Preparing for mobile device management
This section provides the following information:
- About Exchange Mobile Device Server intended for management of mobile devices over the Exchange ActiveSync protocol
- About iOS MDM Server intended for management of iOS devices by installing dedicated iOS MDM profiles on them
- About management of mobile devices that have Kaspersky Endpoint Security for Android installed
Exchange Mobile Device Server
An Exchange Mobile Device Server allows you to manage mobile devices that are connected to an Administration Server using the Exchange ActiveSync protocol (EAS devices).
How to deploy an Exchange Mobile Device Server
If multiple Microsoft Exchange servers within a Client Access Server array have been deployed in the organization, an Exchange Mobile Device Server must be installed on each of the servers in that array. The Cluster mode option must be enabled in the Exchange Mobile Device Server Installation Wizard. In this case, the set of instances of the Exchange Mobile Device Server installed on servers in the array is called the cluster of Exchange Mobile Device Servers.
If no Client Access Server array of Microsoft Exchange Servers has been deployed in the organization, an Exchange Mobile Device Server must be installed on a Microsoft Exchange Server that has the Client Access role. In this case, the Standard mode option must be enabled in the Exchange Mobile Device Server Installation Wizard.
Together with the Exchange Mobile Device Server, Network Agent must be installed on the device; it helps integrate the Exchange Mobile Device Server with Kaspersky Security Center.
The default scan scope of the Exchange Mobile Device Server is the current Active Directory domain in which it was installed. Deploying an Exchange Mobile Device Server on a server with Microsoft Exchange Server (versions 2010, 2013) installed allows you to expand the scan scope to include the entire domain forest in the Exchange Mobile Device Server (see section "Configuring the scan scope"). Information requested during a scan includes accounts of Microsoft Exchange server users, Exchange ActiveSync policies, and users' mobile devices connected to the Microsoft Exchange Server over Exchange ActiveSync protocol.
Multiple instances of Exchange Mobile Device Server cannot be installed within a single domain if they run in Standard mode and are managed by a single Administration Server. Likewise, within a single Active Directory domain forest, multiple instances of Exchange Mobile Device Server (or multiple clusters of Exchange Mobile Device Servers) cannot be installed if they run in Standard mode with a scan scope expanded to the entire domain forest and are connected to a single Administration Server.
Rights required for deployment of Exchange Mobile Device Server
Deployment of an Exchange Mobile Device Server on Microsoft Exchange Server (2010, 2013) requires domain administrator rights and the Organization Management role. Deployment of an Exchange Mobile Device Server on Microsoft Exchange Server (2007) requires domain administrator rights and membership in the Exchange Organization Administrators security group.
Account for Exchange ActiveSync service
When an Exchange Mobile Device Server is installed, an account is automatically created in Active Directory:
- On Microsoft Exchange Server (2010, 2013): KLMDM4ExchAdmin***** account with the KLMDM Role Group role.
- On Microsoft Exchange Server (2007): KLMDM4ExchAdmin***** account, a member of the KLMDM Secure Group security group.
The Exchange Mobile Device Server service runs under this account.
If you do not want the account to be generated automatically, create a custom account with the following rights:
- When using Microsoft Exchange Server (2010, 2013), the account must be assigned a role that is allowed to execute the following cmdlets:
  - Get-CASMailbox
  - Set-CASMailbox
  - Remove-ActiveSyncDevice
  - Clear-ActiveSyncDevice
  - Get-ActiveSyncDeviceStatistics
  - Get-AcceptedDomain
  - Set-AdServerSettings
  - Get-ActiveSyncMailboxPolicy
  - New-ActiveSyncMailboxPolicy
  - Set-ActiveSyncMailboxPolicy
  - Remove-ActiveSyncMailboxPolicy
- When using Microsoft Exchange Server (2007), the account must be granted the access rights to Active Directory objects listed in the table below.
Access rights to Active Directory objects
- Access: Full
  Object: container "CN=Mobile Mailbox Policies,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"
  Cmdlet: Add-ADPermission -User <User or group name> -Identity "CN=Mobile Mailbox Policies,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRight GenericAll
- Access: Read
  Object: container "CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"
  Cmdlet: Add-ADPermission -User <User or group name> -Identity "CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRight GenericRead
- Access: Read/write
  Object: properties msExchMobileMailboxPolicyLink and msExchOmaAdminWirelessEnable of objects in Active Directory
  Cmdlet: Add-ADPermission -User <User or group name> -Identity "DC=<Domain name>" -InheritanceType All -AccessRight ReadProperty,WriteProperty -Properties msExchMobileMailboxPolicyLink, msExchOmaAdminWirelessEnable
- Access: Extended right ms-Exch-Store-Admin
  Object: mailbox databases of the Exchange server, container "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"
  Cmdlet: Get-MailboxDatabase | Add-ADPermission -User <User or group name> -ExtendedRights ms-Exch-Store-Admin
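For the Microsoft Exchange Server (2010, 2013) case above, the following script builds a role group whose effective cmdlet set is exactly the list the Exchange Mobile Device Server needs, so the custom service account holds nothing more. This is an added example, not a script from Kaspersky or Microsoft; it assumes an Exchange Management Shell session with Organization Management rights, and the account name and the role/group names are placeholders.

```powershell
# Added example: least-privilege role group for a custom Exchange Mobile Device Server account.
# Assumptions: run in the Exchange Management Shell (Exchange 2010/2013) as an Organization
# Management member; $ServiceAccount and $RoleGroupName are placeholders to adapt.
$ServiceAccount  = 'EXAMPLE\svc-klmdm-exchange'   # placeholder custom service account
$RoleGroupName   = 'KLMDM Custom Role Group'       # assumed group name
$RequiredCmdlets = @(
    'Get-CASMailbox', 'Set-CASMailbox',
    'Remove-ActiveSyncDevice', 'Clear-ActiveSyncDevice', 'Get-ActiveSyncDeviceStatistics',
    'Get-AcceptedDomain', 'Set-AdServerSettings',
    'Get-ActiveSyncMailboxPolicy', 'New-ActiveSyncMailboxPolicy',
    'Set-ActiveSyncMailboxPolicy', 'Remove-ActiveSyncMailboxPolicy'
)

# A child role may only keep entries inherited from its parent, so group the required
# cmdlets by a built-in (root) role that already exposes each of them.
$byParent = @{}
foreach ($cmdlet in $RequiredCmdlets) {
    $entry = Get-ManagementRoleEntry "*\$cmdlet" -ErrorAction SilentlyContinue |
        Where-Object { (Get-ManagementRole $_.Role).IsRootRole } |
        Select-Object -First 1
    if (-not $entry) { Write-Warning "No built-in role exposes $cmdlet; review it manually."; continue }
    if (-not $byParent.ContainsKey($entry.Role)) { $byParent[$entry.Role] = @() }
    $byParent[$entry.Role] += $cmdlet
}

# Create one trimmed child role per parent, stripping every entry not on the required list.
$customRoles = @()
foreach ($parent in $byParent.Keys) {
    $roleName = "KLMDM $parent"                   # assumed naming scheme for the child roles
    New-ManagementRole -Name $roleName -Parent $parent | Out-Null
    Get-ManagementRoleEntry "$roleName\*" |
        Where-Object { $byParent[$parent] -notcontains $_.Name } |
        Remove-ManagementRoleEntry -Confirm:$false
    $customRoles += $roleName
}

# Bind the trimmed roles to a new role group and add the service account as its member.
New-RoleGroup -Name $RoleGroupName -Roles $customRoles -Members $ServiceAccount | Out-Null

# Verify: the group's effective cmdlet list should match $RequiredCmdlets (no output = identical).
$effective = Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
    ForEach-Object { Get-ManagementRoleEntry "$($_.Role)\*" } |
    Select-Object -ExpandProperty Name | Sort-Object -Unique
Compare-Object -ReferenceObject ($RequiredCmdlets | Sort-Object -Unique) -DifferenceObject $effective
```

Any cmdlet the final Compare-Object reports with a "=>" marker is an extra entry to remove; a "<=" marker means a required cmdlet is still missing from the group.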
iOS MDM Server
iOS MDM Server allows you to manage iOS devices by installing dedicated iOS MDM profiles on them. The following features are supported:
- Device lock
- Password reset
- Data wipe
- Installation or removal of apps
- Use of an iOS MDM profile with advanced settings (such as VPN settings, email settings, Wi-Fi settings, camera settings, certificates, etc.)
iOS MDM Server is a web service that receives inbound connections from mobile devices on its TLS port (port 443 by default). Kaspersky Security Center manages the web service through Network Agent, which is installed locally on the device where iOS MDM Server is deployed.
When deploying an iOS MDM Server, the administrator must perform the following actions:
- Provide Network Agent with access to the Administration Server
- Provide mobile devices with access to the TCP port of the iOS MDM Server
This section addresses two standard configurations of an iOS MDM Server.
Standard configuration: Kaspersky Device Management for iOS in DMZ
An iOS MDM Server is located in the DMZ of an organization's local network with internet access. The advantage of this approach is that devices on the internet can reach the iOS MDM web service without any additional measures.
Because management of an iOS MDM Server requires Network Agent to be installed locally, you must ensure that Network Agent can interact with the Administration Server. You can do this in one of the following ways:
- By moving the Administration Server to the DMZ.
- By using a connection gateway:
  - On the device with iOS MDM Server deployed, connect Network Agent to the Administration Server through a connection gateway.
  - On the device with iOS MDM Server deployed, assign Network Agent to act as the connection gateway.
Standard configuration: iOS MDM Server on the local network of an organization
An iOS MDM Server is located on the internal network of an organization. Port 443 (the default port) must be opened for external access, for example, by publishing the iOS MDM web service on Microsoft Forefront Threat Management Gateway (hereinafter referred to as TMG).
In either standard configuration, the iOS MDM Server requires access to Apple web services (address range 17.0.0.0/8) over TCP port 2197. This port is used by the Apple Push Notification service (APNs) to notify devices of new commands.
Managing mobile devices with Kaspersky Endpoint Security for Android
Mobile devices with installed Kaspersky Endpoint Security for Android (hereinafter referred to as KES devices) are managed by means of the Administration Server. Kaspersky Security Center 10 Service Pack 1, as well as later versions, supports the following features for managing KES devices:
- Handling mobile devices as client devices:
  - Membership in administration groups
  - Monitoring, such as viewing statuses, events, and reports
  - Modifying local settings and assigning policies for Kaspersky Endpoint Security for Android
- Sending commands in centralized mode
- Installing mobile app packages remotely
Administration Server manages KES devices over TLS on TCP port 13292.