Contents
- Deploying mobile device management systems
- Deploying a system for management via Exchange ActiveSync protocol
- Deploying a system for management using iOS MDM protocol
- Installing iOS MDM Server
- Installing iOS MDM Server in non-interactive mode
- iOS MDM Server deployment scenarios
- Simplified deployment scheme
- Deployment scheme involving Kerberos constrained delegation (KCD)
- Use of iOS MDM Server by multiple virtual Servers
- Receiving an APNs certificate
- Renewing an APNs certificate
- Configuring a reserve iOS MDM Server certificate
- Installing an APNs certificate on an iOS MDM Server
- Configuring access to Apple Push Notification service
- Issuing and installing a shared certificate on a mobile device
- Adding a KES device to the list of managed devices
- Connecting KES devices to the Administration Server
- Integration with Public Key Infrastructure
- Kaspersky Security Center Web Server
Deploying mobile device management systems
This section describes the deployment of mobile device management systems using Exchange ActiveSync, iOS MDM, and Kaspersky Endpoint Security protocols.
Deploying a system for management via Exchange ActiveSync protocol
Kaspersky Security Center allows you to manage mobile devices that are connected to the Administration Server using the Exchange ActiveSync protocol. Exchange ActiveSync (EAS) mobile devices are those connected to an Exchange Mobile Device Server and managed by Administration Server.
The following operating systems support Exchange ActiveSync protocol:
- Windows Phone 8
- Windows Phone 8.1
- Windows 10 Mobile
- Android
- iOS
The set of management settings for an Exchange ActiveSync device depends on the operating system under which the mobile device is running. For details on which Exchange ActiveSync features a specific operating system supports, please refer to the documentation enclosed with the operating system.
Deployment of a mobile device management system using Exchange ActiveSync protocol includes the following steps:
- The administrator installs Exchange Mobile Device Server on the selected client device.
- The administrator creates a management profile(s) in Administration Console for managing EAS devices and adds the profile(s) to the mailboxes of Exchange ActiveSync users.
Management profile of Exchange ActiveSync mobile devices is an ActiveSync policy used on a Microsoft Exchange server for managing Exchange ActiveSync mobile devices. Only one EAS device management profile can be assigned to a Microsoft Exchange mailbox.
Users of mobile EAS devices connect to their Exchange mailboxes. Any management profile imposes some restrictions on mobile devices.
Installing Mobile Device Server for Exchange ActiveSync
An Exchange Mobile Device Server is installed on a client device with a Microsoft Exchange server installed. We recommend that you install the Exchange Mobile Device Server on a Microsoft Exchange server with the Client Access role assigned. If several Microsoft Exchange servers with the Client Access role in the same domain are combined into a Client Access Array, it is recommended to install the Exchange Mobile Device Server on each Microsoft Exchange server in that array in cluster mode.
To install an Exchange Mobile Device Server on a local device:
- Run the setup.exe executable file.
A window opens prompting you to select Kaspersky applications to install.
- In the applications selection window, click the Install Exchange Mobile Device Server link to run the Setup Wizard of Exchange Mobile Device Server.
- In the Installation settings window, select the type of Exchange Mobile Device Server installation:
- To install Exchange Mobile Device Server with the default settings, select Standard installation and click the Next button.
- To define the settings for installation of the Exchange Mobile Device Server manually, select Custom installation and click Next. Then do the following:
- Select destination folder in Destination Folder window. The default folder is <Disk>:\Program Files\Kaspersky Lab\Mobile Device Management for Exchange. If such a folder does not exist, it is created automatically during the installation. You can change the destination folder by using the Browse button.
- Choose the type of Exchange Mobile Device Server installation in the Installation mode window: normal mode or cluster mode.
- In Select Account window, choose an account that will be used to manage mobile devices:
- Create account and role group automatically. Account will be created automatically.
- Specify an account. The account should be selected manually. Click the Browse button to select the user whose account will be used and specify the password. The selected user must belong to a group that has rights to manage mobile devices using ActiveSync.
- In the IIS settings window, allow or prohibit automatic configuration of the Internet Information Services (IIS) web server properties.
If you have prohibited automatic configuration of the Internet Information Services (IIS) properties, enable the "Windows authentication" mechanism manually in the IIS settings for Microsoft PowerShell Virtual Directory. If "Windows authentication" mechanism is disabled, Exchange Mobile Device Server will not operate correctly. Please refer to IIS documentation for more information about configuring IIS.
- Click Next.
- In the window that opens, verify the Exchange Mobile Device Server installation properties, and then click Install.
When the Wizard finishes, the Exchange Mobile Device Server is installed on the local device. The Exchange Mobile Device Server will be displayed in the Mobile Device Management folder in the console tree.
Connecting mobile devices to an Exchange Mobile Device Server
Before connecting any mobile devices, you must configure Microsoft Exchange Server in order to allow the devices to be connected using ActiveSync protocol.
To connect a mobile device to an Exchange Mobile Device Server, the user connects to his or her Microsoft Exchange mailbox from the mobile device through ActiveSync. When connecting, the user must specify the connection settings in the ActiveSync client, such as email address and email password.
The user's mobile device, connected to the Microsoft Exchange server, is displayed in the Mobile devices subfolder contained in the Mobile Device Management folder in the console tree.
After the Exchange ActiveSync mobile device is connected to an Exchange Mobile Device Server, the administrator can manage the connected Exchange ActiveSync mobile device.
Configuring the Internet Information Services web server
When using Microsoft Exchange Server (versions 2010 and 2013), you have to activate the Windows authentication mechanism for a Windows PowerShell virtual directory in the settings of the Internet Information Services (IIS) web server. This authentication mechanism is activated automatically if the Configure Microsoft Internet Information Services (IIS) automatically option is selected in the Exchange Mobile Device Server Installation Wizard (default option).
Otherwise, you will have to activate the authentication mechanism on your own.
To activate the Windows authentication mechanism for a PowerShell virtual directory manually:
- In Internet Information Services (IIS) Manager console, open the properties of the PowerShell virtual directory.
- Go to the Authentication section.
- Select Microsoft Windows Authentication, and then click the Enable button.
- Open Advanced Settings.
- Select the Enable Kernel-mode authentication option.
- In the Extended protection drop-down list, select Required.
When using Microsoft Exchange Server 2007, the IIS web server requires no configuration.
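The manual IIS steps above can be applied and verified from PowerShell. This is an added example, not code from the Kaspersky documentation; it assumes the WebAdministration module is present on the Client Access server and that the virtual directory is "PowerShell" under "Default Web Site" (both are parameters).

```powershell
# Added example (not from the Kaspersky documentation): enables Windows
# authentication, kernel-mode authentication and required extended protection
# on the PowerShell virtual directory with the WebAdministration module, then
# reads the settings back. Assumptions: the module is present on the Client
# Access server and the directory is "PowerShell" under "Default Web Site".
#Requires -Modules WebAdministration
param(
    [string]$Site = 'Default Web Site',
    [string]$VirtualDirectory = 'PowerShell',
    [switch]$Apply      # without -Apply the script only reports the current state
)

$psPath = "IIS:\Sites\$Site\$VirtualDirectory"
if (-not (Test-Path $psPath)) { throw "Virtual directory not found: $psPath" }

$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

# Desired state, one entry per manual step above: (section filter, attribute, value).
$desired = @(
    @{ Filter = $winAuth;                      Name = 'enabled';       Value = $true },
    @{ Filter = $winAuth;                      Name = 'useKernelMode'; Value = $true },
    @{ Filter = "$winAuth/extendedProtection"; Name = 'tokenChecking'; Value = 'Require' }
)

if ($Apply) {
    foreach ($d in $desired) {
        Set-WebConfigurationProperty -PSPath $psPath -Filter $d.Filter -Name $d.Name -Value $d.Value
    }
}

# Read back each attribute. Get-WebConfigurationProperty may return either the raw value
# or a configuration attribute object whose .Value holds it; both forms are handled.
$drift = 0
foreach ($d in $desired) {
    $raw = Get-WebConfigurationProperty -PSPath $psPath -Filter $d.Filter -Name $d.Name
    $actual = if ($null -ne $raw -and $null -ne $raw.Value) { $raw.Value } else { $raw }
    # tokenChecking is an enumeration and may be reported by number rather than by name on
    # some IIS versions; if this line shows DRIFT, confirm the value in IIS Manager.
    $match = ([string]$actual -eq [string]$d.Value)
    if (-not $match) { $drift++ }
    $state = if ($match) { 'OK' } else { 'DRIFT' }
    Write-Host ('{0,-70} actual={1,-8} expected={2,-8} {3}' -f "$($d.Filter)/@$($d.Name)", $actual, $d.Value, $state)
}

if ($drift -gt 0) {
    Write-Warning "$drift setting(s) differ on $psPath. With Windows authentication disabled, Exchange Mobile Device Server will not operate correctly."
    exit 1
}
```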
Local installation of an Exchange Mobile Device Server
For a local installation of an Exchange Mobile Device Server, the administrator must perform the following operations:
- Copy the contents of the \Server\Packages\MDM4Exchange\ folder from the Kaspersky Security Center distribution package to a client device.
- Run the setup.exe executable file.
Local installation includes two types of installation:
- Standard installation is a simplified installation that does not require the administrator to define any settings; it is recommended in most cases.
- Extended installation is an installation that requires the administrator to define the following settings:
- Path for Exchange Mobile Device Server installation.
- Exchange Mobile Device Server operation mode: standard mode or cluster mode.
- The account under which the Exchange Mobile Device Server service will run.
- Enabling / disabling automatic configuration of the IIS web server.
The Exchange Mobile Device Server Installation Wizard must be run under an account that has all of the required rights.
Remote installation of an Exchange Mobile Device Server
To configure the remote installation of Exchange Mobile Device Server, the administrator must perform the following actions:
- In the tree of Kaspersky Security Center Administration Console, select the Remote installation folder, then the Installation packages subfolder.
- In the Installation packages subfolder, open the properties of the Exchange Mobile Device Server package.
- Go to the Settings section.
This section contains the same settings as those used for the local installation of the application.
After the remote installation is configured, you can start installing Exchange Mobile Device Server.
To install Exchange Mobile Device Server:
- In the tree of Kaspersky Security Center Administration Console, select the Remote installation folder, then the Installation packages subfolder.
- In the Installation packages subfolder, select the Exchange Mobile Device Server package.
- Open the context menu of the package and select Install application.
- In the Remote Installation Wizard that opens, select a device (or multiple devices for installation in cluster mode).
- In the Run application Setup Wizard under specified account field, specify the account under which the installation process will be run on the remote device.
The account must have the required rights.
Deploying a system for management using iOS MDM protocol
Kaspersky Security Center allows you to manage mobile devices running iOS. iOS MDM mobile devices refer to iOS mobile devices that are connected to an iOS MDM Server and managed by an Administration Server.
Connection of mobile devices to an iOS MDM Server is performed in the following sequence:
- The administrator installs iOS MDM Server on the selected client device. Installation of iOS MDM Server is performed using the standard tools of the operating system.
- The administrator retrieves an Apple Push Notification Service (APNs) certificate.
The APNs certificate allows Administration Server to connect to the APNs server to send push notifications to iOS MDM mobile devices.
- The administrator installs the APNs certificate on the iOS MDM Server.
- The administrator creates an iOS MDM profile for the user of the iOS mobile device.
The iOS MDM profile contains a collection of settings for connecting iOS mobile devices to Administration Server.
- The administrator issues a shared certificate to the user.
The shared certificate is required to confirm that the mobile device is owned by the user.
- The user clicks the link sent by the administrator and downloads an installation package to the mobile device.
The installation package contains a certificate and an iOS MDM profile.
After the iOS MDM profile is downloaded and the iOS MDM mobile device is synchronized with the Administration Server, the device is displayed in the Mobile devices folder, which is a subfolder of the Mobile Device Management folder in the console tree.
- The administrator adds a configuration profile on the iOS MDM Server and installs the configuration profile on the mobile device after it is connected.
The configuration profile contains a collection of settings and restrictions for the iOS MDM mobile device, for example, settings for installation of applications, settings for the use of various features of the device, email and scheduling settings. A configuration profile allows you to configure iOS MDM mobile devices in accordance with the organization's security policies.
- If necessary, the administrator adds provisioning profiles on the iOS MDM Server and then installs these provisioning profiles on mobile devices.
Provisioning profile is a profile that is used for managing applications distributed in ways other than through App Store. A provisioning profile contains information about the license; it is linked to a specific application.
Installing iOS MDM Server
To install iOS MDM Server on a local device:
- Run the setup.exe executable file.
A window opens prompting you to select Kaspersky applications to install.
- In the applications selection window, click the Install iOS MDM Server link to run the iOS MDM Server Setup Wizard.
- Select a destination folder.
The default destination folder is <Disk>:\Program Files\Kaspersky Lab\Mobile Device Management for iOS. If such a folder does not exist, it is created automatically during the installation. You can change the destination folder by using the Browse button.
- In the Specify the settings for connection to iOS MDM Server window of the Wizard, in the External port for connection to iOS MDM service field, specify an external port for connecting mobile devices to the iOS MDM service.
External port 5223 is used by mobile devices for communication with the APNs server. Make sure that port 5223 is open in the firewall for connection with the address range 17.0.0.0/8.
Port 443 is used for connection to iOS MDM Server by default. If port 443 is already in use by another service or application, it can be replaced with, for example, port 9443.
The iOS MDM Server uses external port 2197 to send notifications to the APNs server.
APNs servers run in load-balancing mode. Mobile devices do not always connect to the same IP addresses to receive notifications. The 17.0.0.0/8 address range is reserved for Apple, and it is therefore recommended to specify this entire range as an allowed range in Firewall settings.
- If you want to configure interaction ports for application components manually, select the Set up local ports manually option, and then specify values for the following settings:
- Port for connection to Network Agent. In this field, specify a port for connecting the iOS MDM service to Network Agent. The default port number is 9799.
- Local port to connect to iOS MDM service. In this field, specify a local port for connecting Network Agent to the iOS MDM service. The default port number is 9899.
It is recommended to use default values.
- In the External address of Mobile Device Server window of the Wizard, in the Web address for remote connection to Mobile Device Server field, specify the address of the client device on which iOS MDM Server is to be installed.
This address will be used for connecting managed mobile devices to the iOS MDM service. The client device must be available for connection of iOS MDM devices.
You can specify the address of a client device in any of the following formats:
- Device FQDN (such as mdm.example.com)
- Device NetBIOS name
- Device IP address
Do not include the URL scheme or the port number in the address string; these values are added automatically.
When the Wizard finishes, iOS MDM Server is installed on the local device. The iOS MDM Server is displayed in the Mobile Device Management folder in the console tree.
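The port requirements listed in this procedure (inbound external port, outbound 2197 and 5223 towards 17.0.0.0/8) can be enforced and checked on the iOS MDM Server host with the script below. It is an added example, not code from the Kaspersky documentation; the rule names and the probe hostnames api.push.apple.com and 1-courier.push.apple.com are assumptions used only to test reachability, and the external port defaults to 443 as in the Wizard.

```powershell
# Added example (not from the Kaspersky documentation): creates Windows Firewall
# rules for the ports named in the installation procedure and probes outbound
# reachability of APNs. Assumptions: external MDM port 443 unless overridden,
# arbitrary rule names, and two assumed APNs hostnames used only as probes.
[CmdletBinding()]
param(
    [int]$ExternalMdmPort = 443,   # "External port for connection to iOS MDM service" (default 443)
    [switch]$Apply                 # without -Apply, only report what would be created
)

$appleRange = '17.0.0.0/8'         # address range reserved for Apple, per the documentation

# Inbound from managed devices to the MDM service; outbound to APNs on 2197 (server-side
# notifications) and 5223 (device-side APNs traffic, in case devices egress through this host).
$rules = @(
    @{ Name = 'KSC iOS MDM inbound';  Direction = 'Inbound';  Port = $ExternalMdmPort; Remote = 'Any' },
    @{ Name = 'KSC APNs notify 2197'; Direction = 'Outbound'; Port = 2197;             Remote = $appleRange },
    @{ Name = 'KSC APNs device 5223'; Direction = 'Outbound'; Port = 5223;             Remote = $appleRange }
)

foreach ($r in $rules) {
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "exists      : $($r.Name)"
        continue
    }
    # Only the port on the side that matters is restricted; the other side stays 'Any'.
    $localPort  = if ($r.Direction -eq 'Inbound')  { $r.Port } else { 'Any' }
    $remotePort = if ($r.Direction -eq 'Outbound') { $r.Port } else { 'Any' }
    if ($Apply) {
        New-NetFirewallRule -DisplayName $r.Name -Direction $r.Direction -Protocol TCP `
            -LocalPort $localPort -RemotePort $remotePort -RemoteAddress $r.Remote -Action Allow | Out-Null
        Write-Host "created     : $($r.Name)"
    } else {
        Write-Host "would create: $($r.Name) ($($r.Direction) TCP local=$localPort remote=$remotePort to $($r.Remote))"
    }
}

# Reachability probes. APNs hosts resolve into 17.0.0.0/8, so a resolved address outside that
# range, or a failed TCP test, usually points at an egress firewall or an intercepting proxy.
$probes = @(
    @{ Host = 'api.push.apple.com';       Port = 2197 },   # assumed hostname for the 2197 probe
    @{ Host = '1-courier.push.apple.com'; Port = 5223 }    # assumed hostname for the 5223 probe
)
foreach ($p in $probes) {
    $t = Test-NetConnection -ComputerName $p.Host -Port $p.Port -WarningAction SilentlyContinue
    $inRange = [bool]($t.RemoteAddress -and ([string]$t.RemoteAddress) -match '^17\.')
    Write-Host ('{0}:{1} -> {2} (tcp ok: {3}, inside 17.0.0.0/8: {4})' -f `
        $p.Host, $p.Port, $t.RemoteAddress, $t.TcpTestSucceeded, $inRange)
}

# Once iOS MDM Server is installed, confirm something is actually listening on the external port.
$listener = Get-NetTCPConnection -State Listen -LocalPort $ExternalMdmPort -ErrorAction SilentlyContinue
Write-Host ('iOS MDM listener on TCP {0}: {1}' -f $ExternalMdmPort, [bool]$listener)
```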
Installing iOS MDM Server in non-interactive mode
Kaspersky Security Center allows you to install iOS MDM Server on a local device in non-interactive mode, that is, without the interactive input of installation settings.
To install iOS MDM Server on a local device in non-interactive mode:
- Read the End User License Agreement. Use the command below only if you understand and accept the terms of the End User License Agreement.
- Run the following command:
.\exec\setup.exe /s /v"DONT_USE_ANSWER_FILE=1 EULA=1 <setup_parameters>"
where setup_parameters is a list of settings and their respective values, separated with spaces (PROP1=PROP1VAL PROP2=PROP2VAL). The setup.exe file is located in the Server folder, which is part of the Kaspersky Security Center distribution kit.
The names and possible values for parameters that can be used when installing iOS MDM Server in non-interactive mode are listed in the table below. Parameters can be specified in any convenient order.
Parameters of iOS MDM Server installation in non-interactive mode

| Parameter name | Parameter description | Available values |
|---|---|---|
| EULA | Acceptance of the terms of the End User License Agreement. This parameter is mandatory. | |
| DONT_USE_ANSWER_FILE | Whether or not to use an XML file with iOS MDM Server installation settings. The XML file is included in the installation package or stored on the Administration Server. You do not have to specify an additional path to the file. This parameter is mandatory. | |
| INSTALLDIR | The iOS MDM Server installation folder. This parameter is optional. | String value, for example, |
| CONNECTORPORT | Local port for connecting the iOS MDM service to Network Agent. The default port number is 9799. This parameter is optional. | Numerical value. |
| LOCALSERVERPORT | Local port for connecting Network Agent to the iOS MDM service. The default port number is 9899. This parameter is optional. | Numerical value. |
| EXTERNALSERVERPORT | Port for connecting a device to iOS MDM Server. The default port number is 443. This parameter is optional. | Numerical value. |
| EXTERNAL_SERVER_URL | External address of the client device on which iOS MDM Server is to be installed. This address will be used for connecting managed mobile devices to the iOS MDM service. The client device must be available for connection through iOS MDM. The address must not include the URL scheme or the port number, because these values will be added automatically. This parameter is optional. | |
| WORKFOLDER | Work folder of iOS MDM Server. If no work folder is specified, data will be written to the default folder. This parameter is optional. | String value, for example, |
| MTNCY | Use of iOS MDM Server by multiple virtual Servers. This parameter is optional. | |

Example:
The iOS MDM Server installation parameters are given in detail in section "Installing iOS MDM Server".
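The non-interactive command line above is easy to get wrong (a port out of range, an EXTERNAL_SERVER_URL that carries a scheme or port). The script below, an added example that is not part of the Kaspersky documentation, validates the parameters from the table and assembles the /s /v"..." command line before optionally running it; the setup.exe path and the address mdm.example.com are placeholders, and the value 1 for MTNCY is an assumption, because the table does not list its values.

```powershell
# Added example (not from the Kaspersky documentation): builds and validates the
# non-interactive iOS MDM Server setup command line from the parameters in the
# table above. Assumptions: placeholder setup.exe path and external address;
# MTNCY=1 is assumed for multi-tenancy; setup.exe only runs with -Execute.
[CmdletBinding()]
param(
    [string]$SetupPath = '.\Server\setup.exe',       # placeholder: path to setup.exe in the distribution kit
    [string]$InstallDir,                              # INSTALLDIR (optional)
    [string]$WorkFolder,                              # WORKFOLDER (optional)
    [int]$ConnectorPort = 9799,                       # CONNECTORPORT, default from the table
    [int]$LocalServerPort = 9899,                     # LOCALSERVERPORT, default from the table
    [int]$ExternalServerPort = 443,                   # EXTERNALSERVERPORT, default from the table
    [string]$ExternalServerUrl = 'mdm.example.com',   # EXTERNAL_SERVER_URL: FQDN, NetBIOS name or IP, no scheme/port
    [switch]$MultiTenancy,                            # adds MTNCY (value 1 assumed)
    [switch]$AcceptEula,                              # set only after reading and accepting the EULA
    [switch]$Execute                                  # without -Execute the command line is only printed
)

function Test-Port([int]$Port, [string]$Name) {
    if ($Port -lt 1 -or $Port -gt 65535) { throw "$Name must be in 1..65535 (got $Port)" }
}

function Test-ExternalAddress([string]$Address) {
    # The installer appends the URL scheme and port itself, so the address must be bare.
    if ($Address -match '^[a-z][a-z0-9+.-]*://') { throw "EXTERNAL_SERVER_URL must not contain a URL scheme: $Address" }
    if ($Address -match ':\d+$')                 { throw "EXTERNAL_SERVER_URL must not contain a port number: $Address" }
    if ($Address -match '[/\s]')                 { throw "EXTERNAL_SERVER_URL must be a bare FQDN, NetBIOS name or IP address: $Address" }
}

if (-not $AcceptEula) { throw 'Re-run with -AcceptEula only after reading and accepting the End User License Agreement.' }

Test-Port $ConnectorPort 'CONNECTORPORT'
Test-Port $LocalServerPort 'LOCALSERVERPORT'
Test-Port $ExternalServerPort 'EXTERNALSERVERPORT'
if ($ConnectorPort -eq $LocalServerPort) { throw 'CONNECTORPORT and LOCALSERVERPORT must differ' }
Test-ExternalAddress $ExternalServerUrl

# Mandatory parameters first, then the optional ones that were actually supplied.
$props = [ordered]@{
    DONT_USE_ANSWER_FILE = 1
    EULA                 = 1
    CONNECTORPORT        = $ConnectorPort
    LOCALSERVERPORT      = $LocalServerPort
    EXTERNALSERVERPORT   = $ExternalServerPort
    EXTERNAL_SERVER_URL  = $ExternalServerUrl
}
if ($InstallDir)   { $props['INSTALLDIR'] = $InstallDir }
if ($WorkFolder)   { $props['WORKFOLDER'] = $WorkFolder }
if ($MultiTenancy) { $props['MTNCY'] = 1 }   # assumption: value not given in the table

# Values containing spaces (typical for install paths) need escaped quotes inside /v"...".
$pairs = foreach ($k in $props.Keys) {
    $v = [string]$props[$k]
    if ($v -match '\s') { "$k=\`"$v\`"" } else { "$k=$v" }
}
$arguments = '/s /v"' + ($pairs -join ' ') + '"'

Write-Host "Command line: $SetupPath $arguments"

if ($Execute) {
    if (-not (Test-Path $SetupPath)) { throw "setup.exe not found at $SetupPath" }
    $proc = Start-Process -FilePath $SetupPath -ArgumentList $arguments -Wait -PassThru
    Write-Host "setup.exe exit code: $($proc.ExitCode)"
    if ($proc.ExitCode -ne 0) { throw 'Installation failed; check the installer log.' }
}
```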
iOS MDM Server deployment scenarios
The number of copies of iOS MDM Server to be installed can be selected either based on available hardware or on the total number of mobile devices covered.
Please keep in mind that the recommended maximum number of mobile devices for a single installation of Kaspersky Device Management for iOS is 50,000. To reduce the load, the entire pool of devices can be distributed among several servers that have iOS MDM Server installed.
Authentication of iOS MDM devices is performed through user certificates (any profile installed on a device contains the certificate of the device owner). Thus, two deployment schemes are possible for an iOS MDM Server:
- Simplified scheme
- Deployment scheme involving Kerberos constrained delegation (KCD)
Simplified deployment scheme
When deploying an iOS MDM Server under the simplified scheme, mobile devices connect to the iOS MDM web service directly. In this case, only user certificates issued by the Administration Server can be used for device authentication; integration with Public Key Infrastructure (PKI) is not possible for user certificates.
Deployment scheme involving Kerberos constrained delegation (KCD)
The deployment scheme with Kerberos constrained delegation (KCD) requires the Administration Server and the iOS MDM Server to be located on the internal network of the organization.
This deployment scheme provides for the following:
- Integration with Microsoft Forefront TMG
- Use of KCD for authentication of mobile devices
- Integration with the PKI for applying user certificates
When using this deployment scheme, you must do the following:
- In Administration Console, in the settings of the iOS MDM web service, select the Ensure compatibility with Kerberos constrained delegation check box.
- As the certificate for the iOS MDM web service, specify the customized certificate that was defined when the iOS MDM web service was published on TMG.
- User certificates for iOS devices must be issued by the Certificate Authority (CA) of the domain. If the domain contains multiple root CAs, user certificates must be issued by the CA that was specified when the iOS MDM web service was published on TMG.
You can ensure that the user certificate complies with this CA-issuance requirement by using one of the following methods:
- Specify the user certificate in the New iOS MDM Profile Wizard and in the Certificate Installation Wizard.
- Integrate the Administration Server with the domain's PKI and define the corresponding setting in the rules for issuance of certificates:
- In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
- In the workspace of the Certificates folder, click the Configure certificate issuance rules button to open the Certificate issuance rules window.
- In the Integration with PKI section, configure integration with the Public Key Infrastructure.
- In the Issuance of mobile certificates section, specify the source of certificates.
Below is an example of setup of Kerberos Constrained Delegation (KCD) with the following assumptions:
- The iOS MDM web service is running on port 443.
- The name of the device with TMG is tmg.mydom.local.
- The name of device with the iOS MDM web service is iosmdm.mydom.local.
- The name of external publishing of the iOS MDM web service is iosmdm.mydom.global.
Service Principal Name for http/iosmdm.mydom.local
In the domain, you have to register the service principal name (SPN) for the device with the iOS MDM web service (iosmdm.mydom.local):
setspn -a http/iosmdm.mydom.local iosmdm
Configuring the domain properties of the device with TMG (tmg.mydom.local)
To delegate traffic, trust the device with TMG (tmg.mydom.local) to the service that is defined by the SPN (http/iosmdm.mydom.local).
To trust the device with TMG to the service defined by the SPN (http/iosmdm.mydom.local), the administrator must perform the following actions:
- In the Microsoft Management Console snap-in named "Active Directory Users and Computers", select the device with TMG installed (tmg.mydom.local).
- In the device properties, on the Delegation tab, select Trust this computer for delegation to specified services only, and then select Use any authentication protocol.
- Add the SPN (http/iosmdm.mydom.local) to the Services to which this account can present delegated credentials list.
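The SPN registration and the delegation settings from the two sections above can be applied and, more importantly, verified with the ActiveDirectory module. This is an added example, not code from the Kaspersky documentation; it keeps the host names tmg.mydom.local and iosmdm.mydom.local from the example, assumes the computer accounts are named TMG and IOSMDM, and assumes the caller has rights to edit those accounts.

```powershell
# Added example (not from the Kaspersky documentation): registers the SPN for the
# iOS MDM web service and configures constrained delegation with protocol
# transition on the TMG computer account, then reports the resulting state.
# Assumptions: account names TMG and IOSMDM; rights to edit both accounts.
#Requires -Modules ActiveDirectory
param(
    [string]$MdmHost    = 'iosmdm.mydom.local',
    [string]$MdmAccount = 'IOSMDM',   # sAMAccountName of the iOS MDM web service computer (without $)
    [string]$TmgAccount = 'TMG',      # sAMAccountName of the TMG computer (without $)
    [switch]$Apply                    # without -Apply the script only reports
)

$spn = "http/$MdmHost"
$tmgProps = @('msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation')

# 1. Register the SPN on the iOS MDM computer account
#    (the same effect as "setspn -a http/iosmdm.mydom.local iosmdm").
$mdm = Get-ADComputer -Identity $MdmAccount -Properties servicePrincipalName
if ($mdm.servicePrincipalName -contains $spn) {
    Write-Host "SPN already registered: $spn"
} elseif ($Apply) {
    # A duplicate SPN anywhere in the forest breaks Kerberos for this service without a clear error.
    $dup = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    if ($dup) { throw "SPN $spn already exists on $($dup.DistinguishedName)" }
    Set-ADComputer -Identity $MdmAccount -ServicePrincipalNames @{ Add = $spn }
    Write-Host "Registered SPN $spn on $MdmAccount"
} else {
    Write-Host "Would register SPN $spn on $MdmAccount"
}

# 2. TMG computer: "Trust this computer for delegation to specified services only" with
#    "Use any authentication protocol", and the SPN in the allowed-services list.
$tmg = Get-ADComputer -Identity $TmgAccount -Properties $tmgProps
if ($Apply) {
    # Unconstrained delegation must stay off: only the listed SPN may receive delegated credentials.
    Set-ADAccountControl -Identity $tmg -TrustedForDelegation $false -TrustedToAuthForDelegation $true
    if ($tmg.'msDS-AllowedToDelegateTo' -notcontains $spn) {
        Set-ADComputer -Identity $TmgAccount -Add @{ 'msDS-AllowedToDelegateTo' = $spn }
    }
    $tmg = Get-ADComputer -Identity $TmgAccount -Properties $tmgProps
}

# 3. Verification: every line must read True before the web service is published on TMG.
$mdm = Get-ADComputer -Identity $MdmAccount -Properties servicePrincipalName
$checks = [ordered]@{
    'SPN registered on iOS MDM account'    = ($mdm.servicePrincipalName -contains $spn)
    'TMG: unconstrained delegation off'    = (-not $tmg.TrustedForDelegation)
    'TMG: any-protocol (KCD) enabled'      = [bool]$tmg.TrustedToAuthForDelegation
    'TMG: SPN in allowed delegation list'  = ($tmg.'msDS-AllowedToDelegateTo' -contains $spn)
}
$checks.GetEnumerator() | ForEach-Object { Write-Host ('{0,-40} {1}' -f $_.Key, $_.Value) }
```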
Special (customized) certificate for the published web service (iosmdm.mydom.global)
You have to issue a special (customized) certificate for the iOS MDM web service on the FQDN iosmdm.mydom.global and specify that it replaces the default certificate in the settings of iOS MDM web service in Administration Console.
Please note that the certificate container (file with the p12 or pfx extension) must also contain a chain of root certificates (public keys).
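Whether a p12/pfx container really includes the chain is worth checking before it is uploaded, because a missing intermediate only shows up later as devices failing to enroll. The script below is an added example, not code from the Kaspersky documentation; it assumes the container path and password are supplied by the caller and uses iosmdm.mydom.global from the example above as the expected name.

```powershell
# Added example (not from the Kaspersky documentation): inspects a PFX/P12 container
# for the published iOS MDM web service and checks that it holds exactly one leaf
# certificate with its private key, that the leaf names the published FQDN, and
# that the root/intermediate chain is included. Assumptions: caller supplies path
# and password; iosmdm.mydom.global is the expected FQDN from the example above.
param(
    [Parameter(Mandatory)][string]$PfxPath,
    [Parameter(Mandatory)][securestring]$Password,
    [string]$ExpectedFqdn = 'iosmdm.mydom.global'
)

# Import the whole container (not just the first certificate) so chain entries are visible.
$plain = [System.Net.NetworkCredential]::new('', $Password).Password
$coll = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
$coll.Import($PfxPath, $plain, 'Exportable')

$leaf  = @($coll | Where-Object { $_.HasPrivateKey })
$chain = @($coll | Where-Object { -not $_.HasPrivateKey })
$roots = @($chain | Where-Object { $_.Subject -eq $_.Issuer })

$results = [ordered]@{
    'exactly one certificate with private key' = ($leaf.Count -eq 1)
    'chain certificates present'               = ($chain.Count -ge 1)
    'self-signed root included'                = ($roots.Count -ge 1)
}

if ($leaf.Count -eq 1) {
    $cert = $leaf[0]
    # The Subject Alternative Name extension (OID 2.5.29.17) must carry the published FQDN.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $results['leaf SAN contains expected FQDN'] = [bool]($san -match [regex]::Escape($ExpectedFqdn))
    $now = Get-Date
    $results['leaf valid today'] = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)

    # Build the chain from the container contents only (no machine store, no online fetch),
    # which mirrors a device that trusts nothing beyond what the profile delivers.
    $builder = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $builder.ChainPolicy.ExtraStore.AddRange([System.Security.Cryptography.X509Certificates.X509Certificate2[]]$chain)
    $builder.ChainPolicy.RevocationMode = 'NoCheck'
    $builder.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $null = $builder.Build($cert)
    # UntrustedRoot is expected on a host that does not trust this CA; anything else is a real gap.
    $otherErrors = @($builder.ChainStatus | Where-Object { $_.Status -ne 'UntrustedRoot' })
    $results['chain builds from container contents'] = ($builder.ChainElements.Count -ge 2 -and $otherErrors.Count -eq 0)
    Write-Host "Leaf: $($cert.Subject)  expires $($cert.NotAfter.ToString('u'))"
}

$results.GetEnumerator() | ForEach-Object { Write-Host ('{0,-45} {1}' -f $_.Key, $_.Value) }
if ($results.Values -contains $false) { exit 1 }
```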
Publishing the iOS MDM web service on TMG
On TMG, for traffic that goes from a mobile device to port 443 of iosmdm.mydom.global, you have to configure KCD on the SPN (http/iosmdm.mydom.local), using the certificate issued for the FQDN (iosmdm.mydom.global). Please note that the publishing rule and the published web service must use the same server certificate.
Use of iOS MDM Server by multiple virtual Servers
To enable the use of iOS MDM Server by multiple virtual Administration Servers:
- Open the system registry of the client device with iOS MDM Server installed (for example, locally, using the regedit command in the Start → Run menu).
- Go to the following hive:
- For 32-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0
- For 64-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0
- For the ConnectorFlags (DWORD) key, set the 02102482 value.
- Go to the following hive:
- For 32-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1103\1.0.0.0
- For 64-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1103\1.0.0.0
- For the ConnInstalled (DWORD) key, set the 00000001 value.
- Restart the iOS MDM Server service.
Key values must be entered in the specified sequence.
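The registry changes above can be applied in the documented order by the script below, an added example that is not part of the Kaspersky documentation. It assumes that the two DWORD values are hexadecimal as regedit displays them, and the service name is a placeholder because the documentation does not state it.

```powershell
# Added example (not from the Kaspersky documentation): sets the two registry values
# above in the documented sequence, choosing the 32-bit or 64-bit hive automatically,
# then restarts the service and re-reads the values. Assumptions: the documented
# DWORD values are hexadecimal as shown by regedit; the service name is a placeholder.
param(
    [string]$ServiceName = 'REPLACE_WITH_IOS_MDM_SERVICE_NAME',   # placeholder, not from the documentation
    [switch]$Apply                                                # without -Apply, only report current values
)

$base = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\Components\34'   # 64-bit systems
} else {
    'HKLM:\SOFTWARE\KasperskyLab\Components\34'               # 32-bit systems
}

# Order matters: the documentation requires the values to be entered in this sequence.
$steps = @(
    @{ Key = "$base\Connectors\KLIOSMDM\1.0.0.0"; Name = 'ConnectorFlags'; Value = 0x02102482 },
    @{ Key = "$base\1103\1.0.0.0";                Name = 'ConnInstalled';  Value = 0x00000001 }
)

foreach ($s in $steps) {
    if (-not (Test-Path $s.Key)) { throw "Registry key not found (is iOS MDM Server installed?): $($s.Key)" }
    $current = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    $shown = if ($null -ne $current) { '0x{0:X8}' -f $current } else { '<absent>' }
    Write-Host ('{0}\{1}: current={2} target=0x{3:X8}' -f $s.Key, $s.Name, $shown, $s.Value)
    if ($Apply) {
        Set-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -Type DWord
    }
}

if ($Apply) {
    Restart-Service -Name $ServiceName -Force
    # Re-read after the restart so that a value silently rewritten on service start is noticed.
    foreach ($s in $steps) {
        $after = (Get-ItemProperty -Path $s.Key -Name $s.Name).($s.Name)
        if ($after -ne $s.Value) { throw ('{0} is 0x{1:X8} after restart, expected 0x{2:X8}' -f $s.Name, $after, $s.Value) }
    }
    Write-Host 'Multi-tenancy registry values applied and verified.'
}
```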
Receiving an APNs certificate
If you already have an APNs certificate, please consider renewing it instead of creating a new one. When you replace the existing APNs certificate with a newly created one, the Administration Server loses the ability to manage the currently connected iOS mobile devices.
When the Certificate Signing Request (CSR) is created at the first step of the APNs Certificate Wizard, its private key is stored in the RAM of your device. Therefore, all the steps of the Wizard must be completed within a single session of the application.
To receive an APNs certificate:
- In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.
- In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
- In the context menu of the iOS MDM Server, select Properties.
This opens the properties window of the iOS MDM Server.
- In the properties window of the iOS MDM Server, select the Certificates section.
- In the Certificates section, in the Apple Push Notification certificate group of settings, click the Request new button.
The Receive APNs Certificate Wizard starts and the Request new window opens.
- Create a Certificate Signing Request (hereinafter referred to as CSR). To do this, perform the following actions:
- Click the Create CSR button.
- In the Create CSR window that opens, specify a name for your request, the names of your company and department, your city, region, and country.
- Click the Save button and specify a name for the file to which your CSR will be saved.
The private key of the certificate is saved in the device memory.
- Use your CompanyAccount to send the file with the CSR you have created to Kaspersky to be signed.
Signing of your CSR will only be available after you upload to CompanyAccount portal a key that allows using Mobile Device Management.
After your online request is processed, you will receive a CSR file signed by Kaspersky.
- Send the signed CSR file to the Apple Inc. website, using an Apple ID of your choice.
We recommend that you avoid using a personal Apple ID. Create a dedicated Apple ID to make it your corporate ID. After you have created an Apple ID, link it with the organization's mailbox, not a mailbox of an employee.
After your CSR is processed in Apple Inc., you will receive the public key of the APNs certificate. Save the file on disk.
- Export the APNs certificate together with the private key created when generating the CSR, in PFX file format. To do this:
- In the Request new APNs certificate window, click the Complete CSR button.
- In the Open window, choose a file with the public key of the certificate received from Apple Inc. as the result of CSR processing, and then click the Open button.
The certificate export process starts.
- In the next window, enter the private key password and click OK.
This password will be used for the APNs certificate installation on the iOS MDM Server.
- In the Save APNs certificate window, specify a file name for APNs certificate, choose a folder, and click Save.
The private and public keys of the certificate are combined, and the APNs certificate is saved in PFX format. After this, you can install the APNs certificate on the iOS MDM Server.
Renewing an APNs certificate
To renew an APNs certificate:
- In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.
- In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
- In the context menu of the iOS MDM Server, select Properties.
This opens the properties window of the iOS MDM Server.
- In the properties window of the iOS MDM Server, select the Certificates section.
- In the Certificates section, in the Apple Push Notification certificate group of settings click the Renew button.
The APNs Certificate Renewal Wizard starts, and the Renew APNs certificate window opens.
- Create a Certificate Signing Request (hereinafter referred to as CSR). To do this, perform the following actions:
- Click the Create CSR button.
- In the Create CSR window that opens, specify a name for your request, the names of your company and department, your city, region, and country.
- Click the Save button and specify a name for the file to which your CSR will be saved.
The private key of the certificate is saved in the device memory.
- Use your CompanyAccount to send the file with the CSR you have created to Kaspersky to be signed.
Signing of your CSR will only be available after you upload to CompanyAccount portal a key that allows using Mobile Device Management.
After your online request is processed, you will receive a CSR file signed by Kaspersky.
- Send the signed CSR file to the Apple Inc. website, using an Apple ID of your choice.
We recommend that you avoid using a personal Apple ID. Create a dedicated Apple ID to make it your corporate ID. After you have created an Apple ID, link it with the organization's mailbox, not a mailbox of an employee.
After your CSR is processed in Apple Inc., you will receive the public key of the APNs certificate. Save the file on disk.
- Request the public key of the certificate. To do this, perform the following actions:
- Proceed to the Apple Push Certificates portal. To log in to the portal, use the Apple ID that was used when the certificate was initially requested.
- In the list of certificates, select the certificate whose APSP name (in "APSP: <number>" format) matches the APSP name of the certificate used by iOS MDM Server and click the Renew button.
The APNs certificate is renewed.
- Save the certificate created on the portal.
- Export the APNs certificate together with the private key created when generating the CSR, in PFX file format. To do this, perform the following actions:
- In the Renew APNs certificate window, click the Complete CSR button.
- In the Open window, choose a file with the public key of the certificate, received from Apple Inc. as the result of CSR processing, and click the Open button.
The certificate export process will start.
- In the next window, enter the private key password and click OK.
This password will be used for the APNs certificate installation on the iOS MDM Server.
- In the Renew APNs certificate window that opens, specify a file name for APNs certificate, choose a folder, and click Save.
The private and public keys of the certificate are combined, and the APNs certificate is saved in PFX format.
Configuring a reserve iOS MDM Server certificate
The iOS MDM Server functionality enables you to issue a reserve certificate. This certificate is intended for use in iOS MDM profiles, to ensure seamless switching of managed iOS devices after the iOS MDM Server certificate expires.
If your iOS MDM Server uses a default certificate issued by Kaspersky, you can issue a reserve certificate (or specify your own custom certificate as reserve) before the iOS MDM Server certificate expires. By default, the reserve certificate is automatically issued 60 days before the iOS MDM Server certificate expiration. The reserve iOS MDM Server certificate becomes the main certificate immediately after the iOS MDM Server certificate expiration. The public key is distributed to all managed devices through configuration profiles, so you do not have to transmit it manually.
To issue an iOS MDM Server reserve certificate or specify a custom reserve certificate:
- In the console tree, in the Mobile Device Management folder, select the Mobile Device Servers subfolder.
- In the list of Mobile Device Servers, select the relevant iOS MDM Server, and on the right pane, click the Configure iOS MDM Server button.
- In the iOS MDM Server settings window that opens, select the Certificates section.
- In the Reserve certificate block of settings, do one of the following:
- If you plan to continue using a self-signed certificate (that is, the one issued by Kaspersky):
- Click the Issue button.
- In the Activation date window that opens, select one of the two options for the date when the reserve certificate must be applied:
- If you want to apply the reserve certificate at the time of expiration of the current certificate, select the When current certificate expires option.
- If you want to apply the reserve certificate before the current certificate expires, select the After specified period (days) option. In the entry field next to this option, specify the duration of the period after which the reserve certificate must replace the current certificate.
The validity period of the reserve certificate that you specify cannot exceed the validity term of the current iOS MDM Server certificate.
- Click the OK button.
The reserve iOS MDM Server certificate is issued.
- If you plan to use a custom certificate issued by your certification authority:
- Click the Add button.
- In the File Explorer window that opens, specify a certificate file in the PEM, PFX, or P12 format, which is stored on your device, and then click the Open button.
Your custom certificate is specified as the reserve iOS MDM Server certificate.
You have a reserve iOS MDM Server certificate specified. The details of the reserve certificate are displayed in the Reserve certificate block of settings (certificate name, issuer name, expiration date, and the date the reserve certificate must be applied, if any).
Installing an APNs certificate on an iOS MDM Server
After you receive the APNs certificate, you must install it on the iOS MDM Server.
To install the APNs certificate on the iOS MDM Server:
- In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.
- In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
- In the context menu of the iOS MDM Server, select Properties.
This opens the properties window of the iOS MDM Server.
- In the properties window of the iOS MDM Server, select the Certificates section.
- In the Certificates section, in the Apple Push Notification certificate group of settings, click the Install button.
- Select the PFX file that contains the APNs certificate.
- Enter the password of the private key specified when exporting the APNs certificate.
The APNs certificate will be installed on the iOS MDM Server. The certificate details will be displayed in the properties window of the iOS MDM Server, in the Certificates section.
Configuring access to Apple Push Notification service
To ensure proper functioning of the iOS MDM web service and timely responses of mobile devices to the administrator's commands, you need to specify an Apple Push Notification Service certificate (hereinafter referred to as APNs certificate) in the iOS MDM Server settings.
To interact with Apple Push Notification service (hereinafter referred to as APNs), the iOS MDM web service connects to the external address api.push.apple.com through port 2197 (outbound). Therefore, the iOS MDM web service requires outbound access to TCP port 2197 for the address range 17.0.0.0/8. On the iOS device side, outbound access to TCP port 5223 for the address range 17.0.0.0/8 is required.
If you intend to access APNs from the iOS MDM web service side through a proxy server, you must perform the following actions on the device with the iOS MDM web service installed:
- Add the following strings to the registry:
- For 32-bit operating systems:
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset
"ApnProxyHost"="<Proxy Host Name>"
"ApnProxyPort"="<Proxy Port>"
"ApnProxyLogin"="<Proxy Login>"
"ApnProxyPwd"="<Proxy Password>"
- For 64-bit operating systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset
"ApnProxyHost"="<Proxy Host Name>"
"ApnProxyPort"="<Proxy Port>"
"ApnProxyLogin"="<Proxy Login>"
"ApnProxyPwd"="<Proxy Password>"
- Restart the iOS MDM web service.
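The registry procedure above, as an added PowerShell example (not a script shipped with Kaspersky Security Center): it writes the four proxy values into the KLIOSMDM connector key, picking the 32-bit or Wow6432Node path by OS bitness, reads them back, and restarts the web service. The service name is not given on this page, so it is a placeholder you must replace.

```powershell
# Added example, not a script shipped with Kaspersky Security Center: writes the
# APNs proxy values from the procedure above into the KLIOSMDM connector key and
# restarts the iOS MDM web service. Run from an elevated 64-bit PowerShell session
# on the host where the iOS MDM web service is installed.
param(
    [Parameter(Mandatory)] [string] $ProxyHost,
    [Parameter(Mandatory)] [int]    $ProxyPort,
    [string] $ProxyLogin = '',
    # ASSUMPTION: the service name is not given on the page; replace the placeholder
    # with the real service name (Get-Service lists it) or restart the service manually.
    [string] $IosMdmServiceName = '<iOS MDM web service>'
)

# Key path differs by OS bitness (Wow6432Node on 64-bit systems), as documented above.
$keyPath = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset'
} else {
    'HKLM:\SOFTWARE\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset'
}

# Prompt for the proxy password so it never lands in the shell history.
$securePwd = Read-Host -Prompt 'Proxy password' -AsSecureString
$plainPwd  = (New-Object System.Net.NetworkCredential('', $securePwd)).Password

if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# All four values are REG_SZ strings, matching the quoted "Name"="Value" lines above.
$values = [ordered]@{
    ApnProxyHost  = $ProxyHost
    ApnProxyPort  = [string]$ProxyPort
    ApnProxyLogin = $ProxyLogin
    ApnProxyPwd   = $plainPwd
}
foreach ($name in $values.Keys) {
    New-ItemProperty -Path $keyPath -Name $name -Value $values[$name] `
        -PropertyType String -Force | Out-Null
}

# Read back everything except the password to confirm the write.
Get-ItemProperty -Path $keyPath | Select-Object ApnProxyHost, ApnProxyPort, ApnProxyLogin

# The connector only picks up the new values after the web service restarts.
if ($IosMdmServiceName -notlike '<*>') {
    Restart-Service -Name $IosMdmServiceName
} else {
    Write-Warning 'Restart the iOS MDM web service manually (service name placeholder not replaced).'
}
```

Because ApnProxyPwd is stored as a plain REG_SZ value, use a dedicated proxy account with no other privileges and keep the key readable only by administrators and the service account.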
Issuing and installing a shared certificate on a mobile device
To issue a shared certificate to a user:
- In the console tree, in the User accounts folder, select a user account.
- In the context menu of the user account, select Install certificate.
The Certificate Installation Wizard starts. Follow the instructions of the Wizard.
When the Wizard finishes, a certificate will be created and added to the list of the user's certificates.
The issued certificate will be downloaded by the user, along with the installation package that contains the iOS MDM profile.
After the mobile device is connected to the iOS MDM Server, the iOS MDM profile settings will be applied on the user's device. The administrator will be able to manage the device after connection.
The user's mobile device connected to the iOS MDM Server is displayed in the Mobile Devices subfolder within the Mobile Device Management folder in the console tree.
Adding a KES device to the list of managed devices
To add the KES device of a user to the list of managed devices using a link to Google Play:
- In the console tree, select the User accounts folder.
By default, the User accounts folder is a subfolder of the Advanced folder.
- Select the account of the user whose mobile device you want to add to the list of managed devices.
- In the context menu of the user account, select Add mobile device.
The New Mobile Device Connection Wizard starts. In the Certificate source window of the Wizard, you have to specify the method for creating the shared certificate that Administration Server will use to identify the mobile device. You can specify a shared certificate in one of the following ways:
- Create a shared certificate automatically, by means of Administration Server tools, and then deliver the certificate to the device.
- Specify a shared certificate file.
- In the Device type window of the Wizard, select Link to Google Play.
- In the User notification method window of the Wizard, define the settings for notification of the mobile device user of certificate creation (with an SMS message, by email, or by displaying the information when the Wizard has finished).
- In the certificate info window of the Wizard, click the Finish button to close the Wizard.
After the Wizard finishes its activities, a link and a QR code will be sent to the mobile device of the user, allowing the user to download Kaspersky Endpoint Security from Google Play. The user proceeds to Google Play by using the link or by scanning the QR code. After this, the operating system of the device prompts the user to accept Kaspersky Endpoint Security for Android installation. After Kaspersky Endpoint Security for Android is downloaded and installed, the mobile device connects to the Administration Server and downloads a shared certificate. After the certificate is installed on the mobile device, the device is displayed in the Mobile devices folder, which is a subfolder of the Mobile Device Management folder in the console tree.
If Kaspersky Endpoint Security for Android has already been installed on the device, the user has to receive the Administration Server connection settings from the administrator and then enter them independently. After the connection settings are defined, the mobile device connects to the Administration Server. The administrator issues a shared certificate for the device and sends the user an email message or an SMS message with a login and password for the certificate download. The user downloads and installs the shared certificate. After the certificate is installed on the mobile device, the device is displayed in the Mobile devices folder, which is a subfolder of the Mobile Device Management folder in the console tree. In this case, Kaspersky Endpoint Security for Android will not be downloaded and installed again.
Connecting KES devices to the Administration Server
Depending on the method used for connection of devices to the Administration Server, two deployment schemes are possible for Kaspersky Device Management for iOS for KES devices:
- Scheme of deployment with direct connection of devices to the Administration Server
- Scheme of deployment involving Forefront Threat Management Gateway (TMG)
Direct connection of devices to the Administration Server
KES devices can connect directly to port 13292 of the Administration Server.
Depending on the method used for authentication, two options are possible for connection of KES devices to the Administration Server:
- Connecting devices with a user certificate
- Connecting devices without a user certificate
Connecting a device with a user certificate
When connecting a device with a user certificate, that device is associated with the user account to which the corresponding certificate has been assigned through Administration Server tools.
In this case, two-way SSL authentication (mutual authentication) will be used. Both the Administration Server and the device will be authenticated with certificates.
Connecting a device without a user certificate
When connecting a device without a user certificate, that device is associated with none of the user's accounts on the Administration Server. However, when the device receives any certificate, the device will be associated with the user to which the corresponding certificate has been assigned through Administration Server tools.
When connecting such a device to the Administration Server, one-way SSL authentication is applied: only the Administration Server is authenticated with a certificate. After the device retrieves the user certificate, the authentication type changes to two-way SSL authentication (mutual authentication).
Scheme for connecting KES devices to the Server involving Kerberos constrained delegation (KCD)
The scheme for connecting KES devices to the Administration Server involving Kerberos constrained delegation (KCD) provides for the following:
- Integration with Microsoft Forefront TMG.
- Use of Kerberos Constrained Delegation (hereinafter referred to as KCD) for authentication of mobile devices.
- Integration with Public Key Infrastructure (hereinafter referred to as PKI) for applying user certificates.
When using this connection scheme, please note the following:
- The type of connection of KES devices to TMG must be "two-way SSL authentication", that is, a device must connect to TMG with its own user certificate. To do this, you need to integrate the user certificate into the installation package of Kaspersky Endpoint Security for Android that has been installed on the device. This KES package must be created by the Administration Server specifically for this device (user).
- You must specify the special (customized) certificate instead of the default server certificate for the mobile protocol:
- In the Administration Server properties window, in the Settings section, select the Open port for mobile devices check box and select Add certificate in the drop-down list.
- In the window that opens, specify the same certificate that was set on TMG when the point of access to the mobile protocol was published on the Administration Server.
- User certificates for KES devices must be issued by the Certificate Authority (CA) of the domain. Keep in mind that if the domain includes multiple root CAs, user certificates must be issued by the CA that has been set in the publication on TMG.
You can make sure the user certificate is in compliance with the above-described requirement, using one of the following methods:
- Specify the special user certificate in the New Installation Package Wizard and in the Certificate Installation Wizard.
- Integrate the Administration Server with the domain's PKI and define the corresponding setting in the rules for issuance of certificates:
- In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
- In the workspace of the Certificates folder, click the Configure certificate issuance rules button to open the Certificate issuance rules window.
- In the Integration with PKI section, configure integration with the Public Key Infrastructure.
- In the Issuance of mobile certificates section, specify the source of certificates.
Below is an example of setup of Kerberos Constrained Delegation (KCD) with the following assumptions:
- Point of access to the mobile protocol on the Administration Server is set up on port 13292.
- The name of the device with TMG is tmg.mydom.local.
- The name of the device with Administration Server is ksc.mydom.local.
- Name of the external publishing of the point of access to the mobile protocol is kes4mob.mydom.global.
Domain account for Administration Server
You must create a domain account (for example, KSCMobileSrvcUsr) under which the Administration Server service will run. You can specify an account for the Administration Server service when installing the Administration Server or through the klsrvswch utility. The klsrvswch utility is located in the installation folder of Administration Server.
A domain account must be specified for the following reasons:
- The feature for management of KES devices is an integral part of Administration Server.
- To ensure proper functioning of Kerberos Constrained Delegation (KCD), the receiving side (i.e., the Administration Server) must run under a domain account.
Service Principal Name for http/kes4mob.mydom.local
In the domain, under the KSCMobileSrvcUsr account, add an SPN for publishing the mobile protocol service on port 13292 of the device with Administration Server. For the kes4mob.mydom.local device with Administration Server, this will appear as follows:
setspn -a http/kes4mob.mydom.local:13292 mydom\KSCMobileSrvcUsr
Configuring the domain properties of the device with TMG (tmg.mydom.local)
To delegate traffic, you must trust the device with TMG (tmg.mydom.local) to the service defined by the SPN (http/kes4mob.mydom.local:13292).
To trust the device with TMG to the service defined by the SPN (http/kes4mob.mydom.local:13292), the administrator must perform the following actions:
- In the Microsoft Management Console snap-in named "Active Directory Users and Computers", select the device with TMG installed (tmg.mydom.local).
- In the device properties, on the Delegation tab, select the Trust this computer for delegation to specified services only option, and then select Use any authentication protocol.
- In the Services to which this account can present delegated credentials list, add the SPN http/kes4mob.mydom.local:13292.
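The SPN registration and the delegation settings from the two procedures above, as an added PowerShell example that is not part of the Kaspersky documentation. It uses the ActiveDirectory module in place of setspn and the Active Directory Users and Computers snap-in, with the scenario's assumed names (KSCMobileSrvcUsr, tmg.mydom.local, http/kes4mob.mydom.local:13292), and checks for a duplicate SPN before registering it.

```powershell
# Added example, not part of the Kaspersky documentation: performs the SPN
# registration and the delegation settings described above with the
# ActiveDirectory module instead of setspn and the AD Users and Computers snap-in.
# Names follow the scenario assumptions (tmg.mydom.local, kes4mob.mydom.local,
# KSCMobileSrvcUsr). Requires RSAT and rights to edit both accounts.
Import-Module ActiveDirectory

$serviceAccount = 'KSCMobileSrvcUsr'                # account the Administration Server service runs under
$tmgComputer    = 'tmg'                             # computer account of tmg.mydom.local
$spn            = 'http/kes4mob.mydom.local:13292'  # service published on port 13292

# 1. Register the SPN on the service account (same effect as "setspn -a ... mydom\KSCMobileSrvcUsr").
#    An SPN must be unique in the forest: a duplicate silently breaks Kerberos for both accounts.
$existing = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
if ($existing -and $existing.Name -ne $serviceAccount) {
    throw "SPN $spn is already registered on $($existing.DistinguishedName)"
}
Set-ADUser -Identity $serviceAccount -ServicePrincipalNames @{ Add = $spn }

# 2. Constrained delegation on the TMG computer account:
#    "Trust this computer for delegation to specified services only" -> msDS-AllowedToDelegateTo
#    "Use any authentication protocol" -> TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition),
#    needed because the devices authenticate to TMG with certificates, not with Kerberos.
Set-ADComputer -Identity $tmgComputer -Add @{ 'msDS-AllowedToDelegateTo' = $spn }
Get-ADComputer -Identity $tmgComputer | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 3. Verify: the delegation list should contain exactly this SPN and nothing wider.
Get-ADComputer -Identity $tmgComputer -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation' |
    Select-Object Name, TrustedToAuthForDelegation,
                  @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
Get-ADUser -Identity $serviceAccount -Properties servicePrincipalName |
    Select-Object Name, @{ n = 'SPNs'; e = { $_.servicePrincipalName -join '; ' } }
```

Protocol transition lets the TMG computer account obtain service tickets for any domain user to the listed SPN without that user's credentials, so keep msDS-AllowedToDelegateTo limited to this one SPN, audit changes to it, and treat the TMG host as a tier-0 asset.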
Special (customized) certificate for the publishing (kes4mob.mydom.global)
To publish the mobile protocol of Administration Server, you must issue a special (customized) certificate for the FQDN kes4mob.mydom.global and specify it instead of the default server certificate in the settings of the mobile protocol of Administration Server in Administration Console. To do this, in the properties window of the Administration Server, in the Settings section select the Open port for mobile devices check box and then select Add certificate in the drop-down list.
Please note that the server certificate container (file with the p12 or pfx extension) must also contain a chain of root certificates (public keys).
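An added PowerShell check, not part of the Kaspersky documentation, that covers two certificate containers from this section: the APNs certificate exported in PFX format earlier (private key present, APSP name in the subject, not close to expiry) and the customized server certificate for kes4mob.mydom.global (issuing chain present in the container, name matches the FQDN). Get-PfxData comes from the Windows PKI module; the file paths are placeholders.

```powershell
# Added example, not part of the Kaspersky documentation: inspects a PFX container
# before it is installed. Serves two checks from this section: the APNs certificate
# exported above (private key present, APSP name in the subject, not about to expire)
# and the customized server certificate for kes4mob.mydom.global (issuing chain
# present, name matches the FQDN). Uses Get-PfxData (PKI module, Windows 8 / 2012+).
function Test-PfxContainer {
    param(
        [Parameter(Mandatory)] [string]       $Path,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $ExpectedDnsName,      # e.g. kes4mob.mydom.global; omit for the APNs certificate
        [int]    $MinDaysValid = 30
    )
    $pfx  = Get-PfxData -FilePath $Path -Password $Password
    $cert = $pfx.EndEntityCertificates | Select-Object -First 1
    if (-not $cert) { throw "No end-entity certificate found in $Path" }

    # Subject Alternative Name (OID 2.5.29.17) as text; empty string if the extension is absent.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }

    $result = [ordered]@{
        Path           = $Path
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        DaysRemaining  = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        HasPrivateKey  = $cert.HasPrivateKey
        ChainCerts     = @($pfx.OtherCertificates).Count      # issuing/root certificates in the container
        ApspName       = if ($cert.Subject -match 'APSP:\s*([^,]+)') { $Matches[1].Trim() } else { $null }
        DnsNameMatches = $null
    }
    if ($ExpectedDnsName) {
        $escaped = [regex]::Escape($ExpectedDnsName)
        $result.DnsNameMatches = ($san -match $escaped) -or ($cert.Subject -match ('CN=' + $escaped + '(,|$)'))
    }

    # Hard failure: without the private key neither the APNs nor the server certificate can be used.
    if (-not $cert.HasPrivateKey) { throw "$Path contains no private key; export it together with the key" }
    if ($result.DaysRemaining -lt $MinDaysValid) {
        Write-Warning "$Path expires in $($result.DaysRemaining) days; plan the renewal now"
    }
    if ($ExpectedDnsName -and $result.ChainCerts -eq 0) {
        Write-Warning "$Path carries no issuing certificates; the server certificate container must include the chain"
    }
    if ($ExpectedDnsName -and -not $result.DnsNameMatches) {
        Write-Warning "$Path is not issued for $ExpectedDnsName"
    }
    [pscustomobject]$result
}

# Usage (file paths are placeholders):
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Test-PfxContainer -Path 'C:\certs\apns.pfx'    -Password $pfxPassword
Test-PfxContainer -Path 'C:\certs\kes4mob.pfx' -Password $pfxPassword -ExpectedDnsName 'kes4mob.mydom.global'
```

For the APNs file, ApspName is the value to compare against the APSP name shown for the iOS MDM Server before renewing; for the server certificate, a ChainCerts value of 0 means the p12/pfx was exported without the chain of root certificates required above.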
Configuring publication on TMG
On TMG, for traffic that goes from the mobile device side to port 13292 of kes4mob.mydom.global, you have to configure KCD on the SPN (http/kes4mob.mydom.local:13292), using the server certificate issued for the FQDN kes4mob.mydom.global. Please note that the publishing rule and the published access point (port 13292 of the Administration Server) must share the same server certificate.
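A way to verify the "same server certificate" requirement after publishing, as an added PowerShell example that is not part of the Kaspersky documentation: it performs a one-way TLS handshake against the published name (through TMG) and against the Administration Server directly on port 13292, and compares the certificates presented. Host names and the port follow the scenario assumptions above.

```powershell
# Added example, not part of the Kaspersky documentation: reads the server
# certificate presented on the mobile protocol port and compares the published
# endpoint (through TMG) with the Administration Server itself; the scenario
# above requires both to present the same certificate for kes4mob.mydom.global.
# Host names and port 13292 follow the scenario assumptions.
function Get-RemoteServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int]    $Port    = 13292,
        [string] $SniName = $HostName      # name sent in TLS SNI
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate in the callback: this function only reads it; the
        # comparison (thumbprint, expiry) is done by the caller below.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($SniName)   # one-way TLS: no client certificate is sent
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                             -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{
            Endpoint   = "${HostName}:$Port"
            Subject    = $remote.Subject
            Issuer     = $remote.Issuer
            Thumbprint = $remote.Thumbprint
            NotAfter   = $remote.NotAfter
            Protocol   = $ssl.SslProtocol
        }
    } finally {
        $client.Dispose()
    }
}

$published = Get-RemoteServerCertificate -HostName 'kes4mob.mydom.global'
$direct    = Get-RemoteServerCertificate -HostName 'ksc.mydom.local' -SniName 'kes4mob.mydom.global'
$published, $direct | Format-Table Endpoint, Subject, Thumbprint, NotAfter, Protocol -AutoSize

if ($published.Thumbprint -ne $direct.Thumbprint) {
    Write-Warning 'TMG publication and Administration Server port 13292 present different certificates; KCD publishing requires the same server certificate on both.'
}
if ($direct.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "The mobile protocol certificate expires on $($direct.NotAfter); renew it on both TMG and the Administration Server."
}
```

Run it from a host that can reach both names; a thumbprint mismatch usually means the default server certificate is still selected under Open port for mobile devices, or TMG was given a different copy of the certificate.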
Using Google Firebase Cloud Messaging
To ensure timely responses of KES devices on Android to the administrator's commands, you must enable the use of Google Firebase Cloud Messaging (hereinafter referred to as FCM) in the Administration Server properties.
To enable the use of FCM:
- In Administration Console, select the Mobile Device Management node, and the Mobile devices folder.
- In the context menu of the Mobile devices folder, select Properties.
- In the folder properties, select the Google Firebase Cloud Messaging settings section.
- In the Sender ID and Server key fields, specify the FCM settings: SENDER_ID and API Key.
FCM service runs in the following address ranges:
- From the KES device's side, access is required to ports 443 (HTTPS), 5228 (HTTPS), 5229 (HTTPS), and 5230 (HTTPS) of the following addresses:
- google.com
- fcm.googleapis.com
- android.apis.google.com
- All IP addresses in Google's ASN 15169
- From the Administration Server side, access is required to port 443 (HTTPS) of the following addresses:
- fcm.googleapis.com
- All IP addresses in Google's ASN 15169
If the proxy server settings (Advanced / Configuring Internet access) have been specified in the Administration Server properties in Administration Console, they will be used for interaction with FCM.
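An added PowerShell check, not part of the Kaspersky documentation, for the server-side outbound requirements stated in this section: APNs (TCP 2197 to api.push.apple.com within 17.0.0.0/8, tested from the iOS MDM web service host) and FCM (TCP 443 to fcm.googleapis.com, tested from the Administration Server). It resolves each name, checks the APNs addresses against 17.0.0.0/8 and attempts a TCP connect; membership in ASN 15169 is not verified, and the device-side ports cannot be tested from a server.

```powershell
# Added example, not part of the Kaspersky documentation: checks the server-side
# outbound requirements listed above. Run it on the iOS MDM web service host for
# the APNs line and on the Administration Server for the FCM line. Only DNS
# resolution, the 17.0.0.0/8 membership check for APNs and a TCP connect are
# tested; membership in Google's ASN 15169 is not verified here, and the KES
# device-side ports (TCP 5223, 443, 5228-5230) cannot be tested from a server.
$checks = @(
    @{ Role = 'iOS MDM web service';   Host = 'api.push.apple.com'; Port = 2197; Range = '17.0.0.0/8' },
    @{ Role = 'Administration Server'; Host = 'fcm.googleapis.com'; Port = 443 }
)

function ConvertTo-IPv4Int {
    param([Parameter(Mandatory)] [ipaddress] $Ip)
    $b = $Ip.GetAddressBytes()   # octets in network byte order
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-IPv4InRange {
    param([Parameter(Mandatory)] [ipaddress] $Ip, [Parameter(Mandatory)] [string] $Cidr)
    $network, $prefix = $Cidr -split '/'
    # Mask computed as int64 so no signed 32-bit overflow occurs (e.g. /8 -> 0xFF000000).
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    ((ConvertTo-IPv4Int $Ip) -band $mask) -eq ((ConvertTo-IPv4Int ([ipaddress]$network)) -band $mask)
}

foreach ($c in $checks) {
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($c.Host) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    } catch {
        Write-Warning "$($c.Role): DNS resolution of $($c.Host) failed: $($_.Exception.Message)"
        continue
    }
    foreach ($ip in $addresses) {
        $inRange = if ($c.Range) { Test-IPv4InRange -Ip $ip -Cidr $c.Range } else { 'n/a' }
        $tcp = Test-NetConnection -ComputerName $ip.IPAddressToString -Port $c.Port `
                                  -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role            = $c.Role
            Host            = $c.Host
            Address         = $ip.IPAddressToString
            Port            = $c.Port
            InExpectedRange = $inRange
            TcpOpen         = $tcp.TcpTestSucceeded
        }
    }
}
```

The TCP test connects directly, so on an Administration Server that reaches FCM through the proxy configured under Advanced / Configuring Internet access a TcpOpen value of False does not by itself mean the FCM path is broken; the APNs line, by contrast, should show every resolved address inside 17.0.0.0/8 with the port open.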
Configuring FCM: retrieving SENDER_ID and API Key
To configure FCM, the administrator must perform the following actions:
- Register on Google portal.
- Go to Developers portal.
- Create a new project by clicking the Create Project button, specify the project's name, and specify the ID.
- Wait for the project to be created.
On the first page of the project, in the upper part of the page, the Project Number field shows the relevant SENDER_ID.
- Go to the APIs & auth / APIs section and enable Google Firebase Cloud Messaging for Android.
- Go to the APIs & auth / Credentials section and click the Create New Key button.
- Click the Server key button.
- Impose restrictions (if any), click the Create button.
- Retrieve the API Key from the properties of the newly created key (Server key field).
Integration with Public Key Infrastructure
Integration with Public Key Infrastructure (hereinafter referred to as PKI) is primarily intended for simplifying the issuance of domain user certificates by Administration Server.
The administrator can assign a domain certificate for a user in Administration Console. This can be done using one of the following methods:
- Assign the user a special (customized) certificate from a file in the New Device Connection Wizard or in the Certificate Installation Wizard.
- Perform integration with PKI and assign PKI to act as the source of certificates for a specific type of certificates or for all types of certificates.
The settings of integration with PKI are available in the workspace of the Mobile Device Management / Certificates folder by clicking the Integrate with public key infrastructure link.
General principle of integration with PKI for issuance of domain user certificates
In Administration Console, click the Integrate with public key infrastructure link in the workspace of the Mobile Device Management / Certificates folder to specify a domain account that will be used by Administration Server to issue domain user certificates through the domain's CA (hereinafter referred to as the account under which integration with PKI is performed).
Please note the following:
- The settings of integration with PKI provide you the possibility to specify the default template for all types of certificates. Note that the rules for issuance of certificates (available in the workspace of the Mobile Device Management / Certificates folder by clicking the Configure certificate issuance rules button) allow you to specify an individual template for every type of certificates.
- A special Enrollment Agent (EA) certificate must be installed on the device with Administration Server, in the certificates repository of the account under which integration with PKI is performed. The Enrollment Agent (EA) certificate is issued by the administrator of the domain's CA (Certificate Authority).
The account under which integration with PKI is performed must meet the following criteria:
- It is a domain user.
- It is a local administrator of the device with Administration Server from which integration with PKI is initiated.
- It has the right to Log On As Service.
- It has logged on at least once to the device with Administration Server installed, so that a permanent user profile has been created.
Kaspersky Security Center Web Server
Kaspersky Security Center Web Server (hereinafter referred to as Web Server) is a component of Kaspersky Security Center. Web Server is designed for publishing stand-alone installation packages, stand-alone installation packages for mobile devices, iOS MDM profiles, and files from the shared folder.
The iOS MDM profiles and installation packages that have been created are published on Web Server automatically and then removed after the first download. The administrator can send the new link to the user in any convenient way, such as by email.
By clicking the link, the user can download the required information to a mobile device.
Web Server settings
If you need to fine-tune Web Server, the Web Server properties in Administration Console let you change the ports for HTTP (8060) and HTTPS (8061). In addition to changing ports, you can replace the server certificate for HTTPS and change the FQDN of Web Server for HTTP.