Configuring network protection

This section contains information about manual configuration of policies and tasks, about user roles, about building an administration group structure and hierarchy of tasks.

Scenario: Configuring network protection

The Quick Start Wizard creates policies and tasks with the default settings. These settings may turn out to be sub-optimal or even disallowed by the organization. Therefore, we recommend that you fine-tune these policies and tasks and create other policies and tasks, if they are necessary for your network.

Prerequisites

Before you start, make sure that you have done the following:

• Installed Kaspersky Security Center Administration Server
• Installed Kaspersky Security Center 13.1 Web Console
• Completed the Kaspersky Security Center main installation scenario
• Completed the Quick Start Wizard or manually created the following policies and tasks in the Managed devices administration group:
  • Policy of Kaspersky Endpoint Security
  • Group task for updating Kaspersky Endpoint Security
  • Policy of Network Agent

Configuring network protection proceeds in stages:

1. Setup and propagation of Kaspersky application policies and policy profiles

   To configure and propagate settings for Kaspersky applications installed on the managed devices, you can use two different security management approaches—device-centric or user-centric. These two approaches can also be combined.

2. Configuring tasks for remote management of Kaspersky applications

   Check the tasks created with the Quick Start Wizard and fine-tune them, if necessary.

   How-to instructions: Setting up the group task for updating Kaspersky Endpoint Security.

   If necessary, create additional tasks to manage the Kaspersky applications installed on the client devices.

3. Evaluating and limiting the event load on the database

   Information about events during the operation of managed applications is transferred from a client device and registered in the Administration Server database. To reduce the load on the Administration Server, evaluate and limit the maximum number of events that can be stored in the database.

   How-to instructions: Setting the maximum number of events.

Results

Upon completion of this scenario, your network will be protected by configuration of Kaspersky applications, tasks, and events received by the Administration Server:

• The Kaspersky applications are configured according to the policies and policy profiles.
• The applications are managed through a set of tasks.
• The maximum number of events that can be stored in the database is set.

When the network protection configuration is complete, you can proceed to configuring regular updates to Kaspersky databases and applications.

About device-centric and user-centric security management approaches

You can manage security settings from the standpoint of device features and from the standpoint of user roles. The first approach is called device-centric security management and the second is called user-centric security management. To apply different application settings to different devices you can use either or both types of management in combination. To implement device-centric security management, you can use tools provided in Microsoft Management Console-based Administration Console or Kaspersky Security Center 13.1 Web Console. User-centric security management can be implemented through Kaspersky Security Center 13.1 Web Console only.

Device-centric security management enables you to apply different security application settings to managed devices depending on device-specific features. For example, you can apply different settings to devices allocated in different administration groups. You can also differentiate the devices by usage of those devices in Active Directory, or their hardware specifications.

User-centric security management enables you to apply different security application settings to different user roles. You can create several user roles, assign an appropriate user role to each user, and define different application settings to the devices owned by users with different roles. For example, you may want to apply different application settings to devices of accountants and human resources (HR) specialists. As a result, when user-centric security management is implemented, each department—accounts department and HR department—has its own settings configuration for Kaspersky applications. A settings configuration defines which application settings can be changed by users and which are forcibly set and locked by the administrator.

By using user-centric security management you can apply specific application settings to individual users. This may be required when an employee has a unique role in the company or when you want to monitor security incidents related to devices of a specific person. Depending on the role of this employee in the company, you can expand or limit the rights of this person to change application settings. For example, you might want to expand the rights of a system administrator who manages client devices in a local office.

You can also combine the device-centric and user-centric security management approaches. For example, you can configure a specific application policy for each administration group, and then create policy profiles for one or several user roles of your enterprise. In this case the policies and policy profiles are applied in the following order:

1. The policies created for device-centric security management are applied.
2. They are modified by the policy profiles according to the policy profile priorities.
3. The policies are modified by the policy profiles associated with user roles.

Policy setup and propagation: Device-centric approach

When you complete this scenario, the applications will be configured on all of the managed devices in accordance with the application policies and policy profiles that you define.

Prerequisites

Before you start, make sure that you have installed Kaspersky Security Center Administration Server and Kaspersky Security Center 13.1 Web Console (optional). If you installed Kaspersky Security Center 13.1 Web Console, you might also want to consider user-centric security management as an alternative or additional option to the device-centric approach.

Stages

The scenario of device-centric management of Kaspersky applications consists of the following steps:

1. Configuring application policies

   Configure settings for Kaspersky applications installed on the managed devices by creating a policy for each application. The set of policies will be propagated to the client devices.

   When you configure the protection of your network in Quick Start Wizard, Kaspersky Security Center creates the default policy for the following applications:

   • Kaspersky Endpoint Security for Windows—for Windows-based client devices
   • Kaspersky Endpoint Security for Linux—for Linux-based client devices

   If you completed the configuration process by using this Wizard, you do not have to create a new policy for this application. Proceed to the manual setup of Kaspersky Endpoint Security policy.

   If you have a hierarchical structure of several Administration Servers and/or administration groups, the secondary Administration Servers and child administration groups inherit the policies from the primary Administration Server by default. You can force the inheritance by the child groups and secondary Administration Servers to prohibit any modifications of the settings configured in the upstream policy. If you want only part of the settings to be forcibly inherited, you can lock them in the upstream policy. The rest unlocked settings will be available for modification in the downstream policies. The created hierarchy of policies will allow you to effectively manage devices in the administration groups.

   How-to instructions:

   • Administration Console: Creating a policy
   • Kaspersky Security Center 13.1 Web Console: Creating a policy
2. Creating policy profiles (optional)

   If you want devices within a single administration group to run under different policy settings, create policy profiles for those devices. A policy profile is a named subset of policy settings. This subset is distributed on target devices together with the policy, supplementing it under a specific condition called the profile activation condition. Profiles only contain settings that differ from the "basic" policy, which is active on the managed device.

   By using profile activation conditions, you can apply different policy profiles, for example, to the devices located in a specific unit or security group of Active Directory, having a specific hardware configuration, or marked with specific tags. Use tags to filter devices that meet specific criteria. For example, you can create a tag called Windows, mark all devices running Windows operating system with this tag, and then specify this tag as an activation condition for a policy profile. As a result, Kaspersky applications installed on all devices running Windows will be managed by their own policy profile.

   How-to instructions:

   • Administration Console:
     • Creating a policy profile
     • Creating a policy profile activation rule
   • Kaspersky Security Center 13.1 Web Console:
     • Creating a policy profile
     • Creating a policy profile activation rule
3. Propagating policies and policy profiles to the managed devices

   By default, the Administration Server automatically synchronizes with managed devices every 15 minutes. You can circumvent auto-synchronization and run the synchronization manually by using the Force synchronization command. Also the synchronization is forced after you create or change a policy or a policy profile. During the synchronization, the new or changed policies and policy profiles are propagated to the managed devices.

   If you use Kaspersky Security Center 13.1 Web Console, you can check whether the policies and policy profiles were delivered to a device. Kaspersky Security Center specifies the delivery date and time in the properties of the device.

   How-to instructions:

   • Administration Console: Forced synchronization
   • Kaspersky Security Center 13.1 Web Console: Forced synchronization

Results

When the device-centric scenario is complete, the Kaspersky applications are configured according to the settings specified and propagated through the hierarchy of policies.

The configured application policies and policy profiles will be applied automatically to the new devices added to the administration groups.

Policy setup and propagation: User-centric approach

This section describes the scenario of user-centric approach to the centralized configuration of Kaspersky applications installed on the managed devices. When you complete this scenario, the applications will be configured on all of the managed devices in accordance with the application policies and policy profiles that you define.

This scenario can be implemented through Kaspersky Security Center Web Console version 13 or later.

Prerequisites

Before you start, make sure that you have successfully installed Kaspersky Security Center Administration Server and Kaspersky Security Center 13.1 Web Console, and completed the main installation scenario. You might also want to consider device-centric security management as an alternative or additional option to the user-centric approach. Learn more about two management approaches.

Process

The scenario of user-centric management of Kaspersky applications consists of the following steps:

1. Configuring application policies

   Configure settings for Kaspersky applications installed on the managed devices by creating a policy for each application. The set of policies will be propagated to the client devices.

   When you configure the protection of your network in Quick Start Wizard, Kaspersky Security Center creates the default policy for Kaspersky Endpoint Security. If you completed the configuration process by using this Wizard, you do not have to create a new policy for this application. Proceed to the manual setup of Kaspersky Endpoint Security policy.

   If you have a hierarchical structure of several Administration Servers and/or administration groups, the secondary Administration Servers and child administration groups inherit the policies from the primary Administration Server by default. You can force the inheritance by the child groups and secondary Administration Servers to prohibit any modifications of the settings configured in the upstream policy. If you want only part of the settings to be forcibly inherited, you can lock them in the upstream policy. The rest unlocked settings will be available for modification in the downstream policies. The created hierarchy of policies will allow you to effectively manage devices in the administration groups.

   How-to instructions: Creating a policy

2. Specifying owners of the devices

   Assign the managed devices to the corresponding users.

   How-to instructions: Assigning a user as a device owner

3. Defining user roles typical for your enterprise

   Think about different kinds of work that the employees of your enterprise typically perform. You must divide all employees in accordance with their roles. For example, you can divide them by departments, professions, or positions. After that you will need to create a user role for each group. Keep in mind that each user role will have its own policy profile containing application settings specific for this role.

4. Creating user roles

   Create and configure a user role for each group of employees that you defined on the previous step or use the predefined user roles. The user roles will contain set of rights of access to the application features.

   How-to instructions: Creating a user role

5. Defining the scope of each user role

   For each of the created user roles, define users and/or security groups and administration groups. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

   How-to instructions: Editing the scope of a user role

6. Creating policy profiles

   Create a policy profile for each user role in your enterprise. The policy profiles define which settings will be applied to the applications installed on users' devices depending on the role of each user.

   How-to instructions: Creating a policy profile

7. Associating policy profiles with the user roles

   Associate the created policy profiles with the user roles. After that: the policy profile becomes active for a user that has the specified role. The settings configured in the policy profile will be applied to the Kaspersky applications installed on the user's devices.

   How-to instructions: Associating policy profiles with roles

8. Propagating policies and policy profiles to the managed devices

   By default, the Administration Server automatically synchronizes with managed devices every 15 minutes. During the synchronization, the new or changed policies and policy profiles are propagated to the managed devices. You can circumvent auto-synchronization and run the synchronization manually by using the Force synchronization command. When synchronization is complete, the policies and policy profiles are delivered and applied to the installed Kaspersky applications.

   You can check whether the policies and policy profiles were delivered to a device. Kaspersky Security Center specifies the delivery date and time in the properties of the device.

   How-to instructions: Forced synchronization

Results

When the user-centric scenario is complete, the Kaspersky applications are configured according to the settings specified and propagated through the hierarchy of policies and policy profiles.

For a new user, you will have to create a new account, assign the user one of the created user roles, and assign the devices to the user. The configured application policies and policy profiles will be automatically applied to the devices of this user.

Network Agent policy settings

Expand all | Collapse all

To configure the Network Agent policy:

1. Go to DEVICES → POLICIES & PROFILES.
2. Click the name of the Network Agent policy.

The properties window of the Network Agent policy opens.

General

On this tab you can modify the policy status and specify the inheritance of policy settings:

• Under Policy status, you can select one of the policy modes:
  • Active

    If this option is selected, the policy becomes active.

    By default, this option is selected.

  • Inactive

    If this option is selected, the policy becomes inactive, but it is still stored in the Policies folder. If required, the policy can be activated.

• In the Settings inheritance settings group, you can configure the policy inheritance:
  • Inherit settings from parent policy

    If this option is enabled, the policy setting values are inherited from the upper-level group policy and, therefore, are locked.

    By default, this option is enabled.

  • Force inheritance of settings in child policies

    If this option is enabled, after policy changes are applied, the following actions will be performed:

    • The values of the policy settings will be propagated to the policies of administration subgroups, that is, to the child policies.
    • In the Settings inheritance block of the General section in the properties window of each child policy, the Inherit settings from parent policy option will be automatically enabled.

    If this option is enabled, the child policies settings are locked.

    By default, this option is disabled.

Event configuration

This tab allows you to configure event logging and event notification. Events are distributed according to importance level in the following sections on the Event configuration tab:

• Functional failure
• Warning
• Info

In each section, the event type list shows the types of events and the default event storage term on the Administration Server (in days). Clicking the Properties button lets you specify the settings of event logging and notifications about events selected in the list. By default, common notification settings specified for the entire Administration Server are used for all event types. However, you can change specific settings for required event types.

For example, in the Warning section, you can configure the Incident has occurred event type. Such events may happen, for instance, when the free disk space of a distribution point is less than 2 GB (at least 4 GB are required to install applications and download updates remotely). To configure the Incident has occurred event, click it and specify where to store the occurred events and how to notify about them.

If Network Agent detected an incident, you can manage this incident by using the settings of a managed device.

Application settings

Settings

In the Settings section, you can configure the Network Agent policy:

• Distribute files through distribution points only

  If this option is enabled, Network Agents on managed devices retrieve updates from distribution points only.

  If this option is disabled, Network Agents on managed devices retrieve updates from distribution points or from Administration Server.

  Note that the security applications on managed devices retrieve updates from the source set in the update task for each security application. If you enable the Distribute files through distribution points only option, make sure that Kaspersky Security Center is set as an update source in the update tasks.

  By default, this option is disabled.

• Enable NAP

  This option is deprecated. We do not recommend to use it.

  If the check box is selected, Kaspersky Security Center SHV (SHV) is used to check the system health status on the client device. This check box is available if Kaspersky Security Center SHV is installed on the device.

  By default, this check box is cleared.

• Maximum size of event queue, in MB

  In this field you can specify the maximum space on the drive that an event queue can occupy.

  The default value is 2 megabytes (MB).

• Application is allowed to retrieve policy's extended data on device

  Network Agent installed on a managed device transfers information about the applied security application policy to the security application (for example, Kaspersky Endpoint Security for Windows). You can view the transferred information in the security application interface.

  Network Agent transfers the following information:

  • Time of the policy delivery to the managed device
  • Name of the active or out-of-office policy at the moment of the policy delivery to the managed device
  • Name and full path to the administration group that contained the managed device at the moment of the policy delivery to the managed device
  • List of active policy profiles

    You can use the information to ensure the correct policy is applied to the device and for troubleshooting purposes. By default, this option is disabled.

• Protect Network Agent service against unauthorized removal or termination, and to prevent changes to the settings

  After Network Agent is installed on a managed device, the component cannot be removed or reconfigured without required privileges. The Network Agent service cannot be stopped.

  By default, this option is disabled.

• Use uninstallation password

  If this option is enabled, by clicking the Modify button you can specify the password for Network Agent remote uninstallation.

  By default, this option is disabled.

Repositories

In the Repositories section, you can select the types of objects whose details will be sent from Network Agent to Administration Server. If modification of some settings in this section is prohibited by the Network Agent policy, you cannot modify these settings. The settings in the Repositories section are available only on devices running Windows:

• Details of installed applications
• Include information about patches

  Information about patches of applications installed on client devices is sent to the Administration Server. Enabling this option may increase the load on the Administration Server and DBMS, as well as cause increased volume of the database.

  By default, this option is enabled. It is available only for Windows.

• Details of Windows Update updates

  If this option is enabled, information about Microsoft Windows Update updates that must be installed on client devices is sent to the Administration Server.

  Sometimes, even if the option is disabled, updates are displayed in the device properties in the Available updates section. This might happen if, for example, the devices of the organization had vulnerabilities that could be fixed by these updates.

  By default, this option is enabled. It is available only for Windows.

• Details of software vulnerabilities and corresponding updates

  If this option is enabled, information about vulnerabilities in third-party software (including Microsoft software), detected on managed devices, and about software updates to fix third-party vulnerabilities (not including Microsoft software) is sent to the Administration Server.

  Selecting this option (Details of software vulnerabilities and corresponding updates) increases the network load, Administration Server disk load, and Network Agent resource consumption.

  By default, this option is enabled. It is available only for Windows.

  To manage software updates of Microsoft software, use the Details of Windows Update updates option.

• Hardware registry details

Software updates and vulnerabilities

In the Software updates and vulnerabilities section, you can configure search and distribution of Windows updates, as well as enable scanning of executable files for vulnerabilities. The settings in the Software updates and vulnerabilities section are available only on devices running Windows:

• You can limit Windows updates that users can install on their devices manually by using Windows Update.

  On devices running Windows 10, if Windows Update has already found updates for the device, the new option that you select under Allow users to manage installation of Windows Update updates will be applied only after the updates found are installed.

  Select an item in the drop-down list:

  • Allow users to install all applicable Windows Update updates

    Users can install all of the Microsoft Windows Update updates that are applicable to their devices.

    Select this option if you do not want to interfere in the installation of updates.

    When the user installs Microsoft Windows Update updates manually, the updates may be downloaded from Microsoft servers rather than from Administration Server. This is possible if Administration Server has not yet downloaded these updates. Downloading updates from Microsoft servers results in extra traffic.

  • Allow users to install only approved Windows Update updates

    Users can install all of the Microsoft Windows Update updates that are applicable to their devices and that are approved by you.

    For example, you may want to first check the installation of updates in a test environment and make sure that they do not interfere with the operation of devices, and only then allow the installation of these approved updates on client devices.

    When the user installs Microsoft Windows Update updates manually, the updates may be downloaded from Microsoft servers rather than from Administration Server. This is possible if Administration Server has not yet downloaded these updates. Downloading updates from Microsoft servers results in extra traffic.

  • Do not allow users to install Windows Update updates

    Users cannot install Microsoft Windows Update updates on their devices manually. All of the applicable updates are installed as configured by you.

    Select this option if you want to manage the installation of updates centrally.

    For example, you may want to optimize the update schedule so that the network does not become overloaded. You can schedule after-hours updates, so that they do not interfere with user productivity.

• In the Windows Update search mode settings group, you can select the update search mode:
  • Active

    If this option is selected, Administration Server with support from Network Agent initiates a request from Windows Update Agent on the client device to the update source: Windows Update Servers or WSUS. Next, Network Agent passes information received from Windows Update Agent to Administration Server.

    The option takes effect only if Connect to the update server to update data option of the Find vulnerabilities and required updates task is selected.

    By default, this option is selected.

  • Passive

    If you select this option, Network Agent periodically passes Administration Server information about updates retrieved at the last synchronization of Windows Update Agent with the update source. If no synchronization of Windows Update Agent with an update source is performed, information about updates on Administration Server becomes out-of-date.

    Select this option if you want to get updates from the memory cache of the update source.

  • Disabled

    If this option is selected, Administration Server does not request any information about updates.

    Select this option if, for example, you want to test the updates on your local device first.

• Scan executable files for vulnerabilities when running them

  If this option is enabled, executable files are scanned for vulnerabilities when they are run.

  By default, this option is enabled.

Restart management

In the Restart management section, you can specify the action to be performed if the operating system of a managed device has to be restarted for correct use, installation, or uninstallation of an application. The settings in the Restart management section are available only on devices running Windows:

• Do not restart the operating system

  Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

• Restart the operating system automatically if necessary

  Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

• Prompt user for action

  The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

  By default, this option is selected.

  • Repeat the prompt every (min)

    If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

    By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

    If this option is disabled, the prompt is displayed only once.

  • Force restart after (min)

    After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

    By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

• Force closure of applications in blocked sessions

  Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

  If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

  If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

  By default, this option is disabled.

Windows Desktop Sharing

In the Windows Desktop Sharing section, you can enable and configure the audit of the administrator's actions performed on a remote device when desktop access is shared. The settings in the Windows Desktop Sharing section are available only on devices running Windows:

• Enable audit

  If this option is enabled, audit of the administrator's actions is enabled on the remote device. Records of the administrator's actions on the remote device are logged:

  • In the event log on the remote device
  • In a file with the syslog extension located in the Network Agent installation folder on the remote device
  • In the event database of Kaspersky Security Center

  Audit of the administrator's actions is available when the following conditions are met:

  • The Vulnerability and Patch Management license is in use
  • The administrator has the right to start shared access to the desktop of the remote device

  If this option is disabled, the audit of the administrator's actions is disabled on the remote device.

  By default, this option is disabled.

• Masks of files to monitor when read

  The list contains file masks. When the audit is enabled, the application monitors the administrator's reading files that match the masks and saves information about files read. The list is available if the Enable audit check box is selected. You can edit file masks and add new ones to the list. Each new file mask should be specified in the list on a new line.

  By default, the following file masks are specified:*.txt, *.rtf, *.doc, *.xls, *.docx, *.xlsx, *.odt, *.pdf.

• Masks of files to monitor when modified

  The list contains masks of files on the remote device. When audit is enabled, the application monitors changes made by the administrator in files that match masks, and saves information about those modifications. The list is available if the Enable audit check box is selected. You can edit file masks and add new ones to the list. Each new file mask should be specified in the list on a new line.

  By default, the following file masks are specified:*.txt, *.rtf, *.doc, *.xls, *.docx, *.xlsx, *.odt, *.pdf.

Manage patches and updates

In the Manage patches and updates section, you can configure download and distribution of updates, as well as installation of patches, on managed devices:

• Automatically install applicable updates and patches for components that have the Undefined status

  If this option is enabled, Kaspersky patches that have the Undefined approval status are automatically installed on managed devices immediately after they are downloaded from update servers. Automatic installation of patches that have the Undefined status is available for Kaspersky Security Center 10 Service Pack 2 and later.

  If this option is disabled, Kaspersky patches that have been downloaded and tagged with the Undefined status will be installed only after you change their status to Approved.

  By default, this option is enabled.

• Download updates and anti-virus databases from Administration Server in advance (recommended)

  If this option is enabled, the offline model of update download is used. When the Administration Server receives updates, it notifies Network Agent (on devices where it is installed) of the updates that will be required for managed applications. When Network Agent receives information about these updates, it downloads the relevant files from the Administration Server in advance. At the first connection with Network Agent, the Administration Server initiates an update download. After Network Agent downloads all the updates to a client device, the updates become available for applications on that device.

  When a managed application on a client device attempts to access Network Agent for updates, Network Agent checks whether it has all required updates. If the updates are received from the Administration Server not more than 25 hours before they were requested by the managed application, Network Agent does not connect to the Administration Server but supplies the managed application with updates from the local cache instead. Connection with the Administration Server may not be established when Network Agent provides updates to applications on client devices, but connection is not required for updating.

  If this option is disabled, the offline model of update download is not used. Updates are distributed according to the schedule of the update download task.

  By default, this option is enabled.

Network

The Network section includes three subsections:

• Connectivity
• Connection profiles (only for Windows)
• Connection schedule

In the Connectivity subsection, you can configure the connection to Administration Server, enable the use of a UDP port, and specify the UDP port number.

In the Connection profiles settings group, no new items can be added to the Administration Server connection profiles list so the Add button is inactive. The preset connection profiles cannot be modified, either.

• In the Connect to Administration Server settings group, you can configure connection to the Administration Server and specify the time interval for synchronization between client devices and the Administration Server:
  • Synchronization interval (min)

    Network Agent synchronizes the managed device with the Administration Server. We recommend that you set the synchronization interval (also referred to as the heartbeat) to 15 minutes per 10,000 managed devices.

    If the synchronization interval is set to less than 15 minutes, synchronization is performed every 15 minutes. If synchronization interval is set to 15 minutes or more, synchronization is performed at the specified synchronization interval.

  • Compress network traffic

    If this option is enabled, the speed of data transfer by Network Agent is increased by means of a decrease in the amount of information being transferred and a consequent decreased load on the Administration Server.

    The workload on the CPU of the client computer may increase.

    By default, this check box is enabled.

  • Open Network Agent ports in Microsoft Windows Firewall

    If this option is enabled, a UDP port, necessary for the work of Network Agent, is added to the Microsoft Windows Firewall exclusion list.

    By default, this option is enabled.

  • Use connection gateway on distribution point (if available) under default connection settings

    If this option is enabled, the connection gateway on the distribution point is used under the settings specified in the administration group properties.

    By default, this option is enabled.

• Use UDP port

  If you need the managed devices to connect to KSN proxy server through a UDP port, enable the Use UDP port option and specify a UDP port number. By default, this option is enabled. The default UDP port to connect to the KSN proxy server is 15111.

• UDP port number

  In this field you can enter the UDP port number. The default port number is 15000.

  The decimal system is used for records.

  If the client device runs Windows XP Service Pack 2, the integrated firewall blocks UDP port 15000. This port should be opened manually.

• Use distribution point to force connection to the Administration Server

  Select this option if you selected the Use this distribution point as a push server option in the distribution point settings window. Otherwise, the distribution point will not act as a push server.

In the Connection profiles subsection of the Network section, you can specify the network location settings and enable out-of-office mode when Administration Server is not available. The settings in the Connection profiles section are available only on devices running Windows:

• Network location settings

  Network location settings define the characteristics of the network to which the client device is connected and specify rules for Network Agent switching from one Administration Server connection profile to another when those network characteristics are altered.

• Administration Server connection profiles

  In this section, you can view and add profiles for Network Agent connection to the Administration Server. In this section, you can also create rules for switching Network Agent to different Administration Servers when the following events occur:

  • When the client device connects to a different local network
  • When the device loses connection with the local network of the organization
  • When the connection gateway address is changed or the DNS server address is modified

  Connection profiles are supported only for devices running Windows and macOS.

• Enable out-of-office mode when Administration Server is not available

  If this option is enabled, in case of connection through this profile, applications installed on the client device use policy profiles for devices in out-of-office mode, as well as out-of-office policies. If no out-of-office policy has been defined for the application, the active policy will be used.

  If this option is disabled, applications will use active policies.

  By default, this option is disabled.

In the Connection schedule subsection, you can specify the time intervals during which Network Agent sends data to the Administration Server:

• Connect when necessary

  If this option is selected, the connection is established when Network Agent has to send data to the Administration Server.

  By default, this option is selected.

• Connect at specified time intervals

  If this option is selected, Network Agent connects to the Administration Server at a specified time. You can add several connection time periods.

Network polling by distribution points

In the Network polling by distribution points section, you can configure automatic polling of the network. The polling settings are available only on devices running Windows. You can use the following options to enable the polling and set its frequency:

• Windows network

  If the option is enabled, the Administration Server automatically polls the network according to the schedule that you configured by clicking the Set quick polling schedule and Set full polling schedule links.

  If this option is disabled, the Administration Server polls the network with the interval specified in the Frequency of network polls (min) field.

  The device discovery interval for Network Agent versions prior to 10.2 can be configured in the Frequency of polls from Windows domains (min) (for quick Windows network poll) and Frequency of network polls (min) (for full Windows network poll) fields.

  By default, this option is disabled.

• IP ranges

  If the option is enabled, the Administration Server automatically polls IP ranges according to the schedule that you configured by clicking the Set polling schedule link.

  If this option is disabled, the Administration Server does not poll IP ranges.

  The frequency of IP range polling for Network Agent versions prior to 10.2 can be configured in the Poll interval (min) field. The field is available if the option is enabled.

  By default, this option is disabled.

• Active Directory

  If the option is enabled, the Administration Server automatically polls Active Directory according to the schedule that you configured by clicking the Set polling schedule link.

  If this option is disabled, the Administration Server does not poll Active Directory.

  The frequency of Active Directory polling for Network Agent versions prior to 10.2 can be configured in the Poll interval (min) field. The field is available if this option is enabled.

  By default, this option is disabled.

Network settings for distribution points

In the Network settings for distribution points section, you can specify the internet access settings:

• Use proxy server
• Address
• Port number
• Bypass proxy server for local addresses

  If this option is enabled, no proxy server is used to connect to devices on the local network.

  By default, this option is disabled.

• Proxy server authentication

  If this check box is enabled, in the entry fields you can specify the credentials for proxy server authentication.

  By default, this check box is disabled.

• User name
• Password

KSN Proxy (distribution points)

In the KSN Proxy (distribution points) section, you can configure the application to use the distribution point to forward KSN requests from the managed devices:

• Enable KSN Proxy on distribution point side

  The KSN proxy service is run on the device that is used as a distribution point. Use this feature to redistribute and optimize traffic on the network.

  The distribution point sends the KSN statistics, which are listed in the Kaspersky Security Network statement, to Kaspersky. By default, the KSN statement is located in %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center\ksneula.

  By default, this option is disabled. Enabling this option takes effect only if the Use Administration Server as a proxy server and I agree to use Kaspersky Security Network options are enabled in the Administration Server properties window.

  You can assign a node of an active-passive cluster to a distribution point and enable KSN proxy server on this node.

• Forward KSN requests to Administration Server

  The distribution point forwards KSN requests from the managed devices to the Administration Server.

  By default, this option is enabled.

• Access KSN Cloud / Private KSN directly over the Internet

  The distribution point forwards KSN requests from managed devices to the KSN Cloud or Private KSN. The KSN requests generated on the distribution point itself are also sent directly to the KSN Cloud or Private KSN.

  The distribution points that have Network Agent version 11 (or earlier) installed cannot access Private KSN directly. If you want to reconfigure the distribution points to send KSN requests to Private KSN, enable the Forward KSN requests to Administration Server option for each distribution point.

  The distribution points that have Network Agent version 12 (or later) installed can access Private KSN directly.

• Port

  The number of the TCP port that the managed devices will use to connect to KSN proxy server. The default port number is 13111.

• UDP port

  If you need the managed devices to connect to KSN proxy server through a UDP port, enable the Use UDP port option and specify a UDP port number. By default, this option is enabled. The default UDP port to connect to the KSN proxy server is 15111.

Revision history

The Revision history tab allows you to view the list of the policy revisions and roll back changes made to the policy, if necessary.

Network Agent policy settings available for a specific operating system are given in the table below.

Network Agent policy settings

Manual setup of Kaspersky Endpoint Security policy

This section provides recommendations on how to configure the Kaspersky Endpoint Security policy, which is created by the Quick Start Wizard of Kaspersky Security Center 13.1 Web Console. Setup is performed in the policy properties window.

When editing a setting, please keep in mind that you must click the lock icon above the relevant setting in order to allow using its value on a workstation.

Configuring Kaspersky Security Network

Kaspersky Security Network (KSN) is the infrastructure of cloud services that contains information about the reputation of files, web resources, and software. Kaspersky Security Network enables Kaspersky Endpoint Security for Windows to respond faster to different kinds of threats, enhances the performance of the protection components, and decreases the likelihood of false positives.

To specify recommended KSN settings:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.
2. Click the policy of Kaspersky Endpoint Security for Windows.

   The properties window of the selected policy opens.

3. In the policy properties, go to Application settings → Advanced Threat Protection → Kaspersky Security Network.
4. Make sure that the Use KSN Proxy option is enabled. Using this option helps to redistribute and optimize traffic on the network.
5. [optional] Enable use of KSN servers if the KSN proxy service is not available. KSN servers may be located either on the side of Kaspersky (when Global KSN is used) or on the side of third parties (when Private KSN is used).
6. Click OK.

The recommended KSN settings are specified.

Checking the list of the networks protected by Firewall

Make sure that Kaspersky Endpoint Security for Windows Firewall protects all your networks. By default, Firewall protects networks with the following types of connection:

• Public network. Anti-virus applications, firewalls, or filters do not protect devices in such a network.
• Local network. Access to files and printers is restricted for devices in this network.
• Trusted network. Devices in such a network are protected from attacks and unauthorized access to files and data.

If you configured a custom network, make sure that Firewall protects it. For this purpose, check the list of the networks in the Kaspersky Endpoint Security for Windows policy properties. The list may not contain all the networks.

For more information about Firewall, see the Kaspersky Endpoint Security for Windows Help.

To check the list of networks:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.
2. Click the policy of Kaspersky Endpoint Security for Windows.

   The properties window of the selected policy opens.

3. In the policy properties, go to Application settings → Essential Threat Protection → Firewall.
4. Under Available networks, click the Network settings link.

   The Network connections window opens. This window displays the list of networks.

5. If the list has a missing network, add it.

Excluding software details from the Administration Server memory

We recommend that Administration Server does not save information about software modules that are started on the network devices. As a result, the Administration Server memory does not overrun.

You can disable saving this information in the Kaspersky Endpoint Security for Windows policy properties. For a description of these properties, see the Kaspersky Endpoint Security for Windows Help.

To disable saving information about installed software modules:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.
2. Click the policy of Kaspersky Endpoint Security for Windows.

   The properties window of the selected policy opens.

3. In the policy properties, go to Application settings → General Settings → Reports and Storage.
4. Under Data transfer to Administration Server, disable the About started applications check box if it is still enabled in the top-level policy.

   When this check box is enabled, the Administration Server database saves information about all versions of all software modules on the networked devices. This information may require a significant amount of disk space in the Kaspersky Security Center database (dozens of gigabytes).

The information about installed software modules is no longer saved to the Administration Server database.

Saving important policy events in the Administration Server database

To avoid the Administration Server database overflow, we recommend that you save only important events to the database.

To configure registration of important events in the Administration Server database:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.
2. Click the policy of Kaspersky Endpoint Security for Windows.

   The properties window of the selected policy opens.

3. In the policy properties, open the Event configuration tab.
4. In the Critical section, click Add event and select check boxes next to the following events only:
   • End User License Agreement violated
   • Application autorun is disabled
   • Activation error
   • Active threat detected. Advanced Disinfection should be started
   • Disinfection impossible
   • Previously opened dangerous link detected
   • Process terminated
   • Network activity blocked
   • Network attack detected
   • Application startup prohibited
   • Access denied (local bases)
   • Access denied (KSN)
   • Local update error
   • Cannot start two tasks at the same time
   • Error in interaction with Kaspersky Security Center
   • Not all components were updated
   • Error applying file encryption / decryption rules
   • Error enabling portable mode
   • Error disabling portable mode
   • Could not load encryption module
   • Policy cannot be applied
   • Error changing application components
5. Click OK.
6. In the Functional failure section, click Add event and select check box next to the event Invalid task settings. Settings not applied.
7. Click OK.
8. In the Warning section, click Add event and select check boxes next to the following events only:
   • Self-Defense is disabled
   • Protection components are disabled
   • Incorrect reserve key
   • Legitimate software that can be used to harm your computer or personal data was detected (local bases)
   • Legitimate software that can be used to harm your computer or personal data was detected (KSN)
   • Object deleted
   • Object disinfected
   • User has opted out of the encryption policy
   • File restored from KATA Quarantine
   • File moved to KATA Quarantine
   • Application startup blockage message to administrator
   • Device access blockage message to administrator
   • Web page access blockage message to administrator
9. Click OK.
10. In the Info section, click Add event and select check boxes next to the following events only:
    • A backup copy of the object was created
    • Application startup prohibited in test mode
11. Click OK.

Registration of important events in the Administration Server database is configured.

Manual setup of the group update task for Kaspersky Endpoint Security

The optimal and recommended schedule option for Kaspersky Endpoint Security is When new updates are downloaded to the repository when the Use automatically randomized delay for task starts check box is selected.

Granting offline access to the external device blocked by Device Control

In Device Control component of Kaspersky Endpoint Security for Windows policy, you can manage user access to external devices that are installed on or connected to the client device (for example, hard drives, cameras, or Wi-Fi modules). This lets you protect the client device from infection when such external devices are connected, and prevent loss or leaks of data.

If you need to grant temporary access to the external device blocked by Device Control but it is not possible to add the device to the list of trusted devices, you can grant temporary offline access to the external device. Offline access means that the client device has no access to the network.

You can grant offline access to the external device blocked by Device Control only if the Allow request for temporary access option is enabled in the settings of Kaspersky Endpoint Security for Windows policy, in the Application settings → Security Controls → Device Control section.

Granting offline access to the external device blocked by Device Control includes the following stages:

1. In the Kaspersky Endpoint Security for Windows dialog window, device user who wants to have access to the blocked external device, generates a request access file and sends it to the Kaspersky Security Center administrator.
2. Getting this request, the Kaspersky Security Center administrator creates an access key file and send it to the device user.
3. In the Kaspersky Endpoint Security for Windows dialog window, the device user activates the access key file and obtains temporary access to the external device.

To grant temporary access to the external device blocked by Device Control:

1. In the main menu, go to DEVICES → MANAGED DEVICES.

   The list of managed devices is displayed.

2. In this list, select the user's device that requests access to the external device blocked by Device Control.

   You can select only one device.

3. Above the list of managed devices, click the ellipsis button (), and then click the Grant access to the device in offline mode button.
4. In the Application settings window that opens, in the Device Control section, click the Browse button.
5. Select the request access file that you have received from the user, and then click the Open button. The file should have the AKEY format.

   The details of the locked device to which the user has requested access is displayed.

6. Specify the value of the Access duration setting.

   This setting defines the length of time for which you grant the user access to the locked device. The default value is the value that was specified by the user when creating the request access file.

7. Specify the value of the Activation period setting.

   This setting defines the time period during which the user can activate access to the blocked device by using the provided access key.

8. Click the Save button.

   This opens the standard Save access key window of Microsoft Windows.

9. Select the destination folder in which you want to save the file containing the access key for the blocked device.
10. Click the Save button.

As a result, when you send the user the access key file and the user activates it in the Kaspersky Endpoint Security for Windows dialog window, the user has temporary access to the blocked device for the specific period.

Removing applications or software updates remotely

Expand all | Collapse all

To remove applications or software updates remotely from selected devices:

1. In the main menu, go to DEVICES → TASKS.
2. Click Add.

   The Add Task Wizard starts. Proceed through the Wizard by using the Next button.

3. For the Kaspersky Security Center application, select the Uninstall application remotely task type.
4. Specify the name for the task that you are creating.

   A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

5. Select devices to which the task will be assigned.
6. Select what kind of software you want to remove, and then select specific applications, updates, or patches that you want to remove:
   • Uninstall managed application

     A list of Kaspersky applications is displayed. Select the application that you want to remove.

   • Uninstall incompatible application

     A list of applications incompatible with Kaspersky security applications or Kaspersky Security Center is displayed. Select the check boxes next to the applications that you want to remove.

   • Uninstall application from applications registry

     By default, Network Agents send the Administration Server information about the applications installed on the managed devices. The list of installed applications is stored in the applications registry.

     To select an application from the applications registry:

     1. Click the Application to uninstall field, and then select the application that you want to remove.
     2. Specify the uninstallation options:
        • Uninstallation mode

          Select how you want to remove the application:

          • Define uninstallation command automatically

            If the application has an uninstallation command defined by the application vendor, Kaspersky Security Center uses this command. We recommend that you select this option.

          • Specify uninstallation command

            Select this option if you want to specify your own command for the application uninstallation.

            We recommend that you first try to remove the application by using the Define uninstallation command automatically option. If the uninstallation through the automatically defined command fails, then use your own command.

            Type an installation command into the field, and then specify the following option:

            Use this command for uninstallation only if the default command was not autodetected

            Kaspersky Security Center checks whether or not the selected application has an uninstallation command defined by the application vendor. If the command is found, Kaspersky Security Center will use it instead of the command specified in the Command for application uninstallation field.

            We recommend that you enable this option.

        • Perform restart after successful application uninstallation

          If the application requires the operating system to be restarted on the managed device after successful uninstallation, the operating system is restarted automatically.

   • Uninstall the specified application update, patch, or third-party application

     A list of updates, patches, and third-party applications is displayed. Select the item that you want to remove.

     The displayed list is a general list of applications and updates, and it does not correspond to the applications and updates installed on the managed devices. Before selecting an item, we recommend that you ensure that the application or update is installed on the devices defined in the task scope. You can view the list of devices on which the application or update is installed, via the properties window.

     To view the list of devices:

     1. Click the name of the application or update.

        The properties window opens.

     2. Open the Devices section.

        You can also view the list of installed applications and updates in the device properties window.

7. Specify how client devices will download the Uninstallation utility:
   • Using Network Agent

     The files are delivered to client devices by Network Agent installed on those client devices.

     If this option is disabled, the files are delivered using Microsoft Windows tools.

     We recommend that you enable this option if the task has been assigned to devices that have Network Agents installed.

   • Using operating system resources through Administration Server

     The files are transmitted to client devices by using the Administration Server operating system tools. You can enable this option if no Network Agent is installed on the client device, but the client device is on the same network as the Administration Server.

   • Using operating system resources through distribution points

     The files are transmitted to client devices by using operating system tools through distribution points. You can enable this option if there is at least one distribution point on the network.

     If the Using Network Agent option is enabled, the files are delivered by using operating system tools only if Network Agent tools are unavailable.

   • Maximum number of concurrent downloads

     The maximum allowed number of client devices to which Administration Server can simultaneously transmit the files. The larger this number, the faster the application will be uninstalled, but the load on Administration Server is higher.

   • Maximum number of uninstallation attempts

     If, when running the Uninstall application remotely task, Kaspersky Security Center fails to uninstall an application on a managed device within the number of installer runs specified by the parameter, Kaspersky Security Center stops delivering the Uninstallation utility to this managed device and does not start the installer on the device anymore.

     The Maximum number of uninstallation attempts parameter allows you to save the resources of the managed device, as well as reduce traffic (uninstallation, MSI file run, and error messages).

     Recurring task start attempts may indicate a problem on the device and which prevents uninstallation. The administrator should resolve the problem within the specified number of uninstallation attempts and then restart the task (manually or by a schedule).

     If uninstallation is not achieved eventually, the problem is considered unresolvable and any further task starts are seen as costly in terms of unnecessary consumption of resources and traffic.

     When the task is created, the attempts counter is set to 0. Each run of the installer that returns an error on the device increments the counter reading.

     If the number of attempts specified in the parameter has been exceeded and the device is ready for application uninstallation, you can increase the value of the Maximum number of uninstallation attempts parameter and start the task to uninstall the application. Alternatively, you can create a new Uninstall application remotely task.

   • Verify operating system type before downloading

     Before transmitting the files to client devices, Kaspersky Security Center checks if the Installation utility settings are applicable to the operating system of the client device. If the settings are not applicable, Kaspersky Security Center does not transmit the files and does not attempt to install the application. For example, to install some application to devices of an administration group that includes devices running various operating systems, you can assign the installation task to the administration group, and then enable this option to skip devices that run an operating system other than the required one.

8. Specify the operating system restart settings:
   • Do not restart the device

     Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

   • Restart the device

     Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

   • Prompt user for action

     The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

     By default, this option is selected.

   • Repeat prompt every (min)

     If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

     By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

     If this option is disabled, the prompt is displayed only once.

   • Restart after (min)

     After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

     By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

   • Force closure of applications in blocked sessions

     Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

     If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

     If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

     By default, this option is disabled.

9. If necessary, add the accounts that will be used to start the remote uninstallation task:
   • No account required (Network Agent installed)

     If this option is selected, you do not have to specify the account under which the application installer will be run. The task will run under the account under which the Administration Server service is running.

     If Network Agent has not been installed on client devices, this option is not available.

   • Account required (Network Agent is not used)

     Select this option if Network Agent is not installed on the devices for which you assign the Uninstall application remotely task.

     Specify the user account under which the application installer will be run. Click the Add button, select Account, and then specify the user account credentials.

     You can specify multiple user accounts if, for example, none of them have all the required rights on all devices for which you assign the task. In this case, all added accounts are used for running the task, in consecutive order, top-down.

10. If you want to modify the default task settings, enable the Open task details when creation is complete option on the Finish task creation page. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
11. Click the Finish button.

    The task is created and displayed in the list of tasks.

12. Click the name of the created task to open the task properties window.
13. In the task properties window, specify the general task settings.
14. Click the Save button.
15. Run the task manually or wait for it to launch according to the schedule you specified in the task settings.

Upon completion of the remote uninstallation task, the selected application will be removed from the selected devices.

Rolling back an object to a previous revision

You can roll back changes made to an object, if necessary. For example, you may have to revert the settings of a policy to their state on a specific date.

To roll back changes made to an object:

1. In the object's properties window, open the Revision history tab.
2. In the list of object revisions, select the revision that you want to roll back changes for.
3. Click the Roll back button.
4. Click OK to confirm the operation.

The object is now rolled back to the selected revision. The list of object revisions displays a record of the action that was taken. The revision description displays information about the number of the revision to which you reverted the object.

Rolling back operation is available only for policy and task objects.

Tasks

This section describes tasks used by Kaspersky Security Center.

About tasks

Kaspersky Security Center manages Kaspersky security applications installed on devices by creating and running tasks. Tasks are required for installing, launching, and stopping applications, scanning files, updating databases and software modules, and performing other actions on applications.

Tasks for a specific application can be created using Kaspersky Security Center 13.1 Web Console only if the management plug-in for that application is installed on Kaspersky Security Center 13.1 Web Console Server.

Tasks can be performed on the Administration Server and on devices.

The tasks that are performed on the Administration Server include the following:

• Automatic distribution of reports
• Downloading of updates to the repository
• Backup of Administration Server data
• Maintenance of the database

The following types of tasks are performed on devices:

• Local tasks—Tasks that are performed on a specific device

  Local tasks can be modified either by the administrator, using Administration Console tools, or by the user of a remote device (for example, through the security application interface). If a local task has been modified simultaneously by the administrator and the user of a managed device, the changes made by the administrator will take effect because they have a higher priority.

• Group tasks—Tasks that are performed on all devices of a specific group

  Unless otherwise specified in the task properties, a group task also affects all subgroups of the selected group. A group task also affects (optionally) devices that have been connected to secondary and virtual Administration Servers deployed in the group or any of its subgroups.

• Global tasks—Tasks that are performed on a set of devices, regardless of whether they are included in any group.

For each application, you can create any number of group tasks, global tasks, or local tasks.

You can make changes to the settings of tasks, view the progress of tasks, and copy, export, import, and delete tasks.

A task is started on a device only if the application for which the task was created is running.

Execution results of tasks are saved in the operating system event log on each device, in the operating system event log on the Administration Server, and in the Administration Server database.

Do not include private data in task settings. For example, avoid specifying the domain administrator password.

About task scope

The scope of a task is the set of devices on which the task is performed. The types of scope are as follows:

• For a local task, the scope is the device itself.
• For an Administration Server task, the scope is the Administration Server.
• For a group task, the scope is the list of devices included in the group.

When creating a global task, you can use the following methods to specify its scope:

• Specifying certain devices manually.

  You can use an IP address (or IP range), NetBIOS name, or DNS name as the device address.

• Importing a list of devices from a TXT file with the device addresses to be added (each address must be placed on an individual line).

  If you import a list of devices from a file or create a list manually, and if devices are identified by their names, the list can only contain devices for which information has already been entered into the Administration Server database. Moreover, the information must have been entered when those devices were connected or during device discovery.

• Specifying a device selection.

  Over time, the scope of a task changes as the set of devices included in the selection change. A selection of devices can be made on the basis of device attributes, including software installed on a device, and on the basis of tags assigned to devices. Device selection is the most flexible way to specify the scope of a task.

  Tasks for device selections are always run on a schedule by the Administration Server. These tasks cannot be run on devices that lack connection to the Administration Server. Tasks whose scope is specified by using other methods are run directly on devices and therefore do not depend on the device connection to the Administration Server.

Tasks for device selections are not run on the local time of a device; instead, they are run on the local time of the Administration Server. Tasks whose scope is specified by using other methods are run on the local time of a device.

Creating a task

To create a task:

1. In the main menu, go to DEVICES → TASKS.
2. Click Add.

   The Add Task Wizard starts. Follow its instructions.

3. If you want to modify the default task settings, enable the Open task details when creation is complete option on the Finish task creation page. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
4. Click the Finish button.

The task is created and displayed in the list of tasks.

Starting a task manually

The application starts tasks according to the schedule settings specified in the properties of each task. You can start a task manually at any time.

To start a task manually:

1. In the main menu, go to DEVICES → TASKS.
2. In the task list, select the check box next to the task that you want to start.
3. Click the Start button.

The task starts. You can check the task status in the Status column or by clicking the Result button.

Viewing the task list

You can view the list of tasks that are created in Kaspersky Security Center.

To view the list of tasks,

In the main menu, go to DEVICES → TASKS.

The list of tasks is displayed. The tasks are grouped by the names of applications to which they are related. For example, the Uninstall application remotely task is related to the Administration Server, and the Find vulnerabilities and required updates task refers to the Network Agent.

To view properties of a task,

Click the name of the task.

The task properties window is displayed with several named tabs. For example, the Task type is displayed on the General tab, and the task schedule—on the Schedule tab.

General task settings

Expand all | Collapse all

This section contains the settings that you can view and configure for most of your tasks. The list of settings available depends on the task you are configuring.

Settings specified during task creation

You can specify the following settings when creating a task. Some of these settings can also be modified in the properties of the created task.

• Operating system restart settings:
  • Do not restart the device

    Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

  • Restart the device

    Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

  • Prompt user for action

    The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

    By default, this option is selected.

  • Repeat prompt every (min)

    If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

    By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

    If this option is disabled, the prompt is displayed only once.

  • Restart after (min)

    After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

    By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

  • Force closure of applications in blocked sessions

    Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

    If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

    If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

    By default, this option is disabled.

• Task scheduling settings:
  • Scheduled start setting:
    • Every N hours

      The task runs regularly, with the specified interval in hours, starting from the specified date and time.

      By default, the task runs every six hours, starting from the current system date and time.

    • Every N days

      The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.

      By default, the task runs every day, starting from the current system date and time.

    • Every N weeks

      The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

      By default, the task runs every Monday at the current system time.

    • Every N minutes

      The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

      By default, the task runs every 30 minutes, starting from the current system time.

    • Daily (daylight saving time is not supported)

      The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

      We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

      By default, the task starts every day at the current system time.

    • Weekly

      The task runs every week on the specified day and at the specified time.

    • By days of week

      The task runs regularly, on the specified days of week, at the specified time.

      By default, the task runs every Friday at 6:00:00 PM.

    • Monthly

      The task runs regularly, on the specified day of the month, at the specified time.

      In months that lack the specified day, the task runs on the last day.

      By default, the task runs on the first day of each month, at the current system time.

    • Manually

      The task does not run automatically. You can only start it manually.

      By default, this option is enabled.

    • Every month on specified days of selected weeks

      The task runs regularly, on the specified days of each month, at the specified time.

      By default, no days of month are selected; the default start time is 6:00:00 PM.

    • When new updates are downloaded to the repository

      The task runs after updates are downloaded to the repository. For example, you may want to use this schedule for the find vulnerabilities and required updates task.

    • On virus outbreak

      The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

      • Anti-virus for workstations and file servers
      • Anti-virus for perimeter defense
      • Anti-virus for mail systems

      By default, all application types are selected.

      You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

    • On completing another task

      The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.

  • Run missed tasks

    This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

    If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

    If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

    By default, this option is enabled.

  • Use automatically randomized delay for task starts

    If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

    The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

    If this option is disabled, the task starts on client devices according to the schedule.

  • Use randomized delay for task starts within an interval of (min)

    If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

    If this option is disabled, the task starts on client devices according to the schedule.

    By default, this option is disabled. The default time interval is one minute.

• Devices to which the task will be assigned:
  • Select networked devices detected by Administration Server

    The task is assigned to specific devices. The specific devices can include devices in administration groups as well as unassigned devices.

    For example, you may want to use this option in a task of installing Network Agent on unassigned devices.

  • Specify device addresses manually or import addresses from list

    You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.

    You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.

  • Assign task to a device selection

    The task is assigned to devices included in a device selection. You can specify one of the existing selections.

    For example, you may want to use this option to run a task on devices with a specific operating system version.

  • Assign task to an administration group

    The task is assigned to devices included in an administration group. You can specify one of the existing groups or create a new one.

    For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.

• Account settings:
  • Default account

    The task will be run under the same account as the application that performs this task.

    By default, this option is selected.

  • Specify an account

    Fill in the Account and Password fields to specify the details of an account under which the task is run. The account must have sufficient rights for this task.

  • Account

    Account under which the task is run.

  • Password

    Password of the account under which the task will be run.

Settings specified after task creation

You can specify the following settings only after a task is created.

• Advanced scheduling settings:
  • Activate the device before the task is started through Wake-on-LAN (min)

    The operating system on the device starts at the specified time before the task is started. The default time period is five minutes.

    Enable this option if you want the task to run on all of the client devices from the task scope, including those devices that are turned off when the task is about to start.

    If you want the device to be automatically turned off after the task is complete, enable the Shut down device when task is complete option. This option can be found in the same window.

    By default, this option is disabled.

  • Turn off device after task completion

    For example, you may want to enable this option for an install update task that installs updates to client devices each Friday after business hours, and then turns off these devices for the weekend.

    By default, this option is disabled.

  • Stop task if it has been running longer than (min)

    After the specified time period expires, the task is stopped automatically, whether it is completed or not.

    Enable this option if you want to interrupt (or stop) tasks that take too long to execute.

    By default, this option is disabled. The default task execution time is 120 minutes.

• Notification settings:
  • Store task history block:
    • Store in the Administration Server database for (days)

      Application events related to execution of the task on all client devices from the task scope are stored on the Administration Server during the specified number of days. When this period elapses, the information is deleted from the Administration Server.

      By default, this option is enabled.

    • Store in the OS event log on device

      Application events related to execution of the task are stored locally in Windows Event Log of each client device.

      By default, this option is disabled.

    • Store in the OS event log on Administration Server

      Application events related to execution of the task on all client devices from the task scope are stored centrally in Windows Event Log of the Administration Server operating system (OS).

      By default, this option is disabled.

    • Save all events

      If this option is selected, all events related to the task are saved to the event logs.

    • Save events related to task progress

      If this option is selected, only events related to the task execution are saved to the event logs.

    • Save only task execution results

      If this option is selected, only events related to the task results are saved to the event logs.

  • Notify administrator of task execution results

    You can select the methods by which administrators receive notifications about task execution results: by email, by SMS, and by running an executable file. To configure notification, click the Settings link.

    By default, all notification methods are disabled.

  • Notify of errors only

    If this option is enabled, administrators are only notified when a task execution completes with an error.

    If this option is disabled, administrators are notified after every task execution completion.

    By default, this option is enabled.

• Security settings.
• Task scope settings.

  Depending on how the task scope is determined, the following settings are present:

  • Devices

    If the scope of a task is determined by an administration group, you can view this group. No changes are available here. However, you can set Exclusions from task scope.

    If the scope of a task is determined by a list of devices, you can modify this list by adding and removing devices.

  • Device selection

    You can change the device selection to which the task is applied.

  • Exclusions from task scope

    You can specify groups of devices to which the task is not applied. Groups to be excluded can only be subgroups of the administration group to which the task is applied.

• Revision history.

Starting the Change Tasks Password Wizard

For a non-local task, you can specify an account under which the task must be run. You can specify the account during task creation or in the properties of an existing task. If the specified account is used in accordance with security instructions of the organization, these instructions might require changing the account password from time to time. When the account password expires and you set a new one, the tasks will not start until you specify the new valid password in the task properties.

The Change Tasks Password Wizard enables you to automatically replace the old password with the new one in all tasks in which the account is specified. Alternatively, you can change this password manually in the properties of each task.

To start the Change Tasks Password Wizard:

1. On the DEVICES tab, select TASKS.
2. Click Manage credentials of accounts for starting tasks.

Follow the instructions of the Wizard.

Step 1. Specifying credentials

Expand all | Collapse all

Specify new credentials that are currently valid in your system (for example, in Active Directory). When you switch to the next step of the Wizard, Kaspersky Security Center checks if the specified account name matches the account name in the properties of each non-local task. If the account names match, the password in the task properties will be automatically replaced with the new one.

To specify the new account, select an option:

• Use current account

  The Wizard uses the name of the account under which you are currently signed in to Kaspersky Security Center 13.1 Web Console. Then manually specify the account password in the Current password to use in tasks field.

• Specify a different account

  Specify the name of the account under which the tasks must be started. Then specify the account password in the Current password to use in tasks field.

If you fill in the Previous password (optional; if you want to replace it with the current one) field, Kaspersky Security Center replaces the password only for those tasks in which both the account name and the old password are found. The replacement is performed automatically. In all other cases you have to choose an action to take in the next step of the Wizard.

Step 2. Selecting an action to take

If you did not specify the previous password in the first step of the Wizard or if the specified old password has not matched the passwords in the task properties, you must choose an action to take for the tasks found.

To choose an action for a task:

1. Select the check box next to the task for which you want to choose an action.
2. Perform one of the following:
   • To remove the password in the task properties, click Delete credentials.

     The task is switched to run under the default account.

   • To replace the password with a new one, click Enforce the password change even if the old password is wrong or not provided.
   • To cancel the password change, click No action is selected.

The chosen actions are applied after you move to the next step of the Wizard.

Step 3. Viewing the results

On the last step of the Wizard, view the results for each of the found tasks. To complete the Wizard, click the Finish button.

Managing client devices

This section describes how to manage devices in the administration groups.

Settings of a managed device

Expand all | Collapse all

To view the settings of a managed device:

1. Select DEVICES → MANAGED DEVICES.

   The list of managed devices is displayed.

2. In the list of managed devices, click the link with the name of the required device.

The properties window of the selected device is displayed.

The following tabs are displayed in the upper part of the properties window representing the main groups of the settings:

• General

  This tab comprises the following sections:

  • The General section displays general information about the client device. Information is provided on the basis of data received during the last synchronization of the client device with the Administration Server:
    • Name

      In this field, you can view and modify the client device name in the administration group.

    • Description

      In this field, you can enter an additional description for the client device.

    • Device status

      Status of the client device assigned on the basis of the criteria defined by the administrator for the status of anti-virus protection on the device and the activity of the device on the network.

    • Protection last updated

      Date the anti-virus databases or applications were last updated on the device.

    • Connected to Administration Server

      Date and time Network Agent installed on the client device last connected to the Administration Server.

    • Last visible

      Date and time the device was last visible on the network.

    • Network Agent version
    • Created
    • Device owner
    • Do not disconnect from the Administration Server

      If this option is enabled, continuous connectivity between the managed device and the Administration Server is maintained. You may want to use this option if you are not using push servers, which provide such connectivity.

      If this option is disabled and push servers are not in use, the managed device only connects to the Administration Server to synchronize data or to transmit information.

      The maximum total number of devices with the Do not disconnect from the Administration Server option selected is 300.

      This option is disabled by default on managed devices. This option is enabled by default on the device where the Administration Server is installed and stays enabled even if you try to disable it.

  • The Network section displays the following information about the network properties of the client device:
    • IP address

      Device IP address.

    • Windows domain

      Windows domain or workgroup, which contains the device.

    • DNS name

      Name of the DNS domain of the client device.

    • NetBIOS name

      Windows network name of the client device.

    • IPv6 address
  • The System section provides information about the operating system installed on the client device:
    • Operating system
    • CPU architecture
    • Device name
    • Virtual machine types
    • Dynamic virtual machine as part of VDI
  • The Protection section provides information about the current status of anti-virus protection on the client device:
    • Visible
    • Device status

      Status of the client device assigned on the basis of the criteria defined by the administrator for the status of anti-virus protection on the device and the activity of the device on the network.

    • Status description
    • Protection status

      This field shows the current status of real-time protection on the client device.

      When the status changes on the device, the new status is displayed in the device properties window only after the client device is synchronized with the Administration Server.

    • Last full scan

      Date and time the last virus scan was performed on the client device.

    • Virus detected

      Total number of threats detected on the client device since installation of the anti-virus application (first scan), or since the last reset of the threat counter.

    • Objects that have failed disinfection

      Number of unprocessed files on the client device.

      This field ignores the number of unprocessed files on mobile devices.

    • Disk encryption status

      The current status of file encryption on the local drives of the device.

  • The Device status defined by application section provides information about the device status that is defined by the managed application installed on the device. This device status can differ from the one defined by Kaspersky Security Center.
• Applications

  This tab lists all Kaspersky applications installed on the client device. You can click the application name to view general information about the application, a list of events that have occurred on the device, and the application settings.

• Active policies and policy profiles

  This tab lists the policies and policy profiles which are currently active on the managed device.

• Tasks

  In the Tasks tab, you can manage client device tasks: view the list of existing tasks, create new ones, remove, start, and stop tasks, modify their settings, and view execution results. The list of tasks is provided based on data received during the last session of client synchronization with the Administration Server. The Administration Server requests the task status details from the client device. If connection is not established, the status is not displayed.

• Events

  The Events tab displays events logged on the Administration Server for the selected client device.

• Incidents

  In the Incidents tab, you can view, edit, and create incidents for the client device. Incidents can be created either automatically, through managed Kaspersky applications installed on the client device, or manually by the administrator. For example, if some users regularly move malware from their removable drives to devices, the administrator can create an incident. The administrator can provide a brief description of the case and recommended actions (such as disciplinary actions to be taken against a user) in the text of the incident, and can add a link to the user or users.

  An incident for which all of the required actions have been taken is called processed. The presence of unprocessed incidents can be chosen as the condition for a change of the device status to Critical or Warning.

  This section contains a list of incidents that have been created for the device. Incidents are classified by severity level and type. The type of an incident is defined by the Kaspersky application, which creates the incident. You can highlight processed incidents in the list by selecting the check box in the Processed column.

• Tags

  In the Tags tab, you can manage the list of keywords that are used for finding client devices: view the list of existing tags, assign tags from the list, configure auto-tagging rules, add new tags and rename old tags, and remove tags.

• Advanced

  This tab comprises the following sections:

  • Applications registry. In this section, you can view the registry of applications installed on the client device and their updates; you can also set up the display of the applications registry.

    Information about installed applications is provided if Network Agent installed on the client device sends required information to the Administration Server. You can configure sending of information to the Administration Server in the properties window of Network Agent or its policy, in the Repositories section. Information about installed applications is provided only for devices running Windows.

    Network Agent provides information about the applications based on data received from the system registry.

    Clicking an application name opens a window that contains the application details and a list of the update packages installed for the application.

  • Executable files. This section displays executable files found on the client device.
  • Distribution points. This section provides a list of distribution points with which the device interacts.
    • Export to file

      Click the Export to file button to save to a file a list of distribution points with which the device interacts. By default, the application exports the list of devices to a CSV file.

    • Properties

      Click the Properties button to view and configure the distribution point with which the device interacts.

  • Hardware registry. In this section, you can view information about hardware installed on the client device.
  • Available updates. This section displays a list of software updates found on this device but not installed yet.
  • Software vulnerabilities. This section provides information about vulnerabilities in third-party applications installed on client devices.

    To save the vulnerabilities to a file, select the check boxes next to the vulnerabilities that you want to save, and then click the Export rows to CSV file button or Export rows to TXT file button.

    The section contains the following settings:

    • Show only vulnerabilities that can be fixed

      If this option is enabled, the section displays vulnerabilities that can be fixed by using a patch.

      If this option is disabled, the section displays both vulnerabilities that can be fixed by using a patch, and vulnerabilities for which no patch has been released.

      By default, this option is enabled.

    • Vulnerability properties

      Click a software vulnerability name in the list to view the properties of the selected software vulnerability in a separate window. In the window, you can do the following:

      • Ignore software vulnerability on this managed device (in Administration Console or in Kaspersky Security Center 13.1 Web Console).
      • View the list of recommended fixes for the vulnerability.
      • Manually specify the software updates to fix the vulnerability (in Administration Console or in Kaspersky Security Center 13.1 Web Console).
      • View vulnerability instances.
      • View the list of existing tasks to fix vulnerability and create new tasks to fix vulnerability.

  • Remote diagnostics. In this section, you can perform remote diagnostics of client devices.

Creating administration groups

Immediately after Kaspersky Security Center installation, the hierarchy of administration groups contains only one administration group, called Managed devices. When creating a hierarchy of administration groups, you can add devices, including virtual machines, to the Managed devices group, and add nested groups (see the figure below).

Viewing administration groups hierarchy

To create an administration group:

1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.
2. In the administration group structure, select the administration group that is to include the new administration group.
3. Click the Add button.
4. In the Name of the new administration group window that opens, enter a name for the group, and then click the Add button.

A new administration group with the specified name appears in the hierarchy of administration groups.

The application allows creating a hierarchy of administration groups based on the structure of Active Directory or the domain network's structure. Also, you can create a structure of groups from a text file.

To create a structure of administration groups:

1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.
2. Click the Import button.

The New Administration Group Structure Wizard starts. Follow the instructions of the Wizard.

Adding devices to an administration group manually

You can move devices to administration groups automatically by creating device moving rules or manually by moving devices from one administration group to another or by adding devices to a selected administration group. This section describes how to manually add devices to an administration group.

To add manually one or more devices to a selected administration group:

1. In the main menu, go to DEVICES → MANAGED DEVICES.
2. Click the Current path: <current path> link above the list.
3. In the window that opens, select the administration group to which you want to add the devices.
4. Click the Add devices button.

   The Move Devices Wizard starts.

5. Make a list of the devices that you want to add to the administration group.

   You can add only devices for which information has already been added to the Administration Server database either upon connection of the device or after device discovery.

   Select how you want to add devices to the list:

   • Click the Add devices button, and then specify the devices in one of the following ways:
     • Select devices from the list of devices detected by the Administration Server.
     • Specify a device IP address or an IP range.
     • Specify the NetBIOS name or DNS name of a device.

       The device name field must not contain space characters or the following prohibited characters: \ / * ; : ` ~ ! @ # $ ^ & ( ) = + [ ] { } | , < > %

   • Click the Import devices from file button to import a list of devices from a .txt file. Each device address or name must be specified on a separate line.

     The file must not contain space characters or the following prohibited characters: \ / * ; : ` ~ ! @ # $ ^ & ( ) = + [ ] { } | , < > %

6. View the list of devices to be added to the administration group. You can edit the list by adding or removing devices.
7. After making sure that the list is correct, click the Next button.

The Wizard processes the device list and displays the result. The successfully processed devices are added to the administration group and are displayed in the list of devices under names generated by Administration Server.

Moving devices to an administration group manually

You can move devices from one administration group to another, or from the group of unassigned devices to an administration group.

To move one or several devices to a selected administration group:

1. Open the administration group from which you want to move the devices. To do this, perform one of the following:
   • To open an administration group, go to DEVICES → MANAGED DEVICES, click the path link in the Current path field, and select an administration group in the left-side pane that opens.
   • To open the UNASSIGNED DEVICES group, go to DISCOVERY & DEPLOYMENT → UNASSIGNED DEVICES.
2. Select the check boxes next to the devices that you want to move to a different group.
3. Click the Move to group button.
4. In the hierarchy of administration groups, select the check box next to the administration group to which you want to move the selected devices.
5. Click the Move button.

The selected devices are moved to the selected administration group.

Creating device moving rules

Expand all | Collapse all

You can set up device moving rules, that is, rules that automatically allocate devices to administration groups.

To create a moving rule:

1. In the main menu, go to the DEVICES → MOVING RULES tab.
2. Click Add.
3. In the window that opens, specify the following information on the General tab:
   • Rule name

     Enter a name for the new rule.

     If you are copying a rule, the new rule gets the same name as the source rule, but an index in () format is added to the name, for example: (1).

   • Administration group

     Select the administration group into which the devices are to be moved automatically.

   • Apply rule

     You can select one of the following options:

     • Run once for each device.

       The rule is applied once for each device that matches your criteria.

     • Run once for each device, then at every Network Agent reinstallation.

       The rule is applied once for each device that matches your criteria, then only when Network Agent is reinstalled on these devices.

     • Rule applied continuously.

       The rule is applied according to the schedule which the Administration Server sets up automatically (usually every several hours).

   • Move only devices that do not belong to an administration group

     If this option is enabled, only unassigned devices will be moved to the selected group.

     If this option is disabled, devices that already belong to other administration groups, as well as unassigned devices, will be moved to the selected group.

   • Enable rule

     If this option is enabled, the rule is enabled and starts working after it is saved.

     If this option is disabled, the rule is created, but not enabled. It will not work until you enable this option.

4. On the Rule conditions tab, specify at least one criterion by which the devices are moved to an administration group.
5. Click Save.

The moving rule is created. It is displayed in the list of moving rules.

The higher the position is on the list, the higher the priority of the rule. To increase or decrease the priority of a moving rule, move the rule up or down in the list, respectively, using the mouse.

If the device attributes meet the conditions of multiple rules, the device is moved to the target group of the rule with the highest priority (that is, has the highest rank in the list of rules).

Copying device moving rules

Expand all | Collapse all

You can copy moving rules, for example, if you want to have several identical rules for different target administration groups.

To copy an existing a moving rule:

1. In the main menu, go to the DEVICES → MOVING RULES tab.

   You can also select DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT, and then select MOVING RULES on the menu.

   The list of moving rules is displayed.

2. Select the check box next to the rule you want to copy.
3. Click Copy.
4. In the window that opens, change the following information on the General tab—or make no changes if you only want to copy the rule without changing its settings:
   • Rule name

     Enter a name for the new rule.

     If you are copying a rule, the new rule gets the same name as the source rule, but an index in () format is added to the name, for example: (1).

   • Administration group

     Select the administration group into which the devices are to be moved automatically.

   • Apply rule

     You can select one of the following options:

     • Run once for each device.

       The rule is applied once for each device that matches your criteria.

     • Run once for each device, then at every Network Agent reinstallation.

       The rule is applied once for each device that matches your criteria, then only when Network Agent is reinstalled on these devices.

     • Rule applied continuously.

       The rule is applied according to the schedule which the Administration Server sets up automatically (usually every several hours).

   • Move only devices that do not belong to an administration group

     If this option is enabled, only unassigned devices will be moved to the selected group.

     If this option is disabled, devices that already belong to other administration groups, as well as unassigned devices, will be moved to the selected group.

   • Enable rule

     If this option is enabled, the rule is enabled and starts working after it is saved.

     If this option is disabled, the rule is created, but not enabled. It will not work until you enable this option.

5. On the Rule conditions tab, specify at least one criterion for the devices that you want to be moved automatically.
6. Click Save.

The new moving rule is created. It is displayed in the list of moving rules.

Viewing and configuring the actions when devices show inactivity

Expand all | Collapse all

If client devices within a group are inactive, you can get notifications about it. You can also automatically delete such devices.

To view or configure the actions when the devices in the group show inactivity:

1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.
2. Click the name of the required administration group.

   The administration group properties window opens.

3. In the properties window, go to the Settings tab.
4. In the Inheritance section, enable or disable the following options:
   • Inherit from parent group

     The settings in this section will be inherited from the parent group in which the client device is included. If this option is enabled, the settings under Device activity on the network are locked from any changes.

     This option is available only if the administration group has a parent group.

     By default, this option is enabled.

   • Force inheritance of settings in child groups

     The setting values will be distributed to child groups but in the properties of the child groups these settings are locked.

     By default, this option is disabled.

5. In the Device activity section, enable or disable the following options:
   • Notify the administrator if the device has been inactive for longer than (days)

     If this option is enabled, the administrator receives notifications about inactive devices. You can specify the time interval after which the Device has remained inactive on the network in a long time event is created. The default time interval is 7 days.

     By default, this option is enabled.

   • Remove the device from the group if it has been inactive for longer than (days)

     If this option is enabled, you can specify the time interval after which the device is automatically removed from the group. The default time interval is 60 days.

     By default, this option is enabled.

6. Click Save.

Your changes are saved and applied.

About device statuses

Kaspersky Security Center assigns a status to each managed device. The particular status depends on whether the conditions defined by the user are met. In some cases, when assigning a status to a device, Kaspersky Security Center takes into consideration the device's visibility flag on the network (see the table below). If Kaspersky Security Center does not find a device on the network within two hours, the visibility flag of the device is set to Not Visible.

The statuses are the following:

• Critical or Critical / Visible
• Warning or Warning / Visible
• OK or OK / Visible

The table below lists the default conditions that must be met to assign the Critical or Warning status to a device, with all possible values.

Conditions for assigning a status to a device

Kaspersky Security Center allows you to set up automatic switching of the status of a device in an administration group when specified conditions are met. When specified conditions are met, the client device is assigned one of the following statuses: Critical or Warning. When specified conditions are not met, the client device is assigned the OK status.

Different statuses may correspond to different values of one condition. For example, by default, if the Databases are outdated condition has the More than 3 days value, the client device is assigned the Warning status; if the value is More than 7 days, the Critical status is assigned.

If you upgrade the Kaspersky Security Center from the previous version, the values of the Databases are outdated condition for assigning the status to Critical or Warning do not change.

When Kaspersky Security Center assigns a status to a device, for some conditions (see the Condition description column) the visibility flag is taken into consideration. For example, if a managed device was assigned the Critical status because the Databases are outdated condition was met, and later the visibility flag was set for the device, then the device is assigned the OK status.

Configuring the switching of device statuses

You can change conditions to assign the Critical or Warning status to a device.

To enable changing the device status to Critical:

1. Open the properties window in one of the following ways:
   • In the Policies folder, in the context menu of an Administration Server policy, select Properties.
   • Select Properties in the context menu of an administration group.
2. In the Properties window that opens, in the Sections pane, select Device status.
3. In the right pane, in the Set to Critical if these are specified section, select the check box next to a condition in the list.

   You can change only settings that are not locked in the parent policy.

4. Set the required value for the selected condition.

   You can set values for some, but not all, conditions.

5. Click OK.

When specified conditions are met, the managed device is assigned the Critical status.

To enable changing the device status to Warning:

1. Open the properties window in one of the following ways:
   • In the Policies folder, in the context menu of the Administration Server policy, select Properties.
   • Select Properties in the context menu of the administration group.
2. In the Properties window that opens, in the Sections pane select Device status.
3. In the right pane, in the Set to Warning if these are specified section, select the check box next to a condition in the list.

   You can change only settings that are not locked in the parent policy.

4. Set the required value for the selected condition.

   You can set values for some, but not all, conditions.

5. Click OK.

When specified conditions are met, the managed device is assigned the Warning status.

Remotely connecting to the desktop of a client device

The administrator can obtain remote access to the desktop of a client device through a Network Agent installed on the device. Remote connection to a device through the Network Agent is possible even if the TCP and UDP ports of the client device are closed.

Upon establishing the connection with the device, the administrator gains full access to information stored on this device and can manage applications installed on it.

Remote connection must be allowed in the operating system settings of the target managed device. For example, in Windows 10, this option is called Allow Remote Assistance connections to this computer (you can find this option at Control Panel → System and Security → System → Remote settings). If you have a license for the Vulnerability and Patch Management feature, you can enable this option forcibly when you establish connection to a managed device. If you do not have the license, enable this option locally on the target managed device. If this option is disabled, remote connection is not possible.

To establish remote connection to a device, you must have two utilities:

• Kaspersky utility named klsctunnel. This utility must be stored on the administrator's workstation. You use this utility for tunneling the connection between a client device and the Administration Server.

  Kaspersky Security Center allows tunneling TCP connections from Administration Console via the Administration Server and then via Network Agent to a specified port on a managed device. Tunneling is designed for connecting a client application on a device with Administration Console installed to a TCP port on a managed device—if no direct connection is possible between Administration Console and the target device.

  Connection tunneling between a remote client device and Administration Server is required if the port used for connection to Administration Server is not available on the device. The port on the device may be unavailable in the following cases:

  • The remote device is connected to a local network that uses the NAT mechanism.
  • The remote device is part of the local network of Administration Server, but its port is closed by a firewall.
• Standard Microsoft Windows component named Remote Desktop Connection. Connection to a remote desktop is established through the standard Windows utility mstsc.exe in accordance with the utility's settings.

  Connection to the current remote desktop session of the user is established without the user's knowledge. Once the administrator connects to the session, the device user is disconnected from the session without an advance notification.

To connect to the desktop of a client device:

1. In MMC-based Administration Console, in the context menu of the Administration Server, select Properties.
2. In the Administration Server properties window that opens, go to Administration Server connection settings → Connection ports.
3. Make sure that the Open RDP port for Kaspersky Security Center 13.1 Web Console option is enabled.
4. In Kaspersky Security Center 13.1 Web Console, go to DEVICES → MANAGED DEVICES.
5. In the Current path field above the list of managed devices, click the path link.
6. In the left-side pane that opens, select the administration group that contains the device to which you want to obtain access.
7. Select the check box next to the name of the device to which you want to obtain access.
8. Click the Connect to Remote Desktop button.

   The Remote Desktop (Windows only) window opens.

9. Enable the Allow remote desktop connection on managed device option. In this case, the connection will be established even if remote connections are currently prohibited in the operating system settings on the managed device.

   This option is only available if you have a license for the Vulnerability and Patch Management feature.

10. Click the Download button to download the klsctunnel utility.
11. Click the Copy to clipboard button to copy the text from the text field. This text is a Binary Large Object (BLOB) that contains settings required to establish connection between the Administration Server and the managed device.

    A BLOB is valid for 3 minutes. If it has expired, reopen the Remote Desktop (Windows only) window to generate a new BLOB.

12. Run the klsctunnel utility.

    The utility window opens.

13. Paste the copied text into the text field.
14. If you use a proxy server, select the Use proxy server check box, and then specify the proxy server connection settings.
15. Click the Open port button.

    The Remote Desktop Connection login window opens.

16. Specify the credentials of the account under which you are currently logged in to Kaspersky Security Center 13.1 Web Console.
17. Click the Connect button.

When connection to the device is established, the desktop is available in the Remote Desktop Connection window of Microsoft Windows.

Connecting to devices through Windows Desktop Sharing

The administrator can obtain remote access to the desktop of a client device through a Network Agent installed on the device. Remote connection to a device through the Network Agent is possible even if the TCP and UDP ports of the client device are closed.

The administrator can connect to an existing session on a client device without disconnecting the user in this session. In this case, the administrator and the session user on the device share access to the desktop.

To establish remote connection to a device, you must have two utilities:

• Kaspersky utility named klsctunnel. This utility must be stored on the administrator's workstation. You use this utility for tunneling the connection between a client device and the Administration Server.

  Kaspersky Security Center allows tunneling TCP connections from Administration Console via the Administration Server and then via Network Agent to a specified port on a managed device. Tunneling is designed for connecting a client application on a device with Administration Console installed to a TCP port on a managed device—if no direct connection is possible between Administration Console and the target device.

  Connection tunneling between a remote client device and Administration Server is required if the port used for connection to Administration Server is not available on the device. The port on the device may be unavailable in the following cases:

  • The remote device is connected to a local network that uses the NAT mechanism.
  • The remote device is part of the local network of Administration Server, but its port is closed by a firewall.
• Windows Desktop Sharing. When connecting to an existing session of the remote desktop, the session user on the device receives a connection request from the administrator. No information about remote activity on the device and its results will be saved in reports created by Kaspersky Security Center.

  The administrator can configure an audit of user activity on a remote client device. During the audit, the application saves information about files on the client device that have been opened and/or modified by the administrator.

To connect to the desktop of a client device through Windows Desktop Sharing, the following conditions must be met:

• Microsoft Windows Vista or a later Windows operating system is installed on the client device.
• Microsoft Windows Vista or later is installed on the administrator's workstation. The type of operating system of the device hosting Administration Server imposes no restrictions on connection through Windows Desktop Sharing.

  To check whether the Windows Desktop Sharing feature is included in your Windows edition, make sure that there is CLSID\{32BE5ED2-5C86-480F-A914-0FF8885A1B3F} key in the Windows Registry.

• Microsoft Windows Vista or later is installed on the client device.
• Kaspersky Security Center uses a license for Vulnerability and patch management.

To connect to the desktop of a client device through Windows Desktop Sharing:

1. In MMC-based Administration Console, in the context menu of the Administration Server, select Properties.
2. In the Administration Server properties window that opens, go to Administration Server connection settings → Connection ports.
3. Make sure that the Open RDP port for Kaspersky Security Center 13.1 Web Console option is enabled.
4. In Kaspersky Security Center 13.1 Web Console, go to DEVICES → MANAGED DEVICES.
5. In the Current path field above the list of managed devices, click the path link.
6. In the left-side pane that opens, select the administration group that contains the device to which you want to obtain access.
7. Select the check box next to the name of the device to which you want to obtain access.
8. Click the Windows Desktop Sharing button.

   The Windows Desktop Sharing Wizard opens.

9. Click the Download button to download the klsctunnel utility, and wait for the download process to complete.

   If you already have the klsctunnel utility, skip this step.

10. Click the Next button.
11. Select the session on the device to which you want to connect, and then click the Next button.
12. On the target device, in the dialog box that opens, the user must allow a desktop sharing session. Otherwise, the session is not possible.

    After the device user confirms the desktop sharing session, the next page of the Wizard opens.
    

13. Click the Copy to clipboard button to copy the text from the text field. This text is a Binary Large OBject (BLOB) that contains settings required to establish connection between the Administration Server and the managed device.

    A BLOB is valid for 3 minutes. If it has expired, generate a new BLOB.

14. Run the klsctunnel utility.

    The utility window opens.

15. Paste the copied text into the text field.
16. If you use a proxy server, select the Use proxy server check box, and then specify the proxy server connection settings.
17. Click the Open port button.

Desktop sharing starts in a new window. If you want to interact with the device, click the menu icon () in the upper-left corner of the window, and then select Interactive mode.

Device selections

Device selections are a tool for filtering devices according to specific conditions. You can use device selections to manage several devices: for example, to view a report about only these devices or to move all of these devices to another group.

Kaspersky Security Center provides a broad range of predefined selections (for example, Devices with Critical status, Protection is disabled, Active threats are detected). Predefined selections cannot be deleted. You can also create and configure additional user-defined selections.

In user-defined selections, you can set the search scope and select all devices, managed devices, or unassigned devices. Search parameters are specified in the conditions. In the device selection you can create several conditions with different search parameters. For example, you can create two conditions and specify different IP ranges in each of them. If several conditions are specified, a selection displays the devices that meet any of the conditions. By contrast, search parameters within a condition are superimposed. If both an IP range and the name of an installed application are specified in a condition, only those devices will be displayed where both the application is installed and the IP address belongs to the specified range.

To view the device selection:

1. In the main menu, go to DEVICES → DEVICE SELECTIONS or DISCOVERY & DEPLOYMENT → DEVICE SELECTIONS section.
2. In the selection list, click the name of the relevant selection.

The device selection result is displayed.

Creating a device selection

To create a device selection:

1. In the main menu, go to DEVICES → DEVICE SELECTIONS.

   A page with a list of device selections is displayed.

2. Click the Add button.

   The Device selection settings window opens.

3. Enter the name of the new selection.
4. Specify the type of the devices that you want to include in the device selection.
5. Click the Add button.
6. In the window that opens, specify conditions that must be met for including devices in this selection, and then click the OK button.
7. Click the Save button.

The device selection is created and added to the list of device selections.

Configuring a device selection

Expand all | Collapse all

To configure a device selection:

1. In the main menu, go to DEVICES → DEVICE SELECTIONS.

   A page with a list of device selections is displayed.

2. Click the relevant user-defined device selection.

   The Device selection settings window opens.

3. On the General tab, specify conditions that must be met for including devices in this selection.
4. Click the Save button.

The settings are applied and saved.

Below are descriptions of the conditions for assigning devices to a selection. Conditions are combined by using the OR logical operator: the selection will contain devices that comply with at least one of the listed conditions.

General

In the General section, you can change the name of the selection condition and specify whether that condition must be inverted:

Invert selection condition

Network

In the Network section, you can specify the criteria that will be used to include devices in the selection according to their network data:

• Device name or IP address

  Windows network name (NetBIOS name) of the device or IPv4 address.

• Windows domain

  Displays all devices included in the specified Windows domain.

• Administration group

  Displays devices included in the specified administration group.

• Description

  Text in the device properties window: In the Description field of the General section.

  To describe text in the Description field, you can use the following characters:

  • Within a word:
    • *. Replaces any string with any number of characters.

    Example:

    To describe words such as Server or Server's, you can enter Server*.

    • ?. Replaces any single character.

    Example:

    To describe words such as Window or Windows, you can enter Windo?.

    Asterisk (*) or question mark (?) cannot be used as the first character in the query.

  • To find several words:
    • Space. Displays all the devices whose descriptions contain any of the listed words.

    Example:

    To find a phrase that contains Secondary or Virtual words, you can include Secondary Virtual line in your query.

    • +. When a plus sign precedes a word, all search results will contain this word.

    Example:

    To find a phrase that contains both Secondary and Virtual, enter the +Secondary+Virtual query.

    • -. When a minus sign precedes a word, no search results will contain this word.

    Example:

    To find a phrase that contains Secondary and does not contain Virtual, enter the +Secondary-Virtual query.

    • "<some text>". Text enclosed in quotation marks must be present in the text.

    Example:

    To find a phrase that contains Secondary Server word combination, you can enter "Secondary Server" in the query.

• IP range

  If this option is enabled, you can enter the initial and final IP addresses of the IP range in which the relevant devices must be included.

  By default, this option is disabled.

Tags

In the Tags section, you can configure criteria for including devices into a selection based on key words (tags) that were previously added to the descriptions of managed devices:

• Apply if at least one specified tag matches

  If this option is enabled, the search results will show devices with descriptions that contain at least one of the selected tags.

  If this option is disabled, the search results will only show devices with descriptions that contain all the selected tags.

  By default, this option is disabled.

• Tag must be included

  If this option is selected, the search results will display the devices whose descriptions contain the selected tag. To find devices, you can use the asterisk, which stands for any string with any number of characters.

  By default, this option is selected.

• Tag must be excluded

  If this option is selected, the search results will display the devices whose descriptions do not contain the selected tag. To find devices, you can use the asterisk, which stands for any string with any number of characters.

Active Directory

In the Active Directory section, you can configure criteria for including devices into a selection based on their Active Directory data:

• Device is in an Active Directory organizational unit

  If this option is enabled, the selection includes devices from the Active Directory unit specified in the entry field.

  By default, this option is disabled.

• Include child organizational units

  If this option is enabled, the selection includes devices from all child organizational units of the specified Active Directory organizational unit.

  By default, this option is disabled.

• This device is a member of an Active Directory group

  If this option is enabled, the selection includes devices from the Active Directory group specified in the entry field.

  By default, this option is disabled.

Network activity

In the Network activity section, you can specify the criteria that will be used to include devices in the selection according to their network activity:

• This device is a distribution point

  In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

  • Yes. The selection includes devices that act as distribution points.
  • No. Devices that act as distribution points are not included in the selection.
  • No value is selected. The criterion will not be applied.
• Do not disconnect from the Administration Server

  In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

  • Enabled. The selection will include devices on which the Do not disconnect from the Administration Server check box is selected.
  • Disabled. The selection will include devices on which the Do not disconnect from the Administration Server check box is cleared.
  • No value is selected. The criterion will not be applied.
• Connection profile switched

  In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

  • Yes. The selection will include devices that connected to the Administration Server after the connection profile was switched.
  • No. The selection will not include devices that connected to the Administration Server after the connection profile was switched.
  • No value is selected. The criterion will not be applied.
• Last connected to Administration Server

  You can use this check box to set a search criterion for devices according to the time they last connected to the Administration Server.

  If this check box is selected, in the entry fields you can specify the time interval (date and time) during which the last connection was established between Network Agent installed on the client device and the Administration Server. The selection will include devices that fall within the specified interval.

  If this check box is cleared, the criterion will not be applied.

  By default, this check box is cleared.

• New devices detected by network poll

  Searches for new devices that have been detected by network polling over the last few days.

  If this option is enabled, the selection only includes new devices that have been detected by device discovery over the number of days specified in the Detection period (days) field.

  If this option is disabled, the selection includes all devices that have been detected by device discovery.

  By default, this option is disabled.

• Device is visible

  In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

  • Yes. The application includes in the selection devices that are currently visible in the network.
  • No. The application includes in the selection devices that are currently invisible in the network.
  • No value is selected. The criterion will not be applied.

Application

In the Application section, you can configure criteria for including devices in a selection based on the selected managed application:

• Application name

  In the drop-down list, you can set a criterion for including devices in a selection when search is performed by the name of a Kaspersky application.

  The list provides only the names of applications with management plug-ins installed on the administrator's workstation.

  If no application is selected, the criterion will not be applied.

• Application version

  In the entry field, you can set a criterion for including devices in a selection when search is performed by the version number of a Kaspersky application.

  If no version number is specified, the criterion will not be applied.

• Critical update name

  In the entry field, you can set a criterion for including devices in a selection when search is performed by application name or by update package number.

  If the field is left blank, the criterion will not be applied.

• Modules last updated

  You can use this option to set a criterion for searching devices by time of the last update of modules of applications installed on those devices.

  If this check box is selected, in the entry fields you can specify the time interval (date and time) during which the last update of modules of applications installed on those devices was performed.

  If this check box is cleared, the criterion will not be applied.

  By default, this check box is cleared.

• Device is managed through Kaspersky Security Center 13.1

  In the drop-down list, you can include in the selection the devices managed through Kaspersky Security Center:

  • Yes. The application includes in the selection devices managed through Kaspersky Security Center.
  • No. The application includes devices in the selection if they are not managed through Kaspersky Security Center.
  • No value is selected. The criterion will not be applied.
• Security application is installed

  In the drop-down list, you can include in the selection all devices with the security application installed:

  • Yes. The application includes in the selection all devices with the security application installed.
  • No. The application includes in the selection all devices with no security application installed.
  • No value is selected. The criterion will not be applied.

Operating system

In the Operating system section, you can specify the criteria that will be used to include devices in the selection according to their operating system type.

• Operating system version

  If the check box is selected, you can select an operating system from the list. Devices with the specified operating systems installed are included in the search results.

• Operating system bit size

  In the drop-down list, you can select the architecture for the operating system, which will determine how the moving rule is applied to the device (Unknown, x86, AMD64, or IA64). By default, no option is selected in the list so that the operating system's architecture is not defined.

• Operating system service pack version

  In this field, you can specify the package version of the operating system (in the X.Y format), which will determine how the moving rule is applied to the device. By default, no version value is specified.

• Operating system build

  This setting is applicable to Windows operating systems only.

  The build number of the operating system. You can specify whether the selected operating system must have an equal, earlier, or later build number. You can also configure searching for all build numbers except the specified one.

• Operating system release ID

  This setting is applicable to Windows operating systems only.

  The release identifier (ID) of the operating system. You can specify whether the selected operating system must have an equal, earlier, or later release ID. You can also configure searching for all release ID numbers except the specified one.

Device status

In the Device status section, you can configure criteria for including devices into a selection based on the description of the devices status from a managed application:

• Device status

  Drop-down list in which you can select one of the device statuses: OK, Critical, or Warning.

• Device status description

  In this field, you can select the check boxes next to conditions that, if met, assign one of the following statuses to the device: OK, Critical, or Warning.

• Device status defined by application

  Drop-down list, in which you can select the real-time protection status. Devices with the specified real-time protection status are included in the selection.

Protection components

In the Protection components section, you can set up the criteria for including devices in a selection based on their protection status:

• Databases released

  If this option is selected, you can search for client devices by anti-virus database release date. In the entry fields you can set the time interval, on the basis of which the search is performed.

  By default, this option is disabled.

• Database records count

  If this option is enabled, you can search for client devices by number of database records. In the entry fields you can set the lower and upper threshold values for anti-virus database records.

  By default, this option is disabled.

• Last scanned

  If this check option is enabled, you can search for client devices by time of the last virus scan. In the entry fields you can specify the time period within which the last virus scan was performed.

  By default, this option is disabled.

• Total number of threats detected

  If this option is enabled, you can search for client devices by number of viruses detected. In the entry fields you can set the lower and upper threshold values for the number of viruses found.

  By default, this option is disabled.

Applications registry

In the Applications registry section, you can set up the criteria to search for devices according to applications installed on them:

• Application name

  Drop-down list in which you can select an application. Devices on which the specified application is installed, are included in the selection.

• Application version

  Entry field in which you can specify the version of selected application.

• Vendor

  Drop-down list in which you can select the manufacturer of an application installed on the device.

• Application status

  A drop-down list in which you can select the status of an application (Installed, Not installed). Devices on which the specified application is installed or not installed, depending on the selected status, will be included in the selection.

• Find by update

  If this option is enabled, search will be performed using the details of updates for applications installed on the relevant devices. After you select the check box, the Application name, Application version, and Application status fields change to Update name, Update version, and Status respectively.

  By default, this option is disabled.

• Incompatible security application name

  Drop-down list in which you can select third-party security applications. During the search, devices on which the specified application is installed, are included in the selection.

• Application tag

  In the drop-down list, you can select the application tag. All devices that have installed applications with the selected tag in the description are included in the device selection.

• Apply to devices without the specified tags

  If this option is enabled, the selection includes devices with descriptions that contain none of the selected tags.

  If this option is disabled, the criterion is not applied.

  By default, this option is disabled.

Hardware registry

In the Hardware registry section, you can configure criteria for including devices into a selection based on their installed hardware:

• Device

  In the drop-down list, you can select a unit type. All devices with this unit are included in the search results.

  The field supports the full-text search.

• Vendor

  In the drop-down list, you can select the name of a unit manufacturer. All devices with this unit are included in the search results.

  The field supports the full-text search.

• Device name

  Name of the device in the Windows network. The device with the specified name is included in the selection.

• Description

  Description of the device or hardware unit. Devices with the description specified in this field are included in the selection.

  A device's description in any format can be entered in the properties window of that device. The field supports the full-text search.

• Device vendor

  Name of the device manufacturer. Devices produced by the manufacturer specified in this field are included in the selection.

  You can enter the manufacturer's name in the properties window of a device.

• Serial number

  All hardware units with the serial number specified in this field will be included in the selection.

• Inventory number

  Equipment with the inventory number specified in this field will be included in the selection.

• User

  All hardware units of the user specified in this field will be included in the selection.

• Location

  Location of the device or hardware unit (for example, at the HQ or a branch office). Computers or other devices that are deployed at the location specified in this field will be included in the selection.

  You can describe the location of a device in any format in the properties window of that device.

• CPU frequency, in MHz

  The frequency range of a CPU. Devices with CPUs that match the frequency range in these fields (inclusive) will be included in the selection.

• Virtual CPU cores

  Range of the number of virtual cores in a CPU. Devices with CPUs that match the range in these fields (inclusive) will be included in the selection.

• Hard drive volume, in GB

  Range of values for the size of the hard drive on the device. Devices with hard drives that match the range in these entry fields (inclusive) will be included in the selection.

• RAM size, in MB

  Range of values for the size of the device RAM. Devices with RAMs that match the range in these entry fields (inclusive) will be included in the selection.

Virtual machines

In the Virtual machines section, you can set up the criteria to include devices in the selection according to whether these are virtual machines or part of virtual desktop infrastructure (VDI):

• This is a virtual machine

  In the drop-down list, you can select the following options:

  • Not important.
  • No. Find devices that are not virtual machines.
  • Yes. Find devices that are virtual machines.
• Virtual machine type

  In the drop-down list, you can select the virtual machine manufacturer.

  This drop-down list is available if the Yes or Not important value is selected in the This is a virtual machine drop-down list.

• Part of Virtual Desktop Infrastructure

  In the drop-down list, you can select the following options:

  • Not important.
  • No. Find devices that are not part of Virtual Desktop Infrastructure.
  • Yes. Find devices that are part of the Virtual Desktop Infrastructure (VDI).

Vulnerabilities and updates

In the Vulnerabilities and updates section, you can specify the criteria that will be used to include devices in the selection according to their Windows Update source:

WUA is switched to Administration Server

Users

In the Users section, you can set up the criteria to include devices in the selection according to the accounts of users who have logged in to the operating system.

• Last user who logged in to the system

  If this option is enabled, click the Browse button to specify a user account. The search results include devices on which the specified user performed the last login to the system.

• User who logged in to the system at least once

  If this option is enabled, click the Browse button to specify a user account. The search results include devices on which the specified user logged in to the system at least once.

Status-affecting problems in managed applications

In the Status-affecting problems in managed applications section, you can specify the criteria that will be used to include devices in the selection according to the list of possible problems detected by a managed application. If at least one problem that you select exists on a device, the device will be included in the selection. When you select a problem listed for several applications, you have the option to select this problem in all of the lists automatically.

Device status description

Statuses of components in managed applications

In the Statuses of components in managed applications section, you can configure criteria for including devices in a selection according to the statuses of components in managed applications:

• Data Leakage Prevention status

  Search for devices by the status of Data Leakage Prevention (No data from device, Stopped, Starting, Paused, Running, Failed).

• Collaboration servers protection status

  Search for devices by the status of server collaboration protection (No data from device, Stopped, Starting, Paused, Running, Failed).

• Anti-virus protection status of mail servers

  Search for devices by the status of Mail Server protection (No data from device, Stopped, Starting, Paused, Running, Failed).

• Endpoint Sensor status

  Search for devices by the status of the Endpoint Sensor component (No data from device, Stopped, Starting, Paused, Running, Failed).

Encryption

Encryption algorithm

Cloud segments

In the Cloud segments section, you can configure criteria for including devices in a selection according to their respective cloud segments:

• Device is in a cloud segment

  If this option is enabled, you can click the Browse button to specify the segment to search.

  If the Include child objects option is also enabled, the search is run on all child objects of the specified segment.

  Search results include only devices from the selected segment.

• Device discovered by using the API

  In the drop-down list, you can select whether a device is detected by API tools:

  • AWS. The device is discovered by using the AWS API, that is, the device is definitely in the AWS cloud environment.
  • Azure. The device is discovered by using the Azure API, that is, the device is definitely in the Azure cloud environment.
  • Google Cloud. The device is discovered by using the Google API, that is, the device is definitely in the Google Cloud environment.
  • No. The device cannot be detected by using the AWS, Azure, or Google API, that is, it is either outside the cloud environment or it is in the cloud environment but it cannot be detected by using an API.
  • No value. This condition does not apply.

Application components

This section contains the list of components of those applications that have corresponding management plug-ins installed in Administration Console.

In the Application components section, you can specify criteria for including devices in a selection according to the statuses and version numbers of the components that refer to the application that you select:

• Status

  Search for devices according to the component status sent by an application to the Administration Server. You can select one of the following statuses: No data from device, Stopped, Starting, Paused, Running, Malfunction, or Not installed. If the selected component of the application installed on a managed device has the specified status, the device is included in the device selection.

  Statuses sent by applications:

  • Starting—The component is currently in the process of initialization.
  • Running—The component is enabled and working properly.
  • Paused—The component is suspended, for example, after the user has paused protection in the managed application.
  • Malfunction—An error has occurred during the component operation.
  • Stopped—The component is disabled and not working at the moment.
  • Not installed—The user did not select the component for installation when configuring custom installation of the application.

  Unlike other statuses, the No data from device status is not sent by applications. This option shows that the applications have no information about the selected component status. For example, this can happen when the selected component does not belong to any of the applications installed on the device, or when the device is turned off.

• Version

  Search for devices according to the version number of the component that you select in the list. You can type a version number, for example 3.4.1.0, and then specify whether the selected component must have an equal, earlier, or later version. You can also configure searching for all versions except the specified one.

Device tags

This section describes device tags, and provides instructions for creating and modifying them as well as for tagging devices manually or automatically.

About device tags

Kaspersky Security Center allows you to tag devices. A tag is the label of a device and it can be used for grouping, describing, or finding devices. Tags assigned to devices can be used for creating selections, for finding devices, and for distributing devices among administration groups.

You can tag devices manually or automatically. You may use manual tagging when you want to tag an individual device. Auto-tagging is performed by Kaspersky Security Center in accordance with the specified tagging rules.

Devices are tagged automatically when specified rules are met. An individual rule corresponds to each tag. Rules are applied to the network properties of the device, operating system, applications installed on the device, and other device properties. For example, if you have a hybrid infrastructure of physical machines, Amazon EC2 instances, and Microsoft Azure virtual machines, you can set up a rule that will assign the [Azure] tag to all Microsoft Azure virtual machines. Then, you can use this tag when creating a device selection; and this will help you sort all Microsoft Azure virtual machines and assign them a task.

A tag is automatically removed from a device in the following cases:

• When the device stops meeting conditions of the rule that assigns the tag.
• When the rule that assigns the tag is disabled or deleted.

The list of tags and the list of rules on each Administration Server are independent of all other Administration Servers, including a primary Administration Server or subordinate virtual Administration Servers. A rule is applied only to devices from the same Administration Server on which the rule is created.

Creating a device tag

To create a device tag:

1. In the main menu, go to DEVICES → TAGS → DEVICE TAGS.
2. Click Add.

   A new tag window opens.

3. In the Tag field, enter the tag name.
4. Click Save to save the changes.

The new tag appears in the list of device tags.

Renaming a device tag

To rename a device tag:

1. In the main menu, go to DEVICES → TAGS → DEVICE TAGS.
2. Click the name of the tag that you want to rename.

   A tag properties window opens.

3. In the Tag field, change the tag name.
4. Click Save to save the changes.

The updated tag appears in the list of device tags.

Deleting a device tag

To delete a device tag:

1. In the main menu, go to DEVICES → TAGS → DEVICE TAGS.
2. In the list, select the device tag that you want to delete.
3. Click the Delete button.
4. In the window that opens, click Yes.

The device tag is deleted. The deleted tag is automatically removed from all of the devices to which it was assigned.

The tag that you have deleted is not removed automatically from auto-tagging rules. After the tag is deleted, it will be assigned to a new device only when the device first meets the conditions of a rule that assigns the tag.

The deleted tag is not removed automatically from the device if this tag is assigned to the device by an application or Network Agent. To remove the tag from your device, use the klscflag utility.

Viewing devices to which a tag is assigned

To view devices to which a tag is assigned:

1. In the main menu, go to DEVICES → TAGS → DEVICE TAGS.
2. Click the View devices link next to the tag for which you want to view assigned devices.

   If you do not see the View devices link next to a tag, the tag is not assigned to any devices.

The list of devices that appears shows only those devices to which the tag is assigned.

To return to the list of device tags, click the Back button of your browser.

Viewing tags assigned to a device

To view tags assigned to a device:

1. In the main menu, go to DEVICES → MANAGED DEVICES.
2. Click the name of the device whose tags you want to view.
3. In the device properties window that opens, select the Tags tab.

The list of tags assigned to the selected device is displayed.

You can assign another tag to the device or remove an already assigned tag. You can also see all device tags that exist on the Administration Server.

Tagging a device manually

To assign a tag to a device manually:

1. View tags assigned to the device to which you want to assign another tag.
2. Click Add.
3. In the window that opens, do one of the following:
   • To create and assign a new tag, select Create new tag, and then specify the name of the new tag.
   • To select an existing tag, select Assign existing tag, and then select the necessary tag in the drop-down list.
4. Click OK to apply the changes.
5. Click Save to save the changes.

The selected tag is assigned to the device.

Removing an assigned tag from a device

To remove a tag from a device:

1. In the main menu, go to DEVICES → MANAGED DEVICES.
2. Click the name of the device whose tags you want to view.
3. In the device properties window that opens, select the Tags tab.
4. Select the check box next to the tag that you want to remove.
5. At the top of the list, click the Unassign tag button.
6. In the window that opens, click Yes.

The tag is removed from the device.

The unassigned device tag is not deleted. If you want, you can delete it manually.

You cannot manually remove tags assigned to the device by applications or Network Agent. To remove these tags, use the klscflag utility.

Viewing rules for tagging devices automatically

To view rules for tagging devices automatically,

Do any of the following:

• In the main menu, go to DEVICES → TAGS → AUTO-TAGGING RULES.
• In the main menu, go to DEVICES → TAGS, and then click the Set up auto-tagging rules link.
• View tags assigned to a device and then click the Settings button.

The list of rules for auto-tagging devices appears.

Editing a rule for tagging devices automatically

To edit a rule for tagging devices automatically:

1. View rules for tagging devices automatically.
2. Click the name of the rule that you want to edit.

   A rule settings window opens.

3. Edit the general properties of the rule:
   1. In the Rule name field, change the rule name.

      The name cannot be more than 256 characters long.

   2. Do any of the following:
      • Enable the rule by switching the toggle button to Rule enabled.
      • Disable the rule by switching the toggle button to Rule disabled.
4. Do any of the following:
   • If you want to add a new condition, click the Add button, and specify the settings of the new condition in the window that opens.
   • If you want to edit an existing condition, click the name of the condition that you want to edit, and then edit the condition settings.
   • If you want to delete a condition, select the check box next to the name of the condition that you want to delete, and then click Delete.
5. Click OK in the conditions settings window.
6. Click Save to save the changes.

The edited rule is shown in the list.

Creating a rule for tagging devices automatically

To create a rule for tagging devices automatically:

1. View rules for tagging devices automatically.
2. Click Add.

   A new rule settings window opens.

3. Configure the general properties of the rule:
   1. In the Rule name field, enter the rule name.

      The name cannot be more than 256 characters long.

   2. Do one of the following:
      • Enable the rule by switching the toggle button to Rule enabled.
      • Disable the rule by switching the toggle button to Rule disabled.
   3. In the Tag field, enter the new device tag name or select one of the existing device tags from the list.

      The name cannot be more than 256 characters long.

4. In the conditions section, click the Add button to add a new condition.

   A new condition settings window open.

5. Enter the condition name.

   The name cannot be more than 256 characters long. The name must be unique within a rule.

6. Set up the triggering of the rule according to the following conditions. You can select multiple conditions.
   • Network—Network properties of the device, such as the device name on the Windows network, or device inclusion in a domain or an IP subnet.

     If case sensitive collation is set for the database that you use for Kaspersky Security Center, keep case when you specify a device DNS name. Otherwise, the auto-tagging rule will not work.

   • Applications—Presence of Network Agent on the device, operating system type, version, and architecture.
   • Virtual machines—Device belongs to a specific type of virtual machine.
   • Active Directory—Presence of the device in an Active Directory organizational unit and membership of the device in an Active Directory group.
   • Applications registry—Presence of applications of different vendors on the device.
7. Click OK to save the changes.

   If necessary, you can set multiple conditions for a single rule. In this case, the tag will be assigned to a device if it meets at least one condition.

8. Click Save to save the changes.

The newly created rule is enforced on devices managed by the selected Administration Server. If the settings of a device meet the rule conditions, the device is assigned the tag.

Later, the rule is applied in the following cases:

• Automatically and periodically, depending on the server workload
• After you edit the rule
• When you run the rule manually
• After the Administration Server detects a change in the settings of a device that meets the rule conditions or the settings of a group that contains such device

You can create multiple tagging rules. A single device can be assigned multiple tags if you have created multiple tagging rules and if the respective conditions of these rules are met simultaneously. You can view the list of all assigned tags in the device properties.

Running rules for auto-tagging devices

When a rule is run, the tag specified in properties of this rule is assigned to devices that meet conditions specified in properties of the same rule. You can run only active rules.

To run rules for auto-tagging devices:

1. View rules for tagging devices automatically.
2. Select check boxes next to active rules that you want to run.
3. Click the Run rule button.

The selected rules are run.

Deleting a rule for tagging devices automatically

To delete a rule for tagging devices automatically:

1. View rules for tagging devices automatically.
2. Select the check box next to the rule that you want to delete.
3. Click Delete.
4. In the window that opens, click Delete again.

The selected rule is deleted. The tag that was specified in properties of this rule is unassigned from all of the devices that it was assigned to.

The unassigned device tag is not deleted. If you want, you can delete it manually.

Managing device tags by using the klscflag utility

This section provides information on how to assign or remove device tags by using the klscflag utility.

Assigning a device tag

Note that you must run the klscflag utility on the client device to which you want to assign a tag.

To assign a tag to your device by using the klscflag utility:

1. Enter the following command, using administrator rights:

   klscflag -ssvset -pv 1103/1.0.0.0 -s KLNAG_SECTION_TAGS_INFO -n KLCONN_HOST_TAGS -sv "[\"TAG NAME\"]" -svt ARRAY_T -ss "|ss_type = \"SS_PRODINFO\";"

   where TAG NAME is the name of the tag you want to assign to your device, for example:

   klscflag -ssvset -pv 1103/1.0.0.0 -s KLNAG_SECTION_TAGS_INFO -n KLCONN_HOST_TAGS -sv "[\"ENTERPRISE\"]" -svt ARRAY_T -ss "|ss_type = \"SS_PRODINFO\";"

2. Restart the Network Agent service.

The specified tag is assigned to your device. To make sure that the tag is assigned successfully, view tags assigned to the device.

Alternatively, you can assign device tags manually.

Removing a device tag

If a tag has been assigned to your device by an application or Network Agent, you cannot remove this tag manually. In this case, use the klscflag utility to remove the assigned tag from the device.

Note that you must run the klscflag utility on the client device from which you want to remove a tag.

To remove a tag from the device by using the klscflag utility:

1. Enter the following command, using administrator rights:

   klscflag -ssvset -pv 1103/1.0.0.0 -s KLNAG_SECTION_TAGS_INFO -n KLCONN_HOST_TAGS -sv "[]" -svt ARRAY_T -ss "|ss_type = \"SS_PRODINFO\";"

2. Restart the Network Agent service.

The tag is removed from the device.

Page top

Policies and policy profiles

In Kaspersky Security Center 13.1 Web Console, you can create policies for Kaspersky applications. This section describes policies and policy profiles, and provides instructions for creating and modifying them.

About policies and policy profiles

A policy is a set of Kaspersky application settings that are applied to an administration group and its subgroups. You can install several Kaspersky applications on the devices of an administration group. Kaspersky Security Center provides a single policy for each Kaspersky application in an administration group. A policy has one of the following statuses (see the table below):

The status of the policy

Policies function according to the following rules:

• Multiple policies with different values can be configured for a single application.
• Only one policy can be active for the current application.
• You can activate an inactive policy when a specific event occurs. For example, you can enforce stricter anti-virus protection settings during virus outbreaks.
• A policy can have child policies.

Generally, you can use policies as preparations for emergency situations, such as a virus attack. For example, if there is an attack via flash drives, you can activate a policy that blocks access to flash drives. In this case, the current active policy automatically becomes inactive.

In order to prevent maintaining multiple policies, for example, when different occasions assume changing of several settings only, you may use policy profiles.

A policy profile is a named subset of policy settings values that replaces the settings values of a policy. A policy profile affects the effective settings formation on a managed device. Effective settings are a set of policy settings, policy profile settings, and local application settings that are currently applied for the device.

Policy profiles function according to the following rules:

• A policy profile takes an effect when a specific activation condition occurs.
• Policy profiles contain values of settings that differ from the policy settings.
• Activation of a policy profile changes the effective settings of the managed device.
• A policy can include a maximum of 100 policy profiles.

About lock and locked settings

Each policy setting has a lock button icon (). The table below shows lock button statuses:

Lock button statuses

We highly recommend that you close locks for the policy settings that you want to apply on the managed devices. The unlocked policy settings can be reassigned by Kaspersky application settings on a managed device.

You can use a lock button for performing the following actions:

• Locking settings for an administration subgroup policy
• Locking settings of a Kaspersky application on a managed device

Thus, a locked setting is used for implementing effective settings on a managed device.

A process of effective settings implementation includes the following actions:

• Managed device applies settings values of Kaspersky application.
• Managed device applies locked settings values of a policy.

A policy and managed Kaspersky application contain the same set of settings. When you configure policy settings, the Kaspersky application settings change values on a managed device. You cannot adjust locked settings on a managed device (see the figure below):

Locks and Kaspersky application settings

Inheritance of policies and policy profiles

This section provides information about the hierarchy and inheritance of policies and policy profiles.

Hierarchy of policies

If different devices need different settings, you can organize devices into administration groups.

You can specify a policy for a single administration group. Policy settings can be inherited. Inheritance means receiving policy settings values in subgroups (child groups) from a policy of a higher-level (parent) administration group.

Hereinafter, a policy for a parent group is also referred to as a parent policy. A policy for a subgroup (child group) is also referred to as a child policy.

By default, at least one managed devices group exists on Administration Server. If you want to create custom groups, they are created as subgroups (child groups) within the managed devices group.

Policies of the same application act on each other, according to a hierarchy of administration groups. Locked settings from a policy of a higher-level (parent) administration group will reassign policy settings values of a subgroup (see the figure below).

Hierarchy of policies

Policy profiles in a hierarchy of policies

Policy profiles have the following priority assignment conditions:

• A profile's position in a policy profile list indicates its priority. You can change a policy profile priority. The highest position in a list indicates the highest priority (see the figure below).

  

  Priority definition of a policy profile

• Activation conditions of policy profiles do not depend on each other. Several policy profiles can be activated simultaneously. If several policy profiles affect the same setting, the device takes the setting value from the policy profile with the highest priority (see the figure below).

  

  Managed device configuration fulfills activation conditions of several policy profiles

Policy profiles in a hierarchy of inheritance

Policy profiles from different hierarchy level policies comply with the following conditions:

• A lower-level policy inherits policy profiles from a higher-level policy. A policy profile inherited from a higher-level policy obtains higher priority than the original policy profile's level.
• You cannot change a priority of an inherited policy profile (see the figure below).

  

  Inheritance of policy profiles

Policy profiles with the same name

If there are two policies with the same names in different hierarchy levels, these policies function according to the following rules:

• Locked settings and the profile activation condition of a higher-level policy profile changes the settings and profile activation condition of a lower-level policy profile (see the figure below).

  

  Child profile inherits settings values from a parent policy profile

• Unlocked settings and the profile activation condition of a higher-level policy profile do not change the settings and profile activation condition of a lower-level policy profile.

How settings are implemented on a managed device

Implementation of effective settings on a managed device can be described as follows:

• The values of all settings that have not been locked are taken from the policy.
• Then they are overwritten with the values of managed application settings.
• And then the locked settings values from the effective policy are applied. Locked settings values change the values of unlocked effective settings.

Managing policies

This section describes managing policies and provides information about viewing the list of policies, creating a policy, modifying a policy, copying a policy, moving a policy, forced synchronization, viewing the policy distribution status chart, and deleting a policy.

Viewing the list of policies

You can view lists of policies created for the Administration Server or for any administration group.

To view a list of policies:

1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.
2. In the administration group structure, select the administration group for which you want to view the list of policies.

The list of policies appears in tabular format. If there are no policies, the table is empty. You can show or hide the columns of the table, change their order, view only lines that contain a value that you specify, or use search.

Creating a policy

You can create policies; you can also modify and delete existing policies.

To create a policy:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.
2. Click Add.

   The Select application window opens.

3. Select the application for which you want to create a policy.
4. Click Next.

   The new policy settings window opens with the General tab selected.

5. If you want, change the default name, default status, and default inheritance settings of the policy.
6. Select the Application settings tab.

   Or, you can click Save and exit. The policy will appear in the list of policies, and you can edit its settings later.

7. On the Application settings tab, in the left pane select the category that you want and in the results pane on the right, edit the settings of the policy. You can edit policy settings in each category (section).

   The set of settings depends on the application for which you create a policy. For details, refer to the following:

   • Administration Server configuration
   • Network Agent policy settings
   • Kaspersky Endpoint Security for Windows documentation

   For details about settings of other security applications, refer to the documentation for the corresponding application.

   When editing the settings, you can click Cancel to cancel the last operation.

8. Click Save to save the policy.

The policy will appear in the list of policies.

Modifying a policy

To modify a policy:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.
2. Click the policy that you want to modify.

   The policy settings window opens.

3. Specify the general settings and settings of the application for which you create a policy. For details, refer to the following:
   • Administration Server configuration
   • Network Agent policy settings
   • Kaspersky Endpoint Security for Windows documentation

   For details about settings of other security applications, refer to the documentation for that application.

4. Click Save.

The changes made to the policy will be saved in the policy properties, and will appear in the Revision history section.

General policy settings

Expand all | Collapse all

General

In the General tab, you can modify the policy status and specify the inheritance of policy settings:

• In the Policy status block, you can select one of the policy modes:
  • Active

    If this option is selected, the policy becomes active.

    By default, this option is selected.

  • Out-of-office

    If this option is selected, the policy becomes active when the device leaves the corporate network.

  • Inactive

    If this option is selected, the policy becomes inactive, but it is still stored in the Policies folder. If required, the policy can be activated.

• In the Settings inheritance settings group, you can configure the policy inheritance:
  • Inherit settings from parent policy

    If this option is enabled, the policy setting values are inherited from the upper-level group policy and, therefore, are locked.

    By default, this option is enabled.

  • Force inheritance of settings in child policies

    If this option is enabled, after policy changes are applied, the following actions will be performed:

    • The values of the policy settings will be propagated to the policies of administration subgroups, that is, to the child policies.
    • In the Settings inheritance block of the General section in the properties window of each child policy, the Inherit settings from parent policy option will be automatically enabled.

    If this option is enabled, the child policies settings are locked.

    By default, this option is disabled.

Event configuration

The Event configuration tab allows you to configure event logging and event notification. Events are distributed by importance level on the following tabs:

• Critical

  The Critical section is not displayed in the Network Agent policy properties.

• Functional failure
• Warning
• Info

In each section, the list shows the types of events and the default event storage term on the Administration Server (in days). Clicking an event type lets you specify the following settings:

• Event registration

  You can specify how many days to store the event and select where to store the event:

  • Export to SIEM system using Syslog
  • Store in the OS event log on device
  • Store in the OS event log on Administration Server
• Event notifications

  You can select if you want to be notified about the event in one of the following ways:

  • Notify by email
  • Notify by SMS
  • Notify by running an executable file or script
  • Notify by SNMP

  By default, the notification settings specified on the Administration Server properties tab (such as recipient address) are used. If you want, you can change these settings in the Email, SMS, and Executable file to be run tabs.

Revision history

The Revision history tab allows you to view the list of the policy revisions and roll back changes made to the policy, if necessary.

Enabling and disabling a policy inheritance option

To enable or disable the inheritance option in a policy:

1. Open the required policy.
2. Open the General tab.
3. Enable or disable policy inheritance:
   • If you enable Inherit settings from parent policy in a child policy and an administrator locks some settings in the parent policy, then you cannot change these settings in the child policy.
   • If you disable Inherit settings from parent policy in a child policy, then you can change all of the settings in the child policy, even if some settings are locked in the parent policy.
   • If you enable Force inheritance of settings in child policies in the parent group, this enables the Inherit settings from parent policy option for each child policy. In this case, you cannot disable this option for any child policy. All of the settings that are locked in the parent policy are forcibly inherited in the child groups, and you cannot change these settings in the child groups.
4. Click the Save button to save changes or click the Cancel button to reject changes.

By default, the Inherit settings from parent policy option is enabled for a new policy.

If a policy has profiles, all of the child policies inherit these profiles.

Copying a policy

You can copy policies from one administration group to another.

To copy a policy to another administration group:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.
2. Select the check box next to the policy (or policies) that you want to copy.
3. Click the Copy button.

   On the right side of the screen, the tree of the administration groups appears.

4. In the tree, select the target group, that is, the group to which you want to copy the policy (or policies).
5. Click the Copy button at the bottom of the screen.
6. Click OK to confirm the operation.

The policy (policies) will be copied to the target group with all its profiles. The status of each copied policy in the target group will be Inactive. You can change the status to Active at any time.

If a policy with the name identical to that of the newly moved policy already exists in the target group, the name of the newly moved policy is expanded with the (<next sequence number>) index, for example: (1).

Moving a policy

You can move policies from one administration group to another. For example, you want to delete a group, but you want to use its policies for another group. In this case, you may want move the policy from the old group to the new one before deleting the old group.

To move a policy to another administration group:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.
2. Select the check box next to the policy (or policies) that you want to move.
3. Click the Move button.

   On the right side of the screen, the tree of the administration groups appears.

4. In the tree, select the target group, that is, the group to which you want to move the policy (or policies).
5. Click the Move button at the bottom of the screen.
6. Click OK to confirm the operation.

If a policy is not inherited from the source group, it is moved to the target group with all its profiles. The status of the policy in the target group is Inactive. You can change the status to Active at any time.

If a policy is inherited from the source group, it remains in the source group. It is copied to the target group with all its profiles. The status of the policy in the target group is Inactive. You can change the status to Active at any time.

If a policy with the name identical to that of the newly moved policy already exists in the target group, the name of the newly moved policy is expanded with the (<next sequence number>) index, for example: (1).

Viewing the policy distribution status chart

In Kaspersky Security Center, you can view the status of policy application on each device in a policy distribution status chart.

To view the policy distribution status on each device:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.
2. Select check box next to the name of the policy for which you want to view the distribution status on devices.
3. In the menu that appears, select the Distribution link.

   The <Policy name> distribution results window opens.

4. In the <Policy name> distribution results window that opens, the Status description of the policy is displayed.

You can change number of results displayed in the list with policy distribution. The maximum number of devices is 100000.

To change the number of devices displayed in the list with policy distribution results:

1. In the main menu, go to the Interface options section in the toolbar.
2. In the Limit of devices displayed in policy distribution results, enter the number of devices (up to 100000).

   By default, the number is 5000.

3. Click Save.

   The settings are saved and applied.

Activating a policy automatically at the Virus outbreak event

To make a policy perform automatic activation at a Virus outbreak event:

1. At the top of the screen, click the settings icon () next to the name of the required Administration Server.

   The Administration Server properties window opens, with the General tab selected.

2. Select the Virus outbreak section.
3. In the right pane, click the Configure policies to activate when a Virus outbreak event occurs link.

   The Policy activation window opens.

4. In the section relating to the component that detects a virus outbreak—Anti-Virus for workstations and file servers, Anti-Virus for mail servers, or Anti-Virus for perimeter defense—select the option button next to the entry you want, and then click Add.

   A window opens with the Managed devices administration group.

5. Click the chevron icon () next to Managed devices.

   A hierarchy of administration groups and their policies is displayed.

6. In the hierarchy of administration groups and their policies, click the name of a policy or policies that are activated when a virus outbreak is detected.

   To select all policies in the list or in a group, select the check box next to the required name.

7. Click the Save button.

   The window with the hierarchy of administration groups and their policies is closed.

The selected policies are added to the list of policies that are activated when a virus outbreak is detected. The selected policies are activated at the virus outbreak, independent whether they are active or inactive.

If a policy has been activated on the Virus outbreak event, you can return to the previous policy only by using the manual mode.

Deleting a policy

You can delete a policy if you do not need it anymore. You can delete only a policy that is not inherited in the specified administration group. If a policy is inherited, you can only delete it in the upper-level group for which it was created.

To delete a policy:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.
2. Select the check box next to the policy that you want to delete, and click Delete.

   The Delete button becomes unavailable (dimmed) if you select an inherited policy.

3. Click OK to confirm the operation.

The policy is deleted together with all its profiles.

Managing policy profiles

This section describes managing policy profiles and provides information about viewing the profiles of a policy, changing a policy profile priority, creating a policy profile, modifying a policy profile, copying a policy profile, creating a policy profile activation rule, and deleting a policy profile.

Viewing the profiles of a policy

To view profiles of a policy:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.
2. Click the name of the policy whose profiles you want to view.

   The policy properties window opens with the General tab selected.

3. Open the Policy profiles tab.

The list of policy profiles appears in tabular format. If the policy does not have profiles, the empty table appears.

Changing a policy profile priority

To change a policy profile priority:

1. Proceed to the list of profiles of a policy that you want.

   The list of policy profiles appears.

2. On the Policy profiles tab, select the check box next to the policy profile for which you want to change priority.
3. Set a new position of the policy profile in the list by clicking Prioritize or Deprioritize.

   The higher a policy profile is located in the list, the higher its priority.

4. Click the Save button.

Priority of the selected policy profile is changed and applied.

Creating a policy profile

To create a policy profile:

1. Proceed to the list of profiles for the policy that you want.

   The list of policy profiles appears. If the policy does not have profiles, an empty table appears.

2. Click Add.
3. If you want, change the default name and default inheritance settings of the profile.
4. Select the Application settings tab.

   Alternatively, you can click Save and exit. The profile that you have created appears in the list of policy profiles, and you can edit its settings later.

5. On the Application settings tab, in the left pane select the category that you want and in the results pane on the right, edit the settings for the profile. You can edit policy profile settings in each category (section).

   When editing the settings, you can click Cancel to cancel the last operation.

6. Click Save to save the profile.

The profile will appear in the list of policy profiles.

Modifying a policy profile

The capability to edit a policy profile is only available for policies of Kaspersky Endpoint Security for Windows.

To modify a policy profile:

1. Proceed to the list of profiles of a policy that you want.

   The list of policy profiles appears.

2. On the Policy profiles tab, click the policy profile that you want to modify.

   The policy profile properties window opens.

3. Configure the profile in the properties window:
   • If necessary, on the General tab, change the profile name and enable or disable the profile.
   • Edit the profile activation rules.
   • Edit the application settings.

   For details about settings of security applications, please see the documentation of the corresponding application.

4. Click Save.

The modified settings will take effect either after the device is synchronized with the Administration Server (if the policy profile is active), or after an activation rule is triggered (if the policy profile is inactive).

Copying a policy profile

You can copy a policy profile to the current policy or to another, for example, if you want to have identical profiles for different policies. You can also use copying if you want to have two or more profiles that differ in only a small number of settings.

To copy a policy profile:

1. Proceed to the list of profiles of a policy that you want.

   The list of policy profiles appears. If the policy does not have profiles, an empty table appears.

2. On the Policy profiles tab, select the policy profile that you want to copy.
3. Click Copy.
4. In the window that opens, select the policy to which you want to copy the profile.

   You can copy a policy profile to the same policy or to a policy that you specify.

5. Click Copy.

The policy profile is copied to the policy that you selected. The newly copied profile gets the lowest priority. If you copy the profile to the same policy, the name of the newly copied profile will be expanded with the () index, for example: (1), (2).

Later, you can change the settings of the profile, including its name and its priority; the original policy profile will not be changed in this case.

Creating a policy profile activation rule

Expand all | Collapse all

To create a policy profile activation rule:

1. Proceed to the list of profiles of a policy that you want.

   The list of policy profiles appears.

2. On the Policy profiles tab, click the policy profile for which you need to create an activation rule.

   If the list of policy profiles is empty, you can create a policy profile.

3. On the Activation rules tab, click the Add button.

   The window with policy profile activation rules opens.

4. Specify a name for the rule.
5. Select the check boxes next to the conditions that must affect activation of the policy profile that you are creating:
   • General rules for policy profile activation

     Select this check box to set up policy profile activation rules on the device depending on the status of the device offline mode, rule for connection to Administration Server, and tags assigned to the device.

     For this option, specify at the next step:

     • Device status

       Defines the condition for device presence on the network:

       • Online—The device is on the network, and so the Administration Server is available.
       • Offline—The device is on an external network, which means that the Administration Server is not available.
       • N/A—The criterion will not be applied.
     • Rule for Administration Server connection is active on this device

       Choose the condition of policy profile activation (whether the rule is executed or not) and select the rule name.

       The rule defines the network location of the device for connection to the Administration Server, whose conditions must be met (or must not be met) for activation of the policy profile.

       A network location description of devices for connection to an Administration Server can be created or configured in a Network Agent switching rule.

   • Rules for specific device owner

     For this option, specify at the next step:

     • Device owner

       Enable this option to configure and enable the rule for profile activation on the device according to its owner. In the drop-down list under the check box, you can select a criterion for the profile activation:

       • The device belongs to the specified owner ("=" sign).
       • The device does not belong to the specified owner ("#" sign).

         If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the device owner when the option is enabled. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

     • Device owner is included in an internal security group

       Enable this option to configure and enable the rule of profile activation on the device by the owner's membership in an internal security group of Kaspersky Security Center. In the drop-down list under the check box, you can select a criterion for the profile activation:

       • The device owner is a member of the specified security group ("=" sign).
       • The device owner is not a member of the specified security group ("#" sign).

         If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify a security group of Kaspersky Security Center. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

   • Rules for hardware specifications

     Select this check box to set up rules for policy profile activation on the device depending on the memory volume and the number of logical processors.

     For this option, specify at the next step:

     • RAM size, in MB

       Enable this option to configure and enable the rule of profile activation on the device by the RAM volume available on that device. In the drop-down list under the check box, you can select a criterion for the profile activation:

       • The device RAM size is less than the specified value ("<" sign).
       • The device RAM size is greater than the specified value (">" sign).

       If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the RAM volume on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

     • Number of logical processors

       Enable this option to configure and enable the rule of profile activation on the device by the number of logical processors on that device. In the drop-down list under the check box, you can select a criterion for the profile activation:

       • The number of logical processors on the device is less than or equal to the specified value ("<" sign).
       • The number of logical processors on the device is greater than or equal to the specified value (">" sign).

       If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the number of logical processors on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

   • Rules for role assignment

     For this option, specify at the next step:

     Activate policy profile by specific role of device owner

     Select this option to configure and enable the rule of profile activation on the device depending on the owner's role. Add the role manually from the list of existing roles.

     If this option is enabled, the profile is activated on the device in accordance with the criterion configured.

   • Rules for tag usage

     Select this check box to set up rules for policy profile activation on the device depending on the tags assigned to the device. You can activate the policy profile to the devices that either have the selected tags or do not have them.

     For this option, specify at the next step:

     • Tag

       In the list of tags, specify the rule for device inclusion in the policy profile by selecting the check boxes next to the relevant tags.

       You can add new tags to the list by entering them in the field over the list and clicking the Add button.

       The policy profile includes devices with descriptions containing all the selected tags. If check boxes are cleared, the criterion is not applied. By default, these check boxes are cleared.

     • Apply to devices without the specified tags

       Enable this option if you have to invert your selection of tags.

       If this option is enabled, the policy profile includes devices with descriptions that contain none of the selected tags. If this option is disabled, the criterion is not applied.

       By default, this option is disabled.

   • Rules for Active Directory usage

     Select this check box to set up rules for policy profile activation on the device depending on the presence of the device in an Active Directory organizational unit (OU), or on membership of the device (or its owner) in an Active Directory security group.

     For this option, specify at the next step:

     • Device owner's membership in Active Directory security group

       If this option is enabled, the policy profile is activated on the device whose owner is a member of the specified security group. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

     • Device membership in Active Directory security group

       If this option is enabled, the policy profile is activated on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

     • Device allocation in Active Directory organizational unit

       If this option is enabled, the policy profile is activated on the device which is included in the specified Active Directory organizational unit (OU). If this option is disabled, the profile activation criterion is not applied.

       By default, this option is disabled.

   The number of additional pages of the Wizard depends on the settings that you select at the first step. You can modify policy profile activation rules later.

6. Check the list of the configured parameters. If the list is correct, click Create.

The profile will be saved. The profile will be activated on the device when activation rules are triggered.

Policy profile activation rules created for the profile are displayed in the policy profile properties on the Activation rules tab. You can modify or remove any policy profile activation rule.

Multiple activation rules can be triggered simultaneously.

Deleting a policy profile

To delete a policy profile:

1. Proceed to the list of profiles of a policy that you want.

   The list of policy profiles appears.

2. On the Policy profiles tab, select the check box next to the policy profile that you want to delete, and click Delete.
3. In the window that opens, click Delete again.

The policy profile is deleted. If the policy is inherited by a lower-level group, the profile remains in that group, but becomes the policy profile of that group. This is done to eliminate significant change in settings of the managed applications installed on the devices of lower-level groups.

Data encryption and protection

Data encryption reduces the risk of unintentional leakage in case your laptop or hard drive is stolen or lost, or upon access by unauthorized users and applications.

The following Kaspersky applications support encryption:

• Kaspersky Endpoint Security for Windows
• Kaspersky Endpoint Security for Mac

You can show or hide some of the interface elements related to the encryption management feature by using the user interface settings.

Encryption of data in Kaspersky Endpoint Security for Windows

You can manage the following types of encryption:

• BitLocker Drive Encryption on devices running a Windows operating system for servers
• Kaspersky Disk Encryption on devices running a Windows operating system for workstation

By using these components of Kaspersky Endpoint Security for Windows, you can, for example, enable or disable encryption, view the list of encrypted drives, or generate and view reports about encryption.

You configure encryption by defining policies of Kaspersky Endpoint Security for Windows in Kaspersky Security Center. Kaspersky Endpoint Security for Windows performs encryption and decryption according to the active policy. For detailed instructions on how to configure rules and a description of encryption features, see the Kaspersky Endpoint Security for Windows Help.

Encryption of data in Kaspersky Endpoint Security for Mac

You can use FileVault encryption on devices running macOS. While working with Kaspersky Endpoint Security for Mac, you can enable or disable this encryption.

You configure encryption by defining policies of Kaspersky Endpoint Security for Mac in Kaspersky Security Center. Kaspersky Endpoint Security for Mac performs encryption and decryption according to the active policy. For a detailed description of encryption features, see the Kaspersky Endpoint Security for Mac Help.

Viewing the list of encrypted drives

In Kaspersky Security Center, you can view details about encrypted drives and devices that are encrypted at the drive level. After the information on a drive is decrypted, the drive is automatically removed from the list.

To view the list of encrypted drives,

In the main menu, go to the OPERATIONS → DATA ENCRYPTION AND PROTECTION → ENCRYPTED DRIVES section.

If the section is not on the menu, this means that it is hidden. In the user interface settings, enable the Show data encryption and protection option to display the section.

You can export the list of encrypted drives to a CSV or TXT file. To do this, click the Export rows to CSV file or Export rows to TXT file button.

Viewing the list of encryption events

When running data encryption or decryption tasks on devices, Kaspersky Endpoint Security for Windows sends Kaspersky Security Center information about events of the following types:

• Cannot encrypt or decrypt a file, or create an encrypted archive, due to a lack of free disk space.
• Cannot encrypt or decrypt a file, or create an encrypted archive, due to license issues.
• Cannot encrypt or decrypt a file, or create an encrypted archive, due to missing access rights.
• The application has been prohibited from accessing an encrypted file.
• Unknown errors.

To view a list of events that occurred during data encryption on devices,

In the main menu, go to the OPERATIONS → DATA ENCRYPTION AND PROTECTION → ENCRYPTION EVENTS section.

If the section is not on the menu, this means that it is hidden. In the user interface settings, enable the Show data encryption and protection option to display the section.

You can export the list of encrypted drives to a CSV or TXT file. To do this, click the Export rows to CSV file or Export rows to TXT file button.

Alternatively, you can examine the list of encryption events for every managed device.

To view the encryption events for a managed device:

1. In the main menu, go to the DEVICES → MANAGED DEVICES section.
2. Click on the name of a managed device.
3. On the General tab, go to the Protection section.
4. Click the View data encryption errors link.

Creating and viewing encryption reports

You can generate the following reports:

• Report on encryption status of mass storage devices. This report contains information about the device encryption status for all groups of devices.
• Report on rights of access to encrypted drives. This report contains information about the status of user accounts that have been granted access to encrypted drives.
• Report on file encryption errors. This report contains information about errors that occurred when data encryption or decryption tasks were run on devices.
• Report on blockage of access to encrypted files. This report contains information about blocking application access to encrypted files.

You can generate any report in the MONITORING & REPORTING → REPORTS section. Alternatively, you can generate some of the encryption reports in the ENCRYPTED DRIVES section and the ENCRYPTION EVENTS section.

To generate encryption reports in the ENCRYPTED DRIVES section:

1. Make sure that you enabled the Show data encryption and protection option in the Interface options.
2. Select OPERATIONS → DATA ENCRYPTION AND PROTECTION, and in the drop-down list select ENCRYPTED DRIVES.
3. To generate an encryption report, click the name of the report that you want to generate:
   • Report on encryption status of mass storage devices
   • Report on rights to access encrypted drives

The report generation starts.

To generate Report on file encryption errors in the ENCRYPTION EVENTS section:

1. Make sure that you enabled the Show data encryption and protection option in the Interface options.
2. Select OPERATIONS → DATA ENCRYPTION AND PROTECTION, and in the drop-down list select ENCRYPTION EVENTS.
3. To generate the encryption report, click the Report on file encryption errors link.

The report generation starts.

Granting access to an encrypted drive in offline mode

A user can request access to an encrypted device, for example, when Kaspersky Endpoint Security for Windows is not installed on the managed device. After you receive the request, you can create an access key file and send it to the user. All of the use cases and detailed instructions are provided in the Kaspersky Endpoint Security for Windows Help.

To grant access to an encrypted drive in offline mode:

1. Get a request access file from a user (a file with the FDERTC extension). Follow the instructions in the Kaspersky Endpoint Security for Windows Help to generate the file in Kaspersky Endpoint Security for Windows.
2. In the main menu, go to the OPERATIONS → DATA ENCRYPTION AND PROTECTION → ENCRYPTED DRIVES section.

   A list of encrypted drives appears.

3. Select the drive to which the user requested access.
4. Click the Grant access to the device in offline mode button.
5. In the window that opens, select the plug-in corresponding to the Kaspersky application that was used to encrypt the selected drive.

   If a drive is encrypted with a Kaspersky application that is not supported by Kaspersky Security Center 13.1 Web Console, use Microsoft Management Console-based Administration Console to grant the offline access.

6. Follow the instructions provided in the Kaspersky Endpoint Security for Windows Help (see expanding blocks at the end of the section).

After that, the user applies the received file to access the encrypted drive and read data stored on the drive.

Users and user roles

This section describes users and user roles, and provides instructions for creating and modifying them, for assigning roles and groups to users, and for associating policy profiles with roles.

About user roles

A user role (also referred to as a role) is an object containing a set of rights and privileges. A role can be associated with settings of Kaspersky applications installed on a user device. You can assign a role to a set of users or to a set of security groups at any level in the hierarchy of administration groups.

You can associate user roles with policy profiles. If a user is assigned a role, this user gets security settings necessary to perform job functions.

A user role can be associated with users of devices in a specific administration group.

User role scope

A user role scope is a combination of users and administration groups. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

Advantage of using roles

An advantage of using roles is that you do not have to specify security settings for each of the managed devices or for each of the users separately. The number of users and devices in a company may be quite large, but the number of different job functions that require different security settings is considerably smaller.

Differences from using policy profiles

Policy profiles are properties of a policy that is created for each Kaspersky application separately. A role is associated with many policy profiles created for different applications. Therefore, a role is a method of uniting settings for a certain user type in one place.

Configuring access rights to application features. Role-based access control

Kaspersky Security Center provides facilities for role-based access to the features of Kaspersky Security Center and managed Kaspersky applications.

You can configure access rights to application features for Kaspersky Security Center users in one of the following ways:

• By configuring the rights for each user or group of users individually.
• By creating standard user roles with a predefined set of rights and assigning those roles to users depending on their scope of duties.

Application of user roles is intended to simplify and shorten routine procedures of configuring users' access rights to application features. Access rights within a role are configured in accordance with the standard tasks and the users' scope of duties.

User roles can be assigned names that correspond to their respective purposes. You can create an unlimited number of roles in the application.

You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself.

Access rights to application features

The table below shows the Kaspersky Security Center features with the access rights to manage the associated tasks, reports, settings, and perform the associated user actions.

To perform the user actions listed in the table, a user has to have the right specified next to the action.

Read, Modify, and Execute rights are applicable to any task, report, or setting. In addition to these rights, a user has to have the Perform operations on device selections right to manage tasks, reports, or settings on device selections.

All tasks, reports, settings, and installation packages that are missing in the table belong to the General features: Basic functionality functional area.

Access rights to application features

Predefined user roles

User roles assigned to Kaspersky Security Center users provide them with sets of access rights to application features.

You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself. Some of the predefined user roles available in Kaspersky Security Center can be associated with specific job positions, for example, Auditor, Security Officer, Supervisor (these roles are present in Kaspersky Security Center starting from the version 11). Access rights of these roles are pre-configured in accordance with the standard tasks and scope of duties of the associated positions. The table below shows how roles can be associated with specific job positions.

Examples of roles for specific job positions

The table below shows the access rights assigned to each predefined user role.

Access rights of predefined user roles

Adding an account of an internal user

To add a new internal user account to Kaspersky Security Center:

1. In the main menu, go to USERS & ROLES → USERS.
2. Click Add.
3. In the New entity window that opens, specify the settings of the new user account:
   • Keep the default option User.
   • Name.
   • Password for the user connection to Kaspersky Security Center.

     The password must comply with the following rules:

     • The password must be 8 to 16 characters long.
     • The password must contain characters from at least three of the groups listed below:
       • Uppercase letters (A-Z)
       • Lowercase letters (a-z)
       • Numbers (0-9)
       • Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)
     • The password must not contain any whitespaces, Unicode characters, or the combination of "." and "@", when "." is placed before "@".

     To see the characters that you entered, click and hold the Show button.

     The number of attempts for entering the password is limited. By default, the maximum number of allowed password entry attempts is 10. You can change the allowed number of attempts to enter a password, as described in "Changing the number of allowed password entry attempts".

     If the user enters an invalid password the specified number of times, the user account is blocked for one hour. You can unblock the user account only by changing the password.

   • Full name
   • Description
   • Email address
   • Phone
4. Click OK to save the changes.

The new user account appears in the list of users and user groups.

Creating a user group

To create a user group:

1. In the main menu, go to USERS & ROLES → USERS.
2. Click Add.
3. In the New entity window opens, select Group.
4. Specify the following settings for the new user group:
   • Group name
   • Description
5. Click OK to save the changes.

The new user group appears in the list of users and user groups.

Editing an account of an internal user

To edit an internal user account in Kaspersky Security Center:

1. In the main menu, go to USERS & ROLES → USERS.
2. Click the name of the user account that you want to edit.
3. In the user settings window that opens, on the General tab, change the settings of the user account:
   • Description
   • Full name
   • Email address
   • Main phone
   • Password for the user connection to Kaspersky Security Center.

     The password must comply with the following rules:

     • The password must be 8 to 16 characters long.
     • The password must contain characters from at least three of the groups listed below:
       • Uppercase letters (A-Z)
       • Lowercase letters (a-z)
       • Numbers (0-9)
       • Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)
     • The password must not contain any whitespaces, Unicode characters, or the combination of "." and "@", when "." is placed before "@".

     To see the entered password, click and hold the Show button.

     The number of attempts for entering the password is limited. By default, the maximum number of allowed password entry attempts is 10. You can change the allowed number of attempts; however, for security reasons, we do not recommend that you decrease this number. If the user enters an invalid password the specified number of times, the user account is blocked for one hour. You can unblock the user account only by changing the password.

   • If necessary, switch the toggle button to Disabled to prohibit the user from connecting to the application. You can disable an account, for example, after an employee leaves the company.
4. On the Authentication security tab, you can specify the security settings for this account.
5. On the Groups tab, you can add the user to security groups.
6. On the Devices tab, you can assign devices to the user.
7. On the Roles tab, you can assign roles to the user.
8. Click Save to save the changes.

The updated user account appears in the list of users and security groups.

Editing a user group

You can edit only internal groups.

To edit a user group:

1. In the main menu, go to USERS & ROLES → USERS.
2. Click the name of the user group that you want to edit.
3. In the group settings window that opens, change the settings of the user group:
   • Name
   • Description
4. Click Save to save the changes.

The updated user group appears in the list of users and user groups.

Adding user accounts to an internal group

You can add only accounts of internal users to an internal group.

To add user accounts to an internal group:

1. In the main menu, go to USERS & ROLES → USERS.
2. Select check boxes next to user accounts that you want to add to a group.
3. Click the Assign group button.
4. In the Assign group window that opens, select the group to which you want to add user accounts.
5. Click the Assign button.

The user accounts are added to the group.

Assigning a user as a device owner

To assign a user as a device owner:

1. Go to USERS & ROLES → USERS.
2. Click the name of the user account that you want to assign as a device owner.
3. In the user settings window that opens, click the Devices tab.
4. Click Add.
5. From the device list, select the device that you want to assign to the user.
6. Click OK.

The selected device is added to the list of devices assigned to the user.

You can perform the same operation at DEVICES → MANAGED DEVICES, by clicking the name of the device that you want to assign, and then clicking the Manage device owner link.

Deleting a user or a security group

You can delete only internal users or internal security groups.

To delete a user or a security group:

1. In the main menu, go to USERS & ROLES → USERS.
2. Select the check box next to the user or the security group that you want to delete.
3. Click Delete.
4. In the window that opens, click OK.

The user or the security group is deleted.

Creating a user role

To create a user role:

1. In the main menu, go to USERS & ROLES → Roles.
2. Click Add.
3. In the New role name window that opens, enter the name of the new role.
4. Click OK to apply the changes.
5. In the role properties window that opens, change the settings of the role:
   • On the General tab, edit the role name.

     You cannot edit the name of a predefined role.

   • On the Settings tab, edit the role scope and policies and profiles associated with the role.
   • On the Access rights tab, edit the rights for access to Kaspersky applications.
6. Click Save to save the changes.

The new role appears in the list of user roles.

Editing a user role

To edit a user role:

1. In the main menu, go to USERS & ROLES → Roles.
2. Click the name of the role that you want to edit.
3. In the role properties window that opens, change the settings of the role:
   • On the General tab, edit the role name.

     You cannot edit the name of a predefined role.

   • On the Settings tab, edit the role scope and policies and profiles associated with the role.
   • On the Access rights tab, edit the rights for access to Kaspersky applications.
4. Click Save to save the changes.

The updated role appears in the list of user roles.

Editing the scope of a user role

A user role scope is a combination of users and administration groups. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

To add users, security groups, and administration groups to the scope of a user role, you can use either of the following methods:

Method 1:

1. In the main menu, go to USERS & ROLES → USERS.
2. Select check boxes next to the users and security groups that you want to add to the user role scope.
3. Click the Assign role button.

   The Role Assignment Wizard starts. Proceed through the Wizard by using the Next button.

4. On the Select role page of the Wizard, select the user role that you want to assign.
5. On the Define scope page of the Wizard, select the administration group that you want to add to the user role scope.
6. Click the Assign role button to close the Wizard.

The selected users or security groups and the selected administration group are added to the scope of the user role.

Method 2:

1. In the main menu, go to USERS & ROLES → Roles.
2. Click the name of the role for which you want to define the scope.
3. In the role properties window that opens, select the Settings tab.
4. In the Role scope section, click Add.

   The Role Assignment Wizard starts. Proceed through the Wizard by using the Next button.

5. On the Define scope page of the Wizard, select the administration group that you want to add to the user role scope.
6. On the Select users page of the Wizard, select users and security groups that you want to add to the user role scope.
7. Click the Assign role button to close the Wizard.
8. Close the role properties window.

The selected users or security groups and the selected administration group are added to the scope of the user role.

Deleting a user role

To delete a user role:

1. In the main menu, go to USERS & ROLES → Roles.
2. Select the check box next to the name of the role that you want to delete.
3. Click Delete.
4. In the window that opens, click OK.

The user role is deleted.

Associating policy profiles with roles

You can associate user roles with policy profiles. In this case, the activation rule for this policy profile is based on the role: the policy profile becomes active for a user that has the specified role.

For example, the policy bars any GPS navigation software on all devices in an administration group. GPS navigation software is necessary only on a single device in the Users administration group—the device owned by a courier. In this case, you can assign a "Courier" role to its owner, and then create a policy profile allowing GPS navigation software to run only on the devices whose owners are assigned the "Courier" role. All the other policy settings are preserved. Only the user with the role "Courier" will be allowed to run GPS navigation software. Later, if another worker is assigned the "Courier" role, the new worker also can run navigation software on your organization's device. Running GPS navigation software will still be prohibited on other devices in the same administration group.

To associate a role with a policy profile:

1. In the main menu, go to USERS & ROLES → Roles.
2. Click the name of the role that you want to associate with a policy profile.

   The role properties window opens with the General tab selected.

3. Select the Settings tab, and scroll down to the Policies & Profiles section.
4. Click Edit.
5. To associate the role with:
   • An existing policy profile—Click the chevron icon () next to the required policy name, and then select the check box next to the profile with which you want to associate the role.
   • A new policy profile:
     1. Select the check box next to the policy for which you want to create a profile.
     2. Click New policy profile.
     3. Specify a name for the new profile and configure the profile settings.
     4. Click the Save button.
     5. Select the check box next to the new profile.
6. Click Assign to role.