Initial setup of Kaspersky Security Center

This section describes steps you must take after the Kaspersky Security Center installation to perform its initial setup.

Administration Server Quick Start Wizard

This section provides information about the Administration Server Quick Start Wizard.

About Quick Start Wizard

This section provides information about the Administration Server Quick Start Wizard.

Administration Server Quick Start Wizard allows you to create a minimum of necessary tasks and policies, adjust a minimum of settings, download and install plug-ins for managed Kaspersky applications, and create installation packages of managed Kaspersky applications. When the Wizard is running, you can make the following changes to the application:

• Download and install plug-ins for managed applications. After the Quick Start Wizard has finished, the list of installed management plug-ins is displayed in the Advanced → Details of application management plug-ins installed section of the Administration Server properties window.
• Create installation packages of managed Kaspersky applications. After the Quick Start Wizard has finished, installation packages of Network Agent for Windows and managed Kaspersky applications are displayed in the Administration Server → Advanced → Remote installation → Installation packages list.
• Add key files or enter activation codes that can be automatically distributed to devices within administration groups. After the Quick Start Wizard has finished, information about license keys is displayed in the Administration Server → Kaspersky Licenses list and in the License keys section of the Administration Server properties window.
• Configure interaction with Kaspersky Security Network
  (KSN)

  An infrastructure of cloud services that provides access to the Kaspersky database with constantly updated information about the reputation of files, web resources, and software. Kaspersky Security Network ensures faster responses by Kaspersky applications to threats, improves the performance of some protection components, and reduces the likelihood of false positives.

  .
• Set up email delivery of notifications of events that occur during operation of Administration Server and managed applications (successful notification delivery requires that the Messenger service run on the Administration Server and all recipient devices). After the Quick Start Wizard has finished, the email notifications settings are displayed in the Notification section of the Administration Server properties window.
• Adjust the update settings and vulnerability fix settings for applications installed on devices.
• Create a protection policy for workstations and servers, as well as virus scan tasks, update download tasks, and data backup tasks, for the top level of the hierarchy of managed devices. After the Quick Start Wizard has finished, the created tasks are displayed in the Administration Server → Tasks list, the policies corresponding to the plug-ins for managed applications are displayed in the Administration Server → Policies list.

The Quick Start Wizard creates policies for managed applications, such as Kaspersky Endpoint Security for Windows, unless such policies are already created for the Managed devices group. The Quick Start Wizard creates tasks if tasks with the same names do not exist for the Managed devices group.

In Administration Console, Kaspersky Security Center automatically prompts you to run the Quick Start Wizard after you have started it for the first time. You can also start the Quick Start Wizard manually at any time.

Starting Administration Server Quick Start Wizard

The application automatically prompts you to run the Quick Start Wizard after Administration Server installation, at the first connection to it. You can also start the Quick Start Wizard manually at any time.

To start the Quick Start Wizard manually:

1. In the console tree, select the Administration Server node.
2. In the context menu of the node, select All Tasks → Administration Server Quick Start Wizard.

The Wizard prompts you to perform initial configuration of the Administration Server. Follow the instructions of the Wizard.

If you start the Quick Start Wizard again, tasks and policies created at the previous run of the Wizard cannot be created again.

Step 1. Getting acquainted with Quick Start Wizard

Read information about the actions that Quick Start Wizard performs.

Step 2. Configuring a proxy server

Expand all | Collapse all

Specify the internet access settings for Administration Server. You must configure internet access to use Kaspersky Security Network and to download updates of anti-virus databases for Kaspersky Security Center and managed Kaspersky applications.

Select the Use proxy server option if you want to use a proxy server when connecting to the internet. If this option is selected, the fields are available for entering settings. Specify the following settings for proxy server connection:

• Address

  Address of the proxy server used for Kaspersky Security Center connection to the internet.

• Port number

  Number of the port through which Kaspersky Security Center proxy connection will be established.

• Bypass proxy server for local addresses

  No proxy server will be used to connect to devices in the local network.

• Proxy server authentication

  If this check box is selected, in the entry fields you can specify the credentials for proxy server authentication.

  This entry field is available if the Use proxy server check box is selected.

• User name

  User account under which connection to the proxy server is established (this field is available if the Proxy server authentication check box is selected).

• Password

  Password set by the user under whose account the proxy server connection is established (this field is available if the Proxy server authentication check box is selected).

  To see the entered password, click and hold the Show button for as long as you require.

You can configure internet access later, separately from the quick start wizard.

To specify the internet access settings for Administration Server:

1. In the console tree, select the Administration Server node.
2. In the context menu of the Administration Server, select Properties.
3. In the Administration Server properties window, go to Advanced → Configuring Internet access.
4. Specify the settings for a proxy server connection.

Step 3. Selecting the application activation method

Expand all | Collapse all

Select one of the following Kaspersky Security Center activation options:

• By inserting your activation code

  Activation code is a unique sequence of 20 alphanumeric characters. You enter an activation code to add a key that activates Kaspersky Security Center. You receive the activation code through the email address that you specified after purchasing Kaspersky Security Center.

  To activate the application with an activation code, you need Internet access to establish connection with Kaspersky activation servers.

  If you have selected this activation option, you can enable the Automatically distribute license key to managed devices option.

  If this option is enabled, the license key will be deployed automatically to managed devices.

  If this option is disabled, you can deploy license key to managed devices later, in the Kaspersky Licenses node of the Administration Console tree.

• By specifying a key file

  Key file is a file with the .key extension provided to you by Kaspersky. A key file is intended for adding a key that activates the application.

  You receive your key file through the email address that you specified after purchasing Kaspersky Security Center.

  To activate the application using a key file, you do not have to connect to Kaspersky activation servers.

  If you have selected this activation option, you can enable the Automatically distribute license key to managed devices option.

  If this option is enabled, the license key will be deployed automatically to managed devices.

  If this option is disabled, you can deploy license key to managed devices later, in the Kaspersky Licenses node of the Administration Console tree.

• By postponing the application activation

  The application will operate with basic functionality, without Mobile Device Management and without Vulnerability and Patch Management.

If you choose to postpone application activation, you can add a license key later at any time.

Step 4. Selecting the protection scopes and platforms

Expand all | Collapse all

Select the protection scopes and platforms that are in use on your network. When you select these options, you specify the filters for application management plug-ins and distribution packages on Kaspersky servers that you can download to install on client devices on your network. Select the options:

• Areas

  You can select the following protection areas:

  • Workstations. Select this option if you want to protect workstations in your network. By default, the Workstation option is selected.
  • File Servers and Storage. Select this option if you want to protect file servers in your network.
  • Virtualization. Select this option if you want to protect virtual machines in your network.
  • Embedded Systems. Select this option if you want to protect Windows-based embedded systems, such as Automated Teller Machine (ATM).

• Operating systems

  You can select the following platforms:

  • Microsoft Windows
  • macOS
  • Android
  • Linux
  • Other

  For information about supported operating systems, refer to Hardware and software requirements for Kaspersky Security Center 13.1 Web Console.

You can select the Kaspersky application packages from the list of available packages later, separately from the quick start wizard. To simplify the search for the required packages, you can filter the list of available packages by the following criteria:

• Protection area
• Type of downloaded software (distribution package, utility, plug-in, or web plug-in)
• Version of the Kaspersky application
• Localization language of the Kaspersky application

Step 5. Selecting plug-ins for managed applications

Expand all | Collapse all

Select plug-ins for managed applications to install. A list of plug-ins located on Kaspersky servers is displayed. The list is filtered according to the options selected on the previous step of the Wizard. By default, a full list includes plug-ins of all languages. To display only plug-in of specific language, select the language from Show the Administration Console localization language or drop-down list. The list of plug-ins includes the following columns:

• Application name

  The plug-ins depending of the protection areas and platforms that you have selected on the previous step are selected.

• Application version

  The list includes plug-ins of all the versions placed on Kaspersky servers. By default, the plug-ins of the latest versions are selected.

• Localization language

  By default, the localization language of a plug-in is defined by the Kaspersky Security Center language that you have selected at installation. You can specify other languages in Show the Administration Console localization language or drop-down list.

After the plug-ins are selected, their installation starts automatically in a separate window. To install some plug-ins, you must accept the terms of the EULA. Read the text of EULA, select the I accept the terms of the License Agreement option and click the Install button. If you do not accept the terms of the EULA, the plug-in is not installed.

After the installation completes, close the installation window.

You can also select the management plug-ins later, separately from the Quick Start Wizard.

Step 6. Downloading distribution packages and creating installation packages

Kaspersky Endpoint Security for Windows includes encryption tool for the information stored on client devices. To download a distribution package of Kaspersky Endpoint Security for Windows valid for the needs of your organization, consult the legislation of the country where the client devices of your organization are located. In the Encryption type window, select one of the following encryption types:

• Strong encryption (AES256). This encryption type uses 256-bit key length.
• Lite encryption (AES56). This encryption type uses 56-bit key length.

The Encryption type window is displayed only if you have selected Workstations as a protection area and Microsoft Windows as a platform.

After you have selected an encryption type, a list of distribution packages of both encryption types is displayed. A distribution package with the selected encryption type is selected in the list. The distribution package language corresponds to the Kaspersky Security Center language. If a distribution package of Kaspersky Endpoint Security for Windows for the Kaspersky Security Center language does not exist, the English distribution package is selected.

In the list, you can select distribution package languages by means Show the Administration Console localization language or drop-down list.

Distributives of managed applications may require a specific minimum version of Kaspersky Security Center to be installed.

In the list, you can select distribution packages of any encryption type, different of that you have selected in the Encryption type window. After you have selected a distribution package for Kaspersky Endpoint Security for Windows, downloading of the distribution packages, corresponding to the components and platforms, starts. You can monitor the downloading progress in the Download status column. After the Quick Start Wizard has finished, installation packages of Network Agent for Windows and managed Kaspersky applications are displayed in the Administration Server → Advanced → Remote installation → Installation packages list.

To finish downloading of some distribution packages you must accept EULA. When you click the Accept button, the text of EULA is displayed. To proceed to the next step of the Wizard, you must accept the terms and conditions of the EULA and the terms and conditions of Kaspersky Privacy Policy. Select the options related to the EULA and Kaspersky Privacy Policy, and then click the Accept all button. If you do not accept the terms and conditions, the downloading of the package is canceled.

After you have accepted the terms and conditions of the EULA and the terms and conditions of Kaspersky Privacy Policy, the downloading of the distribution packages continues. When the downloading is finished, the Installation package is created status is displayed. Later, you can use installation packages to deploy Kaspersky applications on client devices.

If you prefer not to run the Wizard, you can create installation packages manually by going to Administration Server → Advanced → Remote installation → Installation packages in the Administration Console tree.

Step 7. Configuring Kaspersky Security Network usage

Expand all | Collapse all

You can obtain access to the reputation databases of Kaspersky Security Network to ensure faster responses by Kaspersky applications to threats, improve the effectiveness of some protection components, and reduce the risk of false positives.

Read the KSN Statement, which is displayed in the window. Specify the settings for relaying information about Kaspersky Security Center operations to the Kaspersky Security Network knowledge base. Select one of the following options:

• I agree to use Kaspersky Security Network

  Kaspersky Security Center and managed applications installed on client devices will automatically transfer their operation details to Kaspersky Security Network. Participation in Kaspersky Security Network ensures faster updates of databases containing information about viruses and other threats, which ensures a faster response to emergent security threats.

• I do not agree to use Kaspersky Security Network

  Kaspersky Security Center and managed applications will provide no information to Kaspersky Security Network.

  If you select this option, the use of Kaspersky Security Network will be disabled.

If you downloaded the Kaspersky Endpoint Security for Windows plug-in, both KSN statements—the KSN Statement for Kaspersky Security Center and the KSN Statement for Kaspersky Endpoint Security for Windows—are displayed. KSN statements for other managed Kaspersky applications whose plug-ins were downloaded are displayed in separate windows and you must accept (or not accept) each of the statements separately.

You can also set up Administration Server access to Kaspersky Security Network (KSN) later in the Administration Server properties window of Administration Console.

Step 8. Configuring email notifications

Expand all | Collapse all

Configure the sending of notifications about events registered during the operation of Kaspersky applications on managed devices. These settings are used as the default settings for Administration Server.

To configure the delivery of notifications about events occurring in Kaspersky applications, use the following settings:

• Recipients (email addresses)

  The email addresses of users to whom the application will send notifications. You can enter one or more addresses; if you enter more than one address, separate them with a semicolon.

• SMTP servers

  The address or addresses of your organization's mail servers.

  If you enter more than one address, separate them with a semicolon. You can use the IP address or the Windows network name (NetBIOS name) of a device as the address.

• SMTP server port

  Communication port number of the SMTP server. If you use several SMTP servers, the connection to them is established through the specified communication port. The default port number is 25.

• Use ESMTP authentication

  Enables support of ESMTP authentication. When the check box is selected, in the User name and Password fields you can specify the ESMTP authentication settings. By default, this check box is cleared.

• Settings

  Specify the following settings:

  • Subject (subject of an email message)
  • Sender email address
  • TLS settings for SMTP server

  You can specify TLS settings for SMTP server:

  You can disable usage of TLS, use TLS if the SMTP server supports this protocol, or you can force usage of TLS only. If you choose to use only TLS, specify a certificate for authentication of the SMTP server and choose whether you want to enable communication through any version of TLS or only through TLS 1.2 or later versions. Also, if you choose to use only TLS, you can specify a certificate for client authentication on the SMTP server.

  • Browse for an SMTP server certificate file:

  You can receive a file with the list of certificates from a trusted certification authority, and then upload the file to Administration Server. Kaspersky Security Center checks whether the certificate of an SMTP server is also signed by a trusted certification authority. Kaspersky Security Center cannot connect to an SMTP server if the certificate of the SMTP server is not received from a trusted certification authority.

  • Browse for a client certificate file:

  You can use a certificate that you received from any source, for example, from any trusted certification authority. You must specify the certificate and its private key by using one of the following certificate types:

  • X-509 certificate:

  Specify the file with the certificate and the file with the private key. You can upload these files in any order. When both files are uploaded, specify the password to decrypt the private key. The password can have an empty value if the private key is not encrypted.

  • pkcs12 container:

  You must upload a single file that contains the certificate and its private key. When the file is loaded, then you must specify the password for decoding the private key. The password can have an empty value if the private key is not encoded.

You can test the new email notification settings by clicking the Send test message button.

You can also configure event notifications later, separately from the Quick Start Wizard.

Step 9. Configuring update management

Expand all | Collapse all

Configure the settings for managing updates of applications installed on client devices.

You can configure these settings only if you have provided a license key with the Vulnerabilities and Patch management option.

In the Search for updates and install them group of settings, you can select a mode of Kaspersky Security Center update search and installation:

• Search for required updates

  The Find vulnerabilities and required updates task is created.

  This option is selected by default.

• Find and install required updates

  The Find vulnerabilities and required updates and Install required updates and fix vulnerabilities tasks are created automatically, if you do not have ones.

In the Windows Server Update Services group of settings, you can select the update synchronization method:

• Use update sources defined in the domain policy

  Client devices will download Windows Update updates according to your domain policy settings. Network Agent policy is created automatically, if you do not have one.

• Use Administration Server as a WSUS server

  Client devices will download Windows Update updates from the Administration Server. The Perform Windows Update synchronization task and Network Agent policy are created automatically, if you do not have ones.

If you prefer not to run the Quick Start Wizard, create the Find vulnerabilities and required updates and Install required updates and fix vulnerabilities tasks later. To use Administration Server as the WSUS server, create the Perform Windows Update synchronization task, and then select the Use Administration Server as a WSUS server option in the Network Agent policy.

Page top

Step 10. Creating an initial protection configuration

The Configure initial protection window displays a list of policies and tasks that are created automatically. The following policies and tasks are created:

• Kaspersky Security Center Network Agent policy
• Policies for managed Kaspersky applications
• Administration Server maintenance task
• Backup of Administration Server data task
• Download updates to the Administration Server repository task
• Find vulnerabilities and required updates task
• Install update task

Wait for the creation of policies and tasks to complete before proceeding to the next step of the Wizard.

If you have downloaded and installed the plug-in for Kaspersky Endpoint Security for Windows 10 Service Pack 1 and later till the 11.0.1, during the creation of policies and tasks, a window opens for initial configuration of the trusted zone of Kaspersky Endpoint Security for Windows. The application will prompt you to add vendors verified by Kaspersky to the trusted zone for the purposes of excluding their applications from scans to prevent them from being accidentally blocked. You can create recommended exclusions now or create a list of exclusions later by selecting the following in the console tree: Policies → Kaspersky Endpoint Security properties menu → Advanced Threat Protection → Trusted zone → Settings → Add. The list of scan exclusions is available for editing at any time when using the application.

Operations on the trusted zone are performed by using tools integrated into Kaspersky Endpoint Security for Windows. For detailed instructions on how to perform operations and a description of encryption features please refer to Kaspersky Endpoint Security for Windows Online Help.

To finish initial configuration of the trusted zone and return to the Wizard, click OK.

Click Next. This button becomes available after all necessary policies and tasks have been created.

You can also create the required tasks and policies later, separately from the Quick Start Wizard.

Step 11. Connecting mobile devices

Expand all | Collapse all

If you previously enabled the Mobile devices protection area in the Wizard settings, specify the settings for connecting the enterprise mobile devices of the managed organization. If you did not enable Mobile devices protection area, this step is skipped.

At this step of the Wizard, do the following:

• Configure ports for connection of mobile devices
• Configure Administration Server authentication
• Create or manage certificates
• Set up issuance, automatic updating, and encryption of general-type certificates
• Create a moving rule for mobile devices

To set up the ports for connection of mobile devices:

1. Click the Configure button to the right of the Mobile device connection field.
2. In the drop-down list, select Configure ports.

   The Administration Server properties window opens, displaying the Additional ports section.

3. In the Additional ports section, you can specify the mobile device connection settings:
   • SSL port for the activation proxy server

     The number of an SSL port for connection of Kaspersky Endpoint Security for Windows to activation servers of Kaspersky.

     The default port number is 17000.

   • Open port for mobile devices

     A port opens for mobile devices to connect to the Licensing Server. You can define the port number and other settings in the fields below.

     By default, this option is enabled.

   • Port for mobile device synchronization

     Number of the port through which mobile devices connect to the Administration Server and exchange data with it. The default port number is 13292.

     You can assign a different port if port 13292 is being used for other purposes.

   • Port for mobile device activation

     The port for connection of Kaspersky Endpoint Security for Android to activation servers of Kaspersky.

     The default port number is 17100.

   • Open port for UEFI protection devices and KasperskyOS devices

     UEFI protection devices can connect to the Administration Server.

   • Port for UEFI protection devices and KasperskyOS devices

     You can change the port number if the Open port for UEFI protection devices and KasperskyOS devices option is enabled. The default port number is 13294.

4. Click OK to save changes and return to the Quick Start Wizard.

You will have to configure authentication of the Administration Server by mobile devices and authentication of mobile devices by the Administration Server. If you want, you can configure authentication later, separately from the Quick Start Wizard.

To configure Administration Server authentication by mobile devices:

1. Click the Configure button to the right of the Mobile device connection field.
2. In the drop-down list, select Configure authentication.

   The Administration Server properties window opens, displaying the Certificates section.

3. Select the authentication option for mobile devices in the Administration Server authentication by mobile devices group of settings, and select the authentication option for UEFI protection devices in the Administration Server authentication by UEFI protection devices group of settings.

   When Administration Server exchanges data with client devices, it is authenticated through the use of a certificate.

   By default, Administration Server uses the certificate that was created during Administration Server installation. If you want, you can add a new certificate.

To add a new certificate (optional):

1. Select Other certificate.

   The Browse button appears.

2. Click the Browse button.
3. In the window that opens, specify the certificate settings:
   • Certificate type

     In the drop-down list, you can select a certificate type:

     • X.509 certificate. If this option is selected, you should specify the private key of a certificate and an open certificate:
       • Private key (.prk, .pem). In this field, click the Browse button to specify the private key of a certificate in PKCS #8 (*.prk) format.
       • Public key (.cer). In this field, click the Browse button to specify a public key in PEM (*.cer) format.
     • PKCS #12 container. If you select this option, you can specify a certificate file in P12 or PFX format by clicking the Browse button and filling in the Certificate file field.
   • Activation time:
     • Immediately

       The current certificate will be immediately replaced with the new one after you click OK.

       Previously connected mobile devices will not be able to connect to Administration Server.

     • After this period expires, days

       If you select this option, a reserve certificate will be generated. The current certificate will be replaced with the new one in the specified number of days. The effective date of the reserve certificate is displayed in the Certificates section.

       It is recommended that you plan the reissue in advance. The reserve certificate must be downloaded to the mobile devices before the specified period expires. After the current certificate is replaced with the new one, previously connected mobile devices that do not have the reserve certificate will not be able to connect to Administration Server.

4. Click the Properties button to view the settings of the selected Administration Server certificate.

To reissue a certificate issued through Administration Server:

1. Select Certificate issued through Administration Server.
2. Click the Reissue button.
3. In the window that opens, specify the following settings:
   • Connection address:
     • Use old connection address

       The address of the Administration Server to which mobile devices connect remains unchanged.

       This option is selected by default.

     • Change connection address to

       If you want mobile devices to connect to a different address, specify the relevant address in this field.

       If the address for mobile device connection has changed, a new certificate must be issued. The old certificate becomes invalid on all mobile devices connected. Previously connected devices will not be able to connect to Administration Server so they will become unmanaged.

   • Activation time:
     • Immediately

       The current certificate will be immediately replaced with the new one after you click OK.

       Previously connected mobile devices will not be able to connect to Administration Server.

     • After this period expires, days

       If you select this option, a reserve certificate will be generated. The current certificate will be replaced with the new one in the specified number of days. The effective date of the reserve certificate is displayed in the Certificates section.

       It is recommended that you plan the reissue in advance. The reserve certificate must be downloaded to the mobile devices before the specified period expires. After the current certificate is replaced with the new one, previously connected mobile devices that do not have the reserve certificate will not be able to connect to Administration Server.

4. Click OK to save changes and return to the Certificates window.
5. Click OK to save changes and return to the Quick Start Wizard.

To set up issuance, automatic updating, and encryption of general-type certificates for identification of mobile devices by Administration Server:

1. Click the Configure button on the right of the Mobile device authentication field.

   The Certificate issuance rules window opens, displaying the Issuance of mobile certificates section.

2. If necessary, specify the following settings in the Issuance settings section:
   • Certificate lifetime, days

     Certificate lifetime period in days. The default lifetime of a certificate is 365 days. When this period expires, the mobile device will not be able to connect to the Administration Server.

   • Certificate source

     Select the source of general-type certificates for mobile devices: certificates are issued by Administration Server, or they are specified manually.

     You can modify the certificate templates if integration with the public key infrastructure (PKI) has been configured in the Integration with PKI section. In this case, the following template selection fields are available:

   • Default template

     Use a certificate issued by an external certificate source – Certification Center – under the default template.

     By default, this option is selected.

   • Other template

     Select a template used to issue certificates. You can specify certificate templates in the domain. The Refresh list button updates the list of certificate templates.

3. If necessary, specify the following settings for automatic issuance of certificates in the Automatic Updates settings section:
   • Renew when certificate is to expire in (days)

     The number of days remaining until the current certificate's expiration during which Administration Server should issue a new certificate. For example, if the value of the field is 4, Administration Server issues a new certificate four days before the current certificate expires. The default value is 7.

   • Reissue certificate automatically if possible

     Select this option to reissue a certificate automatically for the number of days specified in the Renew when certificate is to expire in (days) field. If a certificate was manually defined, it cannot be automatically renewed, and the enabled option will not work.

     By default, this option is disabled.

   Certificates are automatically reissued by a Certification Authority.

4. If necessary, in the Password protection settings section, specify the settings for decrypting certificates during installation.

   Select the Prompt for password during certificate installation option to prompt the user for password when the certificate is installed on a mobile device. The password is used only once—during installation of the certificate on the mobile device.

   The password will be automatically generated by Administration Server and sent to the email address that you specified. You can specify the user's email address, or your own email address if you want to use another method to forward the password to the user.

   You can use the slider to specify the number of characters in the certificate decryption password.

   The password prompting option is required, for example, to protect a shared certificate in a stand-alone Kaspersky Endpoint Security for Android installation package. Password protection will prevent an intruder from obtaining access to the shared certificate through theft of the stand-alone installation package from Kaspersky Security Center Web Server.

   If this option is disabled, the certificate is automatically decrypted during installation and the user will not be prompted for a password. By default, this option is disabled.

5. Click OK to save changes and return to the Quick Start Wizard window.

   Click the Cancel button to return to the Quick Start Wizard without saving any changes made.

To enable the function for moving mobile devices to an administration group that you choose,

In the Automatic moving of mobile devices field, select the Create a moving rule for mobile devices option.

If the Create a moving rule for mobile devices option is selected, the application automatically creates a moving rule that moves devices running Android and iOS to the Managed devices group:

• With Android operating systems on which a Kaspersky Endpoint Security for Android and a mobile certificate are installed
• With iOS operating systems on which the iOS MDM profile with a shared certificate is installed

If such a rule already exists, the application does not create it again.

By default, this option is disabled.

Kaspersky no longer supports Kaspersky Safe Browser.

Step 12. Downloading updates

Updates for anti-virus databases for Kaspersky Security Center and managed Kaspersky applications are downloaded automatically. The updates are downloaded from Kaspersky servers.

To download updates separately from the Quick Start Wizard, create and configure the Download updates to the repository of the Administration Server task.

Page top

Step 13. Device discovery

The Network poll window displays information about the status of network polling performed by the Administration Server.

You can view network devices detected by Administration Server and receive help on working with the Device discovery window by clicking the links in the lower part of the window.

You can poll your network later. If you prefer not to run the Quick Start Wizard, use Administration Console to configure the polling of Windows domains, Active Directory, and IP ranges by the distribution point.

Step 14. Closing the Quick Start Wizard

In the Quick Start Wizard completion window, select the Run the Remote Installation Wizard option if you want to start automatic installation of anti-virus applications and/or Network Agent on devices on your network.

To complete the Wizard, click the Finish button.

Configuring the connection of Administration Console to Administration Server

In earlier versions of Kaspersky Security Center, Administration Console was connected to Administration Server through SSL port TCP 13291, as well as SSL port TCP 13000. Starting from Kaspersky Security Center 10 Service Pack 2, the SSL ports used by the application are strictly separated and misuse of ports is not possible:

• SSL port TCP 13291 can only be used by Administration Console and klakaut automation objects.
• SSL port TCP 13000 can only be used by Network Agent, a secondary Administration Server, and the primary Administration Server in DMZ.

Port TCP 14000 can be used for connecting Administration Console, distribution points, secondary Administration Servers, and klakaut automation objects, as well as for receiving data from client devices.

In some cases, Administration Console may have to be connected through SSL port 13000:

• If a single SSL port is likely to be used both for Administration Console and for other activities (receiving data from client devices, connecting distribution points, connecting secondary Administration Servers).
• If a klakaut automation object is not connected to Administration Server directly but through a distribution point in the DMZ.

To allow the connection of Administration Console over port 13000:

1. Open the system registry of the device on which Administration Server is installed (for example, locally, using the regedit command in the Start → Run menu).
2. Go to the following hive:
   • For 32-bit systems:

     HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\.core\.independent\KLLIM

   • For 64-bit systems:

     HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\.core\.independent\KLLIM

3. For the LP_ConsoleMustUsePort13291 (DWORD) key, set 00000000 as the value.

   The default value specified for this key is 1.

4. Restart the Administration Server service.

You will now be able to connect Administration Console to Administration Server over port 13000.

Requirements for custom certificates used in Kaspersky Security Center

The table below shows the requirements for custom certificates specified for different components of Kaspersky Security Center.

Requirements for Kaspersky Security Center certificates

Connecting out-of-office devices

This section describes how to connect out-of-office devices (that is, managed devices that are located outside of the main network) to Administration Server.

Scenario: Connecting out-of-office devices through a connection gateway

This scenario describes how to connect managed devices that are located outside of the main network to Administration Server.

Prerequisites

The scenario has the following prerequisites:

• A demilitarized zone (DMZ) is organized in your organization's network.
• Kaspersky Security Center Administration Server is deployed on the corporate network.

Stages

This scenario proceeds in stages:

1. Selecting a client device in the DMZ

   This device will be used as a connection gateway. The device that you select must meet the requirements for connection gateways.

2. Installing Network Agent in the connection gateway role

   We recommend that you use a local installation to install Network Agent on the selected device.

   By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>

   In the Connection gateway window of the Network Agent Setup Wizard, select Use Network Agent as a connection gateway in DMZ. This mode simultaneously activates the connection gateway role and tells Network Agent to wait for connections from Administration Server, rather than establish connections to Administration Server.

   Alternatively, you can install Network Agent on a Linux device and configure Network Agent to work as a connection gateway, but pay attention to the list of limitations of Network Agent running on Linux devices.

3. Allowing connections in firewalls on the connection gateway

   To make sure that Administration Server can actually connect to the connection gateway in the DMZ, allow connections to TCP port 13000 in all firewalls between Administration Server and the connection gateway.

   If the connection gateway has no real IP address on the internet, but instead is located behind Network Address Translation (NAT), configure a rule to forward connections through NAT.

4. Creating an administration group for external devices

   Create a new group under the Managed devices group. This new group will contain external managed devices.

5. Connecting the connection gateway to Administration Server

   The connection gateway that you have configured is waiting for a connection from Administration Server. However, Administration Server does not list the device with the connection gateway among managed devices. This is because the connection gateway has not tried to establish a connection to Administration Server. Therefore, you need a special procedure to ensure that Administration Server initiates a connection to the connection gateway.

   Do the following:

   1. Add the connection gateway as a distribution point.
   2. Move the connection gateway from the Unassigned devices group to the group that you have created for external devices.

   The connection gateway is connected and configured.

6. Connecting external desktop computers to Administration Server

   Usually, external desktop computers are not moved inside the perimeter. Therefore, you need to configure them to connect to Administration Server through the gateway when installing Network Agent.

7. Setting up updates for external desktop computers

   If updates of security applications are configured to be downloaded from Administration Server, external computers download updates through the connection gateway. This has two disadvantages:

   • This is unnecessary traffic, which takes up bandwidth of the company's internet communication channel.
   • This is not necessarily the quickest way to get updates. It is very likely that it would be cheaper and faster for external computers to receive updates from Kaspersky update servers.

   Do the following:

   1. Move all external computers to the separate administration group that you created earlier.
   2. Exclude the group with external devices from the update task.
   3. Create a separate update task for the group with external devices.
8. Connecting traveling laptops to Administration Server

   Traveling laptops are within the network sometimes and outside the network at other times. For effective management, you need them to connect to Administration Server differently depending on their location. For efficient use of traffic, they also need to receive updates from different sources, depending on their location.

   You need to configure rules for out-of-office users: connection profiles and network location descriptions. Each rule defines the Administration Server instance to which traveling laptops must connect, depending on their location and the Administration Server instance from which they must receive updates.

About connecting out-of-office devices

Some managed devices are always located outside of the main network (for example, computers in a company's regional branches; kiosks, ATMs, and terminals installed at various points of sale; computers in the home offices of employees). Some devices travel outside the perimeter from time to time (for example, laptops of users who visit regional branches or a customer's office).

You still need to monitor and manage the protection of out-of-office devices—receive actual information about their protection status and keep the security applications on them in the up-to-date state. This is necessary because, for example, if such a device is compromised while being away from the main network, it could become a platform for propagating threats as soon as it connects to the main network. To connect out-of-office devices to Administration Server, you can use two methods:

• Connection gateway in the demilitarized zone (DMZ)

  See the data traffic scheme: Administration Server on LAN, managed devices on the Internet, connection gateway in use

• Administration Server in DMZ

  See the data traffic scheme: Administration Server in DMZ, managed devices on Internet

A connection gateway in the DMZ

A recommended method for connecting out-of-office devices to Administration Server is organizing a DMZ in the organization's network and installing a connection gateway in the DMZ. External devices will connect to the connection gateway, and Administration Server inside the network will initiate a connection to the devices via the connection gateway.

As compared to the other method, this one is more secure:

• You do not need to open access to Administration Server from outside the network.
• A compromised connection gateway does not pose a high risk to the safety of the network devices. A connection gateway does not actually manage anything itself and does not establish any connections.

Also, a connection gateway does not require many hardware resources.

However, this method has a more complicated configuration process:

• To act a device as a connection gateway in the DMZ, you need to install Network Agent and connect it to Administration Server in a specific way.
• You will not be able to use the same address for connecting to Administration Server for all situations. From outside the perimeter, you will need to use not just a different address (connection gateway address), but also a different connection mode: through a connection gateway.
• You also need to define different connection settings for laptops in different locations.

The scenario in this section describes this method.

Administration Server in the DMZ

Another method is installing a single Administration Server in the DMZ.

This configuration is less secure than the other method. To manage external laptops in this case, Administration Server must accept connections from any address on the internet. It will still manage all devices in the internal network, but from the DMZ. Therefore, a compromised Server could cause an enormous amount of damage, despite the low likelihood of such an event.

The risk gets significantly lower if Administration Server in the DMZ does not manage devices in the internal network. Such a configuration can be used, for example, by a service provider to manage the devices of customers.

You might want to use this method in the following cases:

• If you are familiar with installing and configuring Administration Server, and do not want to perform another procedure to install and configure a connection gateway.
• If you need to manage more devices. The maximum capacity of Administration Server is 100,000 devices, while a connection gateway can support up to 10,000 devices.

This solution also has possible difficulties:

• Administration Server requires more hardware resources and one more database.
• Information about devices will be stored in two unrelated databases (for Administration Server inside the network and another one in the DMZ), which complicates monitoring.
• To manage all devices, Administration Server needs to be joined into a hierarchy, which complicates not only monitoring but also management. A secondary Administration Server instance imposes limitations on the possible structures of administration groups. You have to decide how and which tasks and policies to distribute to a secondary Administration Server instance.
• Configuring external devices to use Administration Server in the DMZ from the outside and to use the primary Administration Server from the inside is not simpler than to just configure them to use a conditional connection through a gateway.
• High security risks. A compromised Administration Server instance makes it easier to compromise its managed laptops. If this happens, the hackers just need to wait for one of the laptops to return to the corporate network so that they can continue their attack on the local area network.

Connecting external desktop computers to Administration Server

Desktop computers that are always outside of the main network (for example, computers in the company's regional branches; kiosks, ATMs, and terminals installed at various points of sale; computers in the home offices of employees) cannot be connected to Administration Server directly. They must be connected to Administration Server via a connection gateway that is installed in the demilitarized zone (DMZ). This configuration is made when installing Network Agent on those computers.

To connect external desktop computers to Administration Server:

1. Create a new installation package for Network Agent.
2. Open the properties of the created installation package and go to the Advanced section, and then select the Connect to Administration Server by using connection gateway option.

   The Connect to Administration Server by using connection gateway setting is incompatible with the Use Network Agent as a connection gateway in DMZ setting. You cannot enable both of these settings at the same time.

3. In Connection gateway address, specify the public address of the connection gateway.

   If the connection gateway is located behind Network Address Translation (NAT) and does not have its own public address, configure a NAT gateway rule for forwarding connections from the public address to the internal address of the connection gateway.

4. Create a stand-alone installation package based on the created installation package.
5. Deliver the stand-alone installation package to the target computers, either electronically or on a removable drive.
6. Install Network Agent from the stand-alone package.

External desktop computers are connected to Administration Server.

About connection profiles for out-of-office users

Out-of-office users of laptops (hereinafter also referred to as "devices") may need to change the method of connecting to an Administration Server or switch between Administration Servers depending on the current location of the device on the enterprise network.

Connection profiles are supported only for devices running Windows.

Using different addresses of a single Administration Server

The following procedure is only applied to Kaspersky Security Center 10 Service Pack 1 and later.

Devices with Network Agent installed can connect to the Administration Server either from the organization's intranet or from the internet. This situation may require Network Agent to use different addresses for connection to Administration Server: the external Administration Server address for the Internet connection and the internal Administration Server address for the internal network connection.

To do this, you must add a profile (for connection to Administration Server from the Internet) to the Network Agent policy. Add the profile in the policy properties (Connectivity section, Connection profiles subsection). In the profile creation window, you must disable the Use to receive updates only option and select the Synchronize connection settings with the Administration Server settings specified in this profile option. If you use a connection gateway to access Administration Server (for example, in a Kaspersky Security Center configuration as that described in Internet access: Network Agent as connection gateway in DMZ), you must specify the address of the connection gateway in the corresponding field of the connection profile.

Switching between Administration Servers depending on the current network

The following procedure is only applied to Kaspersky Security Center 10 Service Pack 2 Maintenance Release 1 and any later versions.

If the organization has multiple offices with different Administration Servers and some of the devices with Network Agent installed move between them, you need Network Agent to connect to the Administration Server of the local network in the office where the device is currently located.

In this case, you must create a profile for connection to Administration Server in the properties of the policy of Network Agent for each of the offices, except for the home office where the original home Administration Server is located. You must specify the addresses of Administration Servers in connection profiles and enable or disable the Use to receive updates only option:

• Select the option if you need Network Agent to be synchronized with the home Administration Server, while using the local Server for downloading updates only.
• Disable this option if it is necessary for Network Agent to be managed completely by the local Administration Server.

After that, you must set up the conditions of switching to the newly created profiles: at least one condition for each of the offices, except for the home office. Every condition's purpose consists in detection of items that are specific for an office's network environment. If a condition is true, the corresponding profile gets activated. If none of the conditions is true, Network Agent switches to the home Administration Server.

Creating a connection profile for out-of-office users

Expand all | Collapse all

An Administration Server connection profile is available only on devices running Windows.

To create a profile for connecting Network Agent to Administration Server for out-of-office users:

1. In the console tree, select the administration group containing the client devices for which you need to create a profile for connecting Network Agent to the Administration Server.
2. Do one of the following:
   • If you want to create a connection profile for all devices in the group, select a Network Agent policy in the group workspace, on the Policies tab. Open the properties window of the selected policy.
   • If you want to create a connection profile for a device in a group, select that device in the group workspace, on the Devices tab, and perform the following actions:
     1. Open the properties window of the selected device.
     2. In the Applications section of the device properties window, select Network Agent.
     3. Open the Network Agent properties window.
3. In the properties window, in the Connectivity section, select the Connection profiles subsection.
4. In the Administration Server connection profiles settings group, click the Add button.

   By default, the list of connection profiles contains the <Offline mode> and <Home Administration Server> profiles. Profiles cannot be edited or removed.

   The <Offline mode> profile does not specify any Server for connection. Therefore, Network Agent, when switched to that profile, does not attempt to connect to any Administration Server while applications installed on client devices run under out-of-office policies. The <Offline mode> profile can be used if devices are disconnected from the network.

   The <Home Administration Server> profile specifies for connection the Administration Server that was selected during Network Agent installation. The <Home Administration Server> profile is applied when a device is reconnected to the home Administration Server after it was running on an external network for some time.

5. In the New profile window that opens, configure the connection profile:
   • Profile name

     In the entry field you can view or change the connection profile name.

   • Administration Server

     Address of the Administration Server to which the client device must connect during profile activation.

   • Port

     Port number that is used for connection.

   • SSL port

     Port number for connection if using the SSL protocol.

   • Use SSL

     If this option is enabled, the connection is established through a secure port, by using SSL protocol.

     By default, this option is enabled. We recommend that you do not disable this option so your connection remains secured.

   • Click the Configure connection through proxy server link to configure connection through a proxy server. Select the Use proxy server option if you want to use a proxy server when connecting to the internet. If this option is selected, the fields are available for entering settings. Specify the following settings for proxy server connection:
     • Proxy server address

       Address of the proxy server used for Kaspersky Security Center connection to the internet.

     • Port number

       Number of the port through which Kaspersky Security Center proxy connection will be established.

     • Proxy server authentication

       If this check box is selected, in the entry fields you can specify the credentials for proxy server authentication.

       This entry field is available if the Use proxy server check box is selected.

     • User name (this field is available if the Proxy server authentication option is selected)

       User account under which connection to the proxy server is established (this field is available if the Proxy server authentication check box is selected).

     • Password (this field is available if the Proxy server authentication option is selected)

       Password set by the user under whose account the proxy server connection is established (this field is available if the Proxy server authentication check box is selected).

       To see the entered password, click and hold the Show button for as long as you require.

   • Connection gateway settings

     Address of the gateway through which client devices connect to the Administration Server.

   • Enable out-of-office mode

     If this option is enabled, in case of connection through this profile, applications installed on the client device use policy profiles for devices in out-of-office mode, as well as out-of-office policies. If no out-of-office policy has been defined for the application, the active policy will be used.

     If this option is disabled, applications will use active policies.

     By default, this option is disabled.

   • Use to receive updates only

     If this option is enabled, the profile will only be used for downloading updates by applications installed on the client device. For other operations, connection to the Administration Server will be established with the initial connection settings defined during Network Agent installation.

     By default, this option is enabled.

   • Synchronize connection settings with the Administration Server settings specified in this profile

     If this option is enabled, Network Agent connects to Administration Server using the settings specified in the profile properties.

     If this option is disabled, Network Agent connects to Administration Server using the original settings that have been specified during installation.

     This option is available if the Use to receive updates only option is disabled.

     By default, this option is disabled.

6. Select the Enable out-of-office mode when Administration Server is not available option to allow the applications installed on a client device to use policy profiles for devices in out-of-office mode, as well as out-of-office policies, at any connection attempt if the Administration Server is not available. If no out-of-office policy has been defined for the application, the active policy will be used.

A profile for connecting Network Agent to Administration Server is created for out-of-office users. When Network Agent connects to Administration Server using this profile, applications installed on the client device will use policies for devices in out-of-office mode, or out-of-office policies.

About switching Network Agent to other Administration Servers

The initial settings of the Network Agent connection to Administration Server are defined when installing the Network Agent. To switch the Network Agent to other Administration Servers, you can use the switching rules. This feature is supported only for Network Agents installed on devices running Windows.

The switching rules can trigger on changing the following network parameters:

• Default gateway address.
• IP address of the Dynamic Host Configuration Protocol (DHCP) server.
• DNS suffix of the subnet.
• IP address of the network DNS server.
• Windows domain accessibility.
• Subnet address and mask.
• IP address of the network WINS server.
• DNS or NetBIOS name of the client device.
• SSL connection address accessibility.

If rules for switching the Network Agent to other Administration Servers have been created, the Network Agent responds to changes in the network parameters as follows:

• If the network settings comply with one of the rules created, Network Agent connects to the Administration Server specified in this rule. Applications installed on client devices switch to out-of-office policies, provided such behavior is enabled by a rule.
• If none of the rules apply, Network Agent reverts to the default settings of connection to the Administration Server specified during the installation. Applications installed on client devices switch back to active policies.
• If the Administration Server is not accessible, Network Agent uses out-of-office policies.

Network Agent switches to the out-of-office policy only if the Enable out-of-office mode when Administration Server is not available option is enabled in the Network Agent policy settings.

The settings of Network Agent connection to Administration Server are saved in a connection profile. In the connection profile, you can create rules for switching client devices to out-of-office policies, and you can configure the profile so that it could only be used for downloading updates.

Creating a Network Agent switching rule by network location

Expand all | Collapse all

Network Agent-switching by network location is available only on devices running Windows.

To create a rule for Network Agent switching from one Administration Server to another if network settings change:

1. In the console tree, select the administration group containing the devices for which you need to create a Network Agent switching rule by the network location description.
2. Do one of the following:
   • If you want to create a rule for all devices in the group, go to the group workspace and select a Network Agent policy on the Policies tab. Open the properties window of the selected policy.
   • If you want to create a rule for a device selected from a group, go to the group workspace, select the device on the Devices tab, and perform the following actions:
     1. Open the properties window of the selected device.
     2. In the Applications section of the device properties window, select Network Agent.
     3. Open the Network Agent properties window.
3. In the properties window that opens, in the Connectivity section, select the Connection profiles subsection.
4. In the Network location settings section, click the Add button.
5. In the New description window that opens, configure the network location description and switching rule. Specify the following network location description settings:
   • Network location description name

     The name of a network location description cannot be longer than 255 characters nor contain special symbols, such as ("*<>?\/:|).

   • Use connection profile

     In the drop-down list you can specify the connection profile that Network Agent uses to connect to the Administration Server. This profile will be used when the network location description conditions are met. The connection profile contains the settings for Network Agent connection to the Administration Server; it also defines when client devices must switch to out-of-office policies. The profile is used only for downloading updates.

6. In the Switch conditions section, click the Add button to create a list of network location description conditions.

   The conditions in a rule are combined by using the logical AND operator. To trigger a switching rule by the network location description, all of the rule switching conditions must be met.

7. In the drop-down list, select the value that corresponds to the change in characteristics of the network to which the client device is connected:
   • Default connection gateway address—The address of the main network gateway has changed.
   • DHCP server address—The IP address of the network Dynamic Host Configuration Protocol (DHCP) server has changed.
   • DNS domain—The DNS suffix of the subnet has changed.
   • DNS server address—The IP address of the network DNS server has changed.
   • Windows domain accessibility—Changes the status of the Windows domain to which the client device is connected.
   • Subnet—Changes the subnet address and mask.
   • WINS server address—The IP address of the network WINS server has changed.
   • Name resolvability—The DNS or NetBIOS name of the client device has changed.
   • SSL connection address accessibility—The client device can or cannot (depending on the option that you select) establish an SSL connection with a specified Server (name:port). For each server, you can additionally specify an SSL certificate. In this case, the Network Agent verifies the Server certificate in addition to checking the capability of an SSL connection. If the certificate does not match, the connection fails.
8. In the window that opens, specify the condition for Network Agent to be switched to another Administration Server. The name of the window depends on the value selected during the previous step. Specify the following settings of the switching condition:
   • Value

     In the field, you can add one or several values for the condition being created.

   • Matches at least one value from the list

     If this option is selected, the condition will be met regardless of any value specified in the Value list.

     By default, this option is selected.

   • Does not match any of the values in the list

     If this option is selected, the condition is met if its value is not in the Value list.

9. In the New description window, select the Description enabled option to enable the use of the new network location description.

A new switching rule by the network location description is created; any time its conditions are met, the Network Agent uses the connection profile specified in the rule to connect to the Administration Server.

The network location descriptions are checked for a match to the network layout in the order of their appearance in the list. If a network matches several descriptions, the first one will be used.

You can change the order of rules on the list using the Up button () and Down button ().

Encrypt communication with SSL/TLS

To fix vulnerabilities on your organization's corporate network, you can enable traffic encryption using SSL/TLS. You can enable SSL/TLS on Administration Server and iOS MDM Server. Kaspersky Security Center supports SSL v3 as well as Transport Layer Security (TLS v1.0, 1.1, and 1.2). You can select encryption protocol and cipher suites. Kaspersky Security Center uses a self-signed certificates. Additional configuration of the iOS devices is not required. You can also use your own certificates. Kaspersky specialists recommend to use certificates issued by trusted certificate authorities.

Administration Server

To configure allowed encryption protocols and cipher suites on the Administration Server:

1. Use the klscflag utility to configure allowed encryption protocols and cipher suites on the Administration Server. Enter the following command at the Windows command prompt, using administrator rights:

   klscflag -fset -pv ".core/.independent" -s Transport -n SrvUseStrictSslSettings -v <value> -t d

   Specify the <value> parameter of the command:

   • 0—All of the supported encryption protocols and cipher suites are enabled
   • 1—SSL v2 is disabled

     Cipher suites:

     • AES256-GCM-SHA384
     • AES256-SHA256
     • AES256-SHA
     • CAMELLIA256-SHA
     • AES128-GCM-SHA256
     • AES128-SHA256
     • AES128-SHA
     • SEED-SHA
     • CAMELLIA128-SHA
     • IDEA-CBC-SHA
     • RC4-SHA
     • RC4-MD5
     • DES-CBC3-SHA
   • 2—SSL v2 and SSL v3 are disabled (default value)

     Cipher suites:

     • AES256-GCM-SHA384
     • AES256-SHA256
     • AES256-SHA
     • CAMELLIA256-SHA
     • AES128-GCM-SHA256
     • AES128-SHA256
     • AES128-SHA
     • SEED-SHA
     • CAMELLIA128-SHA
     • IDEA-CBC-SHA
     • RC4-SHA
     • RC4-MD5
     • DES-CBC3-SHA
   • 3—only TLS v1.2.

     Cipher suites:

     • AES256-GCM-SHA384
     • AES256-SHA256
     • AES256-SHA
     • CAMELLIA256-SHA
     • AES128-GCM-SHA256
     • AES128-SHA256
     • AES128-SHA
     • CAMELLIA128-SHA
2. Restart the following Kaspersky Security Center 13.1 services:
   • Administration Server
   • Web Server
   • Activation Proxy

iOS MDM Server

The connection between the iOS devices and the iOS MDM Server is encrypted default.

To configure allowed encryption protocols and cipher suites on the iOS MDM Server:

1. Open the system registry of the client device that has iOS MDM Server installed (for example, locally, using the regedit command in the Start → Run menu).
2. Go to the following hive:
   • For 32-bit systems:

     HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset

   • For 64-bit systems:

     HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset

3. Create a key with the StrictSslSettings name.
4. Specify DWORD as the key type.
5. Set the key value:
   • 2—SSL v3 is disabled (TLS 1.0, TLS 1.1, TLS 1.2 are allowed)
   • 3—only TLS 1.2 (default value)
6. Restart the Kaspersky Security Center 13.1 iOS MDM Server service.

Notifications of events

This section describes how to select a method for delivering administrator notifications about events on client devices, and how to configure event notification settings.

It also describes how to test the distribution of event notifications by using the Eicar test virus.

Configuring event notification

Expand all | Collapse all

Kaspersky Security Center allows you to select a method of notifying the administrator of events on client devices and to configure notification:

• Email. When an event occurs, the application sends a notification to email addresses specified. You can edit the text of the notification.
• SMS. When an event occurs, the application sends a notification to the phone numbers specified. You can configure SMS notifications to be sent through the mail gateway.
• Executable file. When an event occurs on a device, the executable file is started on the administrator's workstation. Using the executable file, the administrator can receive the parameters of any event that has occurred.

To configure notification of events occurring on client devices:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Events tab.
3. Click the Configure notifications and event export link and select the Configure notifications value in the drop-down list.

   This opens the Properties: Events window.

4. In the Notification section, select a notification method (by email, by SMS, or by running an executable file) and define the notification settings:
   • Email

     The Email tab allows you to configure email notifications for events.

     In the Recipients (email addresses) field, specify the email addresses to which the application will send notifications. You can specify multiple addresses in this field, by separating them with semicolons.

     In the SMTP servers field, specify mail server addresses, by separating them with semicolons. You can use the IP address or DNS name of the SMTP server as the address.

     In the SMTP server port field, specify the number of an SMTP server communication port. The default port number is 25.

     If you enable the Use DNS MX lookup option, you can use several MX records of the IP addresses for the same DNS name of the SMTP server. The same DNS name may have several MX records with different values of priority of receiving email messages. Administration Server attempts to send email notifications to the SMTP server in ascending order of MX records priority. By default, this option is disabled.

     If you enable the Use DNS MX lookup option and do not enable usage of TLS settings, we recommend that you use the DNSSEC settings on your server device as an additional measure of protection for sending email notifications.

     Click the Settings link to define additional notification settings:

     • Subject name (subject name of an email message)
     • Sender email address
     • ESMTP authentication settings

     You have to specify an account for authentication on an SMTP server if the ESMTP authentication option is enabled for the SMTP server.

     • TLS settings for the SMTP server:
       • Do not use TLS

       You can select this option if you want to disable encryption of email messages.

       • Use TLS if supported by SMTP server

       You can select this option if you want to use a TLS connection to an SMTP server. If the SMTP server does not support TLS, Administration Server connects the SMTP server without using TLS.

       • Always use TLS, check the server certificate for validity

       You can select this option if you want to use TLS authentication settings. If the SMTP server does not support TLS, Administration Server cannot connect the SMTP server.

     We recommend that you use this option for better protection of the connection with an SMTP server. If you select this option, you can set authentication settings for a TLS connection.

     If you choose Always use TLS, check the server certificate for validity value, you can specify a certificate for authentication of the SMTP server and choose whether you want to enable communication through any version of TLS or only through TLS 1.2 or later versions. Also, you can specify a certificate for client authentication on the SMTP server.

     You can specify TLS settings for an SMTP server:

     • Browse for an SMTP server certificate file:

     You can receive a file with the list of certificates from a trusted certification authority and upload the file to Administration Server. Kaspersky Security Center checks whether the certificate of an SMTP server is also signed by a trusted certification authority. Kaspersky Security Center cannot connect to an SMTP server if the certificate of the SMTP server is not received from a trusted certification authority.

     • Browse for a client certificate file:

     You can use a certificate that you received from any source, for example, from any trusted certification authority. You must specify the certificate and its private key by using one of the following certificate types:

     • X-509 certificate:

     You must specify a file with the certificate and a file with the private key. Both files do not depend on each other and the order of loading of the files is not significant. When both files are loaded, you must specify the password for decoding the private key. The password can have an empty value if the private key is not encoded.

     • pkcs12 container:

     You must upload a single file that contains the certificate and its private key. When the file is loaded, you must then specify the password for decoding the private key. The password can have an empty value if the private key is not encoded.

     The Notification message field contains standard text with information about the event that the application sends when an event occurs. This text includes substitute parameters, such as event name, device name, and domain name. You can edit the message text by adding other substitute parameters with more relevant details of the event. The list of substitute parameters is available by clicking the button to the right of the field.

     If the notification text contains a percent sign (%), you have to type it twice in a row to allow message sending. For example, "CPU load is 100%%".

     Click the Configure numeric limit of notifications link to specify the maximum number of notifications that the application can send over the specified time interval.

     Click the Send test message button to check if you have configured notifications properly. The application should send a test notification to the email addresses that you specified.

   • SMS

     The SMS tab allows you to configure the transmission of SMS notifications of various events to a cell phone. SMS messages are sent through a mail gateway.

     In the Recipients (email addresses) field, specify the email addresses to which the application will send notifications. You can specify multiple addresses in this field, by separating them with semicolons. The notifications will be delivered to the phone numbers associated with the specified email addresses.

     In the SMTP servers field, specify mail server addresses, by separating them with semicolons. You can use the IP address or the Windows network name (NetBIOS name) of the device as the address.

     In the SMTP server port field, specify the number of an SMTP server communication port. The default port number is 25.

     Click the Settings link to define additional notification settings:

     • Subject name (subject name of an email message)
     • Sender email address
     • ESMTP authentication settings

     If necessary, you can specify an account for authentication on an SMTP server if the option of ESMTP authentication is enabled for the SMTP server.

     • TLS settings for an SMTP server

     You can disable usage of TLS, use TLS if the SMTP server supports this protocol, or you can force usage of TLS only. If you choose to use only TLS, you can specify a certificate for authentication of the SMTP server and choose whether you want to enable communication through any version of TLS or only through TLS 1.2 or later versions. Also, if you choose to use only TLS, you can specify a certificate for client authentication on the SMTP server.

     • Browse for an SMTP server certificate file

     You can receive a file with the list of certificates from a trusted certification authority and upload the file to Kaspersky Security Center. Kaspersky Security Center checks whether the certificate of the SMTP server is also signed by a trusted certification authority. Kaspersky Security Center cannot connect to the SMTP server if the certificate of the SMTP server is not received from a trusted certification authority.

     You must upload a single file that contains the certificate and its private key. When the file is loaded, you must then specify the password for decoding the private key. The password can have an empty value if the private key is not encoded.The Notification message field contains standard text with information about the event that the application sends when an event occurs. This text includes substitute parameters, such as event name, device name, and domain name. You can edit the message text by adding other substitute parameters with more relevant details of the event. The list of substitute parameters is available by clicking the button to the right of the field.

     If the notification text contains a percent sign (%), you have to type it twice in a row to allow message sending. For example, "CPU load is 100%%".

     Click the Configure numeric limit of notifications link to specify the maximum number of notifications that the application can send during the specified time interval.

     Click the Send test message button to check whether you configured notifications properly. The application should send a test notification to the recipient that you specified.

   • Executable file to be run

     If this notification method is selected, in the entry field you can specify the application that will start when an event occurs.

     Clicking the Configure numeric limit of notifications link allows you to specify the maximum number of notifications that the application can send during the specified time interval.

     Clicking the Send test message button allows you to check whether you configured notifications properly: the application sends a test notification to the email addresses that you specified.

5. In the Notification message field, enter the text that the application will send when an event occurs.

   You can use the drop-down list to the right of the text field to add substitution settings with event details (for example, event description, or time of occurrence).

   If the notification text contains a percent (%), you must specify it twice in succession to allow message sending. For example, "CPU load is 100%%".

6. Click the Send test message button to check whether notification has been configured correctly.

   The application sends a test notification to the specified user.

7. Click OK to save the changes.

The re-adjusted notification settings are applied to all events that occur on client devices.

You can override notification settings for certain events in the Event configuration section of the Administration Server settings, of a policy settings, or of an application settings.

Testing notifications

To check whether event notifications are sent, the application uses the notification of the EICAR test "virus" detection on client devices.

To verify sending of event notifications:

1. Stop the real-time file system protection task on a client device and copy the EICAR test "virus" to that client device. Now re-enable real-time protection of the file system.
2. Run a scan task for client devices in an administration group or for specific devices, including one with the EICAR "virus".

   If the scan task is configured correctly, the test "virus" will be detected. If notifications are configured correctly, you are notified that a virus has been detected.

   In the workspace of the Administration Server node, on the Events tab, the Recent events selection displays a record of detection of a "virus".

The EICAR test "virus" contains no code that can do harm to your device. However, most manufacturers' security applications identify this file as virus. You can download the test "virus" from the official EICAR website.

Event notifications displayed by running an executable file

Kaspersky Security Center can notify the administrator about events on client devices by running an executable file. The executable file must contain another executable file with placeholders of the event to be relayed to the administrator.

Placeholders for describing an event

Page top

Configuring the interface

Expand all | Collapse all

You can configure the Kaspersky Security Center interface:

• Show and hide objects in the console tree, workspace, and properties windows of objects (folders, sections), depending on the features being used.
• Show and hide elements of the main window (for example, console tree or standard menus such as Actions and View).

To configure the Kaspersky Security Center interface in accordance with the currently used set of features:

1. In the console tree, select the Administration Server node.
2. On the menu bar of the main application window, select View → Configure interface.
3. In the Configure interface window that opens, configure the display of interface elements using the following check boxes:
   • Display Vulnerability and Patch Management

     If this option is enabled, the Remote installation folder displays the Deploy device images subfolder, and the Repositories folder displays the Hardware subfolder.

     This option is disabled by default if the Quick Start Wizard has not finished. This option is enabled by default after the Quick Start Wizard has finished.

   • Display data encryption and protection

     If this option is enabled, the console tree displays the Data encryption and protection folder.

     By default, this option is enabled.

   • Display endpoint control settings

     If this option is enabled, the following subsections are displayed in the Security Controls section of the properties window of the Kaspersky Endpoint Security for Windows policy:

     • Application Control
     • Device Control
     • Web Control
     • Adaptive Anomaly Control

     If this option is disabled, these subsections are not displayed in the Security Controls section.

     By default, this option is enabled.

   • Display Mobile Device Management

     If this option is enabled, the Mobile Device Management feature is available. After you restart the application, the console tree displays the Mobile devices folder.

     By default, this option is enabled.

   • Display secondary Administration Servers

     If the check box is selected, the console tree displays the nodes of secondary and virtual Administration Servers within administration groups. The features connected with secondary and virtual Administration Servers—for example, creation of tasks for remote installation of applications on secondary Administration Servers—are available at that.

     By default, this check box is cleared.

   • Display security settings sections

     If this option is enabled, the Security section is displayed in the properties window of Administration Server, administration groups and other objects. This option allows you to give users and user groups custom permissions for working with objects.

     By default, this option is disabled.

4. Click OK.

To apply some of the changes, you have to close the main application window and then open it again.

To configure the display of elements in the main application window:

1. On the menu bar of the main application window, select View → Configure.
2. In the Configure view window that opens, configure the display of main window elements by using check boxes.
3. Click OK.