Kaspersky Security Center 13.1


[Topic 171272]

Scenario: Configuring network protection

The Quick Start Wizard creates policies and tasks with the default settings. These settings may turn out to be sub-optimal or even disallowed by the organization. Therefore, we recommend that you fine-tune these policies and tasks and create other policies and tasks, if they are necessary for your network.

Prerequisites

Before you start, make sure that you have done the following:

Configuring network protection proceeds in stages:

  1. Setup and propagation of Kaspersky application policies and policy profiles

    To configure and propagate settings for Kaspersky applications installed on the managed devices, you can use two different security management approaches—device-centric or user-centric. These two approaches can also be combined.

  2. Configuring tasks for remote management of Kaspersky applications

    Check the tasks created with the Quick Start Wizard and fine-tune them, if necessary.

    How-to instructions: Setting up the group task for updating Kaspersky Endpoint Security.

    If necessary, create additional tasks to manage the Kaspersky applications installed on the client devices.

  3. Evaluating and limiting the event load on the database

    Information about events during the operation of managed applications is transferred from a client device and registered in the Administration Server database. To reduce the load on the Administration Server, evaluate and limit the maximum number of events that can be stored in the database.

    How-to instructions: Setting the maximum number of events.

Results

Upon completion of this scenario, your network will be protected through the configuration of Kaspersky applications, tasks, and events received by the Administration Server:

  • The Kaspersky applications are configured according to the policies and policy profiles.
  • The applications are managed through a set of tasks.
  • The maximum number of events that can be stored in the database is set.

When the network protection configuration is complete, you can proceed to configuring regular updates to Kaspersky databases and applications.

See also:

Scenario: Installation and initial setup of Kaspersky Security Center 13.1 Web Console

Scenario: Regular updating Kaspersky databases and applications

[Topic 179344]

Policy setup and propagation: Device-centric approach

When you complete this scenario, the applications will be configured on all of the managed devices in accordance with the application policies and policy profiles that you define.

Prerequisites

Before you start, make sure that you have installed Kaspersky Security Center Administration Server and Kaspersky Security Center 13.1 Web Console (optional). If you installed Kaspersky Security Center 13.1 Web Console, you might also want to consider user-centric security management as an alternative or additional option to the device-centric approach.

Stages

The scenario of device-centric management of Kaspersky applications consists of the following steps:

  1. Configuring application policies

    Configure settings for Kaspersky applications installed on the managed devices by creating a policy for each application. The set of policies will be propagated to the client devices.

    When you configure the protection of your network in Quick Start Wizard, Kaspersky Security Center creates the default policy for the following applications:

    • Kaspersky Endpoint Security for Windows—for Windows-based client devices
    • Kaspersky Endpoint Security for Linux—for Linux-based client devices

    If you completed the configuration process by using this Wizard, you do not have to create a new policy for this application. Proceed to the manual setup of Kaspersky Endpoint Security policy.

    If you have a hierarchical structure of several Administration Servers and/or administration groups, the secondary Administration Servers and child administration groups inherit the policies from the primary Administration Server by default. You can force the inheritance by the child groups and secondary Administration Servers to prohibit any modifications of the settings configured in the upstream policy. If you want only part of the settings to be forcibly inherited, you can lock them in the upstream policy. The remaining unlocked settings will be available for modification in the downstream policies. The created hierarchy of policies will allow you to effectively manage devices in the administration groups.

    How-to instructions:

  2. Creating policy profiles (optional)

    If you want devices within a single administration group to run under different policy settings, create policy profiles for those devices. A policy profile is a named subset of policy settings. This subset is distributed on target devices together with the policy, supplementing it under a specific condition called the profile activation condition. Profiles only contain settings that differ from the "basic" policy, which is active on the managed device.

    By using profile activation conditions, you can apply different policy profiles, for example, to the devices located in a specific unit or security group of Active Directory, having a specific hardware configuration, or marked with specific tags. Use tags to filter devices that meet specific criteria. For example, you can create a tag called Windows, mark all devices running the Windows operating system with this tag, and then specify this tag as an activation condition for a policy profile. As a result, Kaspersky applications installed on all devices running Windows will be managed by their own policy profile.

    How-to instructions:

  3. Propagating policies and policy profiles to the managed devices

    By default, the Administration Server automatically synchronizes with managed devices every 15 minutes. You can circumvent auto-synchronization and run the synchronization manually by using the Force synchronization command. Synchronization is also forced after you create or change a policy or a policy profile. During the synchronization, the new or changed policies and policy profiles are propagated to the managed devices.

    If you use Kaspersky Security Center 13.1 Web Console, you can check whether the policies and policy profiles were delivered to a device. Kaspersky Security Center specifies the delivery date and time in the properties of the device.

    How-to instructions:

Results

When the device-centric scenario is complete, the Kaspersky applications are configured according to the settings specified and propagated through the hierarchy of policies.

The configured application policies and policy profiles will be applied automatically to the new devices added to the administration groups.

See also:

Main installation scenario

Hierarchy of Administration Servers

Administration groups

Policies

Policy profiles

Hierarchy of policies

About user roles

Scenario: Configuring network protection

[Topic 177128]

About device-centric and user-centric security management approaches

You can manage security settings from the standpoint of device features and from the standpoint of user roles. The first approach is called device-centric security management and the second is called user-centric security management. To apply different application settings to different devices, you can use either type of management or both in combination. To implement device-centric security management, you can use tools provided in Microsoft Management Console-based Administration Console or Kaspersky Security Center 13.1 Web Console. User-centric security management can be implemented through Kaspersky Security Center 13.1 Web Console only.

Device-centric security management enables you to apply different security application settings to managed devices depending on device-specific features. For example, you can apply different settings to devices allocated in different administration groups. You can also differentiate the devices by usage of those devices in Active Directory, or their hardware specifications.

User-centric security management enables you to apply different security application settings to different user roles. You can create several user roles, assign an appropriate user role to each user, and define different application settings for the devices owned by users with different roles. For example, you may want to apply different application settings to devices of accountants and human resources (HR) specialists. As a result, when user-centric security management is implemented, each department—accounts department and HR department—has its own settings configuration for Kaspersky applications. A settings configuration defines which application settings can be changed by users and which are forcibly set and locked by the administrator.

By using user-centric security management you can apply specific application settings to individual users. This may be required when an employee has a unique role in the company or when you want to monitor security incidents related to devices of a specific person. Depending on the role of this employee in the company, you can expand or limit the rights of this person to change application settings. For example, you might want to expand the rights of a system administrator who manages client devices in a local office.

You can also combine the device-centric and user-centric security management approaches. For example, you can configure a specific application policy for each administration group and then create policy profiles for one or several user roles of your enterprise. In this case, the policies and policy profiles are applied in the following order:

  1. The policies created for device-centric security management are applied.
  2. They are modified by the policy profiles according to the policy profile priorities.
  3. The policies are modified by the policy profiles associated with user roles.

See also:

Scenario: Installation and initial setup of Kaspersky Security Center 13.1 Web Console

Scenario: Configuring network protection

[Topic 166721]

Manual setup of Kaspersky Endpoint Security policy

This section provides recommendations on how to configure the Kaspersky Endpoint Security policy, which is created by the Quick Start Wizard. You can perform the setup in the policy properties window.

When editing a setting, please keep in mind that you must click the lock icon above the relevant setting in order to allow using its value on a workstation.

In this section

Configuring the policy in the Advanced Threat Protection section

Configuring the policy in the Essential Threat Protection section

Configuring the policy in the General Settings section

Configuring the policy in the Event configuration section

See also:

Policy setup and propagation: Device-centric approach

[Topic 92418]

Configuring the policy in the Advanced Threat Protection section

For a full description of the settings in this section, please refer to the Kaspersky Endpoint Security for Windows documentation.

In the Advanced Threat Protection section, you can configure the use of Kaspersky Security Network for Kaspersky Endpoint Security for Windows. You can also configure Kaspersky Endpoint Security for Windows modules, such as Behavior Detection, Exploit Prevention, Host Intrusion Prevention, and Remediation Engine.

In the Kaspersky Security Network subsection, we recommend that you enable the Use KSN Proxy option. Using this option helps to redistribute and optimize traffic on the network. If the Use KSN Proxy option is disabled, you can enable direct use of KSN servers.

See also:

Scenario: Configuring network protection

[Topic 175185]

Configuring the policy in the Essential Threat Protection section

For a full description of the settings in this section, please refer to the Kaspersky Endpoint Security for Windows documentation.

In the Essential Threat Protection section of the policy properties window, we recommend that you specify additional settings in the Firewall and File Threat Protection subsections.

The Firewall subsection contains settings that allow you to control the network activity of applications on the client devices. A client device uses a network to which one of the following statuses is assigned: public, local, or trusted. Depending on the network status, Kaspersky Endpoint Security can allow or deny network activity on a device. When you add a new network to your organization, you must assign an appropriate network status to it. For example, if the client device is a laptop, we recommend that this device use the public or trusted network, because the laptop is not always connected to the local network. In the Firewall subsection, you can check whether you correctly assigned statuses to the networks used in your organization.

To check the list of networks:

  1. In the policy properties, go to Essential Threat Protection → Firewall.
  2. In the Available networks section, click the Settings button.
  3. In the Firewall window that opens, go to the Networks tab to view the list of networks.

In the File Threat Protection subsection, you can disable the scanning of network drives. Scanning network drives can place a significant load on them. It is more convenient to perform the scanning indirectly, on the file servers.

To disable scanning of network drives:

  1. In the policy properties, go to Essential Threat Protection → File Threat Protection.
  2. In the Security level section, click the Settings button.
  3. In the File Threat Protection window that opens, on the General tab clear the All network drives check box.

See also:

Scenario: Configuring network protection

[Topic 92419]

Configuring the policy in the General Settings section

For a full description of the settings in this section, please refer to the Kaspersky Endpoint Security for Windows documentation.

In the General Settings section of the policy properties window, we recommend that you specify additional settings in the Reports and Storage and Interface subsections.

In the Reports and Storage subsection, go to the Data transfer to Administration Server section. The About started applications check box specifies whether the Administration Server database saves information about all versions of all software modules on the networked devices. If this check box is selected, the saved information may require a significant amount of disk space in the Kaspersky Security Center database (dozens of gigabytes). Clear the About started applications check box if it is selected in the top-level policy.

If Administration Console manages the Anti-Virus protection on the organization's network in centralized mode, disable the display of the Kaspersky Endpoint Security for Windows user interface on workstations. To do this, in the Interface subsection, go to the Interaction with user section, and then select the Do not display option.

To enable password protection on workstations, in the Interface subsection, go to the Password protection section, click the Settings button, and then select the Enable password protection check box.

See also:

Scenario: Configuring network protection

[Topic 92421]

Configuring the policy in the Event configuration section

In the Event configuration section, you should disable the saving of any events on Administration Server, except for the following ones:

  • On the Critical event tab:
    • Application autorun is disabled
    • Access denied
    • Application startup prohibited
    • Disinfection not possible
    • License Agreement violated
    • Could not load encryption module
    • Cannot start two tasks at the same time
    • Active threat detected. Start Advanced Disinfection
    • Network attack detected
    • Not all components were updated
    • Activation error
    • Error enabling portable mode
    • Error in interaction with Kaspersky Security Center
    • Error disabling portable mode
    • Error changing application components
    • Error applying file encryption / decryption rules
    • Policy cannot be applied
    • Process terminated
    • Network activity blocked
  • On the Functional failure tab: Invalid task settings. Settings not applied
  • On the Warning tab:
    • Self-Defense is disabled
    • Incorrect reserve key
    • User has opted out of the encryption policy
  • On the Info tab: Application startup prohibited in test mode

See also:

Scenario: Configuring network protection

[Topic 92424]

Manual setup of the group update task for Kaspersky Endpoint Security

The optimal and recommended schedule option for Kaspersky Endpoint Security versions 10 and later is When new updates are downloaded to the repository, with the Use automatically randomized delay for task starts check box selected.

See also:

Scenario: Configuring network protection

[Topic 92425]

Manual setup of the group task for scanning a device with Kaspersky Endpoint Security

The Quick Start Wizard creates a group task for scanning a device. By default, the task is assigned a Run on Fridays at 7:00 PM schedule with automatic randomization, and the Run missed tasks check box is cleared.

This means that if devices in an organization are shut down on Fridays, for example, at 6:30 PM, the device scan task will never run. You must set up the most convenient schedule for this task based on the workplace rules adopted in the organization.

See also:

Scenario: Configuring network protection

[Topic 92426]

Scheduling the Find vulnerabilities and required updates task

The Quick Start Wizard creates the Find vulnerabilities and required updates task for Network Agent. By default, the task is assigned a Run on Tuesdays at 7:00 PM schedule with automatic randomization, and the Run missed tasks check box is selected.

If the organization's workplace rules provide for shutting down all devices at this time, the Find vulnerabilities and required updates task will run after the devices are turned on again, that is, on Wednesday morning. Such activity may be undesirable because a vulnerability scan may increase the load on CPUs and disk subsystems. You must set up the most convenient schedule for the task based on the workplace rules adopted in the organization.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

Scenario: Updating third-party software

Scenario: Configuring network protection

[Topic 92427]

Manual setup of the group task for updates installation and vulnerabilities fix

The Quick Start Wizard creates a group task for updates installation and vulnerabilities fix for Network Agent. By default, the task is set up to run every day at 01:00 AM, with automatic randomization, and the Run missed tasks option is not enabled.

If the organization's workplace rules provide for shutting down devices overnight, the update installation will never run. You must set up the most convenient schedule for the vulnerability scan task based on the workplace rules adopted in the organization. It is also important to keep in mind that installation of updates may require restarting the device.
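The three default schedules described in the device scan, Find vulnerabilities and required updates, and updates installation topics can be checked against a site's power-off hours before they are deployed. The following Python model is an added example, not Kaspersky code: the 08:00 power-on time and the 2024 dates are constructed, the randomized start delay is ignored, and a missed run is assumed to start as soon as the device is powered on again.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # datetime.weekday() numbering


@dataclass(frozen=True)
class Schedule:
    weekdays: frozenset   # days on which the task is scheduled
    start: time           # scheduled start time (randomized delay ignored)
    run_missed: bool      # state of the "Run missed tasks" check box


@dataclass(frozen=True)
class PowerHours:
    """Assumed workplace rule: devices are powered on only in this window."""
    workdays: frozenset
    on_from: time
    off_at: time

    def is_on(self, moment: datetime) -> bool:
        return (moment.weekday() in self.workdays
                and self.on_from <= moment.time() < self.off_at)

    def next_power_on(self, moment: datetime) -> datetime:
        day = moment.date()
        for _ in range(8):   # the current day plus one full week
            candidate = datetime.combine(day, self.on_from)
            if day.weekday() in self.workdays and candidate > moment:
                return candidate
            day += timedelta(days=1)
        raise ValueError("device is never powered on")


def simulate(schedule: Schedule, power: PowerHours, first_day: date, days: int):
    """Return (scheduled, actual) pairs; actual is None if the run is lost."""
    results = []
    for offset in range(days):
        day = first_day + timedelta(days=offset)
        if day.weekday() not in schedule.weekdays:
            continue
        scheduled = datetime.combine(day, schedule.start)
        if power.is_on(scheduled):
            actual = scheduled                        # runs on time
        elif schedule.run_missed:
            actual = power.next_power_on(scheduled)   # deferred to power-on
        else:
            actual = None                             # silently skipped
        results.append((scheduled, actual))
    return results


def never_runs(schedule, power, first_day=date(2024, 1, 1), days=28) -> bool:
    """True if no scheduled occurrence in the period results in a run."""
    return all(actual is None
               for _, actual in simulate(schedule, power, first_day, days))


# Constructed site rule: on Monday to Friday 08:00, shut down at 6:30 PM.
OFFICE = PowerHours(frozenset({MON, TUE, WED, THU, FRI}), time(8, 0), time(18, 30))

# Default schedules as stated in the three topics above.
DEVICE_SCAN = Schedule(frozenset({FRI}), time(19, 0), run_missed=False)
FIND_VULNS = Schedule(frozenset({TUE}), time(19, 0), run_missed=True)
INSTALL_UPDATES = Schedule(frozenset(range(7)), time(1, 0), run_missed=False)

if __name__ == "__main__":
    tasks = [("Device scan", DEVICE_SCAN),
             ("Find vulnerabilities and required updates", FIND_VULNS),
             ("Install updates and fix vulnerabilities", INSTALL_UPDATES)]
    for name, schedule in tasks:
        if never_runs(schedule, OFFICE):
            print(f"{name}: never runs under these power hours")
            continue
        for scheduled, actual in simulate(schedule, OFFICE, date(2024, 1, 1), 7):
            print(f"{name}: scheduled {scheduled:%a %H:%M}, runs {actual:%a %H:%M}")
```
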

See also:

Scenario: Configuring network protection

[Topic 92428]

Setting the maximum number of events in the event repository

In the Events repository section of the Administration Server properties window, you can edit the settings of events storage in the Administration Server database by limiting the number of event records and record storage term. When you specify the maximum number of events, the application calculates an approximate amount of storage space required for the specified number. You can use this approximate calculation to evaluate whether you have enough free space on the disk to avoid database overflow. The default capacity of the Administration Server database is 400,000 events. The maximum recommended capacity of the database is 45 million events.

If the number of events in the database reaches the maximum value specified by the administrator, the application deletes the oldest events and rewrites them with new ones. While the Administration Server is deleting old events, it cannot save new events to the database. During this period of time, information about events that were rejected is written to the Kaspersky Event Log. The new events are queued and then saved to the database after the deletion operation is complete.

To limit the number of events that can be stored in the events repository on the Administration Server:

  1. Right-click the Administration Server, and then select Properties.

    The Administration Server properties window opens.

  2. In the workspace of the Events repository section, specify the maximum number of events stored in the database.
  3. Click OK.

Additionally, you can change the settings of any task to save events related to the task progress, or save only task execution results. In doing so, you will reduce the number of events in the database, increase the speed of execution of scenarios associated with analysis of the event table in the database, and lower the risk that critical events will be overwritten by a large number of events.
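To evaluate the event load against the repository limit, per-type event counts can be compared with the events that the Event configuration topic recommends keeping. The following Python script is an added example, not part of Kaspersky Security Center: the tab-separated count format, the 7-day counts and the `constructed-` event names are constructed, and it assumes a steady event rate with oldest-first deletion.

```python
from collections import Counter

DEFAULT_CAPACITY = 400_000            # default capacity stated above
MAX_RECOMMENDED_CAPACITY = 45_000_000  # maximum recommended capacity stated above

# Events the "Event configuration" topic says to keep saving, keyed by tab.
KEEP = {
    "Critical": {
        "Application autorun is disabled", "Access denied",
        "Application startup prohibited", "Disinfection not possible",
        "License Agreement violated", "Could not load encryption module",
        "Cannot start two tasks at the same time",
        "Active threat detected. Start Advanced Disinfection",
        "Network attack detected", "Not all components were updated",
        "Activation error", "Error enabling portable mode",
        "Error in interaction with Kaspersky Security Center",
        "Error disabling portable mode", "Error changing application components",
        "Error applying file encryption / decryption rules",
        "Policy cannot be applied", "Process terminated",
        "Network activity blocked",
    },
    "Functional failure": {"Invalid task settings. Settings not applied"},
    "Warning": {"Self-Defense is disabled", "Incorrect reserve key",
                "User has opted out of the encryption policy"},
    "Info": {"Application startup prohibited in test mode"},
}

# Constructed sample: tab <TAB> event name <TAB> count over SAMPLE_WINDOW_DAYS.
SAMPLE_WINDOW_DAYS = 7
SAMPLE = """\
Critical\tNetwork attack detected\t140
Critical\tProcess terminated\t60
Warning\tSelf-Defense is disabled\t10
Info\tApplication startup prohibited in test mode\t70
Info\tconstructed-info-event-A\t196000
Info\tconstructed-info-event-B\t83720
"""


def parse_counts(text: str) -> Counter:
    """Parse 'tab<TAB>name<TAB>count' lines into a Counter keyed by (tab, name)."""
    counts = Counter()
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [part.strip() for part in line.split("\t")]
        if len(parts) != 3 or not parts[2].isdigit():
            raise ValueError(f"line {line_no}: expected tab, event name, count")
        counts[(parts[0], parts[1])] += int(parts[2])
    return counts


def retention_days(counts: Counter, window_days: int, capacity: int) -> float:
    """Days until the oldest stored event is deleted, at a steady rate."""
    total = sum(counts.values())
    if total == 0:
        return float("inf")
    return capacity / (total / window_days)


def summarize(text: str, window_days: int, capacity: int = DEFAULT_CAPACITY) -> dict:
    counts = parse_counts(text)
    kept = Counter({k: v for k, v in counts.items() if k[1] in KEEP.get(k[0], ())})
    dropped = counts - kept
    return {
        "current_days": retention_days(counts, window_days, capacity),
        "filtered_days": retention_days(kept, window_days, capacity),
        "noisiest": dropped.most_common(3),   # first candidates to stop saving
        "over_recommended": capacity > MAX_RECOMMENDED_CAPACITY,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE, SAMPLE_WINDOW_DAYS)
    print(f"Retention with all events stored: {result['current_days']:.0f} days")
    print(f"Retention with only recommended events: {result['filtered_days']:.0f} days")
    for (tab, name), count in result["noisiest"]:
        print(f"  not on the keep list: {tab} / {name} ({count} events)")
```
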

See also:

Scenario: Monitoring and reporting

Scenario: Configuring network protection

[Topic 181228]

Setting the maximum storage period for the information about fixed vulnerabilities

To set the maximum storage period in the database for the information about the vulnerabilities that have already been fixed on managed devices:

  1. Right-click the Administration Server, and then select Properties.

    The Administration Server properties window opens.

  2. In the workspace of the Events repository section, specify the maximum storage period for the information about the fixed vulnerabilities in the database.

    By default, the storage period is 90 days.

  3. Click OK.

The maximum storage period for the information about the fixed vulnerabilities is limited to the specified number of days. After that, the Administration Server maintenance task will delete the outdated information from the database.

[Topic 222383]

Managing tasks

Kaspersky Security Center manages applications installed on devices, by creating and running various tasks. Tasks are required for installing, launching, and stopping applications, scanning files, updating databases and software modules, and performing other actions on applications.

Tasks are subdivided into the following types:

  • Group tasks. Tasks that are performed on the devices of the selected administration group.
  • Administration Server tasks. Tasks that are performed on the Administration Server.
  • Tasks for specific devices. Tasks that are performed on selected devices, regardless of whether they are included in any administration groups.
  • Local tasks. Tasks that are performed on a specific device.

An application task can only be created if the management plug-in for that application is installed on the administrator's workstation.

You can compile a list of devices for which a task will be created in one of the following ways:

  • By selecting networked devices discovered by Administration Server.
  • By specifying a list of devices manually. You can use an IP address (or IP range), NetBIOS name, or DNS name as the device address.
  • By importing a list of devices from a .txt file that contains the addresses of the devices to be added (each address must be on a separate line).

    If you import a list of devices from a file or create one manually, and devices are identified by their names, the list can only contain devices for which information has already been entered into the Administration Server database when those devices were connected or during device discovery.

For each application, you can create any number of group tasks, tasks for specific devices, or local tasks.

The exchange of task information between an application installed on a device and the Kaspersky Security Center database is carried out when Network Agent is connected to Administration Server.

You can make changes to the settings of tasks, view the progress of tasks, and copy, export, import, and delete tasks.

Tasks are started on a device only if the application for which the task was created is running. When the application is not running, all running tasks are canceled.

Results of completed tasks are saved in the event logs of Microsoft Windows and Kaspersky Security Center, both centrally on the Administration Server and locally on each device.

Do not include private data in task settings. For example, avoid specifying the domain administrator password.

Details of managing tasks for applications with multitenancy support

A group task for an application with multitenancy support is applied to the application depending on the hierarchy of Administration Servers and client devices. The virtual Administration Server from which the task is created must be in the same or a lower-level administration group than the client device on which the application is installed.

In events that correspond to task execution results, a service provider administrator is shown the information about the device on which the task executed. By contrast, a tenant administrator is shown Multi-tenant node.

In this section

Creating a task

Creating the Administration Server task

Creating a task for specific devices

Creating a local task

Displaying an inherited group task in the workspace of a nested group

Automatically turning on devices before starting a task

Automatically turning off a device after a task is completed

Limiting task run time

Exporting a task

Importing a task

Converting tasks

Starting and stopping a task manually

Pausing and resuming a task manually

Monitoring task execution

Viewing task run results stored on the Administration Server

Configuring filtering of information about task run results

Modifying a task. Rolling back changes

Comparing tasks

Accounts to start tasks

Change Tasks Password Wizard

See also:

About multi-tenant applications

Scenario: Configuring network protection

[Topic 3772]

Creating a task

In Administration Console, you can create tasks directly in the folder of the administration group for which a group task is to be created, or in the workspace of the Tasks folder.

To create a group task in the folder of an administration group:

  1. In the console tree, select the administration group for which you want to create a task.
  2. In the group workspace, select the Tasks tab.
  3. Run the task creation by clicking the Create a task button.

The Add Task Wizard starts. Follow the instructions of the Wizard.

To create a task in the workspace of the Tasks folder:

  1. In the console tree, select the Tasks folder.
  2. Run the task creation by clicking the Finish button.

The Add Task Wizard starts. Follow the instructions of the Wizard.

Do not include private data in task settings. For example, avoid specifying the domain administrator password.

See also:

Scenario: Monitoring and reporting

Scenario: Configuring network protection

[Topic 3773]

Creating the Administration Server task

The Administration Server performs the following tasks:

  • Automatic distribution of reports
  • Downloading of updates to the repository of the Administration Server
  • Backup of Administration Server data
  • Maintenance of the database
  • Windows Update synchronization
  • Creation of an installation package based on the operating system (OS) image of a reference device

On a virtual Administration Server, only the automatic report delivery task and the installation package creation task based on the reference device OS image are available. The repository of the virtual Administration Server displays updates downloaded to the primary Administration Server. Backup of virtual Administration Server data is performed together with backup of primary Administration Server data.

To create the Administration Server task:

  1. In the console tree, select the Tasks folder.
  2. Start creation of the task in one of the following ways:
    • By selecting New → Task in the context menu of the Tasks folder in the console tree.
    • By clicking the Create a task button in the workspace of the Tasks folder.

The Add Task Wizard starts. Follow the instructions of the Wizard.

The Download updates to the repository of the Administration Server, Perform Windows Update synchronization, Database maintenance, and Backup of Administration Server data tasks can be created only once. If the Download updates to the repository of the Administration Server, Database maintenance, Backup of Administration Server data, and Perform Windows Update synchronization tasks have already been created for the Administration Server, they will not be displayed in the task type selection window of the Add Task Wizard.

See also:

Scenario: Configuring network protection

[Topic 3778]

Creating a task for specific devices

In Kaspersky Security Center, you can create tasks for specific devices. Devices that are in a set can be included in various administration groups or remain outside any administration groups. Kaspersky Security Center can perform the following main tasks for specific devices:

To create a task for specific devices:

  1. In the console tree, select the Tasks folder.
  2. Start creation of the task in one of the following ways:
    • By selecting New → Task in the context menu of the Tasks folder in the console tree.
    • By clicking the Create a task button in the workspace of the Tasks folder.

The Add Task Wizard starts. Follow the instructions of the Wizard.

See also:

Scenario: Configuring network protection

[Topic 3779]

Creating a local task

To create a local task for a device:

  1. Select the Devices tab in the workspace of the group that includes the device.
  2. From the list of devices on the Devices tab, select the device for which a local task must be created.
  3. Start creating the task for the selected device in one of the following ways:
    • Click the Perform action button and select Create a task in the drop-down list.
    • Click the Create a task link in the workspace of the device.
    • Use the device properties as follows:
      1. In the context menu of the device, select Properties.
      2. In the device properties window that opens, select the Tasks section and click Add.

The Add Task Wizard starts. Follow the instructions of the Wizard.

Detailed instructions on how to create and configure local tasks are provided in the Guides for the respective Kaspersky applications.

See also:

Scenario: Configuring network protection

[Topic 3780]

Displaying an inherited group task in the workspace of a nested group

To enable the display of inherited tasks of a nested group in the workspace:

  1. Select the Tasks tab in the workspace of a nested group.
  2. In the workspace of the Tasks tab, click the Show inherited tasks button.

Inherited tasks are displayed in the list of tasks with one of the following icons:

  • A grey clipboard with a green check mark and a green arrow pointing down in its left corner: shown if the tasks were inherited from a group created on the primary Administration Server.
  • A grey clipboard with a green check mark: shown if the tasks were inherited from a top-level group.

If the inheritance mode is enabled, inherited tasks can only be edited in the group in which they have been created. Inherited tasks cannot be edited in the group which inherits the tasks.

See also:

Scenario: Configuring network protection

[Topic 3783]

Automatically turning on devices before starting a task

Kaspersky Security Center doesn't run tasks on devices that are turned off. You can configure Kaspersky Security Center to turn on these devices automatically before starting a task, by using the Wake-on-LAN function.

To configure the automatic turning on of devices before starting a task:

  1. In the task properties window, select the Schedule section.
  2. To configure actions on devices, click the Advanced link.
  3. In the Advanced window that opens, select the Activate the device before the task is started through Wake-on-LAN (min) check box, and then specify the time interval in minutes.

As a result, for the specified number of minutes before starting the task, Kaspersky Security Center turns on the devices and loads the operating system on them by using the Wake-on-LAN function. After the task is completed, the devices are automatically shut down if device users don't log in to the system. Note that Kaspersky Security Center automatically shuts down only the devices that are turned on by using the Wake-on-LAN function.

Kaspersky Security Center can start operating systems automatically only on the devices that support the Wake-on-LAN (WoL) standard.

See also:

Scenario: Configuring network protection

[Topic 3784]

Automatically turning off a device after a task is completed

Kaspersky Security Center allows you to configure a task in such a way that the devices to which it is distributed are automatically turned off after the task completes.

To automatically turn off a device after a task is complete:

  1. In the task properties window, select the Schedule section.
  2. Click the Advanced link to open the window for configuring actions on devices.
  3. In the Advanced window that opens, select the Shut down device when task is complete check box.

See also:

Scenario: Configuring network protection

[Topic 3785]

Limiting task run time

To limit the time during which a task is run on devices:

  1. In the task properties window, select the Schedule section.
  2. Open the window intended for configuration of actions on client devices, by clicking Advanced.
  3. In the Advanced window that opens, select the Stop if the task is taking longer than (min) check box and specify the time interval in minutes.

If the task is not yet complete on the device when the specified time interval expires, Kaspersky Security Center stops the task automatically.

See also:

Scenario: Configuring network protection

[Topic 3786]

Exporting a task

You can export group tasks and tasks for specific devices to a file. Administration Server tasks and local tasks are not available for export.

To export a task:

  1. In the context menu of the task, select All tasks → Export.
  2. In the Save as window that opens, specify the file name and path.
  3. Click the Save button.

The rights of local users are not exported.

See also:

Scenario: Configuring network protection

[Topic 3789]

Importing a task

You can import group tasks and tasks for specific devices. Administration Server tasks and local tasks are not available for import.

To import a task:

  1. Select the list to which the task must be imported:
    • If you want to import the task to the list of group tasks, in the workspace of the relevant administration group select the Tasks tab.
    • If you want to import a task to the list of tasks for specific devices, select the Tasks folder in the console tree.
  2. Select one of the following options to import the task:
    • In the context menu of the list of tasks, select All tasks → Import.
    • Click the Import task from file link in the task list management block.
  3. In the window that opens, specify the path to the file from which you want to import a task.
  4. Click the Open button.

The task is displayed in the list of tasks.

If the newly imported task has an identical name to an existing task, the name of the imported task is expanded with the (<next sequence number>) index, for example: (1), (2).

See also:

Scenario: Configuring network protection

[Topic 3790]

Converting tasks

You can use Kaspersky Security Center to convert tasks from earlier versions of Kaspersky applications into those from up-to-date versions of the applications.

Conversion is available for tasks of the following applications:

  • Kaspersky Anti-Virus 6.0 for Windows Workstations MP4
  • Kaspersky Endpoint Security 8 for Windows
  • Kaspersky Endpoint Security 10 for Windows

To convert tasks:

  1. In the console tree, select an Administration Server for which you want to convert tasks.
  2. In the Administration Server context menu, select All Tasks → Policies and Tasks Batch Conversion Wizard.

The Policies and Tasks Batch Conversion Wizard starts. Follow the instructions of the Wizard.

After the Wizard completes its operation, new tasks are created that use the settings of tasks from earlier versions of the applications.

See also:

Scenario: Configuring network protection

[Topic 17337]

Starting and stopping a task manually

You can start and stop tasks manually using either of the following methods: through the context menu of the task, or through the properties window of the client device to which that task has been assigned.

Starting group tasks from the context menu of the device is only allowed to users included in the KLAdmins group.

To start or stop a task from the context menu or the properties window of the task:

  1. In the list of tasks, select a task.
  2. Start or stop the task in one of the following ways:
    • By selecting Start or Stop in the context menu of the task.
    • By clicking Start or Stop in the General section of the task properties window.

To start or stop a task from the context menu or the properties window of the client device:

  1. In the list of devices, select the device.
  2. Start or stop the task in one of the following ways:
    • By selecting All tasks → Run Task in the context menu of the device. Select the relevant task from the list of tasks.

      The list of devices to which the task is assigned will be replaced with the device that you have selected. The task starts.

    • By clicking the start button or stop button in the Tasks section of the device properties window.

See also:

Scenario: Configuring network protection

[Topic 3791]

Pausing and resuming a task manually

To pause or resume a running task manually:

  1. In the list of tasks, select a task.
  2. Pause or resume the task in one of the following ways:
    • By selecting Pause or Resume in the context menu of the task.
    • By selecting the General section in the task properties window and clicking Pause or Resume.

See also:

Scenario: Configuring network protection

[Topic 3792]

Monitoring task execution

To monitor task execution,

in the task properties window, select the General section.

In the middle part of the General section, the current task status is displayed.

See also:

Scenario: Configuring network protection

[Topic 3961]

Viewing task run results stored on the Administration Server

Kaspersky Security Center allows you to view the results for group tasks, tasks for specific devices, and Administration Server tasks. No run results can be viewed for local tasks.

To view the task results:

  1. In the task properties window, select the General section.
  2. Click the Results link to open the Task results window.

See also:

Scenario: Configuring network protection

[Topic 3794]

Configuring filtering of information about task run results

Kaspersky Security Center allows you to filter information about results for group tasks, tasks for specific devices, and Administration Server tasks. No filtering is available for local tasks.

To set up the filtering of information about task run results:

  1. In the task properties window, select the General section.
  2. Click the Results link to open the Task results window.

    The upper table contains a list of all devices for which the task is assigned. The lower table displays the results of the task performed on the selected device.

  3. Right-click the relevant table to open the context menu and select Filter.
  4. In the Set filter window that opens, define the filter settings in the Events, Devices, and Time sections. Click OK.

The Task results window displays information that meets the settings specified in the filter.

See also:

Scenario: Configuring network protection

[Topic 3795]

Modifying a task. Rolling back changes

To modify a task:

  1. In the console tree, select the Tasks folder.
  2. In the workspace of the Tasks folder, select a task and proceed to the task properties window using the context menu.
  3. Make the relevant changes.

    In the Exclusions from task scope section, you can set up the list of subgroups to which the task is not applied.

  4. Click Apply.

The changes made to the task will be saved in the task properties window, in the Revision history section.

You can roll back changes made to a task, if necessary.

To roll back changes made to a task:

  1. In the console tree, select the Tasks folder.
  2. Select the task in which changes must be rolled back, and proceed to the task properties window using the context menu.
  3. In the task properties window, select the Revision history section.
  4. In the list of task revisions, select the number of the revision to which you need to roll back changes.
  5. Click the Advanced button and select the Roll back value in the drop-down list.

See also:

Scenario: Configuring network protection

[Topic 131027]

Comparing tasks

You can compare tasks of the same type: for example, you can compare two virus scan tasks, but you cannot compare a virus scan task and an update installation task. After the comparison, you have a report that displays which settings of the tasks match and which settings differ. You can print the task comparison report or save it as a file. You may need task comparison when different units within a company are assigned various tasks of the same type. For example, employees at the accounting department have a task of virus scanning only local disks on their computers, while employees at the sales department communicate with customers, so they have a task of scanning both local disks and email. You do not have to view all the task settings to quickly notice such a difference; you can simply compare the tasks instead.

Only tasks of the same type can be compared.

Tasks can only be compared in pairs.

You can compare tasks in one of the following ways: by selecting one task and comparing it to another, or by comparing any two tasks from the list of tasks.

To select one task and compare it to another:

  1. In the console tree, select the Tasks folder.
  2. In the workspace of the Tasks folder, select the task that you want to compare to another.
  3. In the context menu of the task, select All tasks → Compare to another task.
  4. In the Select a task window, select the task for comparison.
  5. Click OK.

A report in HTML format that compares the two tasks is displayed.

To compare any two tasks from the list of tasks:

  1. In the console tree, select the Tasks folder.
  2. In the Tasks folder, in the list of tasks, press the Shift or Ctrl key to select two tasks of the same type.
  3. In the context menu, select Compare.

A report in HTML format that compares the selected tasks is displayed.

When tasks are compared, if the passwords differ, asterisks (******) are displayed in the task comparison report.

If the password has been changed in the task properties, asterisks (******) are displayed in the revision comparison report.

See also:

Scenario: Configuring network protection

[Topic 144974]

Accounts to start tasks

You can specify an account under which the task should be run.

For example, to perform an on-demand scan task, you must have access rights to the object being scanned, and to perform an update task, you need authorized proxy server user rights. The capability to specify an account for the task run allows you to avoid problems with on-demand scan tasks and update tasks in case the user running a task does not have the required access rights.

During the execution of remote installation/uninstallation tasks, the specified account is used to download to client devices the files required to install/uninstall an application in case Network Agent is not installed or unavailable. If Network Agent is installed and available, the account is used if, in accordance with the task settings, file delivery is performed only by using Microsoft Windows utilities from the shared folder. In this case, the account must have the following rights on the device:

  • Right to start applications remotely.
  • Rights to use the Admin$ resource.
  • Right to Log On As Service.

If the files are delivered to devices through Network Agent, the account will not be used. All file copying and installation operations are then performed by the Network Agent (LocalSystem account).

See also:

Scenario: Configuring network protection

[Topic 11352]

Change Tasks Password Wizard

For a non-local task, you can specify an account under which the task must be run. You can specify the account during task creation or in the properties of an existing task. If the specified account is used in accordance with security instructions of the organization, these instructions might require changing the account password from time to time. When the account password expires and you set a new one, the tasks will not start until you specify the new valid password in the task properties.

The Change Tasks Password Wizard enables you to automatically replace the old password with the new one in all tasks in which the account is specified. Alternatively, you can do it manually in the properties of each task.

To start the Change Tasks Password Wizard:

  1. In the console tree, select the Tasks node.
  2. In the context menu of the node, select Change Tasks Password Wizard.

Follow the instructions of the Wizard.

In this section

Step 1. Specifying credentials

Step 2. Selecting an action to take

Step 3. Viewing the results

[Topic 192305]

Step 1. Specifying credentials

In the Account and Password fields, specify new credentials that are currently valid in your system (for example, in Active Directory). When you switch to the next step of the wizard, Kaspersky Security Center checks if the specified account name matches the account name in the properties of each non-local task. If the account names match, the password in the task properties will be automatically replaced with the new one.

If you fill in the Old password (optional) field, Kaspersky Security Center replaces the password only for those tasks in which both the account name and the old password are found. The replacement is performed automatically. In all other cases you have to choose an action to take in the next step of the wizard.

See also:

Change Tasks Password Wizard

Step 2. Selecting an action to take

Step 3. Viewing the results

[Topic 192383]

Step 2. Selecting an action to take

If you have not specified the old password on the first step of the Wizard or the specified old password has not matched the passwords in the tasks, you need to choose an action to take for the found tasks.

For each task that has the Approval required status, decide whether you want to remove the password in the task properties or replace it with the new one. If you choose to remove the password, the task is switched to run under the default account.

See also:

Change Tasks Password Wizard

Step 1. Specifying credentials

Step 3. Viewing the results

[Topic 192740]

Step 3. Viewing the results

On the last step of the Wizard, view the results for each of the found tasks. To complete the Wizard, click the Finish button.

See also:

Change Tasks Password Wizard

Step 1. Specifying credentials

Step 2. Selecting an action to take

[Topic 192752]

Creating a hierarchy of administration groups subordinate to a virtual Administration Server

After the virtual Administration Server is created, it contains by default an administration group named Managed devices.

The procedure for creating a hierarchy of administration groups subordinate to a virtual Administration Server is the same as the procedure for creating a hierarchy of administration groups subordinate to the physical Administration Server.

You cannot add secondary and virtual Administration Servers to administration groups subordinate to a virtual Administration Server. This is due to limitations of virtual Administration Servers.

See also:

Managing administration groups

Scenario: Configuring network protection

[Topic 38042]

Policies and policy profiles

In Kaspersky Security Center 13.1 Web Console, you can create policies for Kaspersky applications. This section describes policies and policy profiles, and provides instructions for creating and modifying them.

In this section

Hierarchy of policies, using policy profiles

Managing policies

Managing policy profiles

See also:

Scenario: Configuring network protection

[Topic 165762]

Hierarchy of policies, using policy profiles

This section provides information about how to apply policies to devices in administration groups. This section also provides information about policy profiles supported in Kaspersky Security Center, starting from version 10 Service Pack 1.

In this section

Hierarchy of policies

Policy profiles

Inheritance of policy settings

[Topic 92432]

Hierarchy of policies

In Kaspersky Security Center, you use policies for defining a single collection of settings to multiple devices. For example, the policy scope of application P defined for administration group G includes managed devices with application P installed that have been deployed in group G and all of its subgroups, except for subgroups where the Inherit from parent group check box is cleared in the properties.

A policy differs from any local setting by lock icons next to its settings. If a setting (or a group of settings) is locked in the policy properties, it must, first, be used when the effective settings are created and, second, be written to the downstream policy.

Creation of the effective settings on a device can be described as follows: the values of all settings that have not been locked are taken from the policy, then they are overwritten with the values of local settings, and then the resulting collection is overwritten with the values of locked settings taken from the policy.

Policies of the same application affect each other through the hierarchy of administration groups: Locked settings from the upstream policy overwrite the same settings from the downstream policy.

There is a special policy for out-of-office users. This policy takes effect on a device when the device switches into out-of-office mode. Out-of-office policies do not affect other policies through the hierarchy of administration groups.

The out-of-office policy will not be supported in further versions of Kaspersky Security Center. Policy profiles will be used instead of out-of-office policies.

[Topic 92433]

Policy profiles

Applying policies to devices only through the hierarchy of administration groups may be inconvenient in many circumstances. It may be necessary to create several instances of a single policy that differ in one or two settings for different administration groups, and synchronize the contents of those policies in the future.

To help you avoid such problems, Kaspersky Security Center, starting from version 10 Service Pack 1, supports policy profiles. A policy profile is a named subset of policy settings. This subset is distributed on target devices together with the policy, supplementing it under a specific condition called the profile activation condition. Profiles only contain settings that differ from the "basic" policy, which is active on the client device (computer or mobile device). Activation of a profile modifies the policy settings that were active on the device before the profile was activated. Those settings take values that have been specified in the profile.

The following restrictions are currently imposed on policy profiles:

  • A policy can include a maximum of 100 profiles.
  • A policy profile cannot contain other profiles.
  • A policy profile cannot contain notification settings.

Contents of a profile

A policy profile contains the following constituent parts:

  • Name. Profiles with identical names affect each other through the hierarchy of administration groups with common rules.
  • Subset of policy settings. Unlike the policy, which contains all the settings, a profile only contains settings that are actually required (locked settings).
  • Activation condition is a logical expression with the device properties. A profile is active (supplements the policy) only when the profile activation condition becomes true. In all other cases, the profile is inactive and ignored. The following device properties can be included in that logical expression:
    • Status of out-of-office mode.
    • Properties of network environment—Name of the active rule for Network Agent connection.
    • Presence or absence of specified tags on the device.
    • Device location in Active Directory unit: explicit (the device is right in the specified OU), or implicit (the device is in an OU, which is within the specified OU at any nesting level).
    • Device's membership in an Active Directory security group (explicit or implicit).
    • Device owner's membership in an Active Directory security group (explicit or implicit).
  • Profile disabling check box. Disabled profiles are always ignored and their respective activation conditions are not verified.
  • Profile priority. The activation conditions of different profiles are independent, so several profiles can be activated simultaneously. If active profiles contain non-overlapping collections of settings, no problems will arise. However, if two active profiles contain different values of the same setting, an ambiguity will occur. This ambiguity is to be avoided through profile priorities: The value of the ambiguous variable will be taken from the profile that has the higher priority (the one that is rated higher in the list of profiles).

Behavior of profiles when policies affect each other through the hierarchy

Profiles with the same name are merged according to the policy merge rules. Profiles of an upstream policy have a higher priority than profiles of a downstream policy. If editing settings is prohibited in the upstream policy (it is locked), the downstream policy uses the profile activation conditions from the upstream one. If editing settings is allowed in the upstream policy, the profile activation conditions from the downstream policy are used.

Since a policy profile may contain the Device is offline property in its activation condition, profiles completely replace the feature of policies for out-of-office users, which will no longer be supported.

A policy for out-of-office users may contain profiles, but its profiles can only be activated after the device switches into out-of-office mode.
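The activation and priority rules above can be checked on a small model before a profile list is rolled out. The following Python code is an added example, not part of Kaspersky Security Center; the setting names, profile names, OU names and sample device are constructed for illustration, and activation conditions are modeled as plain Python functions.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Device:
    """Device properties that an activation condition may test (constructed model)."""
    out_of_office: bool = False
    connection_rule: str = ""          # name of the active Network Agent connection rule
    tags: frozenset = frozenset()
    ou: str = ""                       # DN of the Active Directory unit holding the device
    groups: frozenset = frozenset()    # AD security groups, nested membership already expanded


def in_ou(device, ou, implicit=True):
    """Explicit: the device is right in `ou`. Implicit: it may sit in an OU nested inside `ou`."""
    have, want = device.ou.lower(), ou.lower()
    return have == want or (implicit and have.endswith("," + want))


@dataclass
class Profile:
    name: str
    settings: dict                     # only the settings that differ from the basic policy
    condition: Callable[[Device], bool]
    enabled: bool = True


def resolve(base, profiles, device):
    """Apply active profiles to the basic policy.

    `profiles` is ordered as in the list of profiles: first entry = highest priority.
    Returns (effective settings, names of active profiles, conflicts), where a
    conflict is (setting, winning profile, overridden profile).
    """
    effective, owner = dict(base), {}
    active, conflicts = [], []
    for profile in profiles:
        # Disabled profiles are ignored and their conditions are never evaluated.
        if not profile.enabled or not profile.condition(device):
            continue
        active.append(profile.name)
        for key, value in profile.settings.items():
            if key not in owner:
                owner[key] = profile.name      # first (highest-priority) profile wins
                effective[key] = value
            elif effective[key] != value:
                conflicts.append((key, owner[key], profile.name))
    return effective, active, conflicts


def _never_called(device):
    raise AssertionError("condition of a disabled profile must not be evaluated")


# Constructed sample data; setting names and values are hypothetical.
BASE = {"firewall": "domain", "device_control": "allow_usb", "update_source": "admin_server"}
FINANCE = Profile("Finance", {"device_control": "block_usb"},
                  lambda d: in_ou(d, "OU=Finance,DC=example,DC=test"))
OFFSITE = Profile("Off-site", {"firewall": "public", "device_control": "read_only_usb",
                               "update_source": "vendor_servers"},
                  lambda d: d.out_of_office)
KIOSK = Profile("Kiosk", {"firewall": "off"}, _never_called, enabled=False)
LAPTOP = Device(out_of_office=True, ou="OU=Laptops,OU=Finance,DC=example,DC=test")

if __name__ == "__main__":
    for order in ([KIOSK, FINANCE, OFFSITE], [KIOSK, OFFSITE, FINANCE]):
        settings, active, conflicts = resolve(BASE, order, LAPTOP)
        print([p.name for p in order], "->", settings, conflicts)
```

With both profiles active, the order in the list decides whether the stricter or the weaker device_control value reaches the laptop; the conflicts list shows which profile was overridden.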

[Topic 92434]

Inheritance of policy settings

A policy is specified for an administration group. Policy settings can be inherited, that is, received in the subgroups (child groups) of the administration group for which they were set. Hereinafter, a policy for a parent group is also referred to as a parent policy.

You can enable or disable two options of inheritance: Inherit settings from parent policy and Force inheritance of settings in child policies:

  • If you enable Inherit settings from parent policy for a child policy and lock some settings in the parent policy, then you cannot change these settings for the child group. You can, however, change the settings that are not locked in the parent policy.
  • If you disable Inherit settings from parent policy for a child policy, then you can change all the settings in the child group, even if some settings are locked in the parent policy.
  • If you enable Force inheritance of settings in child policies in the parent group, this enables the Inherit settings from parent policy for each child policy. In this case, you cannot disable this option for any child policy. All the settings that are locked in the parent policy are forcibly inherited in the child groups, and you cannot change these settings in the child groups.
  • In policies for the Managed devices group, the Inherit settings from parent policy does not affect any settings, because the Managed devices group does not have any upstream groups and therefore does not inherit any policies.

By default, the Inherit settings from parent policy option is enabled for a new policy.

If a policy has profiles, all the child policies inherit these profiles.
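The order in which effective settings are built (described under Hierarchy of policies) and the two inheritance options described above can be modeled to find settings that a local change can still override. The following Python code is an added example, not part of Kaspersky Security Center; the setting names and sample policies are constructed, and it assumes that every policy holds a value for every setting and that Force inheritance of settings in child policies acts on the policy directly below.

```python
from dataclasses import dataclass, field, replace


@dataclass
class Policy:
    """One policy of an application in one administration group (simplified model)."""
    name: str
    values: dict                               # setting name -> value
    locked: set = field(default_factory=set)   # settings whose lock is closed
    inherit_from_parent: bool = True           # "Inherit settings from parent policy"
    force_inheritance: bool = False            # "Force inheritance of settings in child policies"


def merge_chain(chain):
    """Merge policies ordered from the top-level group down to the device's group.

    Returns (values, locked) of the policy that reaches the device.
    """
    values, locked = {}, set()
    parent_forces = False
    for policy in chain:
        if not (policy.inherit_from_parent or parent_forces):
            # Inheritance disabled: the child may change everything, parent locks included.
            values, locked = {}, set()
        for name, value in policy.values.items():
            if name not in locked:             # a lock closed upstream wins
                values[name] = value
        locked = locked | policy.locked
        parent_forces = policy.force_inheritance   # assumption: applies to the next policy down
    return values, locked


def effective_settings(chain, local):
    """Build the settings in force on a device, in the order the text describes."""
    values, locked = merge_chain(chain)
    effective = {k: v for k, v in values.items() if k not in locked}  # 1. unlocked policy values
    effective.update(local)                                           # 2. overwritten by local settings
    effective.update({k: values[k] for k in locked if k in values})   # 3. overwritten by locked values
    return effective


def local_overrides(chain, local):
    """Settings whose effective value differs from the policy value (lock left open)."""
    values, _ = merge_chain(chain)
    effective = effective_settings(chain, local)
    return sorted(k for k in values if effective[k] != values[k])


# Constructed sample data; setting names and values are hypothetical.
ROOT = Policy("Managed devices",
              {"file_protection": "on", "password_protection": "on", "removable_scan": "full"},
              locked={"file_protection"})
BRANCH = Policy("Branch office",
                {"file_protection": "off", "password_protection": "on", "removable_scan": "quick"},
                locked={"removable_scan"})
LOCAL = {"file_protection": "off", "password_protection": "off", "removable_scan": "off"}

if __name__ == "__main__":
    detached = replace(BRANCH, inherit_from_parent=False)
    forced = replace(ROOT, force_inheritance=True)
    for chain in ([ROOT, BRANCH], [ROOT, detached], [forced, detached]):
        print(effective_settings(chain, LOCAL), local_overrides(chain, LOCAL))
```

In the sample, password_protection is not locked in either policy, so the local value "off" stays in force on the device; closing the lock in the parent policy removes that gap for every child policy that inherits.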

[Topic 179787]

Managing policies

The applications installed on client devices are centrally configured by defining policies.

Policies created for applications in an administration group are displayed in the workspace, on the Policies tab. Before the name of each policy, an icon with its status is displayed.

After a policy is deleted or revoked, the application continues working with the settings specified in the policy. Those settings subsequently can be modified manually.

A policy is applied as follows: if a device is running resident tasks (real-time protection tasks), they keep running with the new setting values. Any periodic tasks (on-demand scan, update of application databases) that are started keep running with the values unchanged. Next time, they will be run with the new setting values.

Policies for applications with multitenancy support are inherited to lower-level administration groups as well as to upper-level administration groups: the policy is propagated to all client devices on which the application is installed.

If Administration Servers are structured hierarchically, secondary Administration Servers receive policies from the primary Administration Server and distribute them to client devices. When inheritance is enabled, policy settings can be modified on the primary Administration Server. After this, any changes made to the policy settings are propagated to inherited policies on secondary Administration Servers.

If the connection is terminated between the primary and secondary Administration Servers, the policy on the secondary Server continues, using the applied settings. Policy settings modified on the primary Administration Server are distributed to a secondary Administration Server after the connection is re-established.

If inheritance is disabled, policy settings can be modified on a secondary Administration Server independently from the primary Administration Server.

If the connection between Administration Server and a client device is interrupted, the client device starts running under the out-of-office policy (if it is defined), or the policy keeps running under the applied settings until the connection is re-established.

The results of policy distribution to the secondary Administration Server are displayed in the policy properties window of the console on the primary Administration Server.

The results of policy distribution to client devices are displayed in the policy properties window of the Administration Server to which they are connected.

Do not use private data in policy settings. For example, avoid specifying the domain administrator password.

In this section

Creating a policy

Displaying inherited policy in a subgroup

Activating a policy

Activating a policy automatically at the Virus outbreak event

Applying an out-of-office policy

Modifying a policy. Rolling back changes

Comparing policies

Deleting a policy

Copying a policy

Exporting a policy

Importing a policy

Converting policies

See also:

About multi-tenant applications

[Topic 3746]

Creating a policy

In Administration Console, you can create policies directly in the folder of the administration group for which a policy is to be created, or in the workspace of the Policies folder.

To create a policy in the folder of an administration group:

  1. In the console tree, select an administration group for which you want to create a policy.
  2. In the workspace of the group, select the Policies tab.
  3. Run the New Policy Wizard by clicking the New policy button.

The New Policy Wizard starts. Follow the instructions of the Wizard.

To create a policy in the workspace of the Policies folder:

  1. In the console tree, select the Policies folder.
  2. Run the New Policy Wizard by clicking the New policy button.

The New Policy Wizard starts. Follow the instructions of the Wizard.

You can create several policies for one application from the group, but only one policy can be active at a time. When you create a new active policy, the previous active policy becomes inactive.

When creating a policy, you can specify a minimum set of parameters required for the application to function properly. All other values are set to the default values applied during the local installation of the application. You can change the policy after it is created.

Do not use private data in policy settings. For example, avoid specifying the domain administrator password.

Settings of Kaspersky applications that are changed after policies are applied are described in detail in their respective Guides.

After the policy is created, the settings locked from editing (marked with the lock icon) take effect on client devices regardless of which settings were previously specified for the application.

See also:

Policy setup and propagation: Device-centric approach

[Topic 3747]

Displaying inherited policy in a subgroup

To enable the display of inherited policies for a nested administration group:

  1. In the console tree, select the administration group for which inherited policies have to be displayed.
  2. In the workspace of the selected group, select the Policies tab.
  3. In the context menu of the list of policies, select View → Inherited policies.

Inherited policies are displayed in the list of policies with one of the following icons:

  • Icon of a blue lock on a white sheet with a green arrow pointing down in the left corner: displayed if the policies were inherited from a group created on the primary Administration Server.
  • Icon of a blue lock on a white sheet: displayed if the policies were inherited from a top-level group.

When the settings inheritance mode is enabled, inherited policies are only available for modification in the group in which they were created. Modification of inherited policies is not available in the group that inherits them.

[Topic 3754]

Activating a policy

To make a policy active for the selected group:

  1. In the workspace of the group, on the Policies tab select the policy that you have to make active.
  2. To activate the policy, perform one of the following actions:
    • In the context menu of the policy, select Active policy.
    • In the policy properties window open the General section and select Active policy from the Policy status settings group.

The policy becomes active for the selected administration group.

When a policy is applied to a large number of client devices, both the load on the Administration Server and the network traffic increase significantly for some time.

[Topic 3755]

Activating a policy automatically at the Virus outbreak event

To make a policy perform automatic activation at a Virus outbreak event:

  1. In the Administration Server properties window, open the Virus outbreak section.
  2. Open the Policy activation window by clicking the Configure policies to activate when a Virus outbreak event occurs link and add the policy to the selected list of policies that are activated when a virus outbreak is detected.

If a policy has been activated on the Virus outbreak event, you can return to the previous policy only by using the manual mode.

See also

Scenario: Monitoring and reporting

[Topic 3756]

Applying an out-of-office policy

The out-of-office policy takes effect on a device if it is disconnected from the corporate network.

To apply an out-of-office policy:

In the policy properties window, open the General section and in the Policy status settings group, select Out-of-office policy.

The out-of-office policy will be applied to the devices if they are disconnected from the corporate network.

[Topic 3757]

Modifying a policy. Rolling back changes

To edit a policy:

  1. In the console tree, select the Policies folder.
  2. In the workspace of the Policies folder, select a policy and proceed to the policy properties window using the context menu.
  3. Make the relevant changes.
  4. Click Apply.

The changes made to the policy will be saved in the policy properties, in the Revision history section.

You can roll back changes made to the policy, if necessary.

To roll back changes made to the policy:

  1. In the console tree, select the Policies folder.
  2. Select the policy in which changes must be rolled back, and proceed to the policy properties window using the context menu.
  3. In the policy properties window, select the Revision history section.
  4. In the list of policy revisions, select the number of the revision to which you need to roll back changes.
  5. Click the Advanced button and select the Roll back value in the drop-down list.
[Topic 130755]

Comparing policies

You can compare two policies for a single managed application. After the comparison, you have a report that displays which policy settings match and which settings differ. For example, you may have to compare policies if different administrators in their respective offices have created multiple policies for a single managed application, or if a single top-level policy has been inherited by all local offices and modified for each office. You can compare policies in one of the following ways: by selecting one policy and comparing it to another, or by comparing any two policies from the list of policies.

To compare one policy to another:

  1. In the console tree, select the Policies folder.
  2. In the workspace of the Policies folder, select the policy that you require to compare to another.
  3. In the context menu of the policy, select Compare policy to another policy.
  4. In the Select policy window, select the policy to which your policy must be compared.
  5. Click OK.

A report in HTML format is displayed for the comparison of the two policies for the same application.

To compare any two policies from the list of policies:

  1. In the Policies folder, in the list of policies, use the Shift or Ctrl key to select two policies for a single managed application.
  2. In the context menu, select Compare.

A report in HTML format is displayed for the comparison of the two policies for the same application.

The report on comparison of policy settings for Kaspersky Endpoint Security for Windows also provides details of the comparison of policy profiles. You can minimize the results of policy profile comparison. To minimize the section, click the arrow icon next to the section name.

[Topic 143897]

Deleting a policy

To delete a policy:

  1. In the workspace of an administration group, on the Policies tab, select the policy that you want to delete.
  2. Delete the policy in one of the following ways:
    • By selecting Delete in the context menu of the policy.
    • By clicking the Delete policy link in the information box for the selected policy.
[Topic 3758]

Copying a policy

To copy a policy:

  1. In the workspace of the required group, on the Policies tab select a policy.
  2. In the context menu of the policy, select Copy.
  3. In the console tree, select a group to which you want to add the policy.

    You can add a policy to the group from which it was copied.

  4. From the context menu of the list of policies for the selected group, on the Policies tab select Paste.

The policy is copied with all its settings and is applied to the devices within the group to which it was copied. If you paste the policy into the same group from which it has been copied, the (<next sequence number>) index is automatically added to the policy name, for example: (1), (2).

An active policy becomes inactive while it is copied. If necessary, you can make it active.

[Topic 3759]

Exporting a policy

To export a policy:

  1. Export a policy in one of the following ways:
    • By selecting All tasks → Export in the context menu of the policy.
    • By clicking the Export policy to file link in the information box for the selected policy.
  2. In the Save as window that opens, specify the policy file name and path. Click the Save button.
[Topic 3762]

Importing a policy

To import a policy:

  1. In the workspace of the relevant group, on the Policies tab select one of the following ways of importing policies:
    • By selecting All tasks → Import in the context menu of the list of policies.
    • By clicking the Import policy from file button in the management block for policy list.
  2. In the window that opens, specify the path to the file from which you want to import a policy. Click the Open button.

The imported policy is displayed in the policy list. The settings and profiles of the policy are also imported. Regardless of the policy status that was selected during the export, the imported policy is inactive. You can change the policy status in the policy properties.

If the newly imported policy has a name identical to that of an existing policy, the name of the imported policy is expanded with the (<next sequence number>) index, for example: (1), (2).

[Topic 3763]

Converting policies

Kaspersky Security Center can convert policies from earlier versions of managed Kaspersky applications to the up-to-date versions of the same applications. Converted policies keep the current administrator's settings specified before the update, as well as include new settings from the up-to-date versions of the applications. Management plug-ins for Kaspersky applications determine whether conversion is available for the policies of these applications. For information about converting policies for each supported Kaspersky application, refer to the relevant Help from the following list:

To convert policies:

  1. In the console tree, select the Administration Server for which you want to convert policies.
  2. In the Administration Server context menu, select All Tasks → Policies and Tasks Batch Conversion Wizard.

The Policies and tasks batch conversion wizard starts. Follow the instructions of the wizard.

After the wizard completes, new policies are created that use the current administrator's settings of policies and the new settings from the up-to-date versions of Kaspersky applications.

[Topic 17335]

Managing policy profiles

This section describes managing policy profiles and provides information about viewing the profiles of a policy, changing a policy profile priority, creating a policy profile, modifying a policy profile, copying a policy profile, creating a policy profile activation rule, and deleting a policy profile.

In this section

About the policy profile

Creating a policy profile

Modifying a policy profile

Deleting a policy profile

Creating a policy profile activation rule

[Topic 89257]

About the policy profile

A policy profile is a named collection of policy settings that is activated on a client device (computer or mobile device) when the device satisfies specified activation rules. Activation of a profile modifies the policy settings that were active on the device before the profile was activated. Those settings take the values that have been specified in the profile.

Policy profiles are necessary for devices within a single administration group to run under different policy settings. For example, a situation may occur when policy settings have to be modified for some devices in an administration group. In this case, you can configure policy profiles for such a policy, which allows you to edit policy settings for selected devices in the administration group. For example, the policy prohibits running any GPS navigation software on all devices in the Users administration group. GPS navigation software is necessary only on a single device in the Users administration group—the device owned by the user employed as a courier. You can tag that device as simply "Courier" and reconfigure the policy profile so that it allows GPS navigation software to run only on the device tagged as "Courier", while preserving all the remaining policy settings. In this case, if a device tagged as "Courier" appears in the Users administration group, it will be allowed to run GPS navigation software. Running GPS navigation software will still be prohibited on other devices in the Users administration group unless they are tagged as "Courier", too.

Profiles are only supported by the following policies:

  • Policies of Kaspersky Endpoint Security 10 Service Pack 1 for Windows or later
  • Policies of Kaspersky Endpoint Security 10 Service Pack 1 for Mac
  • Policies of the Kaspersky Mobile Device Management plug-in ranging from version 10 Service Pack 1 to version 10 Service Pack 3 Maintenance Release 1
  • Policies of the Kaspersky Device Management for iOS plug-in
  • Policies of Kaspersky Security for Virtualization 5.1 Light Agent for Windows
  • Policies of Kaspersky Security for Virtualization 5.1 Light Agent for Linux

Policy profiles simplify the management of the client devices that the policies apply to:

  • The policy profile settings may differ from the policy settings.
  • You do not have to maintain and manually apply several instances of a single policy that differ only by a few settings.
  • You do not have to allocate a separate policy for out-of-office users.
  • You can export and import policy profiles, as well as create new policy profiles based on existing ones.
  • A single policy can have multiple active policy profiles. Only profiles that meet the activation rules effective on the device will be applied to that device.
  • Profiles are subject to the policy hierarchy. An inherited policy includes all profiles of the higher-level policy.

Priorities of profiles

Profiles that have been created for a policy are sorted in descending order of priority. For example, if profile X is higher in the list of profiles than profile Y, then X has a higher priority than the latter. Multiple profiles can be simultaneously applied to a single device. If values of a setting vary in different profiles, the value from the highest-priority profile will be applied on the device.

Profile activation rules

A policy profile is activated on a client device when an activation rule is triggered. Activation rules are a set of conditions that, when met, start the policy profile on a device. An activation rule can contain the following conditions:

  • Network Agent on a client device connects to the Administration Server that has a specified set of connection settings, such as Administration Server address, port number, and so forth.
  • The client device is offline.
  • The client device has been assigned specified tags.
  • The client device is located in a specific Active Directory unit, either explicitly (the device is located immediately in the specified unit) or implicitly (the device is located in a unit that is nested in the specified unit at any level), or the device or its owner is a member of an Active Directory security group.
  • The client device belongs to a specified owner, or the owner of the device is included in an internal security group of Kaspersky Security Center.
  • The owner of the client device has been assigned a specified role.

Policies in the hierarchy of administration groups

If you are creating a policy in a low-level administration group, this new policy inherits all profiles of the active policy from the higher-level group. Profiles with identical names are merged. Policy profiles for the higher-level group have the higher priority. For example, in administration group A, policy P(A) has profiles X1, X2, and X3 (in descending order of priority). In administration group B, which is a subgroup of group A, policy P(B) has been created with profiles X2, X4, X5. Then policy P(B) will be modified with policy P(A) so that the list of profiles in policy P(B) will appear as follows: X1, X2, X3, X4, X5 (in descending order of priority). The priority of profile X2 will depend on the initial state of X2 of policy P(B) and X2 of policy P(A). After the policy P(B) is created, the policy P(A) is no longer displayed in subgroup B.

The active policy is recalculated every time you run Network Agent, enable or disable offline mode, or edit the list of tags assigned to the client device. For example, when the RAM size is increased on a device, this in turn activates the policy profile that is applied on devices with a large RAM size.
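The following Python model is an added example, not Kaspersky code and not part of the original Help. It works through the priority, activation rule, and hierarchy descriptions above. The class names, the setting names, and the rule that any one triggered activation rule activates an enabled profile are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ActivationRule:
    """Two of the 'general' conditions from the activation rule wizard (simplified)."""
    tags: frozenset = frozenset()   # selected tags; empty set = criterion not applied
    without_tags: bool = False      # "Apply to devices without the specified tags"
    offline: Optional[bool] = None  # None = "No value is selected"

    def matches(self, device_tags, device_offline):
        if self.offline is not None and self.offline != device_offline:
            return False
        if self.tags and self.without_tags:
            return not (self.tags & device_tags)   # device carries none of the tags
        if self.tags:
            return self.tags <= device_tags        # device carries all of the tags
        return True


@dataclass
class Profile:
    name: str
    settings: dict
    rules: list = field(default_factory=list)
    enabled: bool = True

    def active_on(self, device_tags, device_offline):
        # Assumption: an enabled profile is active when any one of its rules is triggered.
        return self.enabled and any(r.matches(device_tags, device_offline) for r in self.rules)


def merge_profile_order(parent_names, child_names):
    """Profile list of a child policy: inherited profiles first, same names merged.

    Only the resulting order is modelled; how the settings of two same-named
    profiles combine is not.
    """
    return list(parent_names) + [n for n in child_names if n not in parent_names]


def effective_settings(policy_settings, profiles, device_tags, device_offline=False):
    """Return (settings, applied profile names); profiles are in descending priority."""
    device_tags = frozenset(device_tags)
    result = dict(policy_settings)
    applied = [p for p in profiles if p.active_on(device_tags, device_offline)]
    # Write lowest priority first so the highest-priority value is the one that remains.
    for profile in reversed(applied):
        result.update(profile.settings)
    return result, [p.name for p in applied]


# Constructed sample data; setting names and values are hypothetical.
POLICY = {"gps_navigation_software": "blocked", "removable_drives": "read-only"}
PROFILES = [  # descending priority
    Profile("Out of office",
            {"gps_navigation_software": "blocked", "removable_drives": "blocked"},
            [ActivationRule(offline=True)]),
    Profile("Courier",
            {"gps_navigation_software": "allowed"},
            [ActivationRule(tags=frozenset({"Courier"}))]),
]

if __name__ == "__main__":
    # Hierarchy example from the text: P(A) has X1, X2, X3 and P(B) has X2, X4, X5.
    print(merge_profile_order(["X1", "X2", "X3"], ["X2", "X4", "X5"]))
    for tags, offline in [({"Courier"}, False), ({"Courier"}, True), (set(), False)]:
        print(sorted(tags), offline, effective_settings(POLICY, PROFILES, tags, offline))
```

In the second case both profiles are active on the courier's device, and the higher-ranked profile decides the value of the setting they share, which is the point to check before reordering profiles in a live policy.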

Properties and restrictions of policy profiles

Profiles have the following properties:

  • Profiles of an inactive policy have no impact on client devices.
  • If a policy is set to the Out-of-office policy status, profiles of the policy will also be applied when a device is disconnected from the corporate network.
  • Profiles do not support static analysis of access to executable files.
  • A policy profile cannot contain any settings of event notifications.
  • If UDP port 15000 is used for connecting a device to Administration Server, the corresponding policy profile is activated within one minute after you assign a tag to the device.
  • You can use rules for Network Agent connection to the Administration Server, when you create policy profile activation rules.
[Topic 89258]

Creating a policy profile

Profile creation is available only for the policies of the following applications:

  • Kaspersky Endpoint Security 10 Service Pack 1 for Windows and later versions
  • Kaspersky Endpoint Security 10 Service Pack 1 for Mac
  • Kaspersky Mobile Device Management plug-in versions 10 Service Pack 1 to 10 Service Pack 3 Maintenance Release 1
  • Kaspersky Device Management for iOS plug-in
  • Kaspersky Security for Virtualization 5.1 Light Agent for Windows and Linux

To create a policy profile:

  1. In the console tree, select the administration group for whose policy you have to create a policy profile.
  2. In the workspace of the administration group, select the Policies tab.
  3. Select a policy and switch to the policy properties window using the context menu.
  4. Open the Policy profiles section in the policy properties window and click the Add button.

    The New Policy Profile Wizard starts.

  5. In the Policy profile name window of the Wizard, specify the following:
    1. Name of the policy profile

      The profile name cannot include more than 100 characters.

    2. Policy profile status (Enabled or Disabled)

      We recommend that you create and enable inactive policy profiles only after you are completely finished with the settings and conditions of policy profile activation.

  6. Select the After closing the New Policy Profile Wizard, proceed to configuring the policy profile activation rule check box to start the New Policy Profile Activation Rule Wizard. Follow the Wizard steps.
  7. Edit the policy profile settings in the policy profile properties window, in the way you require.
  8. Save the changes by clicking OK.

    The profile is saved. The profile will be activated on devices that meet the activation rules.

You can create multiple profiles for a single policy. Profiles that have been created for a policy are displayed in the policy properties, in the Policy profiles section. You can modify a policy profile and change the profile priority, as well as remove the profile.

See also:

Policy setup and propagation: Device-centric approach

[Topic 89259]

Modifying a policy profile

Editing the settings of a policy profile

The capability to edit a policy profile is only available for policies of Kaspersky Endpoint Security for Windows.

To modify a policy profile:

  1. In the console tree, select the administration group for which the policy profile has to be modified.
  2. In the workspace of the group, select the Policies tab.
  3. Select a policy and switch to the policy properties window using the context menu.
  4. Open the Policy profiles section in the policy properties.

    This section contains a list of profiles that have been created for the policy. Profiles are displayed in the list in accordance with their priorities.

  5. Select a policy profile and click the Properties button.
  6. Configure the profile in the properties window:
    • If necessary, in the General section, change the profile name and enable or disable the profile using the Enable profile check box.
    • In the Activation rules section, edit the profile activation rules.
    • Edit the policy settings in the corresponding sections.
  7. Click OK.

The modified settings will take effect either after the device is synchronized with the Administration Server (if the policy profile is active), or after an activation rule is triggered (if the policy profile is inactive).

Changing the priority of a policy profile

The priorities of policy profiles define the activation order of profiles on a client device. Priorities are used if identical activation rules are set for different policy profiles.

For example, two policy profiles have been created: Profile 1 and Profile 2 that differ by the respective values of a single setting (Value 1 and Value 2). The priority of Profile 1 is higher than that of Profile 2. Moreover, there are also profiles with priorities that are lower than that of Profile 2. The activation rules for those profiles are identical.

When an activation rule is triggered, Profile 1 will be activated. The setting on the device will take Value 1. If you remove Profile 1, then Profile 2 will have the highest priority, so the setting will take Value 2.

On the list of policy profiles, profiles are displayed in accordance with their respective priorities. The profile with the highest priority is ranked first. You can change the priority of a profile by using the up arrow and the down arrow buttons.

[Topic 89260]

Deleting a policy profile

To delete a policy profile:

  1. In the console tree, select the administration group whose policy profile you want to delete.
  2. In the workspace of the administration group, select the Policies tab.
  3. Select a policy and switch to the policy properties window using the context menu.
  4. Open the Policy profiles section in the properties of the policy of Kaspersky Endpoint Security.
  5. Select the policy profile that you want to delete and click the Delete button.

The policy profile will be deleted. The active status will pass either to another policy profile whose activation rules are triggered on the device, or to the policy.

[Topic 89262]

Creating a policy profile activation rule


To create a policy profile activation rule:

  1. In the console tree, select the administration group for which you have to create a policy profile activation rule.
  2. In the workspace of the group, select the Policies tab.
  3. Select a policy and switch to the policy properties window using the context menu.
  4. Select the Policy profiles section in the policy properties window.
  5. Select the policy profile for which you need to create an activation rule, and click the Properties button.

    The policy profile properties window opens.

    If the list of policy profiles is empty, you can create a policy profile.

  6. Select the Activation rules section, and click the Add button.

    The New Policy Profile Activation Rule Wizard starts.

  7. In the Policy profile activation rules window, select the check boxes next to the conditions that must affect activation of the policy profile that you are creating:
    • General rules for policy profile activation

      Select this check box to set up policy profile activation rules on the device depending on the status of the device offline mode, rule for connection to Administration Server, and tags assigned to the device.

    • Rules for Active Directory usage

      Select this check box to set up rules for policy profile activation on the device depending on the presence of the device in an Active Directory organizational unit (OU), or on membership of the device (or its owner) in an Active Directory security group.

    • Rules for a specific device owner

      Select this check box to set up rules for policy profile activation on the device depending on the device owner.

    • Rules for hardware specifications

      Select this check box to set up rules for policy profile activation on the device depending on the memory volume and the number of logical processors.

    The number of additional windows of the Wizard depends on the settings that you select at this step. You can modify policy profile activation rules later.

  8. In the General conditions window, specify the following settings:
    • In the Device is offline field, in the drop-down list specify the condition for device presence on the network:
      • Yes

        The device is in an external network, which means that the Administration Server is not available.

      • No

        The device is on the network, so the Administration Server is available.

      • No value is selected

        The criterion will not be applied.

    • In the The device is in the specified network location box, use the drop-down lists to set up the policy profile activation if the Administration Server connection rule is executed / not executed on this device:
      • Executed / Not executed

        Condition of policy profile activation (whether the rule is executed or not).

      • Rule name

        Network location description of the device for connection to the Administration Server, whose conditions must be met (or must not be met) for activation of the policy profile.

        A network location description of devices for connection to an Administration Server can be created or configured in a Network Agent switching rule.

    The General conditions window is displayed if the General rules for policy profile activation check box is selected.

  9. In the Conditions using tags window, specify the following settings:
    • Tag list

      In the list of tags, specify the rule for device inclusion in the policy profile by selecting the check boxes next to the relevant tags.

      You can add new tags to the list by entering them in the field over the list and clicking the Add button.

      The policy profile includes devices with descriptions containing all the selected tags. If check boxes are cleared, the criterion is not applied. By default, these check boxes are cleared.

    • Apply to devices without the specified tags

      Enable this option if you have to invert your selection of tags.

      If this option is enabled, the policy profile includes devices with descriptions that contain none of the selected tags. If this option is disabled, the criterion is not applied.

      By default, this option is disabled.

    The Conditions using tags window is displayed if the General rules for policy profile activation check box is selected.

  10. In the Conditions using Active Directory window, specify the following settings:
    • Device owner's membership in Active Directory security group

      If this option is enabled, the policy profile is activated on the device whose owner is a member of the specified security group. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Device membership in Active Directory security group

      If this option is enabled, the policy profile is activated on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Device allocation in Active Directory organizational unit

      If this option is enabled, the policy profile is activated on the device which is included in the specified Active Directory organizational unit (OU). If this option is disabled, the profile activation criterion is not applied.

      By default, this option is disabled.

    The Conditions using Active Directory window is displayed if the Rules for Active Directory usage check box is selected.

  11. In the Conditions using the device owner window, specify the following settings:
    • Device owner

      Enable this option to configure and enable the rule for profile activation on the device according to its owner. In the drop-down list under the check box, you can select a criterion for the profile activation:

      • The device belongs to the specified owner ("=" sign).
      • The device does not belong to the specified owner ("#" sign).

        If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the device owner when the option is enabled. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • The device owner is included in an internal security group

      Enable this option to configure and enable the rule of profile activation on the device by the owner's membership in an internal security group of Kaspersky Security Center. In the drop-down list under the check box, you can select a criterion for the profile activation:

      • The device owner is a member of the specified security group ("=" sign).
      • The device owner is not a member of the specified security group ("#" sign).

        If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify a security group of Kaspersky Security Center. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Activate policy profile by specific role of device owner

      Select this option to configure and enable the rule of profile activation on the device depending on the owner's role. Add the role manually from the list of existing roles.

      If this option is enabled, the profile is activated on the device in accordance with the criterion configured.

    The Conditions using the device owner window opens if the Rules for a specific device owner check box is selected.

  12. In the Conditions using equipment specifications window, specify the following settings:
    • RAM size, in MB

      Enable this option to configure and enable the rule of profile activation on the device by the RAM volume available on that device. In the drop-down list under the check box, you can select a criterion for the profile activation:

      • The device RAM size is less than the specified value ("<" sign).
      • The device RAM size is greater than the specified value (">" sign).

      If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the RAM volume on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Number of logical processors

      Enable this option to configure and enable the rule of profile activation on the device by the number of logical processors on that device. In the drop-down list under the check box, you can select a criterion for the profile activation:

      • The number of logical processors on the device is less than or equal to the specified value ("<" sign).
      • The number of logical processors on the device is greater than or equal to the specified value (">" sign).

      If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the number of logical processors on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    The Conditions using equipment specifications window is displayed if the Rules for hardware specifications check box is selected.

  13. In the Name of policy profile activation rule window, in the Rule name field, specify a name for the rule.

The profile will be saved. The profile will be activated on the device when activation rules are triggered.

Policy profile activation rules created for the profile are displayed in the policy profile properties in the Activation rules section. You can modify or remove any policy profile activation rule.

Multiple activation rules can be triggered simultaneously.

See also:

Policy setup and propagation: Device-centric approach

[Topic 144953]

Device moving rules

We recommend that you automate the allocation of devices to administration groups through device moving rules. A device moving rule consists of three main parts: a name, an execution condition (logical expression with the device attributes), and a target administration group. A rule moves a device to the target administration group if the device attributes meet the rule execution condition.

All device moving rules have priorities. The Administration Server checks the device attributes as to whether they meet the execution condition of each rule, in ascending order of priority. If the device attributes meet the execution condition of a rule, the device is moved to the target group, so the rule processing is complete for this device. If the device attributes meet the conditions of multiple rules, the device is moved to the target group of the rule with the highest priority (that is, has the highest rank in the list of rules).

Device moving rules can be created implicitly. For example, in the properties of an installation package or a remote installation task, you can specify the administration group to which the device must be moved after Network Agent is installed on it. Also, device moving rules can be created explicitly by the administrator of Kaspersky Security Center, in the list of moving rules. The list is located in Administration Console, in the properties of the Unassigned devices group.

By default, a device moving rule is intended for one-time initial allocation of devices to administration groups. The rule moves devices from the Unassigned devices group only once. If a device once was moved by this rule, the rule will never move it again, even if you return the device to the Unassigned devices group manually. This is the recommended way of applying moving rules.

You can move devices that have already been allocated to some of the administration groups. To do this, in the properties of a rule, clear the Move only devices that do not belong to an administration group check box.

Applying moving rules to devices that have already been allocated to some of the administration groups significantly increases the load on the Administration Server.

You can create a moving rule that would affect a single device repeatedly.

We strongly recommend that you avoid moving a single device from one group to another repeatedly (for example, in order to apply a special policy to that device, run a special group task, or update the device through a specific distribution point).

Such scenarios are not supported, because they increase the load on Administration Server and network traffic to an extreme degree. These scenarios also conflict with the operating principles of Kaspersky Security Center (particularly in the area of access rights, events, and reports). Another solution must be found, for example, through the use of policy profiles, tasks for device selections, assignment of Network Agents according to the standard scenario, and so on.
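The following Python model is an added example, not Kaspersky code and not part of the original Help. It shows how rule rank, the one-time move behavior, and the Move only devices that do not belong to an administration group check box interact, and what a cloned rule looks like. The field names, the use of an IP range as the execution condition, the clone's name, and the sample devices are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field, replace

UNASSIGNED = "Unassigned devices"


@dataclass
class MovingRule:
    name: str
    ip_range: str                 # execution condition, modelled here as a CIDR match
    target_group: str
    enabled: bool = True
    only_unassigned: bool = True  # "Move only devices that do not belong to an administration group"
    run_once: bool = True         # hypothetical name for the default one-time allocation
    already_moved: set = field(default_factory=set)

    def applies_to(self, device):
        if not self.enabled:
            return False
        if self.only_unassigned and device["group"] != UNASSIGNED:
            return False
        if self.run_once and device["name"] in self.already_moved:
            return False   # this rule moved the device once and will not do so again
        return ipaddress.ip_address(device["ip"]) in ipaddress.ip_network(self.ip_range)


def apply_rules(rules, device):
    """Move the device using the highest-ranked matching rule; return its name or None."""
    for rule in rules:            # list order = rank, highest priority first
        if rule.applies_to(device):
            rule.already_moved.add(device["name"])
            device["group"] = rule.target_group
            return rule.name
    return None


def clone_rule(rules, index):
    """A clone is appended at the end of the list and starts in the disabled state."""
    clone = replace(rules[index], name=rules[index].name + " (clone)",
                    enabled=False, already_moved=set())
    rules.append(clone)
    return clone


def sample_rules():
    # Constructed rules: the narrower range is ranked above the broader one,
    # otherwise the broader rule would capture the servers first.
    return [
        MovingRule("HQ servers", "10.0.5.0/24", "Servers"),
        MovingRule("HQ workstations", "10.0.0.0/16", "HQ"),
    ]


if __name__ == "__main__":
    rules = sample_rules()
    server = {"name": "srv-01", "ip": "10.0.5.10", "group": UNASSIGNED}
    laptop = {"name": "wks-07", "ip": "10.0.9.20", "group": UNASSIGNED}
    print(apply_rules(rules, server), server["group"])   # both rules match, top one wins
    print(apply_rules(rules, laptop), laptop["group"])
    laptop["group"] = UNASSIGNED                          # returned manually
    print(apply_rules(rules, laptop), laptop["group"])   # not moved a second time
    branch = clone_rule(rules, 1)
    branch.ip_range, branch.target_group, branch.enabled = "10.1.0.0/16", "Branch", True
    print(apply_rules(rules, {"name": "br-01", "ip": "10.1.2.3", "group": UNASSIGNED}))
```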

See also:

Scenario: Discovering networked devices

Main installation scenario

Creating rules for moving devices to administration groups automatically

[Topic 92437]

Cloning device moving rules

When you have to create multiple device-moving rules with similar settings, you can clone an existing rule and then change the settings of the cloned rule. For example, this is useful when you must have several identical device-moving rules with different IP ranges and target groups.

To clone a device moving rule:

  1. Open the main application window.
  2. In the Unassigned devices folder, click Configure rules.

    The Properties: Unassigned devices window opens.

  3. In the Move devices section, select the device moving rule that you want to clone.
  4. Click Clone rule.

A clone of the selected device moving rule will be added at the end of the list.

A new rule is created in the disabled state. You can edit and enable the rule at any time.
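When cloned rules differ only by IP range and target group, a range that was only partly edited can leave two rules matching the same device. The following added example (not Kaspersky code; the rule plan format, rule names, group names, and addresses are constructed assumptions) checks a plan for such overlaps, and for devices that no rule covers, before the cloned rules are enabled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from itertools import combinations

@dataclass(frozen=True)
class PlannedRule:
    """One row of a rule plan (hypothetical format, not a Kaspersky Security Center export)."""
    name: str
    first_ip: str
    last_ip: str
    target_group: str

    def bounds(self):
        lo, hi = IPv4Address(self.first_ip), IPv4Address(self.last_ip)
        if lo > hi:
            raise ValueError(f"{self.name}: range start {lo} is above range end {hi}")
        return lo, hi

def find_conflicts(rules):
    """Return (rule_a, rule_b, first_shared_ip, last_shared_ip) for every pair of
    rules whose IP ranges intersect while their target groups differ."""
    conflicts = []
    for a, b in combinations(rules, 2):
        (a_lo, a_hi), (b_lo, b_hi) = a.bounds(), b.bounds()
        lo, hi = max(a_lo, b_lo), min(a_hi, b_hi)
        if lo <= hi and a.target_group != b.target_group:
            conflicts.append((a.name, b.name, str(lo), str(hi)))
    return conflicts

def unmatched_devices(device_ips, rules):
    """Return device addresses that no planned rule covers."""
    spans = [r.bounds() for r in rules]
    return [ip for ip in device_ips
            if not any(lo <= IPv4Address(ip) <= hi for lo, hi in spans)]

# Constructed sample plan: one base rule cloned twice, then edited.
PLAN = [
    PlannedRule("Office A", "10.10.0.1", "10.10.0.254", "Managed devices/Office A"),
    PlannedRule("Office B", "10.10.1.1", "10.10.1.254", "Managed devices/Office B"),
    # Clone whose range was only partly edited: it still reaches into Office B's range.
    PlannedRule("Lab", "10.10.1.200", "10.10.2.50", "Managed devices/Lab"),
]
DEVICES = ["10.10.0.17", "10.10.1.210", "10.10.3.5"]  # constructed addresses

if __name__ == "__main__":
    for a, b, lo, hi in find_conflicts(PLAN):
        print(f"{a} and {b} both match {lo}-{hi} but target different groups")
    print("Not covered by any rule:", unmatched_devices(DEVICES, PLAN))
```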

[Topic 171107]

Software categorization

Kaspersky categories (hereinafter also referred to as KL categories) are the main tool for monitoring the running of applications. KL categories help Kaspersky Security Center administrators to simplify the support of software categorization and minimize traffic going to managed devices.

User categories must only be created for applications that cannot be classified in any of the existing KL categories (for example, for custom-made software). User categories are created on the basis of an application installation package (MSI) or a folder with installation packages.

If you have a large collection of software that has not been categorized through KL categories, it may be useful to create an automatically updated category. The checksums of executable files will be automatically added to this category on every modification of the folder containing distribution packages.

Do not create automatically updated categories of software for the folders My Documents, %windir%, %ProgramFiles%, and %ProgramFiles(x86)%. The pool of files in these folders is subject to frequent changes, which leads to an increased load on Administration Server and increased network traffic. You must create a dedicated folder with the collection of software and periodically add new items to it.

[Topic 92438]

Prerequisites for installing applications on devices of a client organization

The process of remote installation of applications on devices of a client organization is identical to the remote installation process within an enterprise.

To install applications on devices of a client organization, the following actions must be performed:

  • Before installing applications on devices of the client organization for the first time, install Network Agent on them.

    When the service provider configures the Network Agent installation package in Kaspersky Security Center, adjust the following settings in the properties window of the installation package:

    • In the Connection section, in the Administration Server string, specify the address of the same virtual Administration Server that was specified during local installation of Network Agent on the distribution point.
    • In the Advanced section, select the Connect to Administration Server by using connection gateway check box. In the Connection gateway address string, specify the distribution point address. You can use either the device IP address or device name in the Windows network.
  • Select Using operating system resources through distribution points as the download method for the Network Agent installation package. You can select the download method as follows:
    • If you install applications by using the remote installation task, you can specify the download method in one of the following ways:
      • When creating a remote installation task in the Settings window
      • In the remote installation task properties window, through the Settings section
    • If you install applications using the Remote Installation Wizard, you can select the download method in the Settings window of this Wizard.
  • The account used by the distribution point for authorization must have access to the Admin$ resource on all client devices.
[Topic 38045]

Viewing and editing local application settings

The Kaspersky Security Center administration system allows you to remotely manage local application settings on devices through Administration Console.

Local application settings are the settings of an application that are specific for a device. You can use Kaspersky Security Center to set local application settings for devices included in administration groups.

Detailed descriptions of the settings of Kaspersky applications are provided in the respective guides.

To view or change the local settings of an application:

  1. In the workspace of the group to which the relevant device belongs, select the Devices tab.
  2. In the device properties window, in the Applications section, select the relevant application.
  3. Open the application properties window by double-clicking the application name or by clicking the Properties button.

The local settings window of the selected application opens so that you can view and edit those settings.

You can change the values of settings that have not been barred from modification by a group policy (that is, those not marked with the lock icon in a policy).

[Topic 3764]