iOS MDM Server on the selected client device. Installation of iOS MDM Server is performed using the standard tools of the operating system.
  2. The administrator retrieves an Apple Push Notification Service (APNs) certificate.

    The APNs certificate allows Administration Server to connect to the APNs server to send push notifications to iOS MDM mobile devices.

  3. The administrator installs the APNs certificate on the iOS MDM Server.
  4. The administrator creates an iOS MDM profile for the user of the iOS mobile device.

    The iOS MDM profile contains a collection of settings for connecting iOS mobile devices to Administration Server.

  5. The administrator issues a shared certificate to the user.

    The shared certificate is required to confirm that the mobile device is owned by the user.

  6. The user clicks the link sent by the administrator and downloads an installation package to the mobile device.

    The installation package contains a certificate and an iOS MDM profile.

    After the iOS MDM profile is downloaded and the iOS MDM mobile device is synchronized with the Administration Server, the device is displayed in the Mobile devices folder, which is a subfolder of the Mobile Device Management folder in the console tree.

  7. The administrator adds a configuration profile on the iOS MDM Server and installs the configuration profile on the mobile device after it is connected.

    The configuration profile contains a collection of settings and restrictions for the iOS MDM mobile device, for example, settings for installation of applications, settings for the use of various features of the device, email and scheduling settings. A configuration profile allows you to configure iOS MDM mobile devices in accordance with the organization's security policies.

  8. If necessary, the administrator adds provisioning profiles on the iOS MDM Server and then installs these provisioning profiles on mobile devices.

    A provisioning profile is a profile that is used for managing applications distributed in ways other than through the App Store. A provisioning profile contains information about the license; it is linked to a specific application.

In this section

Installing iOS MDM Server

Installing iOS MDM Server in non-interactive mode

iOS MDM Server deployment scenarios

Simplified deployment scheme

Deployment scheme involving Kerberos constrained delegation (KCD)

Use of iOS MDM Server by multiple virtual Servers

Receiving an APNs certificate

Renewing an APNs certificate

Configuring a reserve iOS MDM Server certificate

Installing an APNs certificate on an iOS MDM Server

Configuring access to Apple Push Notification service

Issuing and installing a shared certificate on a mobile device

Page top
[Topic 64664]

Installing iOS MDM Server

To install iOS MDM Server on a local device:

  1. Run the setup.exe executable file.

    A window opens prompting you to select Kaspersky applications to install.

    In the applications selection window, click the Install iOS MDM Server link to run the iOS MDM Server Setup Wizard.

  2. Select a destination folder.

    The default destination folder is <Disk>:\Program Files\Kaspersky Lab\Mobile Device Management for iOS. If such a folder does not exist, it is created automatically during the installation. You can change the destination folder by using the Browse button.

  3. In the Specify the settings for connection to iOS MDM Server window of the Wizard, in the External port for connection to iOS MDM service field, specify an external port for connecting mobile devices to the iOS MDM service.

    External port 5223 is used by mobile devices for communication with the APNs server. Make sure that port 5223 is open in the firewall for connection with the address range 17.0.0.0/8.

    Port 443 is used for connection to iOS MDM Server by default. If port 443 is already in use by another service or application, it can be replaced with, for example, port 9443.

    The iOS MDM Server uses external port 2197 to send notifications to the APNs server.

    APNs servers run in load-balancing mode. Mobile devices do not always connect to the same IP addresses to receive notifications. The 17.0.0.0/8 address range is reserved for Apple, and it is therefore recommended to specify this entire range as an allowed range in Firewall settings.

  4. If you want to configure interaction ports for application components manually, select the Set up local ports manually option, and then specify values for the following settings:
    • Port for connection to Network Agent. In this field, specify a port for connecting the iOS MDM service to Network Agent. The default port number is 9799.
    • Local port to connect to iOS MDM service. In this field, specify a local port for connecting Network Agent to the iOS MDM service. The default port number is 9899.

    It is recommended to use default values.

  5. In the External address of Mobile Device Server window of the Wizard, in the Web address for remote connection to Mobile Device Server field, specify the address of the client device on which iOS MDM Server is to be installed.

    This address will be used for connecting managed mobile devices to the iOS MDM service. The client device must be available for connection of iOS MDM devices.

    You can specify the address of a client device in any of the following formats:

    • Device FQDN (such as mdm.example.com)
    • Device NetBIOS name
    • Device IP address

    Please avoid adding the URL scheme and the port number in the address string: these values will be added automatically.

When the Wizard finishes, iOS MDM Server is installed on the local device. The iOS MDM Server is displayed in the Mobile Device Management folder in the console tree.


Installing iOS MDM Server in non-interactive mode

Kaspersky Security Center allows you to install iOS MDM Server on a local device in non-interactive mode, that is, without the interactive input of installation settings.

To install iOS MDM Server on a local device in non-interactive mode:

  1. Read the End User License Agreement. Use the command below only if you understand and accept the terms of the End User License Agreement.
  2. Run the following command:

    .\exec\setup.exe /s /v"DONT_USE_ANSWER_FILE=1 EULA=1 <setup_parameters>"

    where setup_parameters is a list of settings and their respective values, separated with spaces (PROP1=PROP1VAL PROP2=PROP2VAL). The setup.exe file is located in the Server folder, which is part of the Kaspersky Security Center distribution kit.

The names and possible values for parameters that can be used when installing iOS MDM Server in non-interactive mode are listed in the table below. Parameters can be specified in any convenient order.

Parameters of iOS MDM Server installation in non-interactive mode

EULA
  Description: Acceptance of the terms of the End User License Agreement. This parameter is mandatory.
  Available values:
    • 1—I have fully read, understand and accept the terms of the End User License Agreement.
    • Other value or no value—I do not accept the terms of the License Agreement (installation is not performed).

DONT_USE_ANSWER_FILE
  Description: Whether or not to use an XML file with iOS MDM Server installation settings. The XML file is included in the installation package or stored on the Administration Server. You do not have to specify an additional path to the file. This parameter is mandatory.
  Available values:
    • 1—Do not use the XML file with parameters.
    • Other value or no value—Use the XML file with parameters.

INSTALLDIR
  Description: The iOS MDM Server installation folder. This parameter is optional.
  Available values: String value, for example, INSTALLDIR=\"C:\install\"

CONNECTORPORT
  Description: Local port for connecting the iOS MDM service to Network Agent. The default port number is 9799. This parameter is optional.
  Available values: Numerical value.

LOCALSERVERPORT
  Description: Local port for connecting Network Agent to the iOS MDM service. The default port number is 9899. This parameter is optional.
  Available values: Numerical value.

EXTERNALSERVERPORT
  Description: Port for connecting a device to iOS MDM Server. The default port number is 443. This parameter is optional.
  Available values: Numerical value.

EXTERNAL_SERVER_URL
  Description: External address of the client device on which iOS MDM Server is to be installed. This address will be used for connecting managed mobile devices to the iOS MDM service. The client device must be available for connection through iOS MDM. The address must not include the URL scheme and number of the port because these values will be added automatically. This parameter is optional.
  Available values:
    • Device FQDN (such as mdm.example.com)
    • Device NetBIOS name
    • Device IP address

WORKFOLDER
  Description: Work folder of iOS MDM Server. If no work folder is specified, data will be written to the default folder. This parameter is optional.
  Available values: String value, for example, WORKFOLDER=\"C:\work\"

MTNCY
  Description: Use of iOS MDM Server by multiple virtual Servers. This parameter is optional.
  Available values:
    • 1—iOS MDM Server will be used by multiple virtual Administration Servers.
    • Other value or no value—iOS MDM Server will not be used by multiple virtual Administration Servers.

Example:

.\exec\setup.exe /s /v"EULA=1 DONT_USE_ANSWER_FILE=1 EXTERNALSERVERPORT=9443 EXTERNAL_SERVER_URL=\"www.test-mdm.com\""

The iOS MDM Server installation parameters are given in detail in section "Installing iOS MDM Server".
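The following PowerShell script is an added example, not part of the Kaspersky Security Center documentation. It validates the non-interactive installation settings against the rules stated above (EULA=1 is mandatory, ports are numeric, EXTERNAL_SERVER_URL carries neither a URL scheme nor a port) and builds the setup.exe command line with the same nested-quote convention as the example, so that the line can be reviewed before it is run. The setup path and the sample address are assumptions.

```powershell
# Added example, not part of the Kaspersky Security Center documentation.
# Validates the non-interactive setup parameters from the table above and
# builds the setup.exe command line with the page's quoting convention:
# an outer /v"..." string whose inner string values are wrapped in \" ... \".
# The setup path and all sample values are assumptions.

function Test-MdmExternalAddress {
    # EXTERNAL_SERVER_URL must be a bare FQDN, NetBIOS name or IPv4 address:
    # no URL scheme and no port number, because setup adds those itself.
    param([Parameter(Mandatory)][string]$Address)
    if ($Address -match '^[A-Za-z][A-Za-z0-9+.-]*://') {
        throw "EXTERNAL_SERVER_URL must not contain a URL scheme: $Address"
    }
    if ($Address -match ':\d+$') {
        throw "EXTERNAL_SERVER_URL must not contain a port number: $Address"
    }
    if ($Address -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') {
        throw "EXTERNAL_SERVER_URL is not a valid host name or IPv4 address: $Address"
    }
    return $true
}

function Test-MdmPort {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][int]$Port)
    if ($Port -lt 1 -or $Port -gt 65535) {
        throw "$Name must be between 1 and 65535, got $Port"
    }
    return $true
}

function New-MdmSetupCommandLine {
    param(
        [Parameter(Mandatory)][string]$ExternalServerUrl,
        [int]$ExternalServerPort = 443,   # EXTERNALSERVERPORT default from the table
        [int]$ConnectorPort      = 9799,  # CONNECTORPORT default
        [int]$LocalServerPort    = 9899,  # LOCALSERVERPORT default
        [string]$InstallDir,
        [string]$WorkFolder,
        [switch]$MultiTenancy,            # MTNCY=1: used by several virtual Administration Servers
        [switch]$AcceptEula,              # set only after reading the End User License Agreement
        [string]$SetupPath = '.\exec\setup.exe'
    )
    if (-not $AcceptEula) {
        throw 'EULA=1 is mandatory: the installation is not performed without it.'
    }
    [void](Test-MdmExternalAddress -Address $ExternalServerUrl)
    [void](Test-MdmPort -Name 'EXTERNALSERVERPORT' -Port $ExternalServerPort)
    [void](Test-MdmPort -Name 'CONNECTORPORT'      -Port $ConnectorPort)
    [void](Test-MdmPort -Name 'LOCALSERVERPORT'    -Port $LocalServerPort)

    $props = @(
        'EULA=1',
        'DONT_USE_ANSWER_FILE=1',
        "EXTERNALSERVERPORT=$ExternalServerPort",
        "CONNECTORPORT=$ConnectorPort",
        "LOCALSERVERPORT=$LocalServerPort",
        "EXTERNAL_SERVER_URL=\`"$ExternalServerUrl\`""
    )
    if ($InstallDir)   { $props += "INSTALLDIR=\`"$InstallDir\`"" }
    if ($WorkFolder)   { $props += "WORKFOLDER=\`"$WorkFolder\`"" }
    if ($MultiTenancy) { $props += 'MTNCY=1' }

    # Same shape as the page's example:
    # .\exec\setup.exe /s /v"EULA=1 DONT_USE_ANSWER_FILE=1 ... EXTERNAL_SERVER_URL=\"mdm.example.com\""
    return "$SetupPath /s /v`"$($props -join ' ')`""
}

# Usage: build and print the command line for review (sample values are assumptions).
$cmd = New-MdmSetupCommandLine -ExternalServerUrl 'mdm.example.com' -ExternalServerPort 9443 -AcceptEula
Write-Output $cmd
```

The function only returns the command line. To execute it after review, pass `/s` and the `/v"..."` string as separate arguments to `Start-Process -FilePath .\exec\setup.exe -ArgumentList ... -Wait -PassThru` and check the returned `ExitCode`, rather than splitting the string again by hand.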


iOS MDM Server deployment scenarios

The number of copies of iOS MDM Server to be installed can be selected either based on available hardware or on the total number of mobile devices covered.

Please keep in mind that the recommended maximum number of mobile devices for a single installation of Kaspersky Device Management for iOS is 50,000. In order to reduce the load, the entire pool of devices can be distributed among several servers that have iOS MDM Server installed.

Authentication of iOS MDM devices is performed through user certificates (any profile installed on a device contains the certificate of the device owner). Thus, two deployment schemes are possible for an iOS MDM Server:

  • Simplified scheme
  • Deployment scheme involving Kerberos constrained delegation (KCD)

See also:

Installing iOS MDM Server

Installing iOS MDM Server in non-interactive mode

Simplified deployment scheme

Deployment scheme involving Kerberos constrained delegation (KCD)

Use of iOS MDM Server by multiple virtual Servers

Receiving an APNs certificate

Renewing an APNs certificate

Configuring a reserve iOS MDM Server certificate

Installing an APNs certificate on an iOS MDM Server

Configuring access to Apple Push Notification service

Issuing and installing a shared certificate on a mobile device


Simplified deployment scheme

When deploying an iOS MDM Server under the simplified scheme, mobile devices connect to the iOS MDM web service directly. In this case, user certificates issued by Administration Server can only be used for device authentication. Integration with Public Key Infrastructure (PKI) is impossible for user certificates.


Deployment scheme involving Kerberos constrained delegation (KCD)

The deployment scheme with Kerberos constrained delegation (KCD) requires the Administration Server and the iOS MDM Server to be located on the internal network of the organization.

This deployment scheme provides for the following:

  • Integration with Microsoft Forefront TMG
  • Use of KCD for authentication of mobile devices
  • Integration with the PKI for applying user certificates

When using this deployment scheme, you must do the following:

  • In Administration Console, in the settings of the iOS MDM web service, select the Ensure compatibility with Kerberos constrained delegation check box.
  • As the certificate for the iOS MDM web service, specify the customized certificate that was defined when the iOS MDM web service was published on TMG.
  • User certificates for iOS devices must be issued by the Certificate Authority (CA) of the domain. If the domain contains multiple root CAs, user certificates must be issued by the CA that was specified when the iOS MDM web service was published on TMG.

    You can ensure that the user certificate complies with this CA-issuance requirement by using one of the following methods:

    • Specify the user certificate in the New iOS MDM Profile Wizard and in the Certificate Installation Wizard.
    • Integrate the Administration Server with the domain's PKI and define the corresponding setting in the rules for issuance of certificates:
      1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
      2. In the workspace of the Certificates folder, click the Configure certificate issuance rules button to open the Certificate issuance rules window.
      3. In the Integration with PKI section, configure integration with the Public Key Infrastructure.
      4. In the Issuance of mobile certificates section, specify the source of certificates.

Below is an example of setup of Kerberos Constrained Delegation (KCD) with the following assumptions:

  • The iOS MDM web service is running on port 443.
  • The name of the device with TMG is tmg.mydom.local.
  • The name of device with the iOS MDM web service is iosmdm.mydom.local.
  • The name of external publishing of the iOS MDM web service is iosmdm.mydom.global.

Service Principal Name for http/iosmdm.mydom.local

In the domain, you have to register the service principal name (SPN) for the device with the iOS MDM web service (iosmdm.mydom.local):

setspn -a http/iosmdm.mydom.local iosmdm

Configuring the domain properties of the device with TMG (tmg.mydom.local)

To delegate traffic, trust the device with TMG (tmg.mydom.local) to the service that is defined by the SPN (http/iosmdm.mydom.local).

To trust the device with TMG to the service defined by the SPN (http/iosmdm.mydom.local), the administrator must perform the following actions:

  1. In the Microsoft Management Console snap-in named "Active Directory Users and Computers", select the device with TMG installed (tmg.mydom.local).
  2. In the device properties, on the Delegation tab, set the Trust this computer for delegation to specified service only toggle to Use any authentication protocol.
  3. Add the SPN (http/iosmdm.mydom.local) to the Services to which this account can present delegated credentials list.

Special (customized) certificate for the published web service (iosmdm.mydom.global)

You have to issue a special (customized) certificate for the iOS MDM web service on the FQDN iosmdm.mydom.global and specify that it replaces the default certificate in the settings of iOS MDM web service in Administration Console.

Please note that the certificate container (file with the p12 or pfx extension) must also contain a chain of root certificates (public keys).

Publishing the iOS MDM web service on TMG

On TMG, for traffic that goes from a mobile device to port 443 of iosmdm.mydom.global, you have to configure KCD on the SPN (http/iosmdm.mydom.local), using the certificate issued for the FQDN (iosmdm.mydom.global). Please note that the publishing rule and the published web service must share the same server certificate.
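The following script is an added example, not part of the Kaspersky Security Center documentation. It checks, from a domain-joined administrative host with the RSAT ActiveDirectory module, that the KCD prerequisites set up above are really in place: the SPN is registered on the iOS MDM host, the TMG computer account delegates to that SPN and only to it, protocol transition ("Use any authentication protocol") is enabled, and unconstrained delegation is not. The computer account names default to the page's sample hosts (tmg.mydom.local and iosmdm.mydom.local) and are assumptions to adjust for your domain.

```powershell
# Added example, not part of the Kaspersky Security Center documentation.
# Verifies the KCD prerequisites from the procedure above. Computer account
# names default to the page's sample hosts and are assumptions.
Import-Module ActiveDirectory

function Test-MdmKcdDelegation {
    param(
        [string]$MdmComputer = 'iosmdm',               # computer account of iosmdm.mydom.local
        [string]$TmgComputer = 'tmg',                  # computer account of tmg.mydom.local
        [string]$Spn         = 'http/iosmdm.mydom.local'
    )
    $r = [ordered]@{}

    # 1. The SPN registered with "setspn -a http/iosmdm.mydom.local iosmdm"
    #    must be present on the iOS MDM host's computer account.
    $mdm = Get-ADComputer -Identity $MdmComputer -Properties servicePrincipalName
    $r.SpnRegistered = [bool]($mdm.servicePrincipalName -contains $Spn)

    # 2. "Trust this computer for delegation to specified services only" stores
    #    the allowed targets in msDS-AllowedToDelegateTo; anything beyond the
    #    iOS MDM SPN widens what TMG may impersonate users to.
    $tmg = Get-ADComputer -Identity $TmgComputer -Properties 'msDS-AllowedToDelegateTo', 'userAccountControl'
    $allowed = @($tmg.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $r.DelegatesToSpn         = [bool]($allowed -contains $Spn)
    $r.ExtraDelegationTargets = @($allowed | Where-Object { $_ -ne $Spn })

    # 3. "Use any authentication protocol" is protocol transition, which sets
    #    TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) in userAccountControl.
    $uac = [int]$tmg.userAccountControl
    $r.ProtocolTransition = (($uac -band 0x1000000) -ne 0)

    # Unconstrained delegation (TRUSTED_FOR_DELEGATION, 0x80000) must stay off:
    # with it, TMG could impersonate authenticated users to any service in the
    # domain rather than only to the iOS MDM web service.
    $r.UnconstrainedDelegation = (($uac -band 0x80000) -ne 0)

    $r.Ok = $r.SpnRegistered -and $r.DelegatesToSpn -and
            $r.ProtocolTransition -and (-not $r.UnconstrainedDelegation)
    return [pscustomobject]$r
}

Test-MdmKcdDelegation | Format-List
```

`ExtraDelegationTargets` should be empty for this scheme; a non-empty list means the TMG account can obtain service tickets for other services on behalf of users, which is worth reviewing even if the iOS MDM publishing itself works.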

See also:

Standard configuration: Kaspersky Device Management for iOS in DMZ

Integration with Public Key Infrastructure


Use of iOS MDM Server by multiple virtual Servers

To enable the use of iOS MDM Server by multiple virtual Administration Servers:

  1. Open the system registry of the client device with iOS MDM Server installed (for example, locally, using the regedit command in the Start → Run menu).
  2. Go to the following hive:
    • For 32-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0

    • For 64-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0

  3. For the ConnectorFlags (DWORD) key, set the 02102482 value.
  4. Go to the following hive:
    • For 32-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1103\1.0.0.0

    • For 64-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1103\1.0.0.0

  5. For the ConnInstalled (DWORD) key, set the 00000001 value.
  6. Restart the iOS MDM Server service.

Key values must be entered in the specified sequence.


Receiving an APNs certificate

If you already have an APNs certificate, please consider renewing it instead of creating a new one. When you replace the existing APNs certificate with a newly created one, the Administration Server loses the ability to manage the currently connected iOS mobile devices.

When the Certificate Signing Request (CSR) is created at the first step of the APNs Certificate Wizard, its private key is stored in the RAM of your device. Therefore, all the steps of the Wizard must be completed within a single session of the application.

To receive an APNs certificate:

  1. In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.
  2. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  3. In the context menu of the iOS MDM Server, select Properties.

    This opens the properties window of the iOS MDM Server.

  4. In the properties window of the iOS MDM Server, select the Certificates section.
  5. In the Certificates section, in the Apple Push Notification certificate group of settings, click the Request new button.

    The Receive APNs Certificate Wizard starts and the Request new window opens.

  6. Create a Certificate Signing Request (hereinafter referred to as CSR). To do this, perform the following actions:
    1. Click the Create CSR button.
    2. In the Create CSR window that opens, specify a name for your request, the names of your company and department, your city, region, and country.
    3. Click the Save button and specify a name for the file to which your CSR will be saved.

    The private key of the certificate is saved in the device memory.

  7. Use your CompanyAccount to send the file with the CSR you have created to Kaspersky to be signed.

    Signing of your CSR will only be available after you upload to CompanyAccount portal a key that allows using Mobile Device Management.

    After your online request is processed, you will receive a CSR file signed by Kaspersky.

  8. Send the signed CSR file to the Apple Inc. website, using any Apple ID.

    We recommend that you avoid using a personal Apple ID. Create a dedicated Apple ID to make it your corporate ID. After you have created an Apple ID, link it with the organization's mailbox, not a mailbox of an employee.

    After your CSR is processed by Apple Inc., you will receive the public key of the APNs certificate. Save the file on disk.

  9. Export the APNs certificate together with the private key created when generating the CSR, in PFX file format. To do this:
    1. In the Request new APNs certificate window, click the Complete CSR button.
    2. In the Open window, choose a file with the public key of the certificate received from Apple Inc. as the result of CSR processing, and then click the Open button.

      The certificate export process starts.

    3. In the next window, enter the private key password and click OK.

      This password will be used for the APNs certificate installation on the iOS MDM Server.

    4. In the Save APNs certificate window, specify a file name for APNs certificate, choose a folder, and click Save.

The private and public keys of the certificate are combined, and the APNs certificate is saved in PFX format. After this, you can install the APNs certificate on the iOS MDM Server.
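The following script is an added example, not part of the Kaspersky Security Center documentation. It inspects a PFX/P12 container such as the APNs certificate exported above, confirming that the private key generated with the CSR is really inside, how long the certificate remains valid (the page's reserve-certificate mechanism works 60 days ahead of expiry, so that is used as the warning threshold), and whether the container carries the certificate chain, which the KCD section requires for the customized iOS MDM web service certificate. It uses Get-PfxData from the Windows PKI module; the file path is a placeholder.

```powershell
# Added example, not part of the Kaspersky Security Center documentation.
# Inspects a PFX/P12 container (exported APNs certificate, or the customized
# iOS MDM web service certificate from the KCD section). Uses Get-PfxData
# from the Windows PKI module; the file path below is a placeholder.
function Test-MdmPfxContainer {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password,
        [int]$WarnDays = 60   # the page issues a reserve certificate 60 days before expiry
    )
    $pfx  = Get-PfxData -FilePath $Path -Password $Password
    $leaf = @($pfx.EndEntityCertificates) | Select-Object -First 1
    if (-not $leaf) { throw "No end-entity certificate found in $Path" }

    $daysLeft = [int][math]::Floor(($leaf.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Path            = $Path
        Subject         = $leaf.Subject
        Issuer          = $leaf.Issuer
        Thumbprint      = $leaf.Thumbprint
        HasPrivateKey   = $leaf.HasPrivateKey   # the exported APNs PFX must carry the key generated with the CSR
        NotAfter        = $leaf.NotAfter
        DaysUntilExpiry = $daysLeft
        RenewSoon       = ($daysLeft -le $WarnDays)
        ChainIncluded   = (@($pfx.OtherCertificates).Count -gt 0)   # required for the KCD certificate container
        ChainSubjects   = @($pfx.OtherCertificates | ForEach-Object { $_.Subject })
    }
}

# Usage: prompt for the password rather than hard-coding it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Test-MdmPfxContainer -Path 'C:\certs\apns.pfx' -Password $pfxPassword | Format-List
```

If `RenewSoon` is true for the APNs certificate, use the renewal procedure rather than requesting a new certificate, for the reason the page gives: a newly created certificate breaks management of the devices already connected.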

See also:

Renewing an APNs certificate


Renewing an APNs certificate

To renew an APNs certificate:

  1. In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.
  2. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  3. In the context menu of the iOS MDM Server, select Properties.

    This opens the properties window of the iOS MDM Server.

  4. In the properties window of the iOS MDM Server, select the Certificates section.
  5. In the Certificates section, in the Apple Push Notification certificate group of settings, click the Renew button.

    The APNs Certificate Renewal Wizard starts, and the Renew APNs certificate window opens.

  6. Create a Certificate Signing Request (hereinafter referred to as CSR). To do this, perform the following actions:
    1. Click the Create CSR button.
    2. In the Create CSR window that opens, specify a name for your request, the names of your company and department, your city, region, and country.
    3. Click the Save button and specify a name for the file to which your CSR will be saved.

    The private key of the certificate is saved in the device memory.

  7. Use your CompanyAccount to send the file with the CSR you have created to Kaspersky to be signed.

    Signing of your CSR will only be available after you upload to CompanyAccount portal a key that allows using Mobile Device Management.

    After your online request is processed, you will receive a CSR file signed by Kaspersky.

  8. Send the signed CSR file to the Apple Inc. website, using any Apple ID.

    We recommend that you avoid using a personal Apple ID. Create a dedicated Apple ID to make it your corporate ID. After you have created an Apple ID, link it with the organization's mailbox, not a mailbox of an employee.

    After your CSR is processed by Apple Inc., you will receive the public key of the APNs certificate. Save the file on disk.

  9. Request the public key of the certificate. To do this, perform the following actions:
    1. Proceed to the Apple Push Certificates portal. To log in to the portal, use the Apple ID received at the initial request of the certificate.
    2. In the list of certificates, select the certificate whose APSP name (in "APSP: <number>" format) matches the APSP name of the certificate used by iOS MDM Server and click the Renew button.

      The APNs certificate is renewed.

    3. Save the certificate created on the portal.
  10. Export the APNs certificate together with the private key created when generating the CSR, in PFX file format. To do this, perform the following actions:
    1. In the Renew APNs certificate window, click the Complete CSR button.
    2. In the Open window, choose a file with the public key of the certificate, received from Apple Inc. as the result of CSR processing, and click the Open button.

      The certificate export process will start.

    3. In the next window, enter the private key password and click OK.

      This password will be used for the APNs certificate installation on the iOS MDM Server.

    4. In the Renew APNs certificate window that opens, specify a file name for APNs certificate, choose a folder, and click Save.

The private and public keys of the certificate are combined, and the APNs certificate is saved in PFX format.

See also:

Receiving an APNs certificate


Configuring a reserve iOS MDM Server certificate

The iOS MDM Server functionality enables you to issue a reserve certificate. This certificate is intended for use in iOS MDM profiles, to ensure seamless switching of managed iOS devices after the iOS MDM Server certificate expires.

If your iOS MDM Server uses a default certificate issued by Kaspersky, you can issue a reserve certificate (or specify your own custom certificate as reserve) before the iOS MDM Server certificate expires. By default, the reserve certificate is automatically issued 60 days before the iOS MDM Server certificate expiration. The reserve iOS MDM Server certificate becomes the main certificate immediately after the iOS MDM Server certificate expiration. The public key is distributed to all managed devices through configuration profiles, so you do not have to transmit it manually.

To issue an iOS MDM Server reserve certificate or specify a custom reserve certificate:

  1. In the console tree, in the Mobile Device Management folder, select the Mobile Device Servers subfolder.
  2. In the list of Mobile Device Servers, select the relevant iOS MDM Server, and on the right pane, click the Configure iOS MDM Server button.
  3. In the iOS MDM Server settings window that opens, select the Certificates section.
  4. In the Reserve certificate block of settings, do one of the following:
    • If you plan to continue using a self-signed certificate (that is, the one issued by Kaspersky):
      1. Click the Issue button.
      2. In the Activation date window that opens, select one of the two options for the date when the reserve certificate must be applied:
        • If you want to apply the reserve certificate at the time of expiration of the current certificate, select the When current certificate expires option.
        • If you want to apply the reserve certificate before the current certificate expires, select the After specified period (days) option. In the entry field next to this option, specify the duration of the period after which the reserve certificate must replace the current certificate.

        The validity period of the reserve certificate that you specify cannot exceed the validity term of the current iOS MDM Server certificate.

      3. Click the OK button.

      The reserve iOS MDM Server certificate is issued.

    • If you plan to use a custom certificate issued by your certification authority:
      1. Click the Add button.
      2. In the File Explorer window that opens, specify a certificate file in the PEM, PFX, or P12 format, which is stored on your device, and then click the Open button.

      Your custom certificate is specified as the reserve iOS MDM Server certificate.

You have a reserve iOS MDM Server certificate specified. The details of the reserve certificate are displayed in the Reserve certificate block of settings (certificate name, issuer name, expiration date, and the date the reserve certificate must be applied, if any).

See also:

About Kaspersky Security Center certificates

Adding a configuration profile


Installing an APNs certificate on an iOS MDM Server

After you receive the APNs certificate, you must install it on the iOS MDM Server.

To install the APNs certificate on the iOS MDM Server:

  1. In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.
  2. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  3. In the context menu of the iOS MDM Server, select Properties.

    This opens the properties window of the iOS MDM Server.

  4. In the properties window of the iOS MDM Server, select the Certificates section.
  5. In the Certificates section, in the Apple Push Notification certificate group of settings, click the Install button.
  6. Select the PFX file that contains the APNs certificate.
  7. Enter the password of the private key specified when exporting the APNs certificate.

The APNs certificate will be installed on the iOS MDM Server. The certificate details will be displayed in the properties window of the iOS MDM Server, in the Certificates section.


Configuring access to Apple Push Notification service

To ensure proper functioning of the iOS MDM web service and timely responses of mobile devices to the administrator's commands, you need to specify an Apple Push Notification Service certificate (hereinafter referred to as APNs certificate) in the iOS MDM Server settings.

To interact with Apple Push Notification service (hereinafter referred to as APNs), the iOS MDM web service connects to the external address api.push.apple.com through port 2197 (outbound). Therefore, the iOS MDM web service requires access to TCP port 2197 for the address range 17.0.0.0/8. On the iOS device side, access to TCP port 5223 for the address range 17.0.0.0/8 is required.

If you intend to access APNs from the iOS MDM web service side through a proxy server, you must perform the following actions on the device with the iOS MDM web service installed:

  1. Add the following strings to the registry:
    • For 32-bit operating systems:

    HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset

    "ApnProxyHost"="<Proxy Host Name>"

    "ApnProxyPort"="<Proxy Port>"

    "ApnProxyLogin"="<Proxy Login>"

    "ApnProxyPwd"="<Proxy Password>"

    • For 64-bit operating systems:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset

    "ApnProxyHost"="<Proxy Host Name>"

    "ApnProxyPort"="<Proxy Port>"

    "ApnProxyLogin"="<Proxy Login>"

    "ApnProxyPwd"="<Proxy Password>"

  2. Restart the iOS MDM web service.
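The following script is an added example, not part of the Kaspersky Security Center documentation. It applies the two registry procedures on this page from PowerShell on the iOS MDM Server host: enabling use by multiple virtual Administration Servers (the two DWORD values written in the required order, from the earlier section) and the APNs proxy strings from the procedure just above, selecting the Wow6432Node path on 64-bit Windows as the page specifies. It also checks the outbound TCP 2197 requirement to api.push.apple.com. The DWORD values are the page's regedit values read as hexadecimal; the service lookup by display name is an assumption to adjust to what services.msc shows.

```powershell
# Added example, not part of the Kaspersky Security Center documentation.
# Applies the page's two registry procedures on the iOS MDM Server host and
# checks APNs reachability. DWORD values are the page's regedit (hex) values;
# the service lookup by display name is an assumption.
$KlBase = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\Components\34'
} else {
    'HKLM:\SOFTWARE\KasperskyLab\Components\34'
}

function Get-MdmService {
    # Assumption: the service's display name contains "iOS MDM".
    $svc = @(Get-Service | Where-Object { $_.DisplayName -like '*iOS MDM*' })
    if ($svc.Count -ne 1) { throw "Expected exactly one iOS MDM service, found $($svc.Count)" }
    return $svc[0]
}

function Enable-MdmMultipleVirtualServers {
    $connector = Join-Path $KlBase 'Connectors\KLIOSMDM\1.0.0.0'
    $component = Join-Path $KlBase '1103\1.0.0.0'
    foreach ($p in @($connector, $component)) {
        if (-not (Test-Path $p)) { throw "Registry path not found; is iOS MDM Server installed? $p" }
    }
    # The page requires this exact order: ConnectorFlags first, then ConnInstalled.
    Set-ItemProperty -Path $connector -Name 'ConnectorFlags' -Value 0x02102482 -Type DWord
    Set-ItemProperty -Path $component -Name 'ConnInstalled'  -Value 0x00000001 -Type DWord
    Restart-Service -InputObject (Get-MdmService)
}

function Set-MdmApnProxy {
    param(
        [Parameter(Mandatory)][string]$ProxyHost,
        [Parameter(Mandatory)][int]$ProxyPort,
        [string]$Login,
        [string]$Password
    )
    $conset = Join-Path $KlBase 'Connectors\KLIOSMDM\1.0.0.0\Conset'
    if (-not (Test-Path $conset)) { [void](New-Item -Path $conset -Force) }
    # All four values are REG_SZ strings, including the port, as the page lists them.
    Set-ItemProperty -Path $conset -Name 'ApnProxyHost' -Value $ProxyHost   -Type String
    Set-ItemProperty -Path $conset -Name 'ApnProxyPort' -Value "$ProxyPort" -Type String
    if ($Login)    { Set-ItemProperty -Path $conset -Name 'ApnProxyLogin' -Value $Login    -Type String }
    if ($Password) { Set-ItemProperty -Path $conset -Name 'ApnProxyPwd'   -Value $Password -Type String }
    Restart-Service -InputObject (Get-MdmService)
}

function Test-MdmApnsReachability {
    # Server side of the page's firewall requirement: outbound TCP 2197 to
    # api.push.apple.com, which resolves into Apple's 17.0.0.0/8 range.
    $t = Test-NetConnection -ComputerName 'api.push.apple.com' -Port 2197 -WarningAction SilentlyContinue
    [pscustomobject]@{
        RemoteAddress = $t.RemoteAddress
        InAppleRange  = ("$($t.RemoteAddress)" -match '^17\.')
        TcpOpen       = $t.TcpTestSucceeded
    }
}

# Usage (sample proxy values are assumptions):
# Enable-MdmMultipleVirtualServers
# Set-MdmApnProxy -ProxyHost 'proxy.example.local' -ProxyPort 3128 -Login 'svc-apns-proxy' -Password (Read-Host 'Proxy password')
Test-MdmApnsReachability | Format-List
```

ApnProxyPwd is stored as a plain REG_SZ value, so the proxy credential is readable by anyone who can read that key: use a dedicated proxy account with no other rights and keep local administrator access on the iOS MDM Server host tight. `Test-MdmApnsReachability` tests a direct connection; when APNs is reached through the proxy, a failed direct test is expected and only the proxy path matters.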

See also:

Receiving an APNs certificate


Issuing and installing a shared certificate on a mobile device

To issue a shared certificate to a user:

  1. In the console tree, in the User accounts folder, select a user account.
  2. In the context menu of the user account, select Install certificate.

The Certificate Installation Wizard starts. Follow the instructions of the Wizard.

When the Wizard finishes, a certificate will be created and added to the list of the user's certificates.

The issued certificate will be downloaded by the user, along with the installation package that contains the iOS MDM profile.

After the mobile device is connected to the iOS MDM Server, the iOS MDM profile settings will be applied on the user's device. The administrator will be able to manage the device after connection.

The user's mobile device connected to the iOS MDM Server is displayed in the Mobile Devices subfolder within the Mobile Device Management folder in the console tree.


Adding a KES device to the list of managed devices

To add the KES device of a user to the list of managed devices using a link to Google Play:

  1. In the console tree, select the User accounts folder.

    By default, the User accounts folder is a subfolder of the Advanced folder.

  2. Select the account of the user whose mobile device you want to add to the list of managed devices.
  3. In the context menu of the user account, select Add mobile device.

    The New Mobile Device Connection Wizard starts. In the Certificate source window of the Wizard, you have to specify the method for creating the shared certificate that Administration Server will use to identify the mobile device. You can specify a shared certificate in one of the following ways:

    • Create a shared certificate automatically, by means of Administration Server tools, and then deliver the certificate to the device.
    • Specify a shared certificate file.
  4. In the Device type window of the Wizard, select Link to Google Play.
  5. In the User notification method window of the Wizard, define the settings for notification of the mobile device user of certificate creation (with an SMS message, by email, or by displaying the information when the Wizard has finished).
  6. In the certificate info window of the Wizard, click the Finish button to close the Wizard.

After the Wizard finishes its activities, a link and a QR code will be sent to the mobile device of the user, allowing the user to download Kaspersky Endpoint Security from Google Play. The user proceeds to Google Play by using the link or by scanning the QR code. After this, the operating system of the device prompts the user to accept Kaspersky Endpoint Security for Android installation. After Kaspersky Endpoint Security for Android is downloaded and installed, the mobile device connects to the Administration Server and downloads a shared certificate. After the certificate is installed on the mobile device, the device is displayed in the Mobile devices folder, which is a subfolder of the Mobile Device Management folder in the console tree.

If Kaspersky Endpoint Security for Android has already been installed on the device, the user has to receive the Administration Server connection settings from the administrator and then enter them independently. After the connection settings are defined, the mobile device connects to the Administration Server. The administrator issues a shared certificate for the device and sends the user an email message or an SMS message with a login and password for the certificate download. The user downloads and installs the shared certificate. After the certificate is installed on the mobile device, the device is displayed in the Mobile devices folder, which is a subfolder of the Mobile Device Management folder in the console tree. In this case, Kaspersky Endpoint Security for Android will not be downloaded and installed again.


Connecting KES devices to the Administration Server

Depending on the method used for connection of devices to the Administration Server, two deployment schemes are possible for Kaspersky Device Management for iOS for KES devices:

  • Scheme of deployment with direct connection of devices to the Administration Server
  • Scheme of deployment involving Forefront Threat Management Gateway (TMG)

In this section

Direct connection of devices to the Administration Server

Scheme for connecting KES devices to the Server involving Kerberos constrained delegation (KCD)

Using Google Firebase Cloud Messaging


Direct connection of devices to the Administration Server

KES devices can connect directly to port 13292 of the Administration Server.

Depending on the method used for authentication, two options are possible for connection of KES devices to the Administration Server:

  • Connecting devices with a user certificate
  • Connecting devices without a user certificate

Connecting a device with a user certificate

When connecting a device with a user certificate, that device is associated with the user account to which the corresponding certificate has been assigned through Administration Server tools.

In this case, two-way SSL authentication (mutual authentication) will be used. Both the Administration Server and the device will be authenticated with certificates.

Connecting a device without a user certificate

When connecting a device without a user certificate, that device is not associated with any user account on the Administration Server. However, once the device receives a certificate, the device will be associated with the user to which the corresponding certificate has been assigned through Administration Server tools.

When connecting that device to the Administration Server, one-way SSL authentication will be applied, which means that only the Administration Server is authenticated with the certificate. After the device retrieves the user certificate, the type of authentication will change to two-way SSL authentication (2-way SSL authentication, mutual authentication).
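The following script is an added example, not part of the Kaspersky Security Center documentation. It performs the one-way SSL handshake described above against the Administration Server's mobile-device port and returns the server certificate that KES devices will see, so you can confirm it is the intended one (the default certificate, or the custom certificate configured for the mobile protocol) before devices connect. Optionally, it presents a client certificate to exercise the two-way case. The server name is a placeholder, 13292 is the page's default port, and TLS 1.2 is assumed for the handshake.

```powershell
# Added example, not part of the Kaspersky Security Center documentation.
# Retrieves the certificate presented by the Administration Server's mobile
# port (13292 per the page). Server name is a placeholder; TLS 1.2 assumed.
function Get-MdmServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 13292,
        # Optional: supply a user certificate to exercise two-way (mutual) authentication.
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCertificate
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = $null
    try {
        # Accept any server certificate here: the goal is to inspect it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)

        $clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
        if ($ClientCertificate) { [void]$clientCerts.Add($ClientCertificate) }

        $ssl.AuthenticateAsClient($Server, $clientCerts,
                                  [System.Security.Authentication.SslProtocols]::Tls12, $false)

        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server                = "${Server}:${Port}"
            Subject               = $remote.Subject
            Issuer                = $remote.Issuer
            Thumbprint            = $remote.Thumbprint
            NotAfter              = $remote.NotAfter
            Protocol              = $ssl.SslProtocol
            MutuallyAuthenticated = $ssl.IsMutuallyAuthenticated   # true only when a client certificate was accepted
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Usage (server name is a placeholder):
Get-MdmServerCertificate -Server 'ksc.example.local' | Format-List
```

Compare the returned `Thumbprint` with the certificate you expect; in the KCD scheme it must match the certificate set on TMG for the published mobile protocol access point, since the page requires the same certificate on both sides.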


Scheme for connecting KES devices to the Server involving Kerberos constrained delegation (KCD)

The scheme for connecting KES devices to the Administration Server involving Kerberos constrained delegation (KCD) provides for the following:

  • Integration with Microsoft Forefront TMG.
  • Use of Kerberos Constrained Delegation (hereinafter referred to as KCD) for authentication of mobile devices.
  • Integration with Public Key Infrastructure (hereinafter referred to as PKI) for applying user certificates.

When using this connection scheme, please note the following:

  • The type of connection of KES devices to TMG must be "two-way SSL authentication", that is, a device must connect to TMG through its proprietary user certificate. To do this, you need to integrate the user certificate into the installation package of Kaspersky Endpoint Security for Android, which has been installed on the device. This KES package must be created by the Administration Server specifically for this device (user).
  • You must specify the special (customized) certificate instead of the default server certificate for the mobile protocol:
    1. In the Administration Server properties window, in the Settings section, select the Open port for mobile devices check box and select Add certificate in the drop-down list.
    2. In the window that opens, specify the same certificate that was set on TMG when the point of access to the mobile protocol was published on the Administration Server.
  • User certificates for KES devices must be issued by the Certificate Authority (CA) of the domain. If the domain includes multiple root CAs, user certificates must be issued by the CA that is specified in the publication on TMG.

    You can make sure that the user certificate meets this requirement using one of the following methods:

    • Specify the special user certificate in the New Installation Package Wizard and in the Certificate Installation Wizard.
    • Integrate the Administration Server with the domain's PKI and define the corresponding setting in the rules for issuance of certificates:
      1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
      2. In the workspace of the Certificates folder, click the Configure certificate issuance rules button to open the Certificate issuance rules window.
      3. In the Integration with PKI section, configure integration with the Public Key Infrastructure.
      4. In the Issuance of mobile certificates section, specify the source of certificates.

Below is an example of setup of Kerberos Constrained Delegation (KCD) with the following assumptions:

  • Point of access to the mobile protocol on the Administration Server is set up on port 13292.
  • The name of the device with TMG is tmg.mydom.local.
  • The name of the device with Administration Server is ksc.mydom.local.
  • Name of the external publishing of the point of access to the mobile protocol is kes4mob.mydom.global.

Domain account for Administration Server

You must create a domain account (for example, KSCMobileSrvcUsr) under which the Administration Server service will run. You can specify an account for the Administration Server service when installing the Administration Server or through the klsrvswch utility. The klsrvswch utility is located in the installation folder of Administration Server.

A domain account must be specified for the following reasons:

  • The feature for management of KES devices is an integral part of Administration Server.
  • To ensure proper functioning of Kerberos Constrained Delegation (KCD), the receiving side (that is, the Administration Server) must run under a domain account.

Service Principal Name for http/kes4mob.mydom.local

In the domain, under the KSCMobileSrvcUsr account, add an SPN for publishing the mobile protocol service on port 13292 of the device with Administration Server. For the kes4mob.mydom.local device with Administration Server, the command is as follows:

setspn -a http/kes4mob.mydom.local:13292 mydom\KSCMobileSrvcUsr

Configuring the domain properties of the device with TMG (tmg.mydom.local)

To delegate traffic, the device with TMG (tmg.mydom.local) must be trusted for delegation to the service defined by the SPN (http/kes4mob.mydom.local:13292).

To trust the device with TMG for delegation to that service, the administrator must perform the following actions:

  1. In the Microsoft Management Console snap-in named "Active Directory Users and Computers", select the device with TMG installed (tmg.mydom.local).
  2. In the device properties, on the Delegation tab, select Trust this computer for delegation to specified services only and then select Use any authentication protocol.
  3. In the Services to which this account can present delegated credentials list, add the SPN http/kes4mob.mydom.local:13292.

Special (customized) certificate for the publishing (kes4mob.mydom.global)

To publish the mobile protocol of Administration Server, you must issue a special (customized) certificate for the FQDN kes4mob.mydom.global and specify it instead of the default server certificate in the settings of the mobile protocol of Administration Server in Administration Console. To do this, in the properties window of the Administration Server, in the Settings section select the Open port for mobile devices check box and then select Add certificate in the drop-down list.

Please note that the server certificate container (file with the p12 or pfx extension) must also contain a chain of root certificates (public keys).

Configuring publication on TMG

On TMG, for traffic that goes from the mobile device side to port 13292 of kes4mob.mydom.global, you have to configure KCD on the SPN (http/kes4mob.mydom.local:13292), using the server certificate issued for the FQDN kes4mob.mydom.global. Note that the publication and the published access point (port 13292 of the Administration Server) must use the same server certificate.
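The following PowerShell script is an added example (not from the Kaspersky documentation) that checks the KCD prerequisites set up in the procedure above from a domain-joined administrator workstation: that the SPN is registered on exactly one account, that the TMG computer object has constrained delegation with protocol transition to that SPN, and that the publishing certificate container carries its CA chain. It assumes the RSAT ActiveDirectory and PKI modules, a domain administrator session, and a hypothetical PFX path.

```powershell
# Added example, not Kaspersky's own code. Names are the documentation's sample values.
Import-Module ActiveDirectory

$ServiceAccount = 'KSCMobileSrvcUsr'                     # account running the Administration Server service
$TmgComputer    = 'tmg'                                  # computer name of tmg.mydom.local
$Spn            = 'http/kes4mob.mydom.local:13292'
$PfxPath        = 'C:\certs\kes4mob.mydom.global.pfx'    # hypothetical path to the publishing certificate

# 1. The SPN must belong to exactly one account. A duplicate SPN makes the KDC hand out
#    tickets for the wrong account, and KCD then fails without an obvious error.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
if ($owners.Count -gt 1) {
    throw "SPN $Spn is registered on more than one account: $($owners.sAMAccountName -join ', ')"
}
if ($owners.Count -eq 0) {
    setspn -a $Spn "mydom\$ServiceAccount" | Out-Null    # same command as in the procedure above
} elseif ($owners[0].sAMAccountName -ne $ServiceAccount) {
    throw "SPN $Spn belongs to $($owners[0].sAMAccountName), not $ServiceAccount"
}

# 2. Constrained delegation on the TMG computer object. "Use any authentication protocol"
#    is the TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition); the allowed target
#    list lives in the msDS-AllowedToDelegateTo attribute.
$tmg = Get-ADComputer -Identity $TmgComputer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
if ($tmg.'msDS-AllowedToDelegateTo' -notcontains $Spn) {
    Set-ADComputer -Identity $TmgComputer -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }
}
if (-not $tmg.TrustedToAuthForDelegation) {
    Set-ADAccountControl -Identity $tmg -TrustedToAuthForDelegation $true
}

# 3. Publishing certificate: the leaf must be issued for the external FQDN and the PFX must
#    also contain the CA chain, otherwise devices cannot build a trust path to the server.
$pfx  = Get-PfxData -FilePath $PfxPath -Password (Read-Host -AsSecureString 'PFX password')
$leaf = $pfx.EndEntityCertificates[0]
if ($leaf.Subject -notmatch 'CN=kes4mob\.mydom\.global') { throw "Leaf certificate subject is $($leaf.Subject)" }
if ($pfx.OtherCertificates.Count -eq 0) { throw 'PFX contains no CA chain certificates' }
if ($leaf.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($leaf.NotAfter)" }

Write-Host "KCD prerequisites look consistent for $Spn"
```

Run the same certificate checks against the file you install on TMG; the publication and the Administration Server access point must present the identical certificate.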

See also:

Integration with Public Key Infrastructure

Providing internet access to Administration Server

Administration Server on LAN, managed devices on internet, TMG in use

[Topic 92523]

Using Google Firebase Cloud Messaging

To ensure timely responses of KES devices on Android to the administrator's commands, you must enable the use of Google Firebase Cloud Messaging (hereinafter referred to as FCM) in the Administration Server properties.

To enable the use of FCM:

  1. In Administration Console, select the Mobile Device Management node, and the Mobile devices folder.
  2. In the context menu of the Mobile devices folder, select Properties.
  3. In the folder properties, select the Google Firebase Cloud Messaging settings section.
  4. In the Sender ID and Server key fields, specify the FCM settings: SENDER_ID and API Key.

The FCM service uses the following addresses and ports:

  • From the KES device's side, access is required to ports 443, 5228, 5229, and 5230 (all HTTPS) at the following addresses:
    • google.com
    • fcm.googleapis.com
    • android.apis.google.com
    • All of the IP addresses in Google's AS 15169
  • From the Administration Server side, access is required to port 443 (HTTPS) at the following addresses:
    • fcm.googleapis.com
    • All of the IP addresses in Google's AS 15169

If the proxy server settings (Advanced / Configuring Internet access) have been specified in the Administration Server properties in Administration Console, they will be used for interaction with FCM.

Configuring FCM: retrieving SENDER_ID and API Key

To configure FCM, the administrator must perform the following actions:

  1. Register on the Google portal.
  2. Go to the Developers portal.
  3. Create a new project by clicking the Create Project button, then specify the project's name and ID.
  4. Wait for the project to be created.

    On the first page of the project, in the upper part of the page, the Project Number field shows the relevant SENDER_ID.

  5. Go to the APIs & auth / APIs section and enable Google Firebase Cloud Messaging for Android.
  6. Go to the APIs & auth / Credentials section and click the Create New Key button.
  7. Click the Server key button.
  8. Impose restrictions (if any) and click the Create button.
  9. Retrieve the API Key from the properties of the newly created key (Server key field).
[Topic 92525]

Integration with Public Key Infrastructure

Integration with Public Key Infrastructure (hereinafter referred to as PKI) is primarily intended for simplifying the issuance of domain user certificates by Administration Server.

The administrator can assign a domain certificate for a user in Administration Console. This can be done using one of the following methods:

  • Assign the user a special (customized) certificate from a file in the New Device Connection Wizard or in the Certificate Installation Wizard.
  • Integrate with PKI and assign PKI as the source of certificates for a specific type of certificate or for all types of certificates.

The settings of integration with PKI are available in the workspace of the Mobile Device Management / Certificates folder by clicking the Integrate with public key infrastructure link.

General principle of integration with PKI for issuance of domain user certificates

In Administration Console, click the Integrate with public key infrastructure link in the workspace of the Mobile Device Management / Certificates folder to specify a domain account that will be used by Administration Server to issue domain user certificates through the domain's CA (hereinafter referred to as the account under which integration with PKI is performed).

Please note the following:

  • The settings of integration with PKI allow you to specify the default template for all types of certificates. Note that the rules for issuance of certificates (available in the workspace of the Mobile Device Management / Certificates folder by clicking the Configure certificate issuance rules button) allow you to specify an individual template for every type of certificate.
  • A special Enrollment Agent (EA) certificate must be installed on the device with Administration Server, in the certificates repository of the account under which integration with PKI is performed. The Enrollment Agent (EA) certificate is issued by the administrator of the domain's CA (Certificate Authority).

The account under which integration with PKI is performed must meet the following criteria:

  • It is a domain user.
  • It is a local administrator of the device with Administration Server from which integration with PKI is initiated.
  • It has the Log on as a service right.
  • It has logged on at least once to the device with Administration Server installed, so that a permanent user profile exists for it.
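As an added example (not Kaspersky's own code), the following PowerShell preflight check, run on the Administration Server host while logged on as the intended PKI integration account, tests the requirements listed above plus the presence of the Enrollment Agent certificate. The account name is hypothetical; the script assumes the Microsoft.PowerShell.LocalAccounts module and an elevated session for the secedit export.

```powershell
# Added example, not from the Kaspersky documentation. Account name is hypothetical.
$PkiAccount = 'mydom\KSCPkiSvcUsr'
$failures   = @()

# Resolve the account's SID once; rights and profiles are keyed by SID, not by name.
$sid = (New-Object System.Security.Principal.NTAccount($PkiAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Domain user: the name must carry the domain prefix, and we must be running as it,
#    because the certificate store checked below is per user.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $PkiAccount.StartsWith('mydom\', 'OrdinalIgnoreCase')) { $failures += 'Account is not a domain account' }
if ($me.Name -ne $PkiAccount) { $failures += "Logged on as $($me.Name), not $PkiAccount" }

# 2. Local administrator on this host (direct membership only; nested groups are not expanded).
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -notcontains $PkiAccount) { $failures += "$PkiAccount is not in the local Administrators group" }

# 3. "Log on as a service" is SeServiceLogonRight in the local security policy. secedit
#    exports it as an INI line listing SIDs, so look for this account's SID on that line.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
if (-not ($line -match [regex]::Escape($sid))) { $failures += 'Log on as a service right is not granted' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# 4. Enrollment Agent certificate with a private key in the account's own store.
#    EKU OID 1.3.6.1.4.1.311.20.2.1 is "Certificate Request Agent", which the CA issues for EA.
$ea = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.1')
}
if (-not $ea) { $failures += 'No Enrollment Agent certificate with a private key in CurrentUser\My' }

# 5. Permanent profile: a non-special local profile must exist for the account's SID.
$prof = Get-CimInstance Win32_UserProfile -Filter "SID='$sid'"
if (-not $prof -or $prof.Special) { $failures += 'No permanent user profile for this account on this host' }

if ($failures) { $failures | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'PKI integration account meets all listed requirements' }
```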
[Topic 92526]

Kaspersky Security Center Web Server

Kaspersky Security Center Web Server (hereinafter referred to as Web Server) is a component of Kaspersky Security Center. Web Server is designed for publishing stand-alone installation packages, stand-alone installation packages for mobile devices, iOS MDM profiles, and files from the shared folder.

The iOS MDM profiles and installation packages that have been created are published on Web Server automatically and are removed after the first download. The administrator can send the link to the user in any convenient way, such as by email.

By clicking the link, the user can download the required information to a mobile device.

Web Server settings

If fine-tuning of Web Server is required, you can change the ports for HTTP (8060) and HTTPS (8061) in the properties of Web Server in Administration Console. In addition to changing the ports, you can replace the server certificate for HTTPS and change the FQDN of Web Server for HTTP.

[Topic 92527]