Kaspersky Security Center 13.1

Working with certificates of mobile devices

This section describes how to work with certificates of mobile devices: how to install certificates on users' mobile devices, how to configure certificate issuance rules, how to integrate the application with the public key infrastructure, and how to enable support of Kerberos Constrained Delegation.

In this section

Starting the Certificate Installation Wizard

Step 1. Selecting certificate type

Step 2. Selecting device type

Step 3. Selecting a user

Step 4. Selecting certificate source

Step 5. Assigning a tag to the certificate

Step 6. Specifying certificate publishing settings

Step 7. Selecting user notification method

Step 8. Generating the certificate

Configuring certificate issuance rules

Integration with public key infrastructure

Enabling support of Kerberos Constrained Delegation

See also:

Scenario: Mobile Device Management deployment


Starting the Certificate Installation Wizard

You can install the following types of certificates on a user's mobile device:

  • Shared certificates for identifying the mobile device
  • Mail certificates for configuring the corporate mail on the mobile device
  • VPN certificates for configuring access to a virtual private network on the mobile device

To install a certificate on a user's mobile device:

  1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
  2. In the workspace of the Certificates folder, click the Add certificate link to run the Certificate Installation Wizard.

Follow the instructions of the Wizard.

After the Wizard finishes, a certificate will be created and added to the list of the user's certificates; in addition, a notification will be sent to the user, providing the user with a link for downloading and installing the certificate on the mobile device. You can view the list of all certificates and export it to a file. You can delete and reissue certificates, as well as view their properties.

See also:

Scenario: Mobile Device Management deployment


Step 1. Selecting certificate type

Specify the type of certificate that must be installed on the user's mobile device:

  • Mobile certificate—for identifying the mobile device
  • Mail certificate—for configuring the corporate mail on the mobile device
  • VPN certificate—for configuring access to a virtual private network on the mobile device

See also:

Scenario: Mobile Device Management deployment


Step 2. Selecting device type

This window is displayed only if you selected Mail certificate or VPN certificate as the certificate type.

Specify the type of the operating system on the device:

  • iOS MDM device. Select this option if you have to install a certificate on a mobile device that is connected to the iOS MDM Server by using iOS MDM protocol.
  • KES device managed by Kaspersky Security for Mobile. Select this option if you have to install a certificate on a KES device. In this case, the certificate will be used for user identification upon every connection to the Administration Server.
  • KES device connected to Administration Server without user certificate authentication. Select this option if you have to install a certificate on a KES device that connects without certificate authentication. In this case, at the final step of the Wizard, in the User notification method window, the administrator must select the user authentication type that is used at every connection to the Administration Server.

See also:

Scenario: Mobile Device Management deployment


Step 3. Selecting a user

In the list, select users, user groups, or Active Directory user groups for which you have to install the certificate.

In the User selection window, you can search for . You can click Add to add an internal user.

See also:

Scenario: Mobile Device Management deployment


Step 4. Selecting certificate source

In this window, you can select the certificate source that Administration Server will use to identify the mobile device. You can specify a certificate using one of the following methods:

  • Create a certificate automatically, by means of Administration Server tools, then deliver the certificate to the device.
  • Specify a certificate file that was created earlier. This method is not available if multiple users were selected at the previous step.

Select the Publish certificate check box if a notification about the creation of a certificate for the mobile device must be sent to the user.

If the user's mobile device has already been previously authenticated using a certificate so there is no need to specify an account name and password to receive a new certificate, clear the Publish certificate check box. In this case, the User notification method window will not be displayed.

See also:

Scenario: Mobile Device Management deployment


Step 5. Assigning a tag to the certificate

The Certificate tag window is displayed if iOS MDM device has been selected in the Device type window.

In the drop-down list, you can assign a tag to the certificate of the user's iOS MDM device. The certificate with the assigned tag may have specific parameters set for this tag in the Kaspersky Device Management for iOS policy properties.

The drop-down list prompts you to select the Certificate template 1, Certificate template 2, or Certificate template 3 tag. You can configure the tags in the following sections:

  • If Mail certificate has been selected in the Certificate type window, the tags for it can be configured in the properties of the Exchange ActiveSync account for mobile devices (Managed devices → Policies → Kaspersky Device Management for iOS policy properties → Exchange ActiveSync section → Add → Advanced).
  • If VPN certificate has been selected in the Certificate type window, the tags for it can be configured in the properties of the VPN for mobile devices (Managed devices → Policies → Kaspersky Device Management for iOS policy properties → VPN section → Add → Advanced). You cannot configure the tags used for VPN certificates if the L2TP, PPTP, or IPSec (Cisco) connection type is selected for your VPN.

See also:

Installing a certificate for a user

Scenario: Mobile Device Management deployment


Step 6. Specifying certificate publishing settings


In this window, you can specify the following certificate publishing settings:

  • Do not notify the user about a new certificate

    Enable this option if you do not want to send a user a notification about creation of a certificate for the user's mobile device. In this case, the User notification method window will not be displayed.

    This option is only applicable to devices with Kaspersky Endpoint Security for Android installed.

    You might want to enable this option, for example, if the user's mobile device has already been previously authenticated by means of a certificate so there is no need to specify an account name and password to receive a new certificate.

  • Allow the device to have multiple receipts of a single certificate (only for devices with Kaspersky Endpoint Security for Android installed)

    Enable this option if you want Kaspersky Security Center to automatically resend the certificate every time it is soon to expire or when it is not found on the target device.

    The certificate is automatically resent several days before the certificate expiration date. You can set the number of days in the Certificate issuance rules window.

    In some cases, the certificate cannot be found on the device. For example, this can happen when the user reinstalls the Kaspersky security application on the device or resets the device settings and data to factory defaults. In this case Kaspersky Security Center checks the device ID at the next attempt of the device to connect to the Administration Server. If the device has the same ID as it had when the certificate was issued, the application resends the certificate to the device.

See also:

Scenario: Mobile Device Management deployment


Step 7. Selecting user notification method


This window is not displayed if you selected iOS MDM device as the device type or if you selected the Do not notify the user about a new certificate option.

In the User notification method window, you can configure the user notification about certificate installation on the mobile device.

In the Authentication method field, specify the user authentication type:

  • Credentials (domain or alias)

    In this case, the user employs the domain password or the password of a Kaspersky Security Center internal user to receive a new certificate.

  • One-time password

    In this case, the user receives a one-time password that will be sent by email or by SMS. This password must be entered to receive a new certificate.

    This option changes to Password if you enabled (selected) the Allow the device multiple receipts of a single certificate (only for devices with Kaspersky security applications for mobile devices installed) option in the Certificate publishing settings window.

  • Password

    In this case, the password is used every time the certificate is sent to the user.

    This option changes to One-time password if you disabled (cleared) the Allow the device multiple receipts of a single certificate (only for devices with Kaspersky security applications for mobile devices installed) option in the Certificate publishing settings window.

This field is displayed if you selected Mobile certificate in the Certificate type window or if you selected KES device connected to Administration Server without user certificate authentication as the device type.

Select the user notification option:

  • Show authentication password after the Wizard finishes

    If you select this option, the user name, user name in Security Account Manager (SAM), and password for certificate retrieval for each of the selected users will be displayed at the final step of the Certificate Installation Wizard. Configuration of user notification about an installed certificate will be unavailable.

    When you add certificates for multiple users, you can save the provided credentials to a file by clicking the Export button at the last step of the Certificate Installation Wizard.

    This option is unavailable if you selected Credentials (domain or alias) at the User notification method step of the Certificate Installation Wizard.

  • Notify user of new certificate

    If you select this option, you can configure user notification about a new certificate.

    • By email

      In this group of settings, you can configure user notification about installation of a new certificate on his or her mobile device using email messages. This notification method is only available if the SMTP Server is enabled.

      Click the Edit message link to view and edit the notification message, if necessary.

    • By SMS

      In this group of settings, you can configure user notification by SMS about installation of a new certificate on the mobile device. This notification method is only available if SMS notification is enabled.

      Click the Edit message link to view and edit the notification message, if necessary.

See also:

Installing a certificate for a user

Scenario: Mobile Device Management deployment


Step 8. Generating the certificate

At this step, the certificate is created.

You can click Finish to exit the Wizard.

The certificate is generated and displayed in the list of certificates in the workspace of the Certificates folder.

See also:

Scenario: Mobile Device Management deployment


Configuring certificate issuance rules

Certificates are used to authenticate devices to the Administration Server. Every managed mobile device must have a certificate. You can configure how certificates are issued.

To configure certificate issuance rules:

  1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
  2. In the workspace of the Certificates folder, click the Configure certificate issuance rules button to open the Certificate issuance rules window.
  3. Proceed to the section with the name of a certificate type:
    • Issuance of mobile certificates—To configure the issuance of certificates for the mobile devices.
    • Issuance of mail certificates—To configure the issuance of mail certificates.
    • Issuance of VPN certificates—To configure the issuance of VPN certificates.

  4. In the Issuance settings section, configure the issuance of the certificate:
    • Specify the certificate term in days.
    • Select a certificate source (Administration Server or Certificates are specified manually).

      Administration Server is selected as the default source of certificates.

    • Specify a certificate template (Default template, Other template).

      Template configuration is available only if integration with the public key infrastructure is enabled in the Integration with PKI section.

  5. In the Automatic Updates settings section, configure automatic updates of the certificate:
    • In the Renew when certificate is to expire in (days) field, specify how many days before expiration the certificate must be renewed.
    • To enable automatic updates of certificates, select the Reissue certificate automatically if possible check box.

    A mobile certificate can be renewed manually only.

  6. In the Password protection section, enable and configure the use of a password when decrypting certificates.

    Password protection is only available for mobile certificates.

    1. Select the Prompt for password during certificate installation check box.
    2. Use the slider to define the maximum number of characters in the password used for encryption.
  7. Click OK.

See also:

Starting the Certificate Installation Wizard

Scenario: Mobile Device Management deployment


Integration with public key infrastructure

Integration of the application with the public key infrastructure (PKI) is required to simplify the issuance of domain certificates to users. Following integration, certificates are issued automatically.

The minimum supported PKI server version is Windows Server 2008.

You have to configure the account for integration with PKI. The account must meet the following requirements:

  • Be a domain user and an administrator on the device that has Administration Server installed.
  • Be granted the SeServiceLogonRight privilege (the Log on as a service user right) on the device with Administration Server installed.

To create a permanent user profile, log on at least once under the configured user account on the device with Administration Server installed. In this user's certificate repository on the Administration Server device, install the Enrollment Agent certificate provided by domain administrators.
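Before running the procedure below, it is worth verifying that the integration account actually meets these requirements. The following PowerShell script is an added example, not part of Kaspersky Security Center; it assumes it is run in an elevated PowerShell session started under the PKI integration account on the Administration Server device, and it identifies the Enrollment Agent certificate by the Certificate Request Agent extended key usage (OID 1.3.6.1.4.1.311.20.2.1).

```powershell
# Added example, not part of Kaspersky Security Center. Run it in an
# elevated PowerShell session that was started under the PKI integration
# account on the Administration Server device (secedit and an unfiltered
# group token both require elevation).
$ErrorActionPreference = 'Stop'

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$userSid   = $identity.User.Value
# SIDs of the user and of every group in the token; a right may be granted via a group.
$tokenSids = @($userSid) + @($identity.Groups | ForEach-Object { $_.Value })

# 1. Domain user: the account's authority must not be the local computer.
$isDomainUser = ($identity.Name -split '\\')[0] -ne $env:COMPUTERNAME

# 2. Member of the local Administrators group (well-known SID S-1-5-32-544,
#    used instead of the group name because the name is localized).
$adminSid     = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$isLocalAdmin = $principal.IsInRole($adminSid)

# 3. SeServiceLogonRight ("Log on as a service"): export the local security
#    policy and look for the user's SID or one of its group SIDs in the assignment.
$inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $inf -Force
$grantedTo = if ($rightLine) {
    ($rightLine -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
} else { @() }
$hasServiceLogonRight = [bool]($grantedTo | Where-Object { $tokenSids -contains $_ })

# 4. Enrollment Agent certificate in this user's personal store: an unexpired
#    certificate with a private key and the Certificate Request Agent EKU.
$agentEkuOid = '1.3.6.1.4.1.311.20.2.1'
$agentCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    (@($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }) -contains $agentEkuOid)
}

[pscustomobject]@{
    Account                    = $identity.Name
    DomainUser                 = $isDomainUser
    LocalAdministrator         = $isLocalAdmin
    SeServiceLogonRight        = $hasServiceLogonRight
    EnrollmentAgentCertificate = [bool]$agentCerts
    EnrollmentAgentThumbprint  = ($agentCerts | Select-Object -First 1).Thumbprint
} | Format-List
```

Every property in the output should be True (and a thumbprint should be shown) before you enable the integration; a False value points at the requirement that still has to be fulfilled.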

To configure integration with the public key infrastructure:

  1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
  2. In the workspace, click the Integrate with public key infrastructure button.

    The Integration with PKI section of the Certificate issuance rules window opens.

  3. Select the Integrate issuance of certificates with PKI check box.
  4. In the Account field, specify the name of the user account to be used for integration with the public key infrastructure.
  5. In the Password field, enter the domain password for the account.
  6. In the Certificate template name in PKI system list, select the certificate template that will be used for the issuance of certificates to domain users.

    A dedicated service is run in Kaspersky Security Center under the specified user account. This service is responsible for issuing users' domain certificates. The service is run when the list of certificate templates is loaded by clicking the Refresh list button or when a certificate is generated.

  7. Click OK to save the settings.

Following integration, certificates are issued automatically.

See also:

Scenario: Mobile Device Management deployment


Enabling support of Kerberos Constrained Delegation

The application supports Kerberos Constrained Delegation.

To enable support of Kerberos Constrained Delegation:

  1. In the console tree, open the Mobile Device Management folder.
  2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
  3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  4. In the context menu of the iOS MDM Server, select Properties.
  5. In the properties window of the iOS MDM Server, select the Settings section.
  6. In the Settings section, select the Ensure compatibility with Kerberos constrained delegation check box.
  7. Click OK.

See also:

Scenario: Mobile Device Management deployment
