Kaspersky Security Center 13.1

Mobile Device Management

Mobile device protection is managed through Kaspersky Security Center by using the Mobile Device Management feature, which requires a dedicated license. If you intend to manage mobile devices owned by employees in your organization, you must enable Mobile Device Management.

This section provides instructions for enabling, configuring and disabling Mobile Device Management. This section also describes how to manage mobile devices connected to Administration Server.

For details about Kaspersky Security for Mobile, see Kaspersky Security for Mobile Help.

In this section

Scenario: Mobile Device Management deployment

About group policy for managing EAS and iOS MDM devices

Enabling Mobile Device Management

Modifying the Mobile Device Management settings

Disabling Mobile Device Management

Working with commands for mobile devices

Working with certificates of mobile devices

Adding iOS mobile devices to the list of managed devices

Adding Android mobile devices to the list of managed devices

Managing Exchange ActiveSync mobile devices

Managing iOS MDM devices

Managing KES devices

See also:

Scenario: Installation and initial setup of Kaspersky Security Center 13.1 Web Console

[Topic 64778]

Scenario: Mobile Device Management deployment

This section provides a scenario for configuring the Mobile Device Management feature in Kaspersky Security Center.

Prerequisites

Make sure that you have a license that grants access to the Mobile Device Management feature.

Stages

Deployment of the Mobile Device Management feature proceeds in stages:

  1. Preparing the ports

    Make sure that port 13292 is available on the Administration Server. This port is required for connecting mobile devices. Also, you may want to make port 17100 available. This port is only required for the activation proxy server for managed mobile devices; if managed mobile devices have internet access, you do not have to make this port available.

  2. Enabling Mobile Device Management

    You can enable Mobile Device Management when you are running the Administration Server Quick Start Wizard or later.

  3. Specifying the external address of the Administration Server

    You can specify the external address when you run the Administration Server Quick Start Wizard or later. If you did not select Mobile Device Management for installation and did not specify the address in the installation wizard, specify the external address in the installation package properties.

  4. Adding mobile devices to the Managed devices group

    Add the mobile devices to the Managed devices group so that you can manage these devices through policies. You can create a moving rule in one of the steps of the Administration Server Quick Start Wizard. You can also create the moving rule later. If you do not create such a rule, you can add mobile devices to the Managed devices group manually.

    You can add mobile devices to the Managed devices group directly, or you can create a subgroup (or multiple subgroups) for them.

    At any time afterward, you can connect any new mobile device to the Administration Server using the New Mobile Device Connection Wizard.

  5. Creating a policy for mobile devices

    To manage mobile devices, create a policy (or multiple policies) for them in the group where these devices belong. You can change the settings of this policy at any time afterward.

Results

Upon completion of the scenario, you can manage Android and iOS devices using Kaspersky Security Center. You can work with certificates of mobile devices and send commands to mobile devices.

[Topic 179492]

About group policy for managing EAS and iOS MDM devices

To manage iOS MDM and EAS devices, you can use the Kaspersky Device Management for iOS management plug-in, which is included in the Kaspersky Security Center distribution kit. Kaspersky Device Management for iOS allows you to create group policies for specifying the configuration settings of iOS MDM and EAS devices without using iPhone Configuration Utility and the management profile of Exchange ActiveSync.

A group policy for managing EAS and iOS MDM devices provides the administrator with the following options:

  • For managing EAS devices:
    • Configuring the device-unlocking password.
    • Configuring data storage on the device in encrypted form.
    • Configuring synchronization of corporate mail.
    • Configuring the hardware features of mobile devices, such as the use of removable drives, the camera, or Bluetooth.
    • Configuring restrictions on use of mobile applications on the device.
  • For managing iOS MDM devices:
    • Configuring device password security settings.
    • Configuring restrictions on usage of hardware features of the device and restrictions on installation and removal of mobile apps.
    • Configuring restrictions on the use of pre-installed mobile apps, such as YouTube, iTunes Store, or Safari.
    • Configuring restrictions on media content (such as movies and TV shows), depending on the region where the device is located.
    • Configuring device connection to the internet through the proxy server (Global HTTP proxy).
    • Configuring the account with which the user can access corporate applications and services (Single Sign-On (SSO) technology).
    • Monitoring internet usage (visits to websites) on mobile devices.
    • Configuring wireless networks (Wi-Fi), access points (APNs), and virtual private networks (VPNs) that use different authentication mechanisms and network protocols.
    • Configuring settings of the connection to AirPlay devices for streaming photos, music, and videos.
    • Configuring settings of the connection to AirPrint printers for wireless printing of documents from the device.
    • Configuring synchronization with the Microsoft Exchange server and user accounts for using corporate email on devices.
    • Configuring user credentials for synchronization with the LDAP directory service.
    • Configuring user credentials for connecting to CalDAV and CardDAV services that give users access to corporate calendars and contact lists.
    • Configuring settings of the iOS interface, such as fonts or icons for favorite websites, on the user's device.
    • Adding new security certificates on devices.
    • Configuring the Simple Certificate Enrollment Protocol (SCEP) server for automatic retrieval of certificates by the device from the Certification Authority.
    • Adding custom settings for working with mobile apps.

A policy for managing EAS and iOS MDM devices is special in that it is assigned to an administration group that includes iOS MDM Server and Exchange ActiveSync Mobile Devices Server (referred to collectively as "Mobile Device Servers"). All settings specified in this policy are first applied to Mobile Device Servers and then to mobile devices managed by such servers. In the case of a hierarchical structure of administration groups, secondary Mobile Device Servers receive the policy settings from primary Mobile Device Servers and distribute them to mobile devices.

For more details on how to use the group policy for managing EAS and iOS MDM devices in Kaspersky Security Center Administration Console, please refer to the Kaspersky Security for Mobile documentation.

See also:

Scenario: Mobile Device Management deployment

[Topic 89392]

Enabling Mobile Device Management


To manage mobile devices, you must enable Mobile Device Management. If you did not enable this feature in the Quick Start Wizard, you can enable it later. Mobile Device Management requires a license.

Enabling Mobile Device Management is only available on the primary Administration Server.

To enable Mobile Device Management:

  1. In the console tree, select the Mobile Device Management folder.
  2. In the workspace of the folder, click the Enable Mobile Device Management button. This button is only available if you have not enabled Mobile Device Management before.

    The Additional components page of the Administration Server Quick Start Wizard is displayed.

  3. Select Enable Mobile Device Management in order to manage mobile devices.
  4. On the Select application activation method page, activate the application by using a key file or activation code.

    Management of mobile devices will not be possible until you activate the Mobile Device Management feature.

  5. On the Proxy server settings to gain access to the Internet page, select the Use proxy server check box if you want to use a proxy server when connecting to the internet. When this check box is selected, the fields become available for entering settings. Specify the settings for proxy server connection.
  6. On the Check for updates for plug-ins and installation packages page, select one of the following options:
    • Check whether plug-ins and installation packages are up to date

      Starting the check of up-to-date status. If the check detects outdated versions of some plug-ins or installation packages, the Wizard prompts you to download up-to-date versions to replace the outdated ones.

    • Skip check

      Continuing work without checking whether plug-ins and installation packages are up-to-date. You can select this option if, for example, you have no internet access or if you want to proceed with the outdated version of the application for some reason.

      Skipping the check of updates for plug-ins may result in improper functioning of the application.

  7. On the Latest plug-in versions available page, download and install the latest versions of plug-ins in the language that your application version requires. Updating the plug-ins does not require a license.

    After you install the plug-ins and packages, the application checks whether all plug-ins required for proper functioning of mobile devices have been installed. If outdated versions of some plug-ins are detected, the Wizard prompts you to download up-to-date versions to replace the outdated ones.

  8. On the Mobile device connection settings page, set up the Administration Server ports.

When the Wizard completes, the following changes will be made:

  • The Kaspersky Endpoint Security for Android policy will be created.
  • The Kaspersky Device Management for iOS policy will be created.
  • Ports will be opened on the Administration Server for mobile devices.

See also:

Scenario: Mobile Device Management deployment

[Topic 148239]

Modifying the Mobile Device Management settings


To enable support of mobile devices:

  1. In the console tree, select the Mobile Device Management folder.
  2. In the workspace of the folder, click the Connection ports for mobile devices link.

    The Additional ports section of the Administration Server properties window is displayed.

  3. In the Additional ports section, modify the relevant settings:
    • SSL port for the activation proxy server

      The number of an SSL port for connection of Kaspersky Endpoint Security for Windows to activation servers of Kaspersky.

      The default port number is 17000.

    • Open port for mobile devices

      A port opens for mobile devices to connect to the Licensing Server. You can define the port number and other settings in the fields below.

      By default, this option is enabled.

    • Port for mobile device synchronization

      Number of the port through which mobile devices connect to the Administration Server and exchange data with it. The default port number is 13292.

      You can assign a different port if port 13292 is being used for other purposes.

    • Port for mobile device activation

      The port for connection of Kaspersky Endpoint Security for Android to activation servers of Kaspersky.

      The default port number is 17100.

  4. Click OK.

See also:

Scenario: Mobile Device Management deployment

[Topic 148253]

Disabling Mobile Device Management

Disabling Mobile Device Management is only available on the primary Administration Server.

To disable Mobile Device Management:

  1. In the console tree, select the Mobile Device Management folder.
  2. In the workspace of this folder, click the Configure additional components link.

    The Additional components page of the Administration Server Quick Start Wizard is displayed.

  3. Select Do not enable Mobile Device Management if you do not want to manage mobile devices any longer.
  4. Click OK.

Previously connected mobile devices will not be able to connect to Administration Server. The port for mobile device connection and the port for mobile device activation will be closed automatically.

Policies that were created for Kaspersky Endpoint Security for Android and Kaspersky Device Management for iOS will not be deleted. The certificate issuance rules will not be modified. The plug-ins that have been installed will not be removed. The moving rule for mobile devices will not be deleted.

After you re-enable Mobile Device Management on managed mobile devices, you may have to reinstall mobile apps that are required for mobile device management.
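
The port behaviour described in these sections (ports opened when the feature is enabled, closed automatically when it is disabled) can be checked from the network side. The following Python sketch is an added example, not Kaspersky code: `audit_mdm_ports`, `tcp_probe` and the severity labels are names chosen here, the port numbers are the defaults from this page, and reporting an open but unneeded activation port as a warning is an assumption of the example.

```python
import socket
from dataclasses import dataclass

# Default port numbers stated on this page. Both can be changed in the
# Additional ports section of the Administration Server properties, so
# they are parameters of the audit rather than fixed values.
SYNC_PORT = 13292        # Port for mobile device synchronization
ACTIVATION_PORT = 17100  # Port for mobile device activation


@dataclass
class Finding:
    port: int
    role: str
    is_open: bool
    severity: str  # "ok", "warn" or "fail" (labels chosen for this example)
    note: str


def tcp_probe(host, timeout=3.0):
    """Build a probe(port) -> bool that reports whether a TCP connect succeeds."""
    def probe(port):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            return False
    return probe


def audit_mdm_ports(probe, mdm_enabled, devices_have_internet,
                    sync_port=SYNC_PORT, activation_port=ACTIVATION_PORT):
    """Compare the observed port state with the state this page describes."""
    sync_open = probe(sync_port)
    act_open = probe(activation_port)

    if not mdm_enabled:
        # After disabling the feature, both ports should be closed.
        return [
            Finding(port, role, is_open,
                    "fail" if is_open else "ok",
                    "still reachable although Mobile Device Management is disabled"
                    if is_open else "closed as expected")
            for port, role, is_open in (
                (sync_port, "synchronization", sync_open),
                (activation_port, "activation", act_open))
        ]

    findings = [Finding(sync_port, "synchronization", sync_open,
                        "ok" if sync_open else "fail",
                        "reachable" if sync_open
                        else "mobile devices cannot connect")]
    if devices_have_internet:
        # The activation port is not required in this case. Flagging an
        # open one as extra exposure is an assumption of this example.
        if act_open:
            sev, note = "warn", "open but not required when devices have internet access"
        else:
            sev, note = "ok", "closed; not required"
    elif act_open:
        sev, note = "ok", "reachable"
    else:
        sev, note = "fail", "activation proxy unreachable for devices without internet access"
    findings.append(Finding(activation_port, "activation", act_open, sev, note))
    return findings


if __name__ == "__main__":
    # 127.0.0.1 is a stand-in: replace it with the external address of the
    # Administration Server and run from a network the devices connect from.
    for f in audit_mdm_ports(tcp_probe("127.0.0.1", timeout=1.0),
                             mdm_enabled=True, devices_have_internet=True):
        print(f"{f.severity:5} port {f.port} ({f.role}): {f.note}")
```

A closed result can also mean that a firewall between the probe and the Administration Server drops the traffic, so interpret findings together with the probe's network location.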

See also:

Scenario: Mobile Device Management deployment

[Topic 148249]

Working with commands for mobile devices

This section contains information about commands for managing mobile devices supported by the application. The section provides instructions on how to send commands to mobile devices, as well as how to view the execution statuses of commands in the command log.

In this section

Commands for mobile device management

Using Google Firebase Cloud Messaging

Sending commands

Viewing the statuses of commands in the command log

See also:

Scenario: Mobile Device Management deployment

[Topic 89281]

Commands for mobile device management

Kaspersky Security Center supports commands for mobile device management.

Such commands are used for remote mobile device management. For example, if your mobile device is lost, you can delete corporate data from the device by using a command.

You can use commands for the following types of managed mobile devices:

  • iOS MDM devices
  • Kaspersky Endpoint Security (KES) devices
  • EAS devices

Each device type supports a dedicated set of commands.

Special considerations for certain commands

  • For all types of devices, if the Reset to factory settings command is successfully executed, all data is deleted from the device, and the device settings are rolled back to their factory values.
  • After successful execution of the Wipe corporate data command on an iOS MDM device, all installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected are removed from the device.
  • If the Wipe corporate data command is successfully executed on a KES device, all corporate data, entries in Contacts, the SMS history, the call log, the calendar, the internet connection settings, and the user accounts, except for the Google account, will be deleted from the device. For a KES device, all data from the memory card will also be deleted.
  • Before sending the Locate command to a KES device, you will have to confirm that you are using this command for an authorized search for a lost device that belongs to your organization or to one of your employees. When using Kaspersky Security Center Service Pack 2 Maintenance Release 1 or earlier versions, a mobile device that receives the Locate command is locked. Starting from Kaspersky Security Center 10 Service Pack 3, the device is not locked.

List of commands for mobile devices

The following table shows sets of commands for iOS MDM devices.

Supported commands for mobile device management: iOS MDM devices

| Commands | Command execution result |
|---|---|
| Lock | The mobile device is locked. |
| Unlock | Mobile device locking with a PIN is disabled. The previously specified PIN has been reset. |
| Reset to factory settings | All data is deleted from the mobile device and the settings are rolled back to their default values. |
| Wipe corporate data | All installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected are removed from the device. |
| Synchronize device | The mobile device data is synchronized with the Administration Server. |
| Install profile | The configuration profile is installed on the mobile device. |
| Remove profile | The configuration profile is deleted from the mobile device. |
| Install provisioning profile | The provisioning profile is installed on the mobile device. |
| Remove provisioning profile | The provisioning profile is deleted from the mobile device. |
| Install app | The app is installed on the mobile device. |
| Remove app | The app is removed from the mobile device. |
| Enter redemption code | Redemption code entered for a paid app. |
| Configure roaming | Data roaming and voice roaming enabled or disabled. |

The following table shows sets of commands for KES devices.

Supported commands for mobile device management: KES devices

| Command | Command execution result |
|---|---|
| Lock | The mobile device is locked. |
| Unlock | Mobile device locking with a PIN is disabled. The previously specified PIN has been reset. |
| Reset to factory settings | All data is deleted from the mobile device and the settings are rolled back to their default values. |
| Wipe corporate data | Corporate data, entries in Contacts, the SMS history, the call log, the calendar, the internet connection settings, and the user accounts (except for the Google account) have been deleted. Memory card data has been wiped. |
| Synchronize device | The mobile device data is synchronized with the Administration Server. |
| Locate device | The mobile device is located and shown on Google Maps. The mobile carrier charges a fee for sending SMS messages and for providing internet connectivity. |
| Mugshot | The mobile device is locked. The photo has been taken by the front camera of the device and saved on Administration Server. Photos can be viewed in the command log. The mobile carrier charges a fee for sending SMS messages and for providing internet connectivity. |
| Alarm | The mobile device sounds an alarm. |

The following table shows the commands for EAS devices.

Supported commands for mobile device management: EAS devices

| Commands | Command execution result |
|---|---|
| Reset to factory settings | All data is deleted from the mobile device and the settings are rolled back to their default values. |

See also:

Scenario: Mobile Device Management deployment

[Topic 90314]

Using Google Firebase Cloud Messaging

To ensure timely delivery of commands to KES devices running the Android operating system, Kaspersky Security Center uses push notifications. Push notifications are exchanged between KES devices and Administration Server through Google Firebase Cloud Messaging. In Kaspersky Security Center Administration Console, you can specify the Google Firebase Cloud Messaging settings to connect KES devices to the service.

To retrieve the settings of Google Firebase Cloud Messaging, you must have a Google account.

To configure Google Firebase Cloud Messaging:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
  2. In the context menu of the Mobile devices folder, select Properties.

    This opens the properties window of the Mobile devices folder.

  3. Select the Google Firebase Cloud Messaging settings section.
  4. In the Sender ID field, specify the number of a Google API project that you have received when creating one in the Google Developer Console.
  5. In the Server key field, enter a common server key that you have created in the Google Developer Console.

At the next synchronization with Administration Server, KES devices running the Android operating system will be connected to Google Firebase Cloud Messaging.

You can edit the Google Firebase Cloud Messaging settings by clicking the Reset settings button.

See also:

Scenario: Mobile Device Management deployment

[Topic 92205]

Sending commands

To send a command to the user's mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. Select the user's mobile device to which you need to send a command.
  3. In the context menu of the mobile device, select Show command log.
  4. In the Mobile device management commands window, proceed to the section with the name of the command that you need to send to the mobile device, then click the Send command button.

    Depending on the command that you have selected, clicking the Send command button may open the window of advanced settings of the application. For example, when you send the command for deleting a provisioning profile from a mobile device, the application prompts you to select the provisioning profile that must be deleted from the mobile device. Define the advanced settings of the command in that window and confirm your selection. After that, the command will be sent to the mobile device.

    You can click the Resend button to send the command to the user's mobile device again.

    You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  5. Click OK to close the Mobile device management commands window.

See also:

Scenario: Mobile Device Management deployment

[Topic 89282]

Viewing the statuses of commands in the command log

The application saves information about all commands that have been sent to mobile devices in the command log. The command log contains the date and time at which each command was sent to the mobile device, the status of each command, and a detailed description of the command execution result. For example, if execution of a command fails, the log displays the cause of the error. Records are stored in the command log for 30 days maximum.

Commands sent to mobile devices can have the following statuses:

  • Running—The command has been sent to the mobile device.
  • Completed—The command execution has successfully completed.
  • Completed with error—The command execution has failed.
  • Deleting—The command is being removed from the queue of commands sent to the mobile device.
  • Deleted—The command has been successfully removed from the queue of commands sent to the mobile device.
  • Error deleting—The command could not be removed from the queue of commands sent to the mobile device.

The application maintains a command log for each mobile device.

To view the log of commands sent to a mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the list of mobile devices, select the one for which you want to view the command log.
  3. In the context menu of the mobile device, select Show command log.

    The Mobile device management commands window opens. The sections of the Mobile device management commands window correspond to the commands that can be sent to the mobile device.

  4. Select sections containing the necessary commands and view information about how the commands are sent and executed in the Command log section.

In the Command log section, you can view the list of commands that have been sent to the mobile device and details about those commands. The Show commands filter allows you to display in the list only commands with the selected status.
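
Because records stay in the command log for at most 30 days, a periodic review helps confirm that wipe and reset commands actually completed and that the entries are archived in time. The following Python sketch is an added example, not part of the Kaspersky documentation: it assumes the log entries have been copied into CSV with the hypothetical columns `device`, `command`, `status` and `sent_at` (this page does not describe an export format), and the sample rows, the 24-hour staleness threshold and the 5-day archive margin are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Status names and retention period as listed on this page.
STATUSES = {"Running", "Completed", "Completed with error",
            "Deleting", "Deleted", "Error deleting"}
FAILED = {"Completed with error", "Error deleting"}
# Commands that delete data, per the command tables on this page.
DESTRUCTIVE = {"Reset to factory settings", "Wipe corporate data"}
RETENTION = timedelta(days=30)

# Constructed sample rows; the column layout is hypothetical.
SAMPLE_LOG = """device,command,status,sent_at
PHONE-01,Lock,Completed,2024-06-29 09:00
PHONE-02,Wipe corporate data,Running,2024-06-27 08:30
PHONE-03,Reset to factory settings,Completed,2024-06-03 10:00
TAB-04,Install profile,Completed with error,2024-06-29 15:00
TAB-05,Remove app,Error deleting,2024-06-30 08:00
PHONE-06,Locate device,Pending,2024-06-30 09:00
"""


def review_command_log(text, now,
                       stale_after=timedelta(hours=24),
                       archive_margin=timedelta(days=5)):
    """Sort command log rows into review buckets.

    destructive    - every wipe/reset command, with its status
    unconfirmed    - wipe/reset commands that are not (yet) Completed
    failed         - commands that ended in an error status
    stale          - commands still Running after `stale_after`
    expiring       - records within `archive_margin` of the 30-day limit
    unknown_status - rows whose status is not one listed on this page
    """
    report = {key: [] for key in ("destructive", "unconfirmed", "failed",
                                  "stale", "expiring", "unknown_status")}
    for row in csv.DictReader(io.StringIO(text)):
        entry = (row["device"], row["command"])
        status = row["status"]
        if status not in STATUSES:
            # Likely a transcription error; do not guess what it means.
            report["unknown_status"].append(entry)
            continue
        age = now - datetime.strptime(row["sent_at"], "%Y-%m-%d %H:%M")
        if row["command"] in DESTRUCTIVE:
            report["destructive"].append(entry + (status,))
            if status != "Completed":
                # Data may still be on the device: follow up.
                report["unconfirmed"].append(entry)
        if status in FAILED:
            report["failed"].append(entry)
        if status == "Running" and age > stale_after:
            report["stale"].append(entry)
        if age >= RETENTION - archive_margin:
            report["expiring"].append(entry)
    return report


if __name__ == "__main__":
    result = review_command_log(SAMPLE_LOG, datetime(2024, 6, 30, 12, 0))
    for bucket, entries in result.items():
        print(f"{bucket}: {entries}")
```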

See also:

Scenario: Mobile Device Management deployment

[Topic 89283]

Working with certificates of mobile devices

This section contains information about how to work with certificates of mobile devices. The section contains instructions on how to install certificates on users' mobile devices and how to configure certificate issuance rules. The section also contains instructions on how to integrate the application with the public key infrastructure and how to configure the support of Kerberos.

In this section

Starting the Certificate Installation Wizard

Step 1. Selecting certificate type

Step 2. Selecting device type

Step 3. Selecting a user

Step 4. Selecting certificate source

Step 5. Assigning a tag to the certificate

Step 6. Specifying certificate publishing settings

Step 7. Selecting user notification method

Step 8. Generating the certificate

Configuring certificate issuance rules

Integration with public key infrastructure

Enabling support of Kerberos Constrained Delegation

See also:

Scenario: Mobile Device Management deployment

[Topic 89284]

Starting the Certificate Installation Wizard

You can install the following types of certificates on a user's mobile device:

  • Shared certificates for identifying the mobile device
  • Mail certificates for configuring the corporate mail on the mobile device
  • VPN certificate for configuring access to a virtual private network on the mobile device

To install a certificate on a user's mobile device:

  1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
  2. In the workspace of the Certificates folder, click the Add certificate link to run the Certificate Installation Wizard.

Follow the instructions of the Wizard.

After the Wizard finishes, a certificate will be created and added to the list of the user's certificates; in addition, a notification will be sent to the user, providing the user with a link for downloading and installing the certificate on the mobile device. You can view the list of all certificates and export it to a file. You can delete and reissue certificates, as well as view their properties.

See also:

Scenario: Mobile Device Management deployment

[Topic 89285]

Step 1. Selecting certificate type

Specify the type of certificate that must be installed on the user's mobile device:

  • Mobile certificate—for identifying the mobile device
  • Mail certificate—for configuring the corporate mail on the mobile device
  • VPN certificate—for configuring access to a virtual private network on the mobile device

See also:

Scenario: Mobile Device Management deployment

[Topic 159864]

Step 2. Selecting device type

This window is displayed only if you selected Mail certificate or VPN certificate as the certificate type.

Specify the type of the operating system on the device:

  • iOS MDM device. Select this option if you have to install a certificate on a mobile device that is connected to the iOS MDM Server by using iOS MDM protocol.
  • KES device managed by Kaspersky Security for Mobile. Select this option if you have to install a certificate on a KES device. In this case, the certificate will be used for user identification upon every connection to the Administration Server.
  • KES device connected to Administration Server without user certificate authentication. Select this option if you have to install a certificate on a KES device using no certificate authentication. In this case, at the final step of the Wizard, in the User notification method window the administrator must select the user authentication type used at every connection to the Administration Server.

See also:

Scenario: Mobile Device Management deployment

[Topic 159865]

Step 3. Selecting a user

In the list, select users, user groups, or Active Directory user groups for which you have to install the certificate.

In the User selection window, you can search for

. You can click Add to add an internal user.

See also:

Scenario: Mobile Device Management deployment

[Topic 159866]

Step 4. Selecting certificate source

In this window, you can select the certificate source that Administration Server will use to identify the mobile device. You can specify a certificate using one of the following methods:

  • Create a certificate automatically, by means of Administration Server tools, then deliver the certificate to the device.
  • Specify a certificate file that was created earlier. This method is not available if multiple users were selected at the previous step.

Select the Publish certificate check box if you have to send to a user a notification about creation of a certificate for his or her mobile device.

If the user's mobile device has already been authenticated using a certificate, so that there is no need to specify an account name and password to receive a new certificate, clear the Publish certificate check box. In this case, the User notification method window will not be displayed.

See also:

Scenario: Mobile Device Management deployment

[Topic 159868]

Step 5. Assigning a tag to the certificate

The Certificate tag window is displayed if iOS MDM device has been selected as the device type.

In the drop-down list, you can assign a tag to the certificate of the user's iOS MDM device. The certificate with the assigned tag may have specific parameters set for this tag in the Kaspersky Device Management for iOS policy properties.

The drop-down list prompts you to select the Certificate template 1, Certificate template 2, or Certificate template 3 tag. You can configure the tags in the following sections:

  • If Mail certificate has been selected in the Certificate type window, the tags for it can be configured in the properties of the Exchange ActiveSync account for mobile devices (Managed devices → Policies → Kaspersky Device Management for iOS policy properties → Exchange ActiveSync section → Add → Advanced).
  • If VPN certificate has been selected in the Certificate type window, the tags for it can be configured in the properties of the VPN for mobile devices (Managed devices → Policies → Kaspersky Device Management for iOS policy properties → VPN section → Add → Advanced). You cannot configure the tags used for VPN certificates if the L2TP, PPTP, or IPSec (Cisco) connection type is selected for your VPN.

See also:

Installing a certificate for a user

Scenario: Mobile Device Management deployment

[Topic 159870]

Step 6. Specifying certificate publishing settings


In this window, you can specify the following certificate publishing settings:

  • Do not notify the user about a new certificate

    Enable this option if you do not want to send a user a notification about creation of a certificate for the user's mobile device. In this case, the User notification method window will not be displayed.

    This option is only applicable to devices with Kaspersky Endpoint Security for Android installed.

    You might want to enable this option, for example, if the user's mobile device has already been previously authenticated by means of a certificate so there is no need to specify an account name and password to receive a new certificate.

  • Allow the device to have multiple receipts of a single certificate (only for devices with Kaspersky Endpoint Security for Android installed)

    Enable this option if you want Kaspersky Security Center to automatically resend the certificate every time it is soon to expire or when it is not found on the target device.

    The certificate is automatically resent several days before the certificate expiration date. You can set the number of days in the Certificate issuance rules window.

    In some cases, the certificate cannot be found on the device. For example, this can happen when the user reinstalls the Kaspersky security application on the device or resets the device settings and data to factory defaults. In this case Kaspersky Security Center checks the device ID at the next attempt of the device to connect to the Administration Server. If the device has the same ID as it had when the certificate was issued, the application resends the certificate to the device.

Step 7. Selecting user notification method

This window is not displayed if you selected iOS MDM device as the device type or if you selected the Do not notify the user about a new certificate option.

In the User notification method window, you can configure the user notification about certificate installation on the mobile device.

In the Authentication method field, specify the user authentication type:

  • Credentials (domain or alias)

    In this case, the user employs the domain password or the password of a Kaspersky Security Center internal user to receive a new certificate.

  • One-time password

    In this case, the user receives a one-time password that will be sent by email or by SMS. This password must be entered to receive a new certificate.

    This option changes to Password if you enabled (selected) the Allow the device multiple receipts of a single certificate (only for devices with Kaspersky security applications for mobile devices installed) option in the Certificate publishing settings window.

  • Password

    In this case, the password is used every time the certificate is sent to the user.

    This option changes to One-time password, if you disabled (cleared) the Allow the device multiple receipts of a single certificate (only for devices with Kaspersky security applications for mobile devices installed) option in the Certificate publishing settings window.

This field is displayed if you selected Mobile certificate in the Certificate type window or if you selected KES device connected to Administration Server without user certificate authentication as the device type.

Select the user notification option:

  • Show authentication password after the Wizard finishes

    If you select this option, the user name, user name in Security Account Manager (SAM), and password for certificate retrieval for each of the selected users will be displayed at the final step of the Certificate Installation Wizard. Configuration of user notification about an installed certificate will be unavailable.

    When you add certificates for multiple users, you can save the provided credentials to a file by clicking the Export button at the last step of the Certificate Installation Wizard.

    This option is unavailable if you selected Credentials (domain or alias) at the User notification method step of the Certificate Installation Wizard.

  • Notify user of new certificate

    If you select this option, you can configure user notification about a new certificate.

    • By email

      In this group of settings, you can configure user notification about installation of a new certificate on his or her mobile device using email messages. This notification method is only available if the SMTP Server is enabled.

      Click the Edit message link to view and edit the notification message, if necessary.

    • By SMS

      In this group of settings, you can configure user notification by SMS about installation of a certificate on the mobile device. This notification method is only available if SMS notification is enabled.

      Click the Edit message link to view and edit the notification message, if necessary.

Step 8. Generating the certificate

At this step, the certificate is created.

You can click Finish to exit the Wizard.

The certificate is generated and displayed in the list of certificates in the workspace of the Certificates folder.

Configuring certificate issuance rules

Certificates are used for device authentication on the Administration Server. All managed mobile devices must have certificates. You can configure how the certificates are issued.

To configure certificate issuance rules:

  1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
  2. In the workspace of the Certificates folder, click the Configure certificate issuance rules button to open the Certificate issuance rules window.
  3. Proceed to the section with the name of a certificate type:

    Issuance of mobile certificates—To configure the issuance of certificates for the mobile devices.

    Issuance of mail certificates—To configure the issuance of mail certificates.

    Issuance of VPN certificates—To configure the issuance of VPN certificates.

  4. In the Issuance settings section, configure the issuance of the certificate:
    • Specify the certificate term in days.
    • Select a certificate source (Administration Server or Certificates are specified manually).

      Administration Server is selected as the default source of certificates.

    • Specify a certificate template (Default template, Other template).

      Configuration of templates is available if the Integration with PKI section features the integration with Public Key Infrastructure enabled.

  5. In the Automatic Updates settings section, configure automatic updates of the certificate:
    • In the Renew when certificate is to expire in (days) field, specify how many days before expiration the certificate must be renewed.
    • To enable automatic updates of certificates, select the Reissue certificate automatically if possible check box.

    A mobile certificate can be renewed manually only.

  6. In the Password protection section, enable and configure the use of a password when decrypting certificates.

    Password protection is only available for mobile certificates.

    1. Select the Prompt for password during certificate installation check box.
    2. Use the slider to define the maximum number of symbols in the password for encryption.
  7. Click OK.

Integration with public key infrastructure

Integration of the application with the public key infrastructure (PKI) is required to simplify the issuance of domain certificates to users. Following integration, certificates are issued automatically.

The minimum supported PKI server version is Windows Server 2008.

You have to configure the account for integration with PKI. The account must meet the following requirements:

  • Be a domain user and administrator on a device that has Administration Server installed.
  • Be granted the SeServiceLogonRight privilege on the device with Administration Server installed.

To create a permanent user profile, log on at least once under the configured user account on the device with Administration Server installed. In this user's certificate repository on the Administration Server device, install the Enrollment Agent certificate provided by domain administrators.
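A pre-flight check for the account requirements above, as an added example (not part of the Kaspersky documentation or product). It assumes an elevated PowerShell session on the Administration Server device, logged on as the integration account, and that the Enrollment Agent certificate was installed in that user's Personal store (Cert:\CurrentUser\My); the domain-account test is a simple name comparison.

```powershell
# Added example: verifies the PKI integration account prerequisites locally.
# Assumptions: elevated session, run AS the integration account, certificate
# installed in Cert:\CurrentUser\My. Nothing is changed on the system.

$EnrollmentAgentOid = '1.3.6.1.4.1.311.20.2.1'   # EKU "Certificate Request Agent"

function Get-ServiceLogonRightHolders {
    # Export only the user-rights area of the local security policy and
    # return the principals listed for SeServiceLogonRight.
    $tmp = Join-Path $env:TEMP ("userrights_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        if (-not (Test-Path $tmp)) { return @() }      # export failed (not elevated?)
        $line = Get-Content -Path $tmp |
            Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' }
        if (-not $line) { return @() }
        ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }
    }
    finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

function ConvertTo-Sid([string]$Principal) {
    # secedit writes entries either as *S-1-... or as an account name.
    if ($Principal -match '^\*?(S-1-[0-9-]+)$') { return $Matches[1] }
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Principal)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    catch { $null }   # unresolvable name: ignore
}

function Get-EnrollmentAgentCertificates {
    # Unexpired certificates with a private key and the Enrollment Agent EKU.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $EnrollmentAgentOid)
    }
}

$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
# The right may be granted directly or through a group, so collect both.
$mySids    = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

$holders = @(Get-ServiceLogonRightHolders |
    ForEach-Object { ConvertTo-Sid $_ } |
    Where-Object { $_ })
$agents  = @(Get-EnrollmentAgentCertificates)

$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
$checks = [ordered]@{
    'Domain account (not a local one)'            = ($env:USERDOMAIN -ne $env:COMPUTERNAME)
    'Local administrator (elevated session)'      = $principal.IsInRole($adminRole)
    'SeServiceLogonRight (direct or via group)'   = [bool]($mySids | Where-Object { $holders -contains $_ })
    'Valid Enrollment Agent certificate with key' = ($agents.Count -gt 0)
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
$agents | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# Non-zero exit code when any prerequisite is missing.
if (@($checks.Values) -contains $false) { exit 1 }
```

Running it while logged on as the integration account also satisfies the "log on at least once" step, because that logon creates the permanent user profile.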

To configure integration with the public key infrastructure:

  1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
  2. In the workspace, click the Integrate with public key infrastructure button.

    The Integration with PKI section of the Certificate issuance rules window opens.

  3. Select the Integrate issuance of certificates with PKI check box.
  4. In the Account field, specify the name of the user account to be used for integration with the public key infrastructure.
  5. In the Password field, enter the domain password for the account.
  6. In the Certificate template name in PKI system list, select the certificate template that will be used for the issuance of certificates to domain users.

    A dedicated service is run in Kaspersky Security Center under the specified user account. This service is responsible for issuing users' domain certificates. The service is run when the list of certificate templates is loaded by clicking the Refresh list button or when a certificate is generated.

  7. Click OK to save the settings.

Following integration, certificates are issued automatically.

Enabling support of Kerberos Constrained Delegation

The application supports usage of Kerberos Constrained Delegation.

To enable support of Kerberos Constrained Delegation:

  1. In the console tree, open the Mobile Device Management folder.
  2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
  3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  4. In the context menu of the iOS MDM Server, select Properties.
  5. In the properties window of the iOS MDM Server, select the Settings section.
  6. In the Settings section, select the Ensure compatibility with Kerberos constrained delegation check box.
  7. Click OK.

Adding iOS mobile devices to the list of managed devices

To add an iOS mobile device to the list of managed devices, a shared certificate must be delivered and installed on the device. Shared certificates are used by Administration Server for identifying mobile devices. A shared certificate for an iOS mobile device is delivered within an iOS MDM profile. After a shared certificate is delivered and installed on a mobile device, the device appears in the list of managed devices.

Kaspersky no longer supports Kaspersky Safe Browser.

You can add mobile devices of users to the list of managed devices by means of the New Mobile Device Connection Wizard.

To connect an iOS device to the Administration Server by using a shared certificate:

  1. Start the New Mobile Device Connection Wizard in one of the following ways:
    • Use the context menu in the User accounts folder:
      1. In the console tree, expand the Advanced folder and select the User accounts subfolder.
      2. In the workspace of the User accounts folder, select the users, user groups, or Active Directory user groups whose mobile devices you want to add to the list of managed devices.
      3. Right-click and in the context menu of the user account, select Add mobile device.

        The New Mobile Device Connection Wizard starts.

    • In the workspace of the Mobile devices folder, click the Add mobile device button:
      1. In the console tree, expand the Mobile Device Management folder and select the Mobile devices subfolder.
      2. In the workspace of the Mobile devices subfolder, click the Add mobile device button.

        The New Mobile Device Connection Wizard starts.

  2. On the Operating system page of the Wizard, select iOS as the mobile device operating system type.
  3. On the Selecting iOS MDM Server page, select the iOS MDM Server.
  4. On the Select users whose mobile devices you want to manage page, select the users, user groups, or Active Directory user groups whose mobile devices you want to add to the list of managed devices.

    This step is skipped if you start the Wizard by selecting Add mobile device in the context menu of the User accounts folder.

    If you want to add a new user account into the list, click the Add button and enter the user account properties in the window that opens. If you want to modify or review the user account properties, select the user account from the list and click the Properties button.

  5. On the Certificate source page of the Wizard, specify the method for creating the shared certificate that Administration Server will use to identify the mobile device. You can specify a shared certificate in one of the following ways:
    • Issue certificate through Administration Server tools

      Select this option to create a new certificate by means of Administration Server tools if you did not create it previously.

      If this option is selected, the iOS MDM profile will be automatically signed with a certificate generated by Administration Server.

      This option is selected by default.

    • Specify certificate file

      Select this option to specify a certificate file that was created earlier.

      This method is not available if multiple users were selected at the previous step.

  6. On the User notification method page of the Wizard, define the settings for notifying the mobile device user by SMS or email about certificate creation:
    • Show link in Wizard

      If you select this option, a link to the installation package will be shown at the final step of the New Device Connection Wizard.

      This option is not available if multiple users were selected for the device connection.

    • Send link to user

      Selecting this option allows you to configure user notification of connection of a new mobile device.

      You can select the email address type, specify an additional email address, and edit the message text. You can also select the type of the user phone for sending an SMS message, specify an additional phone number, and edit the SMS message text.

      If the SMTP Server has not been configured, no email messages can be sent to users. If SMS notification has not been configured, no SMS messages can be sent to users.

  7. On the Result page, click Finish to close the Wizard.

The iOS MDM profile is automatically published on the Kaspersky Security Center Web Server. The mobile device user receives a notification with a link for downloading the iOS MDM profile from the Web Server. The user clicks the link. Next, the mobile device's operating system prompts the user to accept the iOS MDM profile installation. The user must agree to install the iOS MDM profile before the iOS MDM profile can be downloaded to the mobile device. After the iOS MDM profile is downloaded and the mobile device is synchronized with the Administration Server, the device is displayed in the Mobile devices folder, which is a subfolder of the Mobile Device Management folder in the console tree.

For the user to proceed to the Kaspersky Security Center Web Server by using the link, connection with the Administration Server over port 8061 must be available on the mobile device.

Adding Android mobile devices to the list of managed devices

To add an Android mobile device to the list of managed devices, Kaspersky Endpoint Security for Android and a shared certificate must be delivered and installed on the mobile device. Shared certificates are used by Administration Server for identifying mobile devices. After a shared certificate is delivered and installed on a mobile device, the device appears in the list of managed devices.

You can add mobile devices of users to the list of managed devices by means of the New Mobile Device Connection Wizard. The New Mobile Device Connection Wizard provides two options for delivery and installation of a shared certificate and Kaspersky Endpoint Security for Android:

  • By using a Google Play link
  • By using a link from Kaspersky Security Center Web Server

    The Kaspersky Endpoint Security for Android installation package stored for distribution on Administration Server is used for installation.

Starting the New Mobile Device Connection Wizard

To start the New Mobile Device Connection Wizard, do one of the following:

  • Use the context menu in the User accounts folder:
    1. In the console tree, expand the Advanced folder and select the User accounts subfolder.
    2. In the workspace of the User accounts folder, select the users, user groups, or Active Directory user groups whose mobile devices you want to add to the list of managed devices.
    3. Right-click and in the context menu of the user account, select Add mobile device.

      The New Mobile Device Connection Wizard starts.

  • In the workspace of the Mobile devices folder, click the Add mobile device button:
    1. In the console tree, expand the Mobile Device Management folder and select the Mobile devices subfolder.
    2. In the workspace of the Mobile devices subfolder, click the Add mobile device button.

      The New Mobile Device Connection Wizard starts.

Adding an Android mobile device by using a Google Play link

To install Kaspersky Endpoint Security for Android and a shared certificate on a mobile device using a Google Play link:

  1. Start the New Mobile Device Connection Wizard.
  2. On the Operating system page of the Wizard, select Android as the mobile device operating system type.
  3. On the Kaspersky Endpoint Security for Android installation method page of the Wizard, select By using a Google Play link.
  4. On the Select users whose mobile devices you want to manage page of the Wizard, select the users, user groups, or Active Directory user groups whose mobile devices you want to add to the list of managed devices.

    This step is skipped if the Wizard is started by selecting Add mobile device in the context menu of the User accounts folder.

    If you want to add a new user account into the list, click the Add button and enter the user account properties in the window that opens. If you want to modify or review the user account properties, select the user account from the list and click the Properties button.

  5. On the Certificate source page of the Wizard, specify the method for creating the shared certificate that Administration Server will use to identify the mobile device. You can specify a shared certificate in one of the following ways:
    • Issue certificate through Administration Server tools

      Select this option to create a new certificate by means of Administration Server tools if you did not create it previously.

      If this option is selected, the certificate is automatically issued by using Administration Server tools.

      This option is selected by default.

    • Specify certificate file

      Select this option to specify a certificate file that was created earlier.

      This method is not available if multiple users were selected at the previous step.

  6. On the User notification method page of the Wizard, define the settings for notifying the mobile device user by SMS or email about certificate creation:
    • Show link in Wizard

      If you select this option, a link to the installation package will be shown at the final step of the New Device Connection Wizard.

      This option is not available if multiple users were selected for the device connection.

    • Send link to user

      Selecting this option allows you to configure user notification of connection of a new mobile device.

      You can select the email address type, specify an additional email address, and edit the message text. You can also select the type of the user phone for sending an SMS message, specify an additional phone number, and edit the SMS message text.

      If the SMTP Server has not been configured, no email messages can be sent to users. If SMS notification has not been configured, no SMS messages can be sent to users.

  7. On the Result page, click Finish to close the Wizard.

After the Wizard finishes, a link and a QR code will be sent to the user's mobile device, allowing download of Kaspersky Endpoint Security for Android. The user clicks the link or scans the QR code. Next, the mobile device's operating system prompts the user to accept installation of Kaspersky Endpoint Security for Android. After Kaspersky Endpoint Security for Android is downloaded and installed, the mobile device connects to the Administration Server and downloads a shared certificate. After the certificate is installed on the mobile device, the device is displayed in the Mobile devices folder, which is a subfolder of the Mobile Device Management folder in the console tree.

Adding an Android mobile device using a link from Kaspersky Security Center Web Server

The Kaspersky Endpoint Security for Android installation package published on the Administration Server is used for installation.

To install Kaspersky Endpoint Security for Android and a shared certificate on a mobile device using a link from Web Server:

  1. Start the New Mobile Device Connection Wizard.
  2. On the Operating system page of the Wizard, select Android as the mobile device operating system type.
  3. On the Kaspersky Endpoint Security for Android installation method page of the Wizard, select By using a link from Web Server.

    In the field that appears below, select an installation package or create a new one by clicking New.

  4. On the Select users whose mobile devices you want to manage page of the Wizard, select the users, user groups, or Active Directory user groups whose mobile devices you want to add to the list of managed devices.

    This step is skipped if the Wizard is started by selecting Add mobile device in the context menu of the User accounts folder.

    If you want to add a new user account into the list, click the Add button and enter the user account properties in the window that opens. If you want to modify or review the user account properties, select the user account from the list and click the Properties button.

  5. On the Certificate source page of the Wizard, specify the method for creating the shared certificate that Administration Server will use to identify the mobile device. You can specify a shared certificate in one of the following ways:
    • Issue certificate through Administration Server tools

      Select this option to create a new certificate by means of Administration Server tools if you did not create it previously.

      If this option is selected, the certificate is automatically issued by using Administration Server tools.

      This option is selected by default.

    • Specify certificate file

      Select this option to specify a certificate file that was created earlier.

      This method is not available if multiple users were selected at the previous step.

  6. On the User notification method page of the Wizard, define the settings for notifying the mobile device user by SMS or email about certificate creation:
    • Show link in Wizard

      If you select this option, a link to the installation package will be shown at the final step of the New Device Connection Wizard.

      This option is not available if multiple users were selected for the device connection.

    • Send link to user

      Selecting this option allows you to configure user notification of connection of a new mobile device.

      You can select the email address type, specify an additional email address, and edit the message text. You can also select the type of the user phone for sending an SMS message, specify an additional phone number, and edit the SMS message text.

      If the SMTP Server has not been configured, no email messages can be sent to users. If SMS notification has not been configured, no SMS messages can be sent to users.

  7. On the Result page, click Finish to close the Wizard.

The mobile app package of Kaspersky Endpoint Security for Android is automatically published on the Kaspersky Security Center Web Server. The mobile app package contains the app, the settings for connecting the mobile device to the Administration Server, and a certificate. The mobile device user will receive a notification containing a link for downloading the package from the Web Server. The user clicks the link. The operating system of the device then prompts the user to accept installation of the mobile app package. If the user agrees, the package will be downloaded to the mobile device. After the package is downloaded and the mobile device is synchronized with the Administration Server, the device is displayed in the Mobile devices folder, which is a subfolder of the Mobile Device Management folder in the console tree.

Managing Exchange ActiveSync mobile devices

This section describes advanced features for management of EAS devices through Kaspersky Security Center.

In addition to management of EAS devices by means of commands, the administrator can use the following options:

  • Create management profiles for EAS devices and assign them to users' mailboxes. An EAS device management profile is an Exchange ActiveSync policy that is used on a Microsoft Exchange server to manage EAS devices. In an EAS device management profile, you can configure the following groups of settings:
    • User password management settings
    • Mail synchronization settings
    • Restrictions on the use of the mobile device features
    • Restrictions on the use of mobile applications on the mobile device

    Depending on the mobile device model, settings of a management profile can be applied partially. The status of an Exchange ActiveSync policy that has been applied can be viewed in the mobile device properties.

  • View information about the settings of EAS device management. For example, in the mobile device properties, the administrator can view the time of the last synchronization with a Microsoft Exchange server, the EAS device ID, the Exchange ActiveSync policy name and its current status on the mobile device.
  • Disconnect EAS devices from management if they are out of use.
  • Define the settings of Active Directory polling by the Exchange Mobile Device Server, which allows updating the information about users' mailboxes and mobile devices.

In this section

Adding a management profile

Removing a management profile

Handling Exchange ActiveSync policies

Configuring the scan scope

Working with EAS devices

Viewing information about an EAS device

Disconnecting an EAS device from management

User's rights to manage Exchange ActiveSync mobile devices

Adding a management profile

To manage EAS devices, you can create EAS device management profiles and assign them to selected Microsoft Exchange mailboxes.

Only one EAS device management profile can be assigned to a Microsoft Exchange mailbox.

To add an EAS device management profile for a Microsoft Exchange mailbox:

  1. In the console tree, open the Mobile Device Management folder.
  2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
  3. In the workspace of the Mobile Device Servers folder, select an Exchange Mobile Device Server.
  4. In the context menu of the Exchange Mobile Device Server, select Properties.

    The Mobile Device Server properties window opens.

  5. In the properties window of the Exchange Mobile Device Server, select the Mailboxes section.
  6. Select a mailbox and click the Assign profile button.

    The Policy profiles window opens.

  7. In the Policy profiles window, click the Add button.

    The New profile window opens.

  8. Configure the profile on the tabs of the New profile window.
    • If you want to specify the profile name and the update interval, select the General tab.
    • If you want to configure the password of the mobile device user, select the Password tab.
    • If you want to configure synchronization with the Microsoft Exchange server, select the Synchronization tab.
    • If you want to configure restrictions on the mobile device features, select the Feature Restrictions tab.
    • If you want to configure restrictions on the use of mobile applications on the mobile device, select the Application Restrictions tab.
  9. Click OK.

    The new profile will be displayed in the list of profiles in the Policy profiles window.

    If you want this profile to be automatically assigned to new mailboxes, as well as to mailboxes whose profiles have been deleted, select it in the list of profiles and click the Set as default profile button.

    The default profile cannot be deleted. To delete the current default profile, you must assign the "default profile" attribute to a different profile.

  10. In the Policy profiles window, click OK.

    The management profile settings will be applied on the EAS device at the next synchronization of the device with the Exchange Mobile Device Server.

Removing a management profile

To remove an EAS device management profile for a Microsoft Exchange mailbox:

  1. In the console tree, open the Mobile Device Management folder.
  2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
  3. In the workspace of the Mobile Device Servers folder, select an Exchange Mobile Device Server.
  4. In the context menu of the Exchange Mobile Device Server, select Properties.

    The Mobile Device Server properties window opens.

  5. In the properties window of the Exchange Mobile Device Server, select the Mailboxes section.
  6. Select a mailbox and click the Change profiles button.

    The Policy profiles window opens.

  7. In the Policy profiles window, select the profile that you want to remove and click the red Delete button.

    The selected profile will be removed from the list of management profiles. The current default profile will be applied to EAS devices managed by the profile that has been removed.

    If you want to remove the current default profile, re-assign the "default profile" property to another profile, then remove the first one.

Handling Exchange ActiveSync policies

After you install Exchange Mobile Device Server, in the Mailboxes section of the Server properties window, you can view information about accounts of the Microsoft Exchange server that have been retrieved by polling the current domain or domain forest.

Also, in the Exchange Mobile Device Server properties window, you can use the following buttons:

  • Change profiles allows you to open the Policy profiles window, which contains a list of policies retrieved from the Microsoft Exchange server. In this window, you can create, edit, or delete Exchange ActiveSync policies. The Policy profiles window is almost identical to the policy editing window in Exchange Management Console.
  • Assign profiles to mobile devices allows you to assign a selected Exchange ActiveSync policy to one or several accounts.
  • Enable/disable ActiveSync allows you to enable or disable Exchange ActiveSync HTTP for one or multiple accounts.

Configuring the scan scope

In the properties of the newly installed Exchange Mobile Device Server, in the Settings section, you can configure the scan scope. By default, the scan scope is the current domain in which the Exchange Mobile Device Server is installed. Selecting the Entire domain forest value expands the scan scope to include the entire domain forest.

Working with EAS devices

Devices retrieved by scanning the Microsoft Exchange server will be added to the common list of devices, which is located in the Mobile Device Management node, in the Mobile devices folder.

If you want the Mobile devices folder to display Exchange ActiveSync devices only (hereinafter referred to as EAS devices), filter the device list by clicking the Exchange ActiveSync (EAS) link that is located above this list.

You can manage EAS devices by means of commands. For example, the Reset to factory settings command allows you to remove all data from a device and reset the device settings to the factory settings. This command is useful if the device is lost or stolen, when you need to prevent corporate or personal data from falling into the hands of a third party.

If all data has been deleted from the device, it will be deleted again the next time the device connects to the Microsoft Exchange Server. The command will be reiterated until the device is removed from the list of devices. This behavior is caused by the operation principles of the Microsoft Exchange server.

To remove an EAS device from the list, in the context menu of the device, select Delete. If the Exchange ActiveSync account is not deleted from the EAS device, the latter will reappear on the list of devices after the next synchronization of the device with the Microsoft Exchange server.

See also:

Scenario: Mobile Device Management deployment

[Topic 92546]

Viewing information about an EAS device

To view information about an EAS device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter EAS devices by clicking the Exchange ActiveSync (EAS) link.
  3. From the context menu of the mobile device, select Properties.

    The properties window of the EAS device opens.

The properties window of the mobile device displays information about the connected EAS device.

See also:

Scenario: Mobile Device Management deployment

[Topic 64435]

Disconnecting an EAS device from management

To disconnect an EAS device from management by the Exchange Mobile Device Server:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter EAS devices by clicking the Exchange ActiveSync (EAS) link.
  3. Select the mobile device that you want to disconnect from management by the Exchange Mobile Device Server.
  4. In the context menu of the mobile device, select Delete.

The EAS device is marked for removal with a red cross icon. The mobile device is removed from the list of managed devices after it is removed from the Exchange ActiveSync Server database. To do so, the administrator must remove the user account on the Microsoft Exchange server.

See also:

Scenario: Mobile Device Management deployment

[Topic 67818]

User's rights to manage Exchange ActiveSync mobile devices

To manage mobile devices running under the Exchange ActiveSync protocol with Microsoft Exchange Server 2010 or Microsoft Exchange Server 2013, make sure that the user is included in a role group that is allowed to execute the following cmdlets:

  • Get-CASMailbox
  • Set-CASMailbox
  • Remove-ActiveSyncDevice
  • Clear-ActiveSyncDevice
  • Get-ActiveSyncDeviceStatistics
  • Get-AcceptedDomain
  • Set-AdServerSettings
  • Get-ActiveSyncMailboxPolicy
  • New-ActiveSyncMailboxPolicy
  • Set-ActiveSyncMailboxPolicy
  • Remove-ActiveSyncMailboxPolicy
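
One way to verify this requirement on Exchange Server 2010 or 2013 is to check, in Exchange Management Shell, which assigned management roles give an account each cmdlet in the list above. This is an added example, not Kaspersky code; `$Account` is a placeholder, and the function name `Test-EasManagementRights` is hypothetical.

```powershell
# Added example. Run in Exchange Management Shell (Exchange Server 2010/2013).
# $Account is a placeholder for the account used to manage EAS devices.
$Account = '<User or group name>'

# Cmdlets that the documentation lists as required.
$RequiredCmdlets = @(
    'Get-CASMailbox',
    'Set-CASMailbox',
    'Remove-ActiveSyncDevice',
    'Clear-ActiveSyncDevice',
    'Get-ActiveSyncDeviceStatistics',
    'Get-AcceptedDomain',
    'Set-AdServerSettings',
    'Get-ActiveSyncMailboxPolicy',
    'New-ActiveSyncMailboxPolicy',
    'Set-ActiveSyncMailboxPolicy',
    'Remove-ActiveSyncMailboxPolicy'
)

function Test-EasManagementRights {
    param(
        [string]$RoleAssignee,
        [string[]]$Cmdlets
    )

    foreach ($cmdlet in $Cmdlets) {
        # All management roles whose entries include this cmdlet.
        $roles = @(Get-ManagementRole -Cmdlet $cmdlet -ErrorAction SilentlyContinue)

        # Keep the roles that reach the account, directly or through a role
        # group. Delegating assignments only permit assigning the role to
        # others, so they are excluded; disabled assignments are excluded too.
        $granting = @()
        foreach ($role in $roles) {
            $assignments = @(Get-ManagementRoleAssignment -Role $role.Name `
                -RoleAssignee $RoleAssignee -Delegating $false -Enabled $true `
                -ErrorAction SilentlyContinue)
            if ($assignments.Count -gt 0) { $granting += $role.Name }
        }

        New-Object PSObject -Property @{
            Cmdlet  = $cmdlet
            Allowed = ($granting.Count -gt 0)
            ViaRole = ($granting -join ', ')
        }
    }
}

$report = @(Test-EasManagementRights -RoleAssignee $Account -Cmdlets $RequiredCmdlets)
$report | Sort-Object Cmdlet | Format-Table Cmdlet, Allowed, ViaRole -AutoSize

# Summarize what is missing so that the role group can be corrected.
$missing = @($report | Where-Object { -not $_.Allowed })
if ($missing.Count -gt 0) {
    $names = ($missing | ForEach-Object { $_.Cmdlet }) -join ', '
    Write-Warning "Account '$Account' cannot run: $names"
}
```

The ViaRole column also shows when the rights come from a broad built-in role rather than a role group limited to these cmdlets. The check covers cmdlet presence only; it does not evaluate parameter restrictions on role entries or assignment scopes.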

To manage mobile devices running under the Exchange ActiveSync protocol with Microsoft Exchange Server 2007, make sure that the user has been granted administrator rights. If the rights have not been granted, execute the cmdlets to assign the administrator rights to the user (see the table below).

Administrator rights required for managing Exchange ActiveSync mobile devices on Microsoft Exchange Server 2007

  • Access: Full
    Object: Branch "CN=Mobile Mailbox Policies,CN=Your Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=yourdomain"
    Cmdlet: Add-ADPermission -User <User or group name> -Identity "CN=Mobile Mailbox Policies,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRight GenericAll

  • Access: Read
    Object: Branch "CN=Your Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=yourdomain"
    Cmdlet: Add-ADPermission -User <User or group name> -Identity "CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRight GenericRead

  • Access: Read/write
    Object: Properties msExchMobileMailboxPolicyLink and msExchOmaAdminWirelessEnable for objects in Active Directory
    Cmdlet: Add-ADPermission -User <User or group name> -Identity "DC=<Domain name>" -InheritanceType All -AccessRight ReadProperty,WriteProperty -Properties msExchMobileMailboxPolicyLink, msExchOmaAdminWirelessEnable

  • Access: Full
    Object: Mailbox repositories for ms-Exch-Store-Admin
    Cmdlet: Get-MailboxDatabase | Add-ADPermission -User <user or group name> -ExtendedRights ms-Exch-Store-Admin

For detailed information about how to use cmdlets in the Exchange Management Shell console, please refer to the Microsoft Exchange Server Technical Support website.

See also:

Scenario: Mobile Device Management deployment

[Topic 77974]

Managing iOS MDM devices

This section describes advanced features for management of iOS MDM devices through Kaspersky Security Center. The application supports the following features for management of iOS MDM devices:

  • Define the settings of managed iOS MDM devices in centralized mode and restrict features of devices through configuration profiles. You can add or modify configuration profiles and install them on mobile devices.
  • Install apps on mobile devices by means of provisioning profiles, bypassing App Store. For example, you can use provisioning profiles for installation of in-house corporate apps on users' mobile devices. A provisioning profile contains information about an app and a mobile device.
  • Install apps on an iOS MDM device through the App Store. Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server.

Every 24 hours, a push notification is sent to all connected iOS MDM devices in order to synchronize data with the iOS MDM Server.

For information about the configuration profile and the provisioning profile, as well as apps installed on an iOS MDM device, please refer to the properties window of the device.

In this section

Signing an iOS MDM profile by a certificate

Adding a configuration profile

Installing a configuration profile on a device

Removing the configuration profile from a device

Adding a new device by publishing a link to a profile

Adding a new device through profile installation by the administrator

Adding a provisioning profile

Installing a provisioning profile to a device

Removing a provisioning profile from a device

Adding a managed application

Installing an app on a mobile device

Removing an app from a device

Configuring roaming on an iOS MDM mobile device

Viewing information about an iOS MDM device

Disconnecting an iOS MDM device from management

Sending commands to a device

Checking the execution status of commands sent

See also:

Scenario: Mobile Device Management deployment

[Topic 64780]

Signing an iOS MDM profile by a certificate

You can sign an iOS MDM profile by a certificate. You can use a certificate that you issued yourself or you can receive a certificate from trusted certification authorities.

To sign an iOS MDM profile by a certificate:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
  2. In the context menu of the Mobile devices folder, select Properties.
  3. In the properties window of the folder, select the Connection settings for iOS devices section.
  4. Click the Browse button under the Select certificate file field.

    The Certificate window opens.

  5. In the Certificate type field, specify the public or private certificate type:
    • If the PKCS #12 container value is selected, specify the certificate file and the password.
    • If the X.509 certificate value is selected:
      1. Specify the private key file (one with the *.prk or *.pem extension).
      2. Specify the private key password.
      3. Specify the public key file (one with the *.cer extension).
  6. Click OK.

The iOS MDM profile is signed by a certificate.

See also:

Scenario: Mobile Device Management deployment

[Topic 100168]

Adding a configuration profile

To create a configuration profile, you can use Apple Configurator 2, which is available at the Apple Inc. website. Apple Configurator 2 works only on devices running macOS; if you do not have such devices at your disposal, you can use iPhone Configuration Utility on the device with Administration Console instead. However, Apple Inc. does not support iPhone Configuration Utility any longer.

To create a configuration profile using iPhone Configuration Utility and to add it to an iOS MDM Server:

  1. In the console tree, select the Mobile Device Management folder.
  2. In the workspace of the Mobile Device Management folder, select the Mobile Device Servers subfolder.
  3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  4. In the context menu of the iOS MDM Server, select Properties.

    The Mobile Device Server properties window opens.

  5. In the properties window of the iOS MDM Server, select the Configuration profiles section.
  6. In the Configuration profiles section, click the Create button.

    The New configuration profile window opens.

  7. In the New configuration profile window, specify a name and ID for the profile.

    The configuration profile ID should be unique; the value should be specified in Reverse-DNS format, for example, com.companyname.identifier.

  8. Click OK.

    iPhone Configuration Utility then starts if you have it installed.

  9. Reconfigure the profile in iPhone Configuration Utility.

    For a description of the profile settings and instructions on how to configure the profile, please refer to the documentation enclosed with iPhone Configuration Utility.

After you configure the profile with iPhone Configuration Utility, the new configuration profile is displayed in the Configuration profiles section in the properties window of the iOS MDM Server.

You can click the Modify button to modify the configuration profile.

You can click the Import button to load the configuration profile to a program.

You can click the Export button to save the configuration profile to a file.

The profile that you have created must be installed on iOS MDM devices.

See also:

Scenario: Mobile Device Management deployment

[Topic 89292]

Installing a configuration profile on a device

To install a configuration profile to a mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).
  3. Select the user's mobile device on which you have to install a configuration profile.

    You can select multiple mobile devices to install the profile on them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device management commands window, proceed to the Install profile section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands in the context menu of that mobile device, and then selecting Install profile.

    The Select profiles window opens showing a list of profiles. Select from the list the profile that you have to install on the mobile device. You can select multiple profiles to install them on the mobile device simultaneously. To select the range of profiles, use the Shift key. To combine profiles into a group, use the Ctrl key.

  6. Click OK to send the command to the mobile device.

    When the command is executed, the selected configuration profile will be installed on the user's mobile device. If the command is successfully executed, the current status of the command in the command log will be shown as Done.

    You can click the Resend button to send the command to the user's mobile device again.

    You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  7. Click OK to close the Mobile device management commands window.

You can view the profile that you installed and remove it, if necessary.

See also:

Scenario: Mobile Device Management deployment

[Topic 89293]

Removing the configuration profile from a device

To remove a configuration profile from a mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.
  3. Select the user's mobile device from which you have to remove the configuration profile.

    You can select multiple mobile devices to remove the profile from them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device management commands window, proceed to the Remove profile section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands from the context menu of the device, and then selecting Remove profile.

    The Remove profiles window opens showing a list of profiles.

  6. Select from the list the profile that you have to remove from the mobile device. You can select multiple profiles to remove them from the mobile device simultaneously. To select the range of profiles, use the Shift key. To combine profiles into a group, use the Ctrl key.
  7. Click OK to send the command to the mobile device.

    When the command is executed, the selected configuration profile will be removed from the user's mobile device. If the command is executed successfully, the current status of the command will be shown as Completed.

    You can click the Resend button to send the command to the user's mobile device again.

    You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  8. Click OK to close the Mobile device management commands window.

See also:

Scenario: Mobile Device Management deployment

[Topic 89296]

Adding a new device by publishing a link to a profile

In Administration Console, the administrator creates a new iOS MDM profile, using the New Mobile Device Connection Wizard. The Wizard performs the following actions:

  • The iOS MDM profile is automatically published on the Web Server.
  • The user is sent a link to the iOS MDM profile by SMS or by email. Upon receiving the link, the user installs the iOS MDM profile on the mobile device.
  • The mobile device connects to the iOS MDM Server.

Due to a stricter security policy introduced by Apple, you have to set up TLS 1.1 and TLS 1.2 protocol versions when connecting a mobile device running iOS 11 to an Administration Server that has integration with Public Key Infrastructure (PKI) enabled.

See also:

Kaspersky Security Center Web Server

Scenario: Mobile Device Management deployment

[Topic 92554]

Adding a new device through profile installation by the administrator

To connect a mobile device to an iOS MDM Server by installing an iOS MDM profile on that mobile device, the administrator must perform the following actions:

  1. In Administration Console, open the New Device Connection Wizard.
  2. Create a new iOS MDM profile by selecting the Show certificate after the Wizard finishes check box in the New Profile Wizard window.
  3. Save the iOS MDM profile.
  4. Install the iOS MDM profile on the user's mobile device through the Apple Configurator utility.

The mobile device connects to the iOS MDM Server.

Due to a stricter security policy introduced by Apple, you have to set up TLS 1.1 and TLS 1.2 protocol versions when connecting a mobile device running iOS 11 to an Administration Server that has integration with Public Key Infrastructure (PKI) enabled.

See also:

Kaspersky Security Center Web Server

Scenario: Mobile Device Management deployment

[Topic 92555]

Adding a provisioning profile

To add a provisioning profile to an iOS MDM Server:

  1. In the console tree, open the Mobile Device Management folder.
  2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
  3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  4. In the context menu of the iOS MDM Server, select Properties.

    The Mobile Device Server properties window opens.

  5. In the properties window of the iOS MDM Server, go to the Provisioning profiles section.
  6. In the Provisioning profiles section, click the Import button and specify the path to a provisioning profile file.

The profile will be added to the iOS MDM Server settings.

You can click the Export button to save the provisioning profile to a file.

You can install the provisioning profile that you imported on iOS MDM devices.

See also:

Scenario: Mobile Device Management deployment

[Topic 89294]

Installing a provisioning profile to a device

To install a provisioning profile on a mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).
  3. Select the user's mobile device on which you have to install the provisioning profile.

    You can select multiple mobile devices to install the provisioning profile simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device management commands window, proceed to the Install provisioning profile section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands from the context menu of that mobile device, and then selecting Install provisioning profile.

    The Select provisioning profiles window opens showing a list of provisioning profiles. Select from the list the provisioning profile that you have to install on the mobile device. You can select multiple provisioning profiles to install them on the mobile device simultaneously. To select the range of provisioning profiles, use the Shift key. To combine provisioning profiles into a group, use the Ctrl key.

  6. Click OK to send the command to the mobile device.

    When the command is executed, the selected provisioning profile will be installed on the user's mobile device. If the command is successfully executed, its current status in the command log is shown as Completed.

    You can click the Resend button to send the command to the user's mobile device again.

    You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  7. Click OK to close the Mobile device management commands window.

You can view the profile that you installed and remove it, if necessary.

See also:

Scenario: Mobile Device Management deployment

[Topic 89295]

Removing a provisioning profile from a device

To remove a provisioning profile from a mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).
  3. Select the user's mobile device from which you have to remove the provisioning profile.

    You can select multiple mobile devices to remove the provisioning profile from them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device management commands window, proceed to the Remove provisioning profile section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands from the context menu and then selecting Remove provisioning profile.

    The Remove provisioning profiles window opens showing a list of profiles.

  6. Select from the list the provisioning profile that you need to remove from the mobile device. You can select multiple provisioning profiles to remove them from the mobile device simultaneously. To select the range of provisioning profiles, use the Shift key. To combine provisioning profiles into a group, use the Ctrl key.
  7. Click OK to send the command to the mobile device.

    When the command is executed, the selected provisioning profile will be removed from the user's mobile device. Applications that are related to the deleted provisioning profile will not be operable. If the command is executed successfully, the current status of the command will be shown as Completed.

    You can click the Resend button to send the command to the user's mobile device again.

    You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  8. Click OK to close the Mobile device management commands window.

See also:

Scenario: Mobile Device Management deployment

[Topic 89297]

Adding a managed application

Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server. An application is considered managed if it has been installed on a device through Kaspersky Security Center. A managed application can be managed remotely by means of Kaspersky Security Center.

To add a managed application to an iOS MDM Server:

  1. In the console tree, open the Mobile Device Management folder.
  2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
  3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  4. In the context menu of the iOS MDM Server, select Properties.

    This opens the properties window of the iOS MDM Server.

  5. In the properties window of the iOS MDM Server, select the Managed applications section.
  6. Click the Add button in the Managed applications section.

    The Add an application window opens.

  7. In the Add an application window, in the App name field, specify the name of the application to be added.
  8. In the Apple ID or App Store link field, specify the Apple ID of the application to be added, or specify a link to a manifest file that can be used to download the application.
  9. If you want a managed application to be removed from the user's mobile device along with the iOS MDM profile when removing the latter, select the Remove together with iOS MDM profile check box.
  10. If you want to block the application data backup through iTunes, select the Block data backup check box.
  11. Click OK.

The added application is displayed in the Managed applications section of the properties window of the iOS MDM Server.

See also:

Scenario: Mobile Device Management deployment

[Topic 65163]

Installing an app on a mobile device

To install an app on an iOS MDM mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. Select the iOS MDM device on which you want to install an app.

    You can select multiple mobile devices to install the application on them simultaneously.

  3. In the context menu of the mobile device, select Show command log.
  4. In the Mobile device management commands window, proceed to the Install app section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands in the context menu of that mobile device, and then selecting Install app.

    The Select apps window opens showing a list of profiles. Select from the list the application that you have to install on the mobile device. You can select multiple applications to install them on the mobile device simultaneously. To select a range of apps, use the Shift key. To combine apps into a group, use the Ctrl key.

  5. Click OK to send the command to the mobile device.

    When the command is executed, the selected application will be installed on the user's mobile device. If the command is successfully executed, its current status in the command log will be shown as Completed.

    You can click the Resend button to send the command to the user's mobile device again. You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  6. Click OK to close the Mobile device management commands window.

Information about the application installed is displayed in the properties of the iOS MDM mobile device. You can remove the application from the mobile device through the command log or the context menu of the mobile device.

See also:

Scenario: Mobile Device Management deployment

[Topic 90688]

Removing an app from a device

To remove an app from a mobile device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).
  3. Select the user's mobile device from which you have to remove the app.

    You can select multiple mobile devices to remove the app from them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device management commands window, proceed to the Remove app section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands in the context menu of that mobile device, and then selecting Remove app.

    The Remove apps window opens showing a list of applications.

  6. Select from the list the app that you need to remove from the mobile device. You can select multiple apps to remove them simultaneously. To select a range of apps, use the Shift key. To combine apps into a group, use the Ctrl key.
  7. Click OK to send the command to the mobile device.

    When the command is executed, the selected app will be removed from the user's mobile device. If the command is executed successfully, the current status of the command will be shown as Completed.

    You can click the Resend button to send the command to the user's mobile device again.

    You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

    The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

  8. Click OK to close the Mobile device management commands window.

See also:

Scenario: Mobile Device Management deployment

[Topic 90835]

Configuring roaming on an iOS MDM mobile device


To configure roaming:

  1. In the console tree, open the Mobile Device Management folder.
  2. In the Mobile Device Management folder, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  3. Select the iOS MDM device owned by the user for whom you have to configure roaming.

    You can select multiple mobile devices to configure roaming on them simultaneously.

  4. In the context menu of the mobile device, select Show command log.
  5. In the Mobile device management commands window, proceed to the Configure roaming section and click the Send command button.

    You can also send the command to the mobile device by selecting All commands → Configure roaming from the context menu of the device.

  6. In the Roaming settings window, specify the relevant settings:
    • Enable voice roaming

      If this option is enabled, the voice roaming is enabled on the iOS MDM mobile device. The user of the iOS MDM mobile device can make and answer calls while in roaming.

      By default, this option is enabled.

    • Enable data roaming

      If this option is enabled, the data roaming is enabled on the iOS MDM mobile device. The user of the iOS MDM mobile device can surf the internet while in roaming.

      By default, this option is disabled.

Roaming is configured for the selected devices.

See also:

Scenario: Mobile Device Management deployment

[Topic 158212]

Viewing information about an iOS MDM device

To view information about an iOS MDM device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.
  3. Select the mobile device for which you want to view the information.
  4. From the context menu of the mobile device, select Properties.

    The properties window of the iOS MDM device opens.

The properties window of the mobile device displays information about the connected iOS MDM device.

See also:

Scenario: Mobile Device Management deployment

[Topic 90816]

Disconnecting an iOS MDM device from management

To disconnect an iOS MDM device from the iOS MDM Server:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.
  3. Select the mobile device that you have to disconnect.
  4. In the context menu of the mobile device, select Delete.

The iOS MDM device will be marked in the list for removal. The mobile device will be automatically removed from the list of managed devices after it is removed from the iOS MDM Server database. The mobile device will be removed from the iOS MDM Server database within one minute.

After the iOS MDM device is disconnected from management, all installed configuration profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile option has been enabled, will be removed from the mobile device.

See also:

Scenario: Mobile Device Management deployment

[Topic 90605]

Sending commands to a device

To send a command to an iOS MDM device:

  1. In Administration Console, open the Mobile Device Management node.
  2. Select the Mobile devices folder.
  3. In the Mobile devices folder, select the mobile device to which the commands need to be sent.
  4. In the context menu of the mobile device, select Show command log.
  5. In the list that appears, select the command to be sent to the mobile device.

See also:

Scenario: Mobile Device Management deployment

[Topic 92556]

Checking the execution status of commands sent

To check the execution status of a command that has been sent to a mobile device:

  1. In Administration Console, open the Mobile Device Management node.
  2. Select the Mobile devices folder.
  3. In the Mobile devices folder, select the mobile device on which the execution status needs to be checked for the selected commands.
  4. In the context menu of the mobile device, select Show command log.

See also:

Scenario: Mobile Device Management deployment

[Topic 92557]

Managing KES devices

In Kaspersky Security Center, you can manage KES mobile devices in the following ways:

In this section

Creating a mobile applications package for KES devices

Enabling certificate-based authentication of KES devices

Viewing information about a KES device

Disconnecting a KES device from management


Creating a mobile applications package for KES devices

A Kaspersky Endpoint Security for Android license is required to create a mobile applications package for KES devices.

To create a mobile applications package:

  1. In the Remote installation folder of the console tree, select the Installation packages subfolder.

    The Remote installation folder is a subfolder of the Advanced folder by default.

  2. Click the Additional actions button and select Manage mobile apps packages in the drop-down list.
  3. In the Mobile apps package management window, click the New button.
  4. The Mobile Applications Package Creation Wizard starts. Follow the instructions of the Wizard.

The newly created mobile applications package is displayed in the Mobile apps package management window.


Enabling certificate-based authentication of KES devices

To enable certificate-based authentication of a KES device:

  1. Open the system registry of the client device that has Administration Server installed (for example, locally, using the regedit command in the Start → Run menu).
  2. Go to the following hive:
    • For 32-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\.core\.independent\KLLIM

    • For 64-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\.core\.independent\KLLIM

  3. Create a key with the LP_MobileMustUseTwoWayAuthOnPort13292 name.
  4. Specify REG_DWORD as the key type.
  5. Set the key value to 1.
  6. Restart the Administration Server service.

Mandatory certificate-based authentication of the KES device using a shared certificate will be enabled after you run the Administration Server service.

The first connection of the KES device to the Administration Server does not require a certificate.

By default, certificate-based authentication of KES devices is disabled.
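
The registry change from the steps above can be reported or applied from an elevated PowerShell session on the device that has Administration Server installed. This is an added example, not Kaspersky tooling; the service name kladminserver and the parameter names -Enforce and -ServiceName are assumptions to confirm on your installation.

```powershell
# Added example: report or enforce certificate-based authentication of KES devices.
# Run elevated on the device that has Administration Server installed.
[CmdletBinding()]
param(
    [switch]$Enforce,                        # without -Enforce the script only reports
    [string]$ServiceName = 'kladminserver'   # assumption: confirm with Get-Service
)

$valueName = 'LP_MobileMustUseTwoWayAuthOnPort13292'
$subKey    = 'SOFTWARE\KasperskyLab\Components\34\.core\.independent\KLLIM'

# The 32-bit registry view resolves to SOFTWARE\Wow6432Node on 64-bit systems and to
# SOFTWARE on 32-bit systems, so both paths from the procedure are covered.
$base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry32)
try {
    $key = $base.OpenSubKey($subKey, $Enforce.IsPresent)   # writable only with -Enforce
    if ($null -eq $key) { throw "Key not found: HKLM\$subKey (32-bit view)" }

    # In Windows terms the "key" from the procedure is a REG_DWORD value under KLLIM.
    $current = $key.GetValue($valueName, $null)
    $isDword = ($null -ne $current) -and
               ($key.GetValueKind($valueName) -eq [Microsoft.Win32.RegistryValueKind]::DWord)
    $enforced = $isDword -and ($current -eq 1)
    $changed  = $false

    if (-not $enforced -and $Enforce) {
        $key.SetValue($valueName, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
        # The setting takes effect only after the Administration Server service restarts.
        Restart-Service -Name $ServiceName -ErrorAction Stop
        $enforced = $true
        $changed  = $true
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Value          = $valueName
        PreviousData   = $current
        TwoWayAuthOn   = $enforced
        ChangedThisRun = $changed
    }
}
finally {
    if ($key) { $key.Close() }
    $base.Close()
}
```

Run without parameters, the script only reports the current state, which makes it usable as a periodic compliance check; with -Enforce it writes the value and restarts the service.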


Viewing information about a KES device

To view information about a KES device:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter KES devices by protocol type (KES).
  3. Select the mobile device for which you want to view the information.
  4. From the context menu of the mobile device, select Properties.

The properties window of the KES device opens.

The properties window of the mobile device displays information about the connected KES device.


Disconnecting a KES device from management

To disconnect a KES device from management, the user has to remove Network Agent from the mobile device. After the user has removed Network Agent, the mobile device details are removed from the Administration Server database, and the administrator can remove the mobile device from the list of managed devices.

To remove a KES device from the list of managed devices:

  1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

    The folder workspace displays a list of managed mobile devices.

  2. In the workspace, filter KES devices by protocol type (KES).
  3. Select the mobile device that you must disconnect from management.
  4. In the context menu of the mobile device, select Delete.

The mobile device is removed from the list of managed devices.

If Kaspersky Endpoint Security for Android has not been removed from the mobile device, that mobile device reappears in the list of managed devices after synchronization with the Administration Server.
