Managing client devices

This section describes how to manage devices in the administration groups.

Settings of a managed device

Expand all | Collapse all

To view the settings of a managed device:

1. Select DEVICES → MANAGED DEVICES.

   The list of managed devices is displayed.

2. In the list of managed devices, click the link with the name of the required device.

The properties window of the selected device is displayed.

The following tabs are displayed in the upper part of the properties window representing the main groups of the settings:

• General

  This tab comprises the following sections:

  • The General section displays general information about the client device. Information is provided on the basis of data received during the last synchronization of the client device with the Administration Server:
    • Name

      In this field, you can view and modify the client device name in the administration group.

    • Description

      In this field, you can enter an additional description for the client device.

    • Device status

      Status of the client device assigned on the basis of the criteria defined by the administrator for the status of anti-virus protection on the device and the activity of the device on the network.

    • Protection last updated

      Date the anti-virus databases or applications were last updated on the device.

    • Connected to Administration Server

      Date and time Network Agent installed on the client device last connected to the Administration Server.

    • Last visible

      Date and time the device was last visible on the network.

    • Network Agent version
    • Created
    • Device owner
    • Do not disconnect from the Administration Server

      If this option is enabled, continuous connectivity between the managed device and the Administration Server is maintained. You may want to use this option if you are not using push servers, which provide such connectivity.

      If this option is disabled and push servers are not in use, the managed device only connects to the Administration Server to synchronize data or to transmit information.

      The maximum total number of devices with the Do not disconnect from the Administration Server option selected is 300.

      This option is disabled by default on managed devices. This option is enabled by default on the device where the Administration Server is installed and stays enabled even if you try to disable it.

  • The Network section displays the following information about the network properties of the client device:
    • IP address

      Device IP address.

    • Windows domain

      Windows domain or workgroup, which contains the device.

    • DNS name

      Name of the DNS domain of the client device.

    • NetBIOS name

      Windows network name of the client device.

    • IPv6 address
  • The System section provides information about the operating system installed on the client device:
    • Operating system
    • CPU architecture
    • Device name
    • Virtual machine types
    • Dynamic virtual machine as part of VDI
  • The Protection section provides information about the current status of anti-virus protection on the client device:
    • Visible
    • Device status

      Status of the client device assigned on the basis of the criteria defined by the administrator for the status of anti-virus protection on the device and the activity of the device on the network.

    • Status description
    • Protection status

      This field shows the current status of real-time protection on the client device.

      When the status changes on the device, the new status is displayed in the device properties window only after the client device is synchronized with the Administration Server.

    • Last full scan

      Date and time the last virus scan was performed on the client device.

    • Virus detected

      Total number of threats detected on the client device since installation of the anti-virus application (first scan), or since the last reset of the threat counter.

    • Objects that have failed disinfection

      Number of unprocessed files on the client device.

      This field ignores the number of unprocessed files on mobile devices.

    • Disk encryption status

      The current status of file encryption on the local drives of the device.

  • The Device status defined by application section provides information about the device status that is defined by the managed application installed on the device. This device status can differ from the one defined by Kaspersky Security Center.
• Applications

  This tab lists all Kaspersky applications installed on the client device. You can click the application name to view general information about the application, a list of events that have occurred on the device, and the application settings.

• Active policies and policy profiles

  This tab lists the policies and policy profiles which are currently active on the managed device.

• Tasks

  In the Tasks tab, you can manage client device tasks: view the list of existing tasks, create new ones, remove, start, and stop tasks, modify their settings, and view execution results. The list of tasks is provided based on data received during the last session of client synchronization with the Administration Server. The Administration Server requests the task status details from the client device. If connection is not established, the status is not displayed.

• Events

  The Events tab displays events logged on the Administration Server for the selected client device.

• Incidents

  In the Incidents tab, you can view, edit, and create incidents for the client device. Incidents can be created either automatically, through managed Kaspersky applications installed on the client device, or manually by the administrator. For example, if some users regularly move malware from their removable drives to devices, the administrator can create an incident. The administrator can provide a brief description of the case and recommended actions (such as disciplinary actions to be taken against a user) in the text of the incident, and can add a link to the user or users.

  An incident for which all of the required actions have been taken is called processed. The presence of unprocessed incidents can be chosen as the condition for a change of the device status to Critical or Warning.

  This section contains a list of incidents that have been created for the device. Incidents are classified by severity level and type. The type of an incident is defined by the Kaspersky application, which creates the incident. You can highlight processed incidents in the list by selecting the check box in the Processed column.

• Tags

  In the Tags tab, you can manage the list of keywords that are used for finding client devices: view the list of existing tags, assign tags from the list, configure auto-tagging rules, add new tags and rename old tags, and remove tags.

• Advanced

  This tab comprises the following sections:

  • Applications registry. In this section, you can view the registry of applications installed on the client device and their updates; you can also set up the display of the applications registry.

    Information about installed applications is provided if Network Agent installed on the client device sends required information to the Administration Server. You can configure sending of information to the Administration Server in the properties window of Network Agent or its policy, in the Repositories section. Information about installed applications is provided only for devices running Windows.

    Network Agent provides information about the applications based on data received from the system registry.

    Clicking an application name opens a window that contains the application details and a list of the update packages installed for the application.

  • Executable files. This section displays executable files found on the client device.
  • Distribution points. This section provides a list of distribution points with which the device interacts.
    • Export to file

      Click the Export to file button to save to a file a list of distribution points with which the device interacts. By default, the application exports the list of devices to a CSV file.

    • Properties

      Click the Properties button to view and configure the distribution point with which the device interacts.

  • Hardware registry. In this section, you can view information about hardware installed on the client device.
  • Available updates. This section displays a list of software updates found on this device but not installed yet.
  • Software vulnerabilities. This section provides information about vulnerabilities in third-party applications installed on client devices.

    To save the vulnerabilities to a file, select the check boxes next to the vulnerabilities that you want to save, and then click the Export rows to CSV file button or Export rows to TXT file button.

    The section contains the following settings:

    • Show only vulnerabilities that can be fixed

      If this option is enabled, the section displays vulnerabilities that can be fixed by using a patch.

      If this option is disabled, the section displays both vulnerabilities that can be fixed by using a patch, and vulnerabilities for which no patch has been released.

      By default, this option is enabled.

    • Vulnerability properties

      Click a software vulnerability name in the list to view the properties of the selected software vulnerability in a separate window. In the window, you can do the following:

      • Ignore software vulnerability on this managed device (in Administration Console or in Kaspersky Security Center 13.1 Web Console).
      • View the list of recommended fixes for the vulnerability.
      • Manually specify the software updates to fix the vulnerability (in Administration Console or in Kaspersky Security Center 13.1 Web Console).
      • View vulnerability instances.
      • View the list of existing tasks to fix vulnerability and create new tasks to fix vulnerability.

  • Remote diagnostics. In this section, you can perform remote diagnostics of client devices.

Creating administration groups

Immediately after Kaspersky Security Center installation, the hierarchy of administration groups contains only one administration group, called Managed devices. When creating a hierarchy of administration groups, you can add devices, including virtual machines, to the Managed devices group, and add nested groups (see the figure below).

Viewing administration groups hierarchy

To create an administration group:

1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.
2. In the administration group structure, select the administration group that is to include the new administration group.
3. Click the Add button.
4. In the Name of the new administration group window that opens, enter a name for the group, and then click the Add button.

A new administration group with the specified name appears in the hierarchy of administration groups.

The application allows creating a hierarchy of administration groups based on the structure of Active Directory or the domain network's structure. Also, you can create a structure of groups from a text file.

To create a structure of administration groups:

1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.
2. Click the Import button.

The New Administration Group Structure Wizard starts. Follow the instructions of the Wizard.

Adding devices to an administration group manually

You can move devices to administration groups automatically by creating device moving rules or manually by moving devices from one administration group to another or by adding devices to a selected administration group. This section describes how to manually add devices to an administration group.

To add manually one or more devices to a selected administration group:

1. In the main menu, go to DEVICES → MANAGED DEVICES.
2. Click the Current path: <current path> link above the list.
3. In the window that opens, select the administration group to which you want to add the devices.
4. Click the Add devices button.

   The Move Devices Wizard starts.

5. Make a list of the devices that you want to add to the administration group.

   You can add only devices for which information has already been added to the Administration Server database either upon connection of the device or after device discovery.

   Select how you want to add devices to the list:

   • Click the Add devices button, and then specify the devices in one of the following ways:
     • Select devices from the list of devices detected by the Administration Server.
     • Specify a device IP address or an IP range.
     • Specify the NetBIOS name or DNS name of a device.

       The device name field must not contain space characters or the following prohibited characters: \ / * ; : ` ~ ! @ # $ ^ & ( ) = + [ ] { } | , < > %

   • Click the Import devices from file button to import a list of devices from a .txt file. Each device address or name must be specified on a separate line.

     The file must not contain space characters or the following prohibited characters: \ / * ; : ` ~ ! @ # $ ^ & ( ) = + [ ] { } | , < > %

6. View the list of devices to be added to the administration group. You can edit the list by adding or removing devices.
7. After making sure that the list is correct, click the Next button.

The Wizard processes the device list and displays the result. The successfully processed devices are added to the administration group and are displayed in the list of devices under names generated by Administration Server.

Moving devices to an administration group manually

You can move devices from one administration group to another, or from the group of unassigned devices to an administration group.

To move one or several devices to a selected administration group:

1. Open the administration group from which you want to move the devices. To do this, perform one of the following:
   • To open an administration group, go to DEVICES → MANAGED DEVICES, click the path link in the Current path field, and select an administration group in the left-side pane that opens.
   • To open the UNASSIGNED DEVICES group, go to DISCOVERY & DEPLOYMENT → UNASSIGNED DEVICES.
2. Select the check boxes next to the devices that you want to move to a different group.
3. Click the Move to group button.
4. In the hierarchy of administration groups, select the check box next to the administration group to which you want to move the selected devices.
5. Click the Move button.

The selected devices are moved to the selected administration group.

Creating device moving rules

Expand all | Collapse all

You can set up device moving rules, that is, rules that automatically allocate devices to administration groups.

To create a moving rule:

1. In the main menu, go to the DEVICES → MOVING RULES tab.
2. Click Add.
3. In the window that opens, specify the following information on the General tab:
   • Rule name

     Enter a name for the new rule.

     If you are copying a rule, the new rule gets the same name as the source rule, but an index in () format is added to the name, for example: (1).

   • Administration group

     Select the administration group into which the devices are to be moved automatically.

   • Apply rule

     You can select one of the following options:

     • Run once for each device.

       The rule is applied once for each device that matches your criteria.

     • Run once for each device, then at every Network Agent reinstallation.

       The rule is applied once for each device that matches your criteria, then only when Network Agent is reinstalled on these devices.

     • Rule applied continuously.

       The rule is applied according to the schedule which the Administration Server sets up automatically (usually every several hours).

   • Move only devices that do not belong to an administration group

     If this option is enabled, only unassigned devices will be moved to the selected group.

     If this option is disabled, devices that already belong to other administration groups, as well as unassigned devices, will be moved to the selected group.

   • Enable rule

     If this option is enabled, the rule is enabled and starts working after it is saved.

     If this option is disabled, the rule is created, but not enabled. It will not work until you enable this option.

4. On the Rule conditions tab, specify at least one criterion by which the devices are moved to an administration group.
5. Click Save.

The moving rule is created. It is displayed in the list of moving rules.

The higher the position is on the list, the higher the priority of the rule. To increase or decrease the priority of a moving rule, move the rule up or down in the list, respectively, using the mouse.

If the device attributes meet the conditions of multiple rules, the device is moved to the target group of the rule with the highest priority (that is, has the highest rank in the list of rules).

Copying device moving rules

Expand all | Collapse all

You can copy moving rules, for example, if you want to have several identical rules for different target administration groups.

To copy an existing a moving rule:

1. In the main menu, go to the DEVICES → MOVING RULES tab.

   You can also select DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT, and then select MOVING RULES on the menu.

   The list of moving rules is displayed.

2. Select the check box next to the rule you want to copy.
3. Click Copy.
4. In the window that opens, change the following information on the General tab—or make no changes if you only want to copy the rule without changing its settings:
   • Rule name

     Enter a name for the new rule.

     If you are copying a rule, the new rule gets the same name as the source rule, but an index in () format is added to the name, for example: (1).

   • Administration group

     Select the administration group into which the devices are to be moved automatically.

   • Apply rule

     You can select one of the following options:

     • Run once for each device.

       The rule is applied once for each device that matches your criteria.

     • Run once for each device, then at every Network Agent reinstallation.

       The rule is applied once for each device that matches your criteria, then only when Network Agent is reinstalled on these devices.

     • Rule applied continuously.

       The rule is applied according to the schedule which the Administration Server sets up automatically (usually every several hours).

   • Move only devices that do not belong to an administration group

     If this option is enabled, only unassigned devices will be moved to the selected group.

     If this option is disabled, devices that already belong to other administration groups, as well as unassigned devices, will be moved to the selected group.

   • Enable rule

     If this option is enabled, the rule is enabled and starts working after it is saved.

     If this option is disabled, the rule is created, but not enabled. It will not work until you enable this option.

5. On the Rule conditions tab, specify at least one criterion for the devices that you want to be moved automatically.
6. Click Save.

The new moving rule is created. It is displayed in the list of moving rules.

Viewing and configuring the actions when devices show inactivity

Expand all | Collapse all

If client devices within a group are inactive, you can get notifications about it. You can also automatically delete such devices.

To view or configure the actions when the devices in the group show inactivity:

1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.
2. Click the name of the required administration group.

   The administration group properties window opens.

3. In the properties window, go to the Settings tab.
4. In the Inheritance section, enable or disable the following options:
   • Inherit from parent group

     The settings in this section will be inherited from the parent group in which the client device is included. If this option is enabled, the settings under Device activity on the network are locked from any changes.

     This option is available only if the administration group has a parent group.

     By default, this option is enabled.

   • Force inheritance of settings in child groups

     The setting values will be distributed to child groups but in the properties of the child groups these settings are locked.

     By default, this option is disabled.

5. In the Device activity section, enable or disable the following options:
   • Notify the administrator if the device has been inactive for longer than (days)

     If this option is enabled, the administrator receives notifications about inactive devices. You can specify the time interval after which the Device has remained inactive on the network in a long time event is created. The default time interval is 7 days.

     By default, this option is enabled.

   • Remove the device from the group if it has been inactive for longer than (days)

     If this option is enabled, you can specify the time interval after which the device is automatically removed from the group. The default time interval is 60 days.

     By default, this option is enabled.

6. Click Save.

Your changes are saved and applied.

About device statuses

Kaspersky Security Center assigns a status to each managed device. The particular status depends on whether the conditions defined by the user are met. In some cases, when assigning a status to a device, Kaspersky Security Center takes into consideration the device's visibility flag on the network (see the table below). If Kaspersky Security Center does not find a device on the network within two hours, the visibility flag of the device is set to Not Visible.

The statuses are the following:

• Critical or Critical / Visible
• Warning or Warning / Visible
• OK or OK / Visible

The table below lists the default conditions that must be met to assign the Critical or Warning status to a device, with all possible values.

Conditions for assigning a status to a device

Kaspersky Security Center allows you to set up automatic switching of the status of a device in an administration group when specified conditions are met. When specified conditions are met, the client device is assigned one of the following statuses: Critical or Warning. When specified conditions are not met, the client device is assigned the OK status.

Different statuses may correspond to different values of one condition. For example, by default, if the Databases are outdated condition has the More than 3 days value, the client device is assigned the Warning status; if the value is More than 7 days, the Critical status is assigned.

If you upgrade the Kaspersky Security Center from the previous version, the values of the Databases are outdated condition for assigning the status to Critical or Warning do not change.

When Kaspersky Security Center assigns a status to a device, for some conditions (see the Condition description column) the visibility flag is taken into consideration. For example, if a managed device was assigned the Critical status because the Databases are outdated condition was met, and later the visibility flag was set for the device, then the device is assigned the OK status.

Configuring the switching of device statuses

You can change conditions to assign the Critical or Warning status to a device.

To enable changing the device status to Critical:

1. Open the properties window in one of the following ways:
   • In the Policies folder, in the context menu of an Administration Server policy, select Properties.
   • Select Properties in the context menu of an administration group.
2. In the Properties window that opens, in the Sections pane, select Device status.
3. In the right pane, in the Set to Critical if these are specified section, select the check box next to a condition in the list.

   You can change only settings that are not locked in the parent policy.

4. Set the required value for the selected condition.

   You can set values for some, but not all, conditions.

5. Click OK.

When specified conditions are met, the managed device is assigned the Critical status.

To enable changing the device status to Warning:

1. Open the properties window in one of the following ways:
   • In the Policies folder, in the context menu of the Administration Server policy, select Properties.
   • Select Properties in the context menu of the administration group.
2. In the Properties window that opens, in the Sections pane select Device status.
3. In the right pane, in the Set to Warning if these are specified section, select the check box next to a condition in the list.

   You can change only settings that are not locked in the parent policy.

4. Set the required value for the selected condition.

   You can set values for some, but not all, conditions.

5. Click OK.

When specified conditions are met, the managed device is assigned the Warning status.

Remotely connecting to the desktop of a client device

The administrator can obtain remote access to the desktop of a client device through a Network Agent installed on the device. Remote connection to a device through the Network Agent is possible even if the TCP and UDP ports of the client device are closed.

Upon establishing the connection with the device, the administrator gains full access to information stored on this device and can manage applications installed on it.

Remote connection must be allowed in the operating system settings of the target managed device. For example, in Windows 10, this option is called Allow Remote Assistance connections to this computer (you can find this option at Control Panel → System and Security → System → Remote settings). If you have a license for the Vulnerability and Patch Management feature, you can enable this option forcibly when you establish connection to a managed device. If you do not have the license, enable this option locally on the target managed device. If this option is disabled, remote connection is not possible.

To establish remote connection to a device, you must have two utilities:

• Kaspersky utility named klsctunnel. This utility must be stored on the administrator's workstation. You use this utility for tunneling the connection between a client device and the Administration Server.

  Kaspersky Security Center allows tunneling TCP connections from Administration Console via the Administration Server and then via Network Agent to a specified port on a managed device. Tunneling is designed for connecting a client application on a device with Administration Console installed to a TCP port on a managed device—if no direct connection is possible between Administration Console and the target device.

  Connection tunneling between a remote client device and Administration Server is required if the port used for connection to Administration Server is not available on the device. The port on the device may be unavailable in the following cases:

  • The remote device is connected to a local network that uses the NAT mechanism.
  • The remote device is part of the local network of Administration Server, but its port is closed by a firewall.
• Standard Microsoft Windows component named Remote Desktop Connection. Connection to a remote desktop is established through the standard Windows utility mstsc.exe in accordance with the utility's settings.

  Connection to the current remote desktop session of the user is established without the user's knowledge. Once the administrator connects to the session, the device user is disconnected from the session without an advance notification.

To connect to the desktop of a client device:

1. In MMC-based Administration Console, in the context menu of the Administration Server, select Properties.
2. In the Administration Server properties window that opens, go to Administration Server connection settings → Connection ports.
3. Make sure that the Open RDP port for Kaspersky Security Center 13.1 Web Console option is enabled.
4. In Kaspersky Security Center 13.1 Web Console, go to DEVICES → MANAGED DEVICES.
5. In the Current path field above the list of managed devices, click the path link.
6. In the left-side pane that opens, select the administration group that contains the device to which you want to obtain access.
7. Select the check box next to the name of the device to which you want to obtain access.
8. Click the Connect to Remote Desktop button.

   The Remote Desktop (Windows only) window opens.

9. Enable the Allow remote desktop connection on managed device option. In this case, the connection will be established even if remote connections are currently prohibited in the operating system settings on the managed device.

   This option is only available if you have a license for the Vulnerability and Patch Management feature.

10. Click the Download button to download the klsctunnel utility.
11. Click the Copy to clipboard button to copy the text from the text field. This text is a Binary Large Object (BLOB) that contains settings required to establish connection between the Administration Server and the managed device.

    A BLOB is valid for 3 minutes. If it has expired, reopen the Remote Desktop (Windows only) window to generate a new BLOB.

12. Run the klsctunnel utility.

    The utility window opens.

13. Paste the copied text into the text field.
14. If you use a proxy server, select the Use proxy server check box, and then specify the proxy server connection settings.
15. Click the Open port button.

    The Remote Desktop Connection login window opens.

16. Specify the credentials of the account under which you are currently logged in to Kaspersky Security Center 13.1 Web Console.
17. Click the Connect button.

When connection to the device is established, the desktop is available in the Remote Desktop Connection window of Microsoft Windows.

Connecting to devices through Windows Desktop Sharing

The administrator can obtain remote access to the desktop of a client device through a Network Agent installed on the device. Remote connection to a device through the Network Agent is possible even if the TCP and UDP ports of the client device are closed.

The administrator can connect to an existing session on a client device without disconnecting the user in this session. In this case, the administrator and the session user on the device share access to the desktop.

To establish remote connection to a device, you must have two utilities:

• Kaspersky utility named klsctunnel. This utility must be stored on the administrator's workstation. You use this utility for tunneling the connection between a client device and the Administration Server.

  Kaspersky Security Center allows tunneling TCP connections from Administration Console via the Administration Server and then via Network Agent to a specified port on a managed device. Tunneling is designed for connecting a client application on a device with Administration Console installed to a TCP port on a managed device—if no direct connection is possible between Administration Console and the target device.

  Connection tunneling between a remote client device and Administration Server is required if the port used for connection to Administration Server is not available on the device. The port on the device may be unavailable in the following cases:

  • The remote device is connected to a local network that uses the NAT mechanism.
  • The remote device is part of the local network of Administration Server, but its port is closed by a firewall.
• Windows Desktop Sharing. When connecting to an existing session of the remote desktop, the session user on the device receives a connection request from the administrator. No information about remote activity on the device and its results will be saved in reports created by Kaspersky Security Center.

  The administrator can configure an audit of user activity on a remote client device. During the audit, the application saves information about files on the client device that have been opened and/or modified by the administrator.

To connect to the desktop of a client device through Windows Desktop Sharing, the following conditions must be met:

• Microsoft Windows Vista or a later Windows operating system is installed on the client device.
• Microsoft Windows Vista or later is installed on the administrator's workstation. The type of operating system of the device hosting Administration Server imposes no restrictions on connection through Windows Desktop Sharing.

  To check whether the Windows Desktop Sharing feature is included in your Windows edition, make sure that there is CLSID\{32BE5ED2-5C86-480F-A914-0FF8885A1B3F} key in the Windows Registry.

• Microsoft Windows Vista or later is installed on the client device.
• Kaspersky Security Center uses a license for Vulnerability and patch management.

To connect to the desktop of a client device through Windows Desktop Sharing:

1. In MMC-based Administration Console, in the context menu of the Administration Server, select Properties.
2. In the Administration Server properties window that opens, go to Administration Server connection settings → Connection ports.
3. Make sure that the Open RDP port for Kaspersky Security Center 13.1 Web Console option is enabled.
4. In Kaspersky Security Center 13.1 Web Console, go to DEVICES → MANAGED DEVICES.
5. In the Current path field above the list of managed devices, click the path link.
6. In the left-side pane that opens, select the administration group that contains the device to which you want to obtain access.
7. Select the check box next to the name of the device to which you want to obtain access.
8. Click the Windows Desktop Sharing button.

   The Windows Desktop Sharing Wizard opens.

9. Click the Download button to download the klsctunnel utility, and wait for the download process to complete.

   If you already have the klsctunnel utility, skip this step.

10. Click the Next button.
11. Select the session on the device to which you want to connect, and then click the Next button.
12. On the target device, in the dialog box that opens, the user must allow a desktop sharing session. Otherwise, the session is not possible.

    After the device user confirms the desktop sharing session, the next page of the Wizard opens.
    

13. Click the Copy to clipboard button to copy the text from the text field. This text is a Binary Large OBject (BLOB) that contains settings required to establish connection between the Administration Server and the managed device.

    A BLOB is valid for 3 minutes. If it has expired, generate a new BLOB.

14. Run the klsctunnel utility.

    The utility window opens.

15. Paste the copied text into the text field.
16. If you use a proxy server, select the Use proxy server check box, and then specify the proxy server connection settings.
17. Click the Open port button.

Desktop sharing starts in a new window. If you want to interact with the device, click the menu icon () in the upper-left corner of the window, and then select Interactive mode.

Device selections

Device selections are a tool for filtering devices according to specific conditions. You can use device selections to manage several devices: for example, to view a report about only these devices or to move all of these devices to another group.

Kaspersky Security Center provides a broad range of predefined selections (for example, Devices with Critical status, Protection is disabled, Active threats are detected). Predefined selections cannot be deleted. You can also create and configure additional user-defined selections.

In user-defined selections, you can set the search scope and select all devices, managed devices, or unassigned devices. Search parameters are specified in the conditions. In the device selection you can create several conditions with different search parameters. For example, you can create two conditions and specify different IP ranges in each of them. If several conditions are specified, a selection displays the devices that meet any of the conditions. By contrast, search parameters within a condition are superimposed. If both an IP range and the name of an installed application are specified in a condition, only those devices will be displayed where both the application is installed and the IP address belongs to the specified range.

To view the device selection:

1. In the main menu, go to DEVICES → DEVICE SELECTIONS or DISCOVERY & DEPLOYMENT → DEVICE SELECTIONS section.
2. In the selection list, click the name of the relevant selection.

The device selection result is displayed.

Creating a device selection

To create a device selection:

1. In the main menu, go to DEVICES → DEVICE SELECTIONS.

   A page with a list of device selections is displayed.

2. Click the Add button.

   The Device selection settings window opens.

3. Enter the name of the new selection.
4. Specify the type of the devices that you want to include in the device selection.
5. Click the Add button.
6. In the window that opens, specify conditions that must be met for including devices in this selection, and then click the OK button.
7. Click the Save button.

The device selection is created and added to the list of device selections.

Configuring a device selection

Expand all | Collapse all

To configure a device selection:

1. In the main menu, go to DEVICES → DEVICE SELECTIONS.

   A page with a list of device selections is displayed.

2. Click the relevant user-defined device selection.

   The Device selection settings window opens.

3. On the General tab, specify conditions that must be met for including devices in this selection.
4. Click the Save button.

The settings are applied and saved.

Below are descriptions of the conditions for assigning devices to a selection. Conditions are combined by using the OR logical operator: the selection will contain devices that comply with at least one of the listed conditions.

General

In the General section, you can change the name of the selection condition and specify whether that condition must be inverted:

Invert selection condition

Network

In the Network section, you can specify the criteria that will be used to include devices in the selection according to their network data:

• Device name or IP address

  Windows network name (NetBIOS name) of the device or IPv4 address.

• Windows domain

  Displays all devices included in the specified Windows domain.

• Administration group

  Displays devices included in the specified administration group.

• Description

  Text in the device properties window: In the Description field of the General section.

  To describe text in the Description field, you can use the following characters:

  • Within a word:
    • *. Replaces any string with any number of characters.

    Example:

    To describe words such as Server or Server's, you can enter Server*.

    • ?. Replaces any single character.

    Example:

    To describe words such as Window or Windows, you can enter Windo?.

    Asterisk (*) or question mark (?) cannot be used as the first character in the query.

  • To find several words:
    • Space. Displays all the devices whose descriptions contain any of the listed words.

    Example:

    To find a phrase that contains Secondary or Virtual words, you can include Secondary Virtual line in your query.

    • +. When a plus sign precedes a word, all search results will contain this word.

    Example:

    To find a phrase that contains both Secondary and Virtual, enter the +Secondary+Virtual query.

    • -. When a minus sign precedes a word, no search results will contain this word.

    Example:

    To find a phrase that contains Secondary and does not contain Virtual, enter the +Secondary-Virtual query.

    • "<some text>". Text enclosed in quotation marks must be present in the text.

    Example:

    To find a phrase that contains Secondary Server word combination, you can enter "Secondary Server" in the query.

• IP range

  If this option is enabled, you can enter the initial and final IP addresses of the IP range in which the relevant devices must be included.

  By default, this option is disabled.

Tags

In the Tags section, you can configure criteria for including devices into a selection based on key words (tags) that were previously added to the descriptions of managed devices:

• Apply if at least one specified tag matches

  If this option is enabled, the search results will show devices with descriptions that contain at least one of the selected tags.

  If this option is disabled, the search results will only show devices with descriptions that contain all the selected tags.

  By default, this option is disabled.

• Tag must be included

  If this option is selected, the search results will display the devices whose descriptions contain the selected tag. To find devices, you can use the asterisk, which stands for any string with any number of characters.

  By default, this option is selected.

• Tag must be excluded

  If this option is selected, the search results will display the devices whose descriptions do not contain the selected tag. To find devices, you can use the asterisk, which stands for any string with any number of characters.

Active Directory

In the Active Directory section, you can configure criteria for including devices into a selection based on their Active Directory data:

• Device is in an Active Directory organizational unit

  If this option is enabled, the selection includes devices from the Active Directory unit specified in the entry field.

  By default, this option is disabled.

• Include child organizational units

  If this option is enabled, the selection includes devices from all child organizational units of the specified Active Directory organizational unit.

  By default, this option is disabled.

• This device is a member of an Active Directory group

  If this option is enabled, the selection includes devices from the Active Directory group specified in the entry field.

  By default, this option is disabled.

Network activity

In the Network activity section, you can specify the criteria that will be used to include devices in the selection according to their network activity:

• This device is a distribution point

  In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

  • Yes. The selection includes devices that act as distribution points.
  • No. Devices that act as distribution points are not included in the selection.
  • No value is selected. The criterion will not be applied.
• Do not disconnect from the Administration Server

  In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

  • Enabled. The selection will include devices on which the Do not disconnect from the Administration Server check box is selected.
  • Disabled. The selection will include devices on which the Do not disconnect from the Administration Server check box is cleared.
  • No value is selected. The criterion will not be applied.
• Connection profile switched

  In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

  • Yes. The selection will include devices that connected to the Administration Server after the connection profile was switched.
  • No. The selection will not include devices that connected to the Administration Server after the connection profile was switched.
  • No value is selected. The criterion will not be applied.
• Last connected to Administration Server

  You can use this check box to set a search criterion for devices according to the time they last connected to the Administration Server.

  If this check box is selected, in the entry fields you can specify the time interval (date and time) during which the last connection was established between Network Agent installed on the client device and the Administration Server. The selection will include devices that fall within the specified interval.

  If this check box is cleared, the criterion will not be applied.

  By default, this check box is cleared.

• New devices detected by network poll

  Searches for new devices that have been detected by network polling over the last few days.

  If this option is enabled, the selection only includes new devices that have been detected by device discovery over the number of days specified in the Detection period (days) field.

  If this option is disabled, the selection includes all devices that have been detected by device discovery.

  By default, this option is disabled.

• Device is visible

  In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

  • Yes. The application includes in the selection devices that are currently visible in the network.
  • No. The application includes in the selection devices that are currently invisible in the network.
  • No value is selected. The criterion will not be applied.

Application

In the Application section, you can configure criteria for including devices in a selection based on the selected managed application:

• Application name

  In the drop-down list, you can set a criterion for including devices in a selection when search is performed by the name of a Kaspersky application.

  The list provides only the names of applications with management plug-ins installed on the administrator's workstation.

  If no application is selected, the criterion will not be applied.

• Application version

  In the entry field, you can set a criterion for including devices in a selection when search is performed by the version number of a Kaspersky application.

  If no version number is specified, the criterion will not be applied.

• Critical update name

  In the entry field, you can set a criterion for including devices in a selection when search is performed by application name or by update package number.

  If the field is left blank, the criterion will not be applied.

• Modules last updated

  You can use this option to set a criterion for searching devices by time of the last update of modules of applications installed on those devices.

  If this check box is selected, in the entry fields you can specify the time interval (date and time) during which the last update of modules of applications installed on those devices was performed.

  If this check box is cleared, the criterion will not be applied.

  By default, this check box is cleared.

• Device is managed through Kaspersky Security Center 13.1

  In the drop-down list, you can include in the selection the devices managed through Kaspersky Security Center:

  • Yes. The application includes in the selection devices managed through Kaspersky Security Center.
  • No. The application includes devices in the selection if they are not managed through Kaspersky Security Center.
  • No value is selected. The criterion will not be applied.
• Security application is installed

  In the drop-down list, you can include in the selection all devices with the security application installed:

  • Yes. The application includes in the selection all devices with the security application installed.
  • No. The application includes in the selection all devices with no security application installed.
  • No value is selected. The criterion will not be applied.

Operating system

In the Operating system section, you can specify the criteria that will be used to include devices in the selection according to their operating system type.

• Operating system version

  If the check box is selected, you can select an operating system from the list. Devices with the specified operating systems installed are included in the search results.

• Operating system bit size

  In the drop-down list, you can select the architecture for the operating system, which will determine how the moving rule is applied to the device (Unknown, x86, AMD64, or IA64). By default, no option is selected in the list so that the operating system's architecture is not defined.

• Operating system service pack version

  In this field, you can specify the package version of the operating system (in the X.Y format), which will determine how the moving rule is applied to the device. By default, no version value is specified.

• Operating system build

  This setting is applicable to Windows operating systems only.

  The build number of the operating system. You can specify whether the selected operating system must have an equal, earlier, or later build number. You can also configure searching for all build numbers except the specified one.

• Operating system release ID

  This setting is applicable to Windows operating systems only.

  The release identifier (ID) of the operating system. You can specify whether the selected operating system must have an equal, earlier, or later release ID. You can also configure searching for all release ID numbers except the specified one.

Device status

In the Device status section, you can configure criteria for including devices into a selection based on the description of the devices status from a managed application:

• Device status

  Drop-down list in which you can select one of the device statuses: OK, Critical, or Warning.

• Device status description

  In this field, you can select the check boxes next to conditions that, if met, assign one of the following statuses to the device: OK, Critical, or Warning.

• Device status defined by application

  Drop-down list, in which you can select the real-time protection status. Devices with the specified real-time protection status are included in the selection.

Protection components

In the Protection components section, you can set up the criteria for including devices in a selection based on their protection status:

• Databases released

  If this option is selected, you can search for client devices by anti-virus database release date. In the entry fields you can set the time interval, on the basis of which the search is performed.

  By default, this option is disabled.

• Database records count

  If this option is enabled, you can search for client devices by number of database records. In the entry fields you can set the lower and upper threshold values for anti-virus database records.

  By default, this option is disabled.

• Last scanned

  If this check option is enabled, you can search for client devices by time of the last virus scan. In the entry fields you can specify the time period within which the last virus scan was performed.

  By default, this option is disabled.

• Total number of threats detected

  If this option is enabled, you can search for client devices by number of viruses detected. In the entry fields you can set the lower and upper threshold values for the number of viruses found.

  By default, this option is disabled.

Applications registry

In the Applications registry section, you can set up the criteria to search for devices according to applications installed on them:

• Application name

  Drop-down list in which you can select an application. Devices on which the specified application is installed, are included in the selection.

• Application version

  Entry field in which you can specify the version of selected application.

• Vendor

  Drop-down list in which you can select the manufacturer of an application installed on the device.

• Application status

  A drop-down list in which you can select the status of an application (Installed, Not installed). Devices on which the specified application is installed or not installed, depending on the selected status, will be included in the selection.

• Find by update

  If this option is enabled, search will be performed using the details of updates for applications installed on the relevant devices. After you select the check box, the Application name, Application version, and Application status fields change to Update name, Update version, and Status respectively.

  By default, this option is disabled.

• Incompatible security application name

  Drop-down list in which you can select third-party security applications. During the search, devices on which the specified application is installed, are included in the selection.

• Application tag

  In the drop-down list, you can select the application tag. All devices that have installed applications with the selected tag in the description are included in the device selection.

• Apply to devices without the specified tags

  If this option is enabled, the selection includes devices with descriptions that contain none of the selected tags.

  If this option is disabled, the criterion is not applied.

  By default, this option is disabled.

Hardware registry

In the Hardware registry section, you can configure criteria for including devices into a selection based on their installed hardware:

• Device

  In the drop-down list, you can select a unit type. All devices with this unit are included in the search results.

  The field supports the full-text search.

• Vendor

  In the drop-down list, you can select the name of a unit manufacturer. All devices with this unit are included in the search results.

  The field supports the full-text search.

• Device name

  Name of the device in the Windows network. The device with the specified name is included in the selection.

• Description

  Description of the device or hardware unit. Devices with the description specified in this field are included in the selection.

  A device's description in any format can be entered in the properties window of that device. The field supports the full-text search.

• Device vendor

  Name of the device manufacturer. Devices produced by the manufacturer specified in this field are included in the selection.

  You can enter the manufacturer's name in the properties window of a device.

• Serial number

  All hardware units with the serial number specified in this field will be included in the selection.

• Inventory number

  Equipment with the inventory number specified in this field will be included in the selection.

• User

  All hardware units of the user specified in this field will be included in the selection.

• Location

  Location of the device or hardware unit (for example, at the HQ or a branch office). Computers or other devices that are deployed at the location specified in this field will be included in the selection.

  You can describe the location of a device in any format in the properties window of that device.

• CPU frequency, in MHz

  The frequency range of a CPU. Devices with CPUs that match the frequency range in these fields (inclusive) will be included in the selection.

• Virtual CPU cores

  Range of the number of virtual cores in a CPU. Devices with CPUs that match the range in these fields (inclusive) will be included in the selection.

• Hard drive volume, in GB

  Range of values for the size of the hard drive on the device. Devices with hard drives that match the range in these entry fields (inclusive) will be included in the selection.

• RAM size, in MB

  Range of values for the size of the device RAM. Devices with RAMs that match the range in these entry fields (inclusive) will be included in the selection.

Virtual machines

In the Virtual machines section, you can set up the criteria to include devices in the selection according to whether these are virtual machines or part of virtual desktop infrastructure (VDI):

• This is a virtual machine

  In the drop-down list, you can select the following options:

  • Not important.
  • No. Find devices that are not virtual machines.
  • Yes. Find devices that are virtual machines.
• Virtual machine type

  In the drop-down list, you can select the virtual machine manufacturer.

  This drop-down list is available if the Yes or Not important value is selected in the This is a virtual machine drop-down list.

• Part of Virtual Desktop Infrastructure

  In the drop-down list, you can select the following options:

  • Not important.
  • No. Find devices that are not part of Virtual Desktop Infrastructure.
  • Yes. Find devices that are part of the Virtual Desktop Infrastructure (VDI).

Vulnerabilities and updates

In the Vulnerabilities and updates section, you can specify the criteria that will be used to include devices in the selection according to their Windows Update source:

WUA is switched to Administration Server

Users

In the Users section, you can set up the criteria to include devices in the selection according to the accounts of users who have logged in to the operating system.

• Last user who logged in to the system

  If this option is enabled, click the Browse button to specify a user account. The search results include devices on which the specified user performed the last login to the system.

• User who logged in to the system at least once

  If this option is enabled, click the Browse button to specify a user account. The search results include devices on which the specified user logged in to the system at least once.

Status-affecting problems in managed applications

In the Status-affecting problems in managed applications section, you can specify the criteria that will be used to include devices in the selection according to the list of possible problems detected by a managed application. If at least one problem that you select exists on a device, the device will be included in the selection. When you select a problem listed for several applications, you have the option to select this problem in all of the lists automatically.

Device status description

Statuses of components in managed applications

In the Statuses of components in managed applications section, you can configure criteria for including devices in a selection according to the statuses of components in managed applications:

• Data Leakage Prevention status

  Search for devices by the status of Data Leakage Prevention (No data from device, Stopped, Starting, Paused, Running, Failed).

• Collaboration servers protection status

  Search for devices by the status of server collaboration protection (No data from device, Stopped, Starting, Paused, Running, Failed).

• Anti-virus protection status of mail servers

  Search for devices by the status of Mail Server protection (No data from device, Stopped, Starting, Paused, Running, Failed).

• Endpoint Sensor status

  Search for devices by the status of the Endpoint Sensor component (No data from device, Stopped, Starting, Paused, Running, Failed).

Encryption

Encryption algorithm

Cloud segments

In the Cloud segments section, you can configure criteria for including devices in a selection according to their respective cloud segments:

• Device is in a cloud segment

  If this option is enabled, you can click the Browse button to specify the segment to search.

  If the Include child objects option is also enabled, the search is run on all child objects of the specified segment.

  Search results include only devices from the selected segment.

• Device discovered by using the API

  In the drop-down list, you can select whether a device is detected by API tools:

  • AWS. The device is discovered by using the AWS API, that is, the device is definitely in the AWS cloud environment.
  • Azure. The device is discovered by using the Azure API, that is, the device is definitely in the Azure cloud environment.
  • Google Cloud. The device is discovered by using the Google API, that is, the device is definitely in the Google Cloud environment.
  • No. The device cannot be detected by using the AWS, Azure, or Google API, that is, it is either outside the cloud environment or it is in the cloud environment but it cannot be detected by using an API.
  • No value. This condition does not apply.

Application components

This section contains the list of components of those applications that have corresponding management plug-ins installed in Administration Console.

In the Application components section, you can specify criteria for including devices in a selection according to the statuses and version numbers of the components that refer to the application that you select:

• Status

  Search for devices according to the component status sent by an application to the Administration Server. You can select one of the following statuses: No data from device, Stopped, Starting, Paused, Running, Malfunction, or Not installed. If the selected component of the application installed on a managed device has the specified status, the device is included in the device selection.

  Statuses sent by applications:

  • Starting—The component is currently in the process of initialization.
  • Running—The component is enabled and working properly.
  • Paused—The component is suspended, for example, after the user has paused protection in the managed application.
  • Malfunction—An error has occurred during the component operation.
  • Stopped—The component is disabled and not working at the moment.
  • Not installed—The user did not select the component for installation when configuring custom installation of the application.

  Unlike other statuses, the No data from device status is not sent by applications. This option shows that the applications have no information about the selected component status. For example, this can happen when the selected component does not belong to any of the applications installed on the device, or when the device is turned off.

• Version

  Search for devices according to the version number of the component that you select in the list. You can type a version number, for example 3.4.1.0, and then specify whether the selected component must have an equal, earlier, or later version. You can also configure searching for all versions except the specified one.

Device tags

This section describes device tags, and provides instructions for creating and modifying them as well as for tagging devices manually or automatically.

About device tags

Kaspersky Security Center allows you to tag devices. A tag is the label of a device and it can be used for grouping, describing, or finding devices. Tags assigned to devices can be used for creating selections, for finding devices, and for distributing devices among administration groups.

You can tag devices manually or automatically. You may use manual tagging when you want to tag an individual device. Auto-tagging is performed by Kaspersky Security Center in accordance with the specified tagging rules.

Devices are tagged automatically when specified rules are met. An individual rule corresponds to each tag. Rules are applied to the network properties of the device, operating system, applications installed on the device, and other device properties. For example, if you have a hybrid infrastructure of physical machines, Amazon EC2 instances, and Microsoft Azure virtual machines, you can set up a rule that will assign the [Azure] tag to all Microsoft Azure virtual machines. Then, you can use this tag when creating a device selection; and this will help you sort all Microsoft Azure virtual machines and assign them a task.

A tag is automatically removed from a device in the following cases:

• When the device stops meeting conditions of the rule that assigns the tag.
• When the rule that assigns the tag is disabled or deleted.

The list of tags and the list of rules on each Administration Server are independent of all other Administration Servers, including a primary Administration Server or subordinate virtual Administration Servers. A rule is applied only to devices from the same Administration Server on which the rule is created.

Creating a device tag

To create a device tag:

1. In the main menu, go to DEVICES → TAGS → DEVICE TAGS.
2. Click Add.

   A new tag window opens.

3. In the Tag field, enter the tag name.
4. Click Save to save the changes.

The new tag appears in the list of device tags.

Renaming a device tag

To rename a device tag:

1. In the main menu, go to DEVICES → TAGS → DEVICE TAGS.
2. Click the name of the tag that you want to rename.

   A tag properties window opens.

3. In the Tag field, change the tag name.
4. Click Save to save the changes.

The updated tag appears in the list of device tags.

Deleting a device tag

To delete a device tag:

1. In the main menu, go to DEVICES → TAGS → DEVICE TAGS.
2. In the list, select the device tag that you want to delete.
3. Click the Delete button.
4. In the window that opens, click Yes.

The device tag is deleted. The deleted tag is automatically removed from all of the devices to which it was assigned.

The tag that you have deleted is not removed automatically from auto-tagging rules. After the tag is deleted, it will be assigned to a new device only when the device first meets the conditions of a rule that assigns the tag.

The deleted tag is not removed automatically from the device if this tag is assigned to the device by an application or Network Agent. To remove the tag from your device, use the klscflag utility.

Viewing devices to which a tag is assigned

To view devices to which a tag is assigned:

1. In the main menu, go to DEVICES → TAGS → DEVICE TAGS.
2. Click the View devices link next to the tag for which you want to view assigned devices.

   If you do not see the View devices link next to a tag, the tag is not assigned to any devices.

The list of devices that appears shows only those devices to which the tag is assigned.

To return to the list of device tags, click the Back button of your browser.

Viewing tags assigned to a device

To view tags assigned to a device:

1. In the main menu, go to DEVICES → MANAGED DEVICES.
2. Click the name of the device whose tags you want to view.
3. In the device properties window that opens, select the Tags tab.

The list of tags assigned to the selected device is displayed.

You can assign another tag to the device or remove an already assigned tag. You can also see all device tags that exist on the Administration Server.

Tagging a device manually

To assign a tag to a device manually:

1. View tags assigned to the device to which you want to assign another tag.
2. Click Add.
3. In the window that opens, do one of the following:
   • To create and assign a new tag, select Create new tag, and then specify the name of the new tag.
   • To select an existing tag, select Assign existing tag, and then select the necessary tag in the drop-down list.
4. Click OK to apply the changes.
5. Click Save to save the changes.

The selected tag is assigned to the device.

Removing an assigned tag from a device

To remove a tag from a device:

1. In the main menu, go to DEVICES → MANAGED DEVICES.
2. Click the name of the device whose tags you want to view.
3. In the device properties window that opens, select the Tags tab.
4. Select the check box next to the tag that you want to remove.
5. At the top of the list, click the Unassign tag button.
6. In the window that opens, click Yes.

The tag is removed from the device.

The unassigned device tag is not deleted. If you want, you can delete it manually.

You cannot manually remove tags assigned to the device by applications or Network Agent. To remove these tags, use the klscflag utility.

Viewing rules for tagging devices automatically

To view rules for tagging devices automatically,

Do any of the following:

• In the main menu, go to DEVICES → TAGS → AUTO-TAGGING RULES.
• In the main menu, go to DEVICES → TAGS, and then click the Set up auto-tagging rules link.
• View tags assigned to a device and then click the Settings button.

The list of rules for auto-tagging devices appears.

Editing a rule for tagging devices automatically

To edit a rule for tagging devices automatically:

1. View rules for tagging devices automatically.
2. Click the name of the rule that you want to edit.

   A rule settings window opens.

3. Edit the general properties of the rule:
   1. In the Rule name field, change the rule name.

      The name cannot be more than 256 characters long.

   2. Do any of the following:
      • Enable the rule by switching the toggle button to Rule enabled.
      • Disable the rule by switching the toggle button to Rule disabled.
4. Do any of the following:
   • If you want to add a new condition, click the Add button, and specify the settings of the new condition in the window that opens.
   • If you want to edit an existing condition, click the name of the condition that you want to edit, and then edit the condition settings.
   • If you want to delete a condition, select the check box next to the name of the condition that you want to delete, and then click Delete.
5. Click OK in the conditions settings window.
6. Click Save to save the changes.

The edited rule is shown in the list.

Creating a rule for tagging devices automatically

To create a rule for tagging devices automatically:

1. View rules for tagging devices automatically.
2. Click Add.

   A new rule settings window opens.

3. Configure the general properties of the rule:
   1. In the Rule name field, enter the rule name.

      The name cannot be more than 256 characters long.

   2. Do one of the following:
      • Enable the rule by switching the toggle button to Rule enabled.
      • Disable the rule by switching the toggle button to Rule disabled.
   3. In the Tag field, enter the new device tag name or select one of the existing device tags from the list.

      The name cannot be more than 256 characters long.

4. In the conditions section, click the Add button to add a new condition.

   A new condition settings window open.

5. Enter the condition name.

   The name cannot be more than 256 characters long. The name must be unique within a rule.

6. Set up the triggering of the rule according to the following conditions. You can select multiple conditions.
   • Network—Network properties of the device, such as the device name on the Windows network, or device inclusion in a domain or an IP subnet.

     If case sensitive collation is set for the database that you use for Kaspersky Security Center, keep case when you specify a device DNS name. Otherwise, the auto-tagging rule will not work.

   • Applications—Presence of Network Agent on the device, operating system type, version, and architecture.
   • Virtual machines—Device belongs to a specific type of virtual machine.
   • Active Directory—Presence of the device in an Active Directory organizational unit and membership of the device in an Active Directory group.
   • Applications registry—Presence of applications of different vendors on the device.
7. Click OK to save the changes.

   If necessary, you can set multiple conditions for a single rule. In this case, the tag will be assigned to a device if it meets at least one condition.

8. Click Save to save the changes.

The newly created rule is enforced on devices managed by the selected Administration Server. If the settings of a device meet the rule conditions, the device is assigned the tag.

Later, the rule is applied in the following cases:

• Automatically and periodically, depending on the server workload
• After you edit the rule
• When you run the rule manually
• After the Administration Server detects a change in the settings of a device that meets the rule conditions or the settings of a group that contains such device

You can create multiple tagging rules. A single device can be assigned multiple tags if you have created multiple tagging rules and if the respective conditions of these rules are met simultaneously. You can view the list of all assigned tags in the device properties.

Running rules for auto-tagging devices

When a rule is run, the tag specified in properties of this rule is assigned to devices that meet conditions specified in properties of the same rule. You can run only active rules.

To run rules for auto-tagging devices:

1. View rules for tagging devices automatically.
2. Select check boxes next to active rules that you want to run.
3. Click the Run rule button.

The selected rules are run.

Deleting a rule for tagging devices automatically

To delete a rule for tagging devices automatically:

1. View rules for tagging devices automatically.
2. Select the check box next to the rule that you want to delete.
3. Click Delete.
4. In the window that opens, click Delete again.

The selected rule is deleted. The tag that was specified in properties of this rule is unassigned from all of the devices that it was assigned to.

The unassigned device tag is not deleted. If you want, you can delete it manually.

Managing device tags by using the klscflag utility

This section provides information on how to assign or remove device tags by using the klscflag utility.

Assigning a device tag

Note that you must run the klscflag utility on the client device to which you want to assign a tag.

To assign a tag to your device by using the klscflag utility:

1. Enter the following command, using administrator rights:

   klscflag -ssvset -pv 1103/1.0.0.0 -s KLNAG_SECTION_TAGS_INFO -n KLCONN_HOST_TAGS -sv "[\"TAG NAME\"]" -svt ARRAY_T -ss "|ss_type = \"SS_PRODINFO\";"

   where TAG NAME is the name of the tag you want to assign to your device, for example:

   klscflag -ssvset -pv 1103/1.0.0.0 -s KLNAG_SECTION_TAGS_INFO -n KLCONN_HOST_TAGS -sv "[\"ENTERPRISE\"]" -svt ARRAY_T -ss "|ss_type = \"SS_PRODINFO\";"

2. Restart the Network Agent service.

The specified tag is assigned to your device. To make sure that the tag is assigned successfully, view tags assigned to the device.

Alternatively, you can assign device tags manually.

Removing a device tag

If a tag has been assigned to your device by an application or Network Agent, you cannot remove this tag manually. In this case, use the klscflag utility to remove the assigned tag from the device.

Note that you must run the klscflag utility on the client device from which you want to remove a tag.

To remove a tag from the device by using the klscflag utility:

1. Enter the following command, using administrator rights:

   klscflag -ssvset -pv 1103/1.0.0.0 -s KLNAG_SECTION_TAGS_INFO -n KLCONN_HOST_TAGS -sv "[]" -svt ARRAY_T -ss "|ss_type = \"SS_PRODINFO\";"

2. Restart the Network Agent service.

The tag is removed from the device.

Page top