The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Deploying a mobile device management solution in Kaspersky Security Center Web Console or Cloud Console
To manage mobile devices by using Kaspersky Security Center Web Console or Cloud Console, you must deploy a mobile device management solution.
Deployment scenarios
Deployment in Kaspersky Security Center Web Console
Deployment of mobile device management solution in Kaspersky Security Center Web Console consists of the following steps:
- Preparing Kaspersky Security Center Web Console for deployment
- Deploying administration plug-ins
- Deploying the mobile app
- (Optional, for Android only) Configuring the information exchange with Firebase Cloud Messaging
It is recommended to perform this step to ensure timely delivery of commands to mobile devices and forced synchronization when policy settings are changed.
Deployment in Kaspersky Security Center Cloud Console
Deployment of mobile device management solution in Kaspersky Security Center Cloud Console consists of the following steps:
- Preparing Kaspersky Security Center Cloud Console for deployment
- Deploying the mobile app
- (Optional, for Android only) Configuring the information exchange with Firebase Cloud Messaging
It is recommended to perform this step to ensure timely delivery of commands to mobile devices and forced synchronization when policy settings are changed.
Preparing Kaspersky Security Center Web Console and Cloud Console for deployment
This section provides instructions on preparing Kaspersky Security Center Web Console and Cloud Console for deployment.
Configuring Administration Server for connection of mobile devices
To connect mobile devices to the Administration Server, you must define the connection settings before installing the app on devices.
- If you are using Kaspersky Security Center Web Console, configure its properties as described below.
- If you are using Kaspersky Security Center Cloud Console, the connection settings are defined during the initial configuration of Kaspersky Security Center Cloud Console. For more information, please refer to Kaspersky Security Center Cloud Console Help.
To define Kaspersky Security Center Web Console properties for a mobile device connection:
- In the main window of Kaspersky Security Center Web Console, click Settings.
The Administration Server properties window opens.
- Configure the Administration Server ports that will be used by mobile devices:
- Select the Additional ports section.
- Enable the Open port for mobile devices toggle button.
- In the Port for mobile device synchronization field, specify the port through which mobile devices will connect to the Administration Server.
Port 13292 is used by default.
If the Open port for mobile devices toggle button is off or an incorrect connection port is specified, mobile devices will not be able to connect to the Administration Server.
- In the Port for mobile device activation field, specify the port to be used by mobile devices to connect to the Administration Server for activation of the mobile app.
Port 17100 is used by default.
If you specify an incorrect connection port, the users of mobile devices will not be able to activate the mobile app by using the Administration Server.
- If necessary, edit the certificate that will be used by mobile devices to connect to the Administration Server.
By default, Administration Server uses the certificate that was created during Administration Server installation. If you want, replace the certificate issued through the Administration Server with another certificate or reissue the certificate issued through the Administration Server.
To edit the certificate:
- Select the Certificates section.
- Define the required settings.
For detailed information about the certificates, please refer to Kaspersky Security Center Help.
- Click the Save button to save the changes you have made to the settings and exit the Administration Server properties window.
After you configure the mobile device connection settings, you can install the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app on mobile devices and connect them to the Administration Server by using the specified settings.
Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server
This topic describes how to configure a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server. The configuration proceeds in the following steps:
- Install Network Agent in the connection gateway role on a host
- Configure the connection gateway on Kaspersky Security Center Administration Server
This article contains an overview of the scenario. For detailed instructions, please refer to the Kaspersky Security Center documentation.
Requirements
For a connection gateway to work correctly with mobile devices, the following requirements must be met:
- Port 13292 must be open on the host with the connection gateway.
- Port 13000 must be open between the connection gateway and Kaspersky Security Center. It does not need to be open outside the DMZ.
- The host must have a static address accessible from the internet.
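The requirements above can be checked from two vantage points before any device is enrolled. The following is an added example, not part of the Kaspersky documentation: it uses the default port numbers named on this page, and the vantage names `internet` and `admin_server` as well as all function names are assumptions of the example.

```python
#!/usr/bin/env python3
"""Added example: compare observed TCP reachability of a connection gateway
with the port requirements listed above."""
import argparse
import socket
import sys

# Default port numbers taken from this page.
MOBILE_SYNC_PORT = 13292  # must be open on the host with the connection gateway
SERVER_LINK_PORT = 13000  # gateway <-> Administration Server, not needed outside the DMZ

# Expected reachability per vantage point (vantage names are assumptions):
#   "internet"     - a test host outside the perimeter
#   "admin_server" - the Administration Server itself
EXPECTED = {
    "internet": {MOBILE_SYNC_PORT: True, SERVER_LINK_PORT: False},
    "admin_server": {SERVER_LINK_PORT: True},
}


def tcp_port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) and unresolvable hosts all count as closed.
        return False


def probe(host, vantage, timeout=3.0):
    """Probe every port that matters for this vantage point."""
    return {port: tcp_port_open(host, port, timeout) for port in EXPECTED[vantage]}


def evaluate(vantage, observed):
    """Compare observed {port: bool} with the expectation for this vantage.

    Returns a list of (port, problem) tuples; an empty list means the
    gateway matches the requirements as seen from this vantage point.
    """
    findings = []
    for port, should_be_open in sorted(EXPECTED[vantage].items()):
        state = observed.get(port)
        if state is None:
            findings.append((port, "not probed from this vantage point"))
        elif should_be_open and not state:
            findings.append((port, "required but unreachable"))
        elif state and not should_be_open:
            findings.append((port, "reachable but not needed outside the DMZ"))
    return findings


def main(argv=None):
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("host", help="address or DNS name of the connection gateway")
    parser.add_argument("vantage", choices=sorted(EXPECTED),
                        help="where this script is being run from")
    args = parser.parse_args(argv)

    findings = evaluate(args.vantage, probe(args.host, args.vantage))
    for port, problem in findings:
        print(f"{args.host}:{port} {problem}")
    if not findings:
        print(f"{args.host}: port exposure matches the requirements ({args.vantage})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it once from a host outside the perimeter with the `internet` vantage and once on the Administration Server with the `admin_server` vantage; a non-zero exit code means at least one port deviates from the requirements.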
Install Network Agent in the connection gateway role on a host
First, you need to install Network Agent on the selected host device that will act in the connection gateway role. You can download a full installation package of Kaspersky Security Center or use a local installation of Kaspersky Security Center.
By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>
To install Network Agent in the connection gateway role:
- Start the Network Agent Setup Wizard and follow its instructions leaving default values for all of the options until the Select Administration Server window opens.
- In the Select Administration Server window, configure the following settings:
- Enter the address of the device with Administration Server installed.
- In the Port, SSL port, and UDP port fields, leave the default values.
- Select the Use SSL to connect to Administration Server check box to establish a connection to the Administration Server through a secure port via SSL.
We recommend that you do not clear this check box so your connection remains secured.
- Select the Allow Network Agent to open UDP port check box to manage client devices and receive information about them.
- Click Next and proceed through the Wizard with default settings up to the Connection gateway window.
- In the Connection gateway window, select Use Network Agent as a connection gateway in DMZ.
This mode simultaneously activates the connection gateway role and tells Network Agent to wait for connections from Administration Server, rather than establish connections to Administration Server.
- Click Next and start the installation.
Network Agent is now installed and configured in the connection gateway role.
Configure the connection gateway on Kaspersky Security Center Administration Server
Once you have installed Network Agent in the connection gateway role, you need to connect it to Administration Server. Administration Server does not yet list the device with the connection gateway among the managed devices because the connection gateway has not tried to connect to Administration Server. Therefore, you need to add the connection gateway as a distribution point to ensure that Administration Server initiates a connection to the connection gateway.
To configure the connection gateway on Administration Server:
- Add the connection gateway as a distribution point in Kaspersky Security Center.
- In the console tree, select the Administration Server node.
- In the context menu of Administration Server, select Properties.
- In the Administration Server properties window, select the Distribution points section.
- Click the Add button.
The Add distribution point window opens.
- In the Add distribution point window, perform the following actions:
- Specify the IP address of the device with Network Agent installed in the Device to act as distribution point field. To do this, select Add connection gateway in DMZ by address in the drop-down list.
Enter the IP address of the connection gateway or enter the name if the connection gateway is accessible by name.
- In the Distribution point scope field, select the group to which the connection gateway will be distributed from the drop-down list, and then click OK.
- In the Distribution points section, click OK to save the changes you have made.
The connection gateway will be saved as a new entry named Temporary entry for connection gateway.
Administration Server almost immediately attempts to connect to the connection gateway at the address that you specified. If it succeeds, the entry name changes to the name of the connection gateway device. This process takes up to five minutes.
While the temporary entry for the connection gateway is being converted to a named entry, the connection gateway also appears in the Unassigned devices group.
- Create a new group under the Managed devices group. This new group will contain external managed devices.
- Move the connection gateway from the Unassigned devices group to the group that you have created for external devices.
- Configure properties of the connection gateway that you have deployed:
- In the Distribution points section of the Administration Server properties, select the connection gateway and click Properties.
- In the General section, under DNS domain names of the distribution point for access by mobile devices (included in the certificate), specify your connection gateway DNS name that will be used to connect to the mobile device.
- In the Connection Gateway section, select the following check boxes and leave the default port numbers:
- Open port for mobile devices (SSL authentication of the Administration Server only)
- Open port for mobile devices (two-way SSL authentication)
- Click OK to save the changes you have made.
The connection gateway is now configured. You can now add new mobile devices by specifying the connection gateway address. New devices will appear on Administration Server.
Creating an administration group
Group policies are used to perform centralized configuration of the Kaspersky Endpoint Security for Android and Kaspersky Security for iOS apps installed on the users' mobile devices.
To apply a policy to a group of devices, you are advised to create a separate group for these devices in Managed devices prior to installing mobile apps on user devices.
After creating an administration group, it is recommended to configure the option to automatically allocate devices on which you want to install the apps to this group. Then configure settings that are common to all devices by using a group policy.
To create an administration group:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Hierarchy of groups.
- In the administration group structure, select the administration group that is to include the new administration group.
- Click the Add button.
- In the Name of the new administration group window that opens, enter a name for the group, and then click the Add button.
A new administration group with the specified name appears in the hierarchy of administration groups.
Creating a rule for automatically allocating a device to administration groups
When the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app is installed on mobile devices, they are displayed on the Discovery & deployment > Unassigned devices page of Kaspersky Security Center Web Console or Cloud Console. In order to manage newly connected devices, you can move them to an administration group manually or create a rule for allocating them automatically to administration groups.
To create a rule for automatic allocation of mobile devices to administration groups:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Discovery & deployment > Deployment & assignment > Moving rules.
- In the New rule window that opens, click the Add button.
- In the Rule name field, specify the rule name.
- In the Administration group field, select the administration group to which mobile devices will be allocated after the app has been installed on them.
- In the Apply rule section, select Run once for each device.
- Select the Move only devices not added to an administration group check box to prevent the moving of the mobile devices that are allocated to other administration groups when applying the rule.
- Select the Enable rule check box to apply the rule immediately after creating it.
You can enable the rule at any time later by using the toggle button on the Moving rules page.
- Select Rule conditions > Applications and do the following:
- Enable the Operating system version toggle button.
- In the list of operating systems that opens, select Android or iOS.
The rule will be applied to the corresponding devices. You must specify at least one condition to create a rule.
- Click Save to create the rule.
The newly created rule is displayed on the Moving rules page. According to the rule, Kaspersky Security Center will allocate all newly connected devices to the selected administration group.
For detailed information on administration groups management and actions with unassigned devices:
- If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
- If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.
Deploying administration plug-ins
To manage mobile devices in Kaspersky Security Center Web Console, the following administration plug-ins must be installed:
If you are using Kaspersky Security Center Cloud Console, you do not need to install the administration plug-ins. You only need to create an account in Kaspersky Security Center Cloud Console. For more information about creating an account, please refer to Kaspersky Security Center Cloud Console Help.
You can use the following methods to install administration plug-ins:
- By using the Quick Start Wizard of Kaspersky Security Center Web Console.
Kaspersky Security Center Web Console automatically prompts you to run the Quick Start Wizard after Administration Server installation, at the first connection to it. You can also start the Quick Start Wizard manually at any time.
For more information on the Quick Start Wizard for Kaspersky Security Center, please refer to Kaspersky Security Center Help.
- By using the list of available distribution packages in Kaspersky Security Center Web Console.
The list of available distribution packages is updated automatically after new versions of Kaspersky applications are released.
- Download the distribution packages from an external source and add administration plug-ins to Kaspersky Security Center Web Console.
For example, the distribution packages of administration plug-ins can be downloaded on the Kaspersky website.
Installing administration plug-ins from the list of available distribution packages
To install the administration plug-ins:
- In the main window of Kaspersky Security Center Web Console, select Console settings > Web plug-ins.
- Click the Add button.
This opens the list of up-to-date versions of Kaspersky applications.
- Install the administration plug-ins:
- In the list of available applications, click the Mobile devices section to expand it.
- Select Kaspersky Security for Mobile (Devices), and then click Install plug-in.
- Select Kaspersky Security for Mobile (Policies), and then click Install plug-in.
The distribution packages are downloaded and the plug-ins are installed. When each plug-in is installed and added to Kaspersky Security Center Web Console, a confirmation window is displayed.
Installing administration plug-ins from the distribution package
You can download the distribution package on the Kaspersky website.
To install the Kaspersky Security for Mobile (Devices) plug-in from the distribution package:
- Copy the plugin.zip and signature.txt files from the on_prem_ksm_devices_xx.x.x.x.zip archive of the distribution package to the administrator's workstation.
- In the main window of Kaspersky Security Center Web Console, select Console settings > Web plug-ins.
- Click Add from file.
- In the Add from file window that opens, click Upload ZIP file, and then browse for plugin.zip.
- Click Upload signature, and then browse for signature.txt.
- Click the Add button.
The Kaspersky Security for Mobile (Devices) plug-in is installed and added to Kaspersky Security Center Web Console.
To install the Kaspersky Security for Mobile (Policies) plug-in from the distribution package:
- Copy the plugin.zip and signature.txt files from the on_prem_ksm_policies_xx.x.x.x.zip archive of the distribution package to the administrator's workstation.
- In the main window of Kaspersky Security Center Web Console, select Console settings > Web plug-ins.
- Click Add from file.
- In the Add from file window that opens, click Upload ZIP file, and then browse for plugin.zip.
- Click Upload signature, and then browse for signature.txt.
- Click the Add button.
The Kaspersky Security for Mobile (Policies) plug-in is installed and added to Kaspersky Security Center Web Console.
You can make sure that the administration plug-ins have been installed by viewing the list of installed plug-ins on the Console settings > Web plug-ins page.
Deploying the mobile app
To manage mobile devices in Kaspersky Security Center Web Console or Cloud Console, you must deploy the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app on mobile devices. You can deploy apps on mobile devices by using Kaspersky Security Center Web Console or Cloud Console.
Deploying the mobile app by using Kaspersky Security Center Web Console or Cloud Console
The mobile app is deployed on the mobile devices of users whose user accounts have been added to Kaspersky Security Center. For more information about user accounts in Kaspersky Security Center:
- If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
- If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.
You can use the Kaspersky Security for Mobile (Devices) plug-in to install the app from Kaspersky Security Center Web Console and Cloud Console by sending an installation link to a mobile device.
- On an Android device, the user receives a Google Play link to download the Kaspersky Endpoint Security for Android app. The app can be installed by following the standard installation procedure on the Android platform. After the installation of the app, the user must provide the required permissions.
Some HUAWEI and Honor devices do not have Google services and therefore no access to apps in Google Play. If some users of HUAWEI and Honor devices cannot install the app from Google Play, they should be instructed to install the app from HUAWEI App Gallery.
- On an iOS device, the user receives an App Store link to download the Kaspersky Security for iOS app. The app can be installed by following the standard installation procedure on the iOS platform.
Before connecting an iOS device, send the address of Kaspersky Security Center to the device user to improve connection security. The user will see this address during app installation and can cancel the connection if the displayed address doesn't match the address you sent.
The link contains the following data:
- Kaspersky Security Center synchronization settings
- Mobile certificate
To deploy the app on a mobile device:
- Start the Mobile Device Connection Wizard:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices, and then click Add.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Users & roles > Users. Click the name of the user or the user group to whom you want to send the link for connecting a mobile device, and then select Devices. Click Add mobile device. In this case, skip step 3.
Proceed through the Wizard by using the Next button.
- Select the operating system of the devices that you want to add:
- Android
- iOS and iPadOS
- Select users and user groups to whom you want to send the link for connecting a mobile device.
- Select the email addresses to which the link will be sent:
- All email addresses
- Main email address
- Alternative email address
- Another email address
If you select this option, specify the email address below.
- The link summary is displayed.
Make sure that all parameters of the link are correct, and then click Send.
- A window opens with a confirmation that the link for adding a mobile device has been sent.
Click OK to finish the Wizard.
When the user installs the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app, the user's device will be displayed on the Devices > Mobile > Devices tab of Web Console or Cloud Console.
After installing the app on users' mobile devices, you will be able to configure the settings for devices and apps by using group policies. You will also be able to send commands to mobile devices (for Android only) for data protection in case devices are lost or stolen.
Activating the mobile app
In Kaspersky Security Center, the license can cover various groups of features. To ensure that the Kaspersky Endpoint Security for Android app and the Kaspersky Security for iOS app are fully functional, the Kaspersky Security Center license purchased by the organization must provide for the Mobile Device Management functionality. The Mobile Device Management functionality is intended for connecting mobile devices to Kaspersky Security Center and managing them.
For detailed information about licensing Kaspersky Security Center and licensing options:
- If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
- If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.
Activating the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app on a mobile device is done by providing valid license information to the app. License information is delivered to the mobile device, together with the policy, when the device is synchronized with Kaspersky Security Center.
If the activation of the mobile app is not completed within 30 days from the time of installation on the mobile device, the app is automatically switched to the limited functionality mode. In this mode, most of the app components are not operational. When switched to the limited functionality mode, the app stops performing automatic synchronization with Kaspersky Security Center. Therefore, if the activation of the app has not been completed within 30 days after the installation, the user must synchronize the device with Kaspersky Security Center manually.
If Kaspersky Security Center is not deployed in your organization or is not accessible to mobile devices, users can activate the mobile app on their devices manually.
To activate the mobile app:
- Open the policy properties window:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices. Click the mobile device that falls under the policy that you want to configure, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties page, select Application settings > Licenses.
- Use the drop-down list to select the required license key from the key storage of the Administration Server.
The details of the license key are displayed in the fields below.
If a key file is selected from the Kaspersky Security Center key storage and sent to the device, Kaspersky Security for iOS will not be able to process it, because Kaspersky Security for iOS does not support this activation method. To activate Kaspersky Security for iOS, you must add the license to Kaspersky Security Center as an activation code.
You can replace the existing activation key on the mobile device if it is different from the one selected in the drop-down list above. To do so, select the If the key on device is different, replace with this key check box.
- Click the Save button to save the changes you have made to the policy and exit the policy properties window.
Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Providing the required permissions for the Kaspersky Endpoint Security for Android app
Certain features of the Kaspersky Endpoint Security for Android app require permissions. Kaspersky Endpoint Security for Android asks for mandatory permissions during installation, as well as after installation and prior to using individual features of the app. It is impossible to install Kaspersky Endpoint Security for Android without providing the mandatory permissions.
On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts, in the device settings. If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted.
On devices running Android 11 or later, you must disable the Remove permissions if app isn't used system setting. Otherwise, after the app is not used for a few months, the system automatically resets the permissions that the user granted to the app.
Permissions requested by the Kaspersky Endpoint Security for Android app
| Permission | App function |
|---|---|
| Phone (for Android 5.0–9.X) | Connect to Kaspersky Security Center (device ID) |
| Storage (mandatory) | Anti-Malware |
| Access to manage all files (for Android 11 or later) | Anti-Malware |
| Nearby Bluetooth devices (for Android 12 or later) | Restrict use of Bluetooth |
| Notifications (for Android 13) | Notify the user about security issues and app events |
| Allow running in the background (for Android 12 or later) | Ensure continuous operation of the app. If permission is not granted, the app may be unloaded from memory and unable to restart. |
| Device administrator (mandatory) | Anti-Theft—lock the device (only for Android 5.0–6.X) |
| | Anti-Theft—take a mugshot with frontal camera. Although taking mugshots is not supported in Kaspersky Security Center Web Console and Cloud Console, the Kaspersky Endpoint Security for Android app requires this permission so that it can be managed by all Kaspersky Security Center consoles. |
| | Anti-Theft—sound an alarm |
| | Anti-Theft—full reset |
| | Password protection |
| | App removal protection |
| | Install security certificate |
| | App Control |
| | Restrict use of the camera, Bluetooth, and Wi-Fi |
| Camera | Anti-Theft—take a mugshot with frontal camera. Although taking mugshots is not supported in Kaspersky Security Center Web Console and Cloud Console, the Kaspersky Endpoint Security for Android app requires this permission so that it can be managed by all Kaspersky Security Center consoles. On devices running Android 11.0 or later, the user must grant the "While using the app" permission when prompted. |
| Location | Anti-Theft—locate device. On devices running Android 10.0 or later, the user must grant the "All the time" permission when prompted. |
| Accessibility | Anti-Theft—lock the device (only for Android 7.0 or later) |
| | Web Protection |
| | App Control |
| | App removal protection (only for Android 7.0 or later) |
| | Display of warnings of Kaspersky Endpoint Security for Android (only for Android 10.0 or later) |
| | Restrict use of the camera (only for Android 11 or later) |
| Display pop-up window (for some Xiaomi devices) | Web Protection |
| Display pop-up windows while running in the background (for some Xiaomi devices) | Web Protection |
| Run in the background (for Xiaomi devices with MIUI firmware on Android 11 or earlier) | App Control |
| | Web Protection |
| | Anti-Theft |
Managing certificates
Mobile certificates are used for the purpose of identifying the users of mobile devices on the Administration Server.
Kaspersky Security Center Web Console and Cloud Console allow you to perform the following actions with user mobile certificates:
- View the certificates and their statuses.
- Create new certificates.
- Renew the expiring certificates.
- Delete certificates.
For more information on Kaspersky Security Center certificates:
- If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
- If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.
Viewing the list of certificates
Kaspersky Security Center Web Console and Cloud Console allow you to view the applied user mobile certificates, their statuses, and properties.
To view the list of applied user mobile certificates:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
- Select Manage certificates.
The Mobile certificates page opens with information about the applied user mobile certificates. You can view details of a certificate by clicking it in the User name column.
Defining certificate settings
You can use Kaspersky Security Center Web Console or Cloud Console to configure the lifetime, automatic updates, and password protection of mobile certificates.
To define mobile certificate settings:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
- Select Manage certificates.
- Select Certificate settings.
- In the Generate mobile certificates window that opens, you can configure the following:
  - Certificate validity period (days)
    Certificate lifetime period in days. The default lifetime of a certificate is 365 days. When this period expires, the mobile device will not be able to connect to the Administration Server.
  - Reissue when certificate will expire in (days)
    The number of days remaining until the current certificate's expiration during which Administration Server should issue a new certificate. For example, if the value of the field is 4, Administration Server issues a new certificate four days before the current certificate expires. The default value is 1.
  - Reissue certificate automatically if possible
    If possible, certificates will be reissued automatically. If this option is disabled, certificates must be reissued manually as they expire. By default, this option is disabled.
  - Prompt for password during certificate installation
    The user will be prompted for a password when the certificate is installed on a mobile device. The password is used only once—during installation of the certificate on the mobile device. The password will be automatically generated by the Administration Server and sent to the user by email. You can specify the password length in the Password length field.
- Click Save to apply the changes and close the window.
The specified settings will be used by Kaspersky Security Center for creating, updating, and protecting mobile certificates.
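The following added example, which is not part of Kaspersky's documentation or tooling, applies the settings above to a constructed certificate inventory to show which certificates are inside the reissue window or already expired. The inventory format, the function names, and the assumption that a reissued certificate reaches a device at its next synchronization are introduced here for illustration.

```python
from datetime import date, timedelta

# Defaults stated on this page for the Generate mobile certificates window.
VALIDITY_DAYS = 365          # Certificate validity period (days)
REISSUE_BEFORE_DAYS = 1      # Reissue when certificate will expire in (days)
AUTO_REISSUE = False         # Reissue certificate automatically if possible


def classify(issued, today, validity_days=VALIDITY_DAYS,
             reissue_before_days=REISSUE_BEFORE_DAYS, auto_reissue=AUTO_REISSUE):
    """Return (state, expires_on, action) for one certificate (hypothetical helper)."""
    expires_on = issued + timedelta(days=validity_days)
    reissue_from = expires_on - timedelta(days=reissue_before_days)
    if today >= expires_on:
        # Day granularity: the expiry date itself is treated as expired.
        return "expired", expires_on, "device cannot connect to Administration Server"
    if today >= reissue_from:
        action = "reissued automatically if possible" if auto_reissue else "reissue manually"
        return "reissue-window", expires_on, action
    return "valid", expires_on, "none"


def delivery_margin_hours(reissue_before_days, sync_interval_hours):
    """Hours of the reissue window left after one full synchronization interval.

    Assumption: a reissued certificate reaches the device at its next sync.
    """
    return reissue_before_days * 24 - sync_interval_hours


def audit(inventory, today, **settings):
    """Classify every (user, issue date) pair in a constructed inventory."""
    return [(user,) + classify(issued, today, **settings) for user, issued in inventory]


# Constructed sample inventory (user name, issue date); not real data.
INVENTORY = [
    ("alice", date(2023, 3, 1)),
    ("bob", date(2022, 6, 15)),
    ("carol", date(2022, 6, 10)),
]

if __name__ == "__main__":
    for row in audit(INVENTORY, today=date(2023, 6, 14)):
        print(row)
    # Default 1-day window with a 24-hour sync schedule leaves no margin.
    print("margin (hours):", delivery_margin_hours(REISSUE_BEFORE_DAYS, 24))
```

A margin of zero or less means the reissue window is no longer than one synchronization interval, so a larger reissue value or a shorter synchronization schedule gives devices time to receive the new certificate.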
Creating a certificate
You can create mobile certificates in Kaspersky Security Center Web Console and Cloud Console for the purpose of identifying the users of mobile devices.
To create a mobile certificate:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
- Select Manage certificates.
- In the Mobile certificates window that opens, click Add to start Mobile Certificate Creation Wizard. Proceed through the Wizard by using the Next button.
- Select users or user groups whose mobile devices you want to manage with a new certificate.
- Specify the Publication parameters:
  - If you want to notify the users about the new certificate, select the Notify user about the new certificate check box.
  - If you want to allow using one certificate multiple times on the same device, select the Allow using one certificate multiple times on the same device (only for devices with Kaspersky Endpoint Security for Android installed) check box.
- Select the Authentication type:
  - Select Credentials (domain login or user name) if you want users to access the certificate by using their credentials.
    On devices, users will have to specify the login in one of the following formats:
    userPrincipalName@DNSDomainName
    sAMAccountName
    sAMADomain\sAMAccountName
  - Select One-time password if you want users to access the certificate by using a one-time password.
    This option is available if you did not select the Allow using one certificate multiple times on the same device (only for devices with Kaspersky Endpoint Security for Android installed) check box in the previous step.
  - Select Password if you want users to access the certificate by using a password.
    This option is available if you selected the Allow using one certificate multiple times on the same device (only for devices with Kaspersky Endpoint Security for Android installed) check box in the previous step.
- Specify the method of certificate delivery in the Certificate delivery field:
  - If you have selected One-time password in the previous step, select one of the following options:
    - If you want to send the password by email, select Notify user by email.
      Then select which email address to use or select Another email address to specify another email address.
    - If you want to notify users about the password by other means, select Show the password after finishing the Wizard.
  - If you have selected Credentials (domain login or user name) in the previous step, select which email address to use or select Another email address to specify another email address.
- The certificate summary is displayed.
  Make sure that all parameters are correct, and then click Create.
As a result, Mobile Certificate Creation Wizard creates a certificate that users can install on their mobile devices. The certificate becomes available after the next synchronization of mobile devices with Kaspersky Security Center.
For more information about creating certificates and configuring rules for issuing them:
- If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
- If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.
Renewing a certificate
If any of the applied mobile certificates is about to expire, you can renew it by using Kaspersky Security Center Web Console or Cloud Console.
To renew a mobile certificate:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
- Select Manage certificates.
- Select the certificate that you want to renew, and then click Reissue.
The status of the certificate changes to The certificate has been reissued.
Deleting a certificate
You can delete mobile certificates by using Kaspersky Security Center Web Console or Cloud Console.
If you delete a mobile certificate, the device can no longer synchronize with the Administration Server and cannot be managed by means of Kaspersky Security Center. To start managing the mobile device again, you will need to reinstall the Kaspersky Endpoint Security for Android app on it.
To delete a mobile certificate:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Devices.
- Select Manage certificates.
- Select the certificate that you want to delete, and then click Delete.
The certificate is deleted and removed from the list of certificates.
Exchanging information with Firebase Cloud Messaging
Kaspersky Endpoint Security for Android uses the Firebase Cloud Messaging (FCM) service to ensure timely delivery of commands to mobile devices and forced synchronization when policy settings are changed.
To use the Firebase Cloud Messaging service, you must define the service settings in Kaspersky Security Center Web Console or Cloud Console.
To enable Firebase Cloud Messaging in Kaspersky Security Center Web Console or Cloud Console:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Android devices synchronization.
The Android devices synchronization window opens.
- In the Sender ID and Server key fields, specify the Firebase Cloud Messaging settings: SENDER_ID and API Key.
Firebase Cloud Messaging is enabled.
To obtain a Sender ID and the Server key:
- Register on the Google portal.
- Go to Google Cloud Platform.
- Create a new project.
Wait for the project to be created.
- Find the relevant SENDER_ID of the project.
- Enable Google Firebase Cloud Messaging for Android.
- Follow the onscreen instructions to create credentials.
- Retrieve the API Key from the properties of the newly created credentials.
For detailed information about operations in Google Cloud Platform, please refer to its documentation.
You now have a Sender ID and a Server key to configure the Firebase Cloud Messaging settings.
If the Firebase Cloud Messaging settings are not defined, commands on the mobile device and policy settings will be delivered when the device is synchronized with Kaspersky Security Center, according to the schedule set in the policy (for example, every 24 hours). In other words, commands and policy settings will be delivered with a delay.
For the purposes of supporting the main functionality of the product, you agree to automatically provide the Firebase Cloud Messaging service with the unique ID of the app installation (Instance ID), and the following data:
- Information about the installed software: app version, app ID, app build version, app package name.
- Information about the computer on which the software is installed: OS version, device ID, version of Google services.
- Information about FCM: app ID in FCM, FCM user ID, protocol version.
Data is transmitted to Firebase services over a secure connection. Access to and protection of information is regulated by the relevant terms of use of the Firebase services: Firebase Data Processing and Security Terms, Privacy and Security in Firebase.
To prevent the exchange of information with the Firebase Cloud Messaging service:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Mobile > Android devices synchronization.
The Android devices synchronization window opens.
- Click Reset.
- In the window that opens, click the OK button to confirm resetting.
The Firebase Cloud Messaging settings are cleared.