Kaspersky Secure Mobility Management

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Deploying a system for management by using iOS MDM protocol

Kaspersky Endpoint Security allows you to manage mobile devices running iOS. iOS MDM devices refer to iOS mobile devices that are connected to an iOS MDM Server and managed by an Administration Server.

Connection of mobile devices to an iOS MDM Server is performed in the following sequence:

  1. The administrator installs iOS MDM Server on the selected client device.
  2. The administrator retrieves an Apple Push Notification Service (APNs) certificate.

    The APNs certificate allows Administration Server to connect to the APNs server to send push notifications to iOS MDM devices.

  3. The administrator installs the APNs certificate on the iOS MDM Server.
  4. The administrator creates an iOS MDM profile for the user of the iOS mobile device.

    The iOS MDM profile contains a collection of settings for connecting iOS mobile devices to Administration Server.

  5. The administrator issues a shared certificate to the user.

    The shared certificate is required to confirm that the mobile device is owned by the user.

  6. The user clicks the link sent by the administrator and downloads an installation package to the mobile device.

    The installation package contains a certificate and an iOS MDM profile.

    After the iOS MDM profile is downloaded and the iOS MDM device is synchronized with the Administration Server, the device is displayed in the Mobile devices folder, which is a subfolder of the Mobile Device Management folder in the console tree.

  7. The administrator adds a configuration profile on the iOS MDM Server and installs the configuration profile on the mobile device after it is connected.

    The configuration profile contains a collection of settings and restrictions for the iOS MDM device, for example, settings for installation of applications, settings for the use of various features of the device, email and scheduling settings. A configuration profile allows you to configure iOS MDM mobile devices in accordance with the organization's security policies.

  8. If necessary, the administrator adds provisioning profiles on the iOS MDM Server and then installs these provisioning profiles on mobile devices.

    A provisioning profile is a profile used for managing applications distributed in ways other than through the App Store. A provisioning profile contains information about the license and is linked to a specific application.

In this section

iOS MDM Server deployment scenarios

Simplified deployment scheme

Deployment scheme involving Kerberos constrained delegation (KCD)

Enabling support of Kerberos Constrained Delegation

Installing iOS MDM Server

Use of iOS MDM Server by multiple virtual Servers

Receiving an APNs certificate

Renewing an APNs certificate

Configuring a reserve iOS MDM Server certificate

Installing an APNs certificate on an iOS MDM Server

Configuring access to Apple Push Notification service

iOS MDM Server deployment scenarios

The number of copies of iOS MDM Server to be installed can be selected either based on available hardware or on the total number of mobile devices covered.

Please keep in mind that the recommended maximum number of mobile devices for a single installation of Kaspersky Device Management for iOS is 50,000. In order to reduce the load, the entire pool of devices can be distributed among several servers that have iOS MDM Server installed.

Authentication of iOS MDM devices is performed through user certificates (any profile installed on a device contains the certificate of the device owner). Thus, two deployment schemes are possible for an iOS MDM Server:

Simplified deployment scheme

When deploying an iOS MDM Server under the simplified scheme, mobile devices connect to the iOS MDM web service directly. In this case, only user certificates issued by Administration Server can be used for device authentication. Integration with Public Key Infrastructure (PKI) is not possible for user certificates.

Deployment scheme involving Kerberos constrained delegation (KCD)

The deployment scheme with Kerberos constrained delegation (KCD) requires the Administration Server and the iOS MDM Server to be located on the internal network of the organization.

This deployment scheme provides for the following:

  • Integration with Microsoft Forefront TMG
  • Use of KCD for authentication of mobile devices
  • Integration with the PKI for applying user certificates

When using this deployment scheme, you must do the following:

  • In Administration Console, in the settings of the iOS MDM web service, select the Ensure compatibility with Kerberos constrained delegation check box.
  • As the certificate for the iOS MDM web service, specify the customized certificate that was defined when the iOS MDM web service was published on TMG.
  • User certificates for iOS devices must be issued by the Certificate Authority (CA) of the domain. If the domain contains multiple root CAs, user certificates must be issued by the CA that was specified when the iOS MDM web service was published on TMG.

    You can ensure that the user certificate complies with this CA issuance requirement by using one of the following methods:

    • Specify the user certificate in the New iOS MDM profile wizard and in the Certificate installation wizard.
    • Integrate the Administration Server with the domain's PKI and define the corresponding setting in the rules for issuance of certificates:
      1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
      2. In the workspace of the Certificates folder, click the Configure certificate issuance rules button to open the Certificate issuance rules window.
      3. In the Integration with PKI section, configure integration with the Public Key Infrastructure.
      4. In the Issuance of mobile certificates section, specify the source of certificates.

Below is an example of setup of Kerberos Constrained Delegation (KCD) with the following assumptions:

  • The iOS MDM web service is running on port 443.
  • The name of the device with TMG is tmg.mydom.local.
  • The name of device with the iOS MDM web service is iosmdm.mydom.local.
  • The name of external publishing of the iOS MDM web service is iosmdm.mydom.global.

Service Principal Name for http/iosmdm.mydom.local

In the domain, you have to register the service principal name (SPN) for the device with the iOS MDM web service (iosmdm.mydom.local):

setspn -a http/iosmdm.mydom.local iosmdm

Configuring the domain properties of the device with TMG (tmg.mydom.local)

To delegate traffic, trust the device with TMG (tmg.mydom.local) to the service that is defined by the SPN (http/iosmdm.mydom.local).

To trust the device with TMG to the service defined by the SPN (http/iosmdm.mydom.local), the administrator must perform the following actions:

  1. In the Microsoft Management Console snap-in named "Active Directory Users and Computers", select the device with TMG installed (tmg.mydom.local).
  2. In the device properties, on the Delegation tab, select Trust this computer for delegation to specified services only, and then select Use any authentication protocol.
  3. Add the SPN (http/iosmdm.mydom.local) to the Services to which this account can present delegated credentials list.

Special (customized) certificate for the published web service (iosmdm.mydom.global)

You have to issue a special (customized) certificate for the iOS MDM web service on the FQDN iosmdm.mydom.global and specify that it replaces the default certificate in the settings of iOS MDM web service in Administration Console.

Please note that the certificate container (file with the p12 or pfx extension) must also contain a chain of root certificates (public keys).

Publishing the iOS MDM web service on TMG

On TMG, for traffic that goes from a mobile device to port 443 of iosmdm.mydom.global, you have to configure KCD on the SPN (http/iosmdm.mydom.local), using the certificate issued for the FQDN (iosmdm.mydom.global). Please note that the publishing rule and the published web service must use the same server certificate.
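The SPN registration and delegation settings from the example above can also be applied and verified from PowerShell. This is an added example, not part of the Kaspersky help; it assumes the RSAT ActiveDirectory module, Domain Admin rights, and that the computer accounts are named tmg and iosmdm as in the page's setspn command.

```powershell
# Added example (not from the Kaspersky help): registers the SPN and configures
# constrained delegation for the KCD scheme above, using the names from the page
# (tmg.mydom.local, iosmdm.mydom.local). Assumes the RSAT ActiveDirectory module
# and Domain Admin rights; run on a domain-joined host.
Import-Module ActiveDirectory

$MdmAccount = 'iosmdm'                   # computer account hosting the iOS MDM web service
$TmgAccount = 'tmg'                      # computer account running TMG
$Spn        = 'http/iosmdm.mydom.local'  # SPN from the page

# 1. Register the SPN. setspn -S checks for duplicates first; a duplicate SPN
#    silently breaks Kerberos for both hosts, which is why -S is preferred over -a.
setspn -S $Spn $MdmAccount

# 2. Allow the TMG computer account to delegate to that SPN only. The AD attribute
#    msDS-AllowedToDelegateTo is the "Services to which this account can present
#    delegated credentials" list shown in the GUI procedure above.
Set-ADComputer -Identity $TmgAccount -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }

# 3. "Use any authentication protocol" is protocol transition
#    (TRUSTED_TO_AUTH_FOR_DELEGATION). It is required here because devices
#    authenticate to TMG with certificates, not Kerberos, so TMG must obtain a
#    Kerberos ticket on the user's behalf before forwarding to the MDM service.
Set-ADAccountControl -Identity "$TmgAccount$" -TrustedToAuthForDelegation $true

# 4. Verify: the SPN must belong to exactly one account, and the TMG account must
#    list only the MDM SPN and must NOT be trusted for unconstrained delegation.
setspn -L $MdmAccount
$tmg = Get-ADComputer -Identity $TmgAccount `
        -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
[pscustomobject]@{
    AllowedToDelegateTo     = $tmg.'msDS-AllowedToDelegateTo' -join ', '   # expect only the MDM SPN
    UnconstrainedDelegation = $tmg.TrustedForDelegation                     # expect False
    ProtocolTransition      = $tmg.TrustedToAuthForDelegation               # expect True
}
```

Run the verification part again after any change to the TMG computer account, since re-enabling unconstrained delegation from the GUI silently widens what the account can do.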

See also:

Integration with Public Key Infrastructure

Enabling support of Kerberos Constrained Delegation

Enabling support of Kerberos Constrained Delegation

The application supports usage of Kerberos Constrained Delegation.

To enable support of Kerberos Constrained Delegation:

  1. In the console tree, open the Mobile Device Management folder.
  2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
  3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  4. In the context menu of the iOS MDM Server, select Properties.
  5. In the properties window of the iOS MDM Server, select the Settings section.
  6. In the Settings section, select the Ensure compatibility with Kerberos constrained delegation check box.
  7. Click OK.

See also:

Scenario: Mobile Device Management deployment

Installing iOS MDM Server

To install iOS MDM Server on a client device:

  1. In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.
  2. Click the Install iOS MDM Server button.

    The iOS MDM Server Deployment wizard starts. Proceed through the wizard by using the Next button.

  3. On the Select installation package step of the wizard, select the iOS MDM Server installation package that you want to install.

    If there is no suitable package in the list, click the New button and create the required package.

  4. If necessary, on the Selecting Network Agent installation package for combined installation step of the wizard, keep the Install Network Agent together with this application check box, and then select the Network Agent version that you want to install.

    Network Agent is needed for the iOS MDM Server to connect to Kaspersky Security Center. You can skip this step if Network Agent is already installed on the device where you plan to install the iOS MDM Server.

  5. On the Connection settings step of the wizard, in the External port for connection to iOS MDM field, specify an external port for connecting mobile devices to the iOS MDM service.

    External port 5223 is used by mobile devices for communication with the APNs server. Make sure that port 5223 is open in the firewall for connection with the address range 17.0.0.0/8.

    Port 443 is used for connection to iOS MDM Server by default. If port 443 is already in use by another service or application, it can be replaced with, for example, port 9443.

    The iOS MDM Server uses external port 2197 to send notifications to the APNs server.

    APNs servers run in load-balancing mode. Mobile devices do not always connect to the same IP addresses to receive notifications. The 17.0.0.0/8 address range is reserved for Apple, and it is therefore recommended to specify this entire range as an allowed range in Firewall settings.

  6. If you want to configure interaction ports for application components manually, select the Set up local ports manually option, and then specify values for the following settings:
    • Port for connection to Network Agent

      In this field, specify a port for connecting the iOS MDM service to Network Agent. The default port number is 9799.

    • Local port to connect to iOS MDM service

      In this field, specify a local port for connecting Network Agent to the iOS MDM service. The default port number is 9899.

    It is recommended to use default values.

  7. Under iOS MDM Server address, specify the address of the client device on which iOS MDM Server is to be installed.

    This address will be used for connecting managed mobile devices to the iOS MDM service. The client device must be available for connection of iOS MDM devices.

    You can specify the address of a client device in any of the following formats:

    • Use device FQDN

      The fully qualified domain name (FQDN) of the device will be used.

    • Use this address

      Specify the specific address of the device manually.

    Please avoid adding the URL scheme and the port number in the address string: these values will be added automatically.

  8. On the Select devices for installation step of the wizard, select the devices on which you want to install the iOS MDM Server.
  9. On the Move to list of managed devices step of the wizard, select whether you want to move the devices to any administration group after Network Agent installation.

    This option is applicable if you selected one or more unassigned devices on the previous step. If you selected only managed devices, skip this step.

  10. Define other settings of the wizard. For detailed information about the remote installation of apps, please refer to Kaspersky Security Center help.

When the wizard finishes, iOS MDM Server is installed on the selected devices. The iOS MDM Server is displayed in the Mobile Device Management folder in the console tree.

The wizard proceeds to the Install APNs certificate step. If you do not want to manage the certificate right now, you can create a certificate or install an already existing certificate later.

Receiving an APNs certificate

If you already have an APNs certificate, please consider renewing it instead of creating a new one. When you replace the existing APNs certificate with a newly created one, the Administration Server loses the ability to manage the currently connected iOS mobile devices.

When the Certificate Signing Request (CSR) is created at the first step of the APNs Certificate Wizard, its private key is stored in the RAM of your device. Therefore, all the steps of the wizard must be completed within a single session of the application.

To receive an APNs certificate:

  1. In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.
  2. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  3. In the context menu of the iOS MDM Server, select Properties.

    This opens the properties window of the iOS MDM Server.

  4. In the properties window of the iOS MDM Server, select the Certificates section.
  5. In the Certificates section, in the Apple Push Notification certificate group of settings, click the Request new button.

    The Request new APNs certificate wizard starts.

  6. Create a Certificate Signing Request (hereinafter referred to as CSR):
    1. Click the Create CSR button.
    2. In the Create CSR window that opens, specify a name for your request, the names of your company and department, your city, region, and country.
    3. Click the Save button and specify a name for the file to which your CSR will be saved.

    The private key of the certificate is saved in the device memory.

  7. Use your CompanyAccount to send the file with the CSR you have created to Kaspersky to be signed.

    Signing of your CSR will only be available after you upload to CompanyAccount portal a key that allows using Mobile Device Management.

    After your online request is processed, you will receive a CSR file signed by Kaspersky.

  8. Send the signed CSR file to the Apple Inc. website, using any Apple ID.

    We recommend that you avoid using a personal Apple ID. Create a dedicated Apple ID to make it your corporate ID. After you have created an Apple ID, link it with the organization's mailbox, not a mailbox of an employee.

    After your CSR is processed by Apple Inc., you will receive the public key of the APNs certificate. Save the file on disk.

  9. Export the APNs certificate together with the private key created when generating the CSR, in PFX file format:
    1. In the Request new APNs certificate wizard, click the Complete CSR button.
    2. In the Open window, choose a file with the public key of the certificate received from Apple Inc. as the result of CSR processing, and then click the Open button.

      The certificate export process starts.

    3. In the next window, enter the private key password and click OK.

      This password will be used for the APNs certificate installation on the iOS MDM Server.

    4. In the Save APNs certificate window that opens, specify a file name for APNs certificate, choose a folder, and then click Save.

The private and public keys of the certificate are combined, and the APNs certificate is saved in PFX format. After this, you can install the APNs certificate on the iOS MDM Server.
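Before uploading a PFX to Administration Console, whether the APNs certificate exported above or the customized web-service certificate from the KCD scheme (which must carry its root chain), it is worth inspecting the container. This is an added example, not Kaspersky's code; it assumes the Windows PKI module (Get-PfxData) and treats the file path, expected FQDN and the 60-day warning threshold as parameters you choose.

```powershell
# Added example (not from the Kaspersky help): inspects a PFX/P12 before it is
# uploaded. Checks the points the help calls out: a private key is present, the
# subject or SAN matches the published FQDN (e.g. iosmdm.mydom.global for the
# customized web-service certificate), the container includes the issuing chain,
# and how long the certificate remains valid. Assumes the PKI module (Get-PfxData).
function Test-MdmPfx {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedDnsName,           # e.g. 'iosmdm.mydom.global'; omit for the APNs certificate
        [int]    $WarnIfDaysLeftBelow = 60   # assumption: chosen to match the page's reserve-certificate default
    )
    $password = Read-Host -Prompt "Password for $Path" -AsSecureString
    $data     = Get-PfxData -FilePath $Path -Password $password

    $leaf = $data.EndEntityCertificates | Select-Object -First 1
    if (-not $leaf) { throw "No end-entity certificate found in $Path" }

    # DNS names: subjectAltName (OID 2.5.29.17) when present, otherwise the CN.
    $san      = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = if ($san) { $san.Format($false) } else { $leaf.GetNameInfo('DnsName', $false) }

    # Chain: every non-leaf certificate in the container; a self-signed one is a root.
    $chain = @($data.OtherCertificates)
    $roots = @($chain | Where-Object { $_.Subject -eq $_.Issuer })

    $daysLeft = [int]($leaf.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Subject             = $leaf.Subject
        DnsNames            = $dnsNames
        MatchesExpectedFqdn = (-not $ExpectedDnsName) -or ($dnsNames -match [regex]::Escape($ExpectedDnsName))
        HasPrivateKey       = $leaf.HasPrivateKey          # required for both the APNs and the web-service PFX
        ChainCertificates   = $chain.Count                 # the help requires the chain to be included
        RootIncluded        = $roots.Count -gt 0
        NotAfter            = $leaf.NotAfter
        DaysLeft            = $daysLeft
        RenewSoon           = $daysLeft -lt $WarnIfDaysLeftBelow
        Thumbprint          = $leaf.Thumbprint
    }
}

# Usage (paths are placeholders):
# Test-MdmPfx -Path 'C:\certs\iosmdm.pfx' -ExpectedDnsName 'iosmdm.mydom.global'
# Test-MdmPfx -Path 'C:\certs\apns.pfx'
```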

See also:

Renewing an APNs certificate

Renewing an APNs certificate

To renew an APNs certificate:

  1. In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.
  2. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  3. In the context menu of the iOS MDM Server, select Properties.

    This opens the properties window of the iOS MDM Server.

  4. In the properties window of the iOS MDM Server, select the Certificates section.
  5. In the Certificates section, in the Apple Push Notification certificate group of settings click the Renew button.

    The Renew APNs certificate wizard starts.

  6. Create a Certificate Signing Request (hereinafter referred to as CSR):
    1. Click the Create CSR button.
    2. In the Create CSR window that opens, specify a name for your request, the names of your company and department, your city, region, and country.
    3. Click the Save button and specify a name for the file to which your CSR will be saved.

    The private key of the certificate is saved in the device memory.

  7. Use your CompanyAccount to send the file with the CSR you have created to Kaspersky to be signed.

    Signing of your CSR will only be available after you upload to CompanyAccount portal a key that allows using Mobile Device Management.

    After your online request is processed, you will receive a CSR file signed by Kaspersky.

  8. Send the signed CSR file to the Apple Inc. website, using any Apple ID.

    We recommend that you avoid using a personal Apple ID. Create a dedicated Apple ID to make it your corporate ID. After you have created an Apple ID, link it with the organization's mailbox, not a mailbox of an employee.

    After your CSR is processed by Apple Inc., you will receive the public key of the APNs certificate. Save the file on disk.

  9. Request the public key of the certificate. To do this, perform the following actions:
    1. Proceed to the Apple Push Certificates portal. To log in to the portal, use the Apple ID that was used for the initial certificate request.
    2. In the list of certificates, select the certificate whose APSP name (in "APSP: <number>" format) matches the APSP name of the certificate used by iOS MDM Server and click the Renew button.

      The APNs certificate is renewed.

    3. Save the certificate created on the portal.
  10. Export the APNs certificate together with the private key created when generating the CSR, in PFX file format:
    1. In the Renew APNs certificate wizard, click the Complete CSR button.
    2. In the Open window, choose a file with the public key of the certificate, received from Apple Inc. as the result of CSR processing, and click the Open button.

      The certificate export process will start.

    3. In the next window, enter the private key password and click OK.

      This password will be used for the APNs certificate installation on the iOS MDM Server.

    4. In the Renew APNs certificate window that opens, specify a file name for APNs certificate, choose a folder, and then click Save.

The private and public keys of the certificate are combined, and the APNs certificate is saved in PFX format.

See also:

Receiving an APNs certificate

Configuring a reserve iOS MDM Server certificate

The iOS MDM Server functionality enables you to issue a reserve certificate. This certificate is intended for use in iOS MDM profiles, to ensure seamless switching of managed iOS devices after the iOS MDM Server certificate expires.

If your iOS MDM Server uses a default certificate issued by Kaspersky, you can issue a reserve certificate (or specify your own custom certificate as reserve) before the iOS MDM Server certificate expires. By default, the reserve certificate is automatically issued 60 days before the iOS MDM Server certificate expiration. The reserve iOS MDM Server certificate becomes the main certificate immediately after the iOS MDM Server certificate expiration. The public key is distributed to all managed devices through configuration profiles, so you do not have to transmit it manually.

To issue an iOS MDM Server reserve certificate or specify a custom reserve certificate:

  1. In the console tree, in the Mobile Device Management folder, select the Mobile Device Servers subfolder.
  2. In the list of Mobile Device Servers, select the relevant iOS MDM Server, and on the right pane, click the Configure iOS MDM Server button.
  3. In the iOS MDM Server settings window that opens, select the Certificates section.
  4. In the Reserve certificate block of settings, do one of the following:
    • If you plan to continue using a self-signed certificate (that is, the one issued by Kaspersky):
      1. Click the Issue button.
      2. In the Activation date window that opens, select one of the two options for the date when the reserve certificate must be applied:
        • If you want to apply the reserve certificate at the time of expiration of the current certificate, select the When current certificate expires option.
        • If you want to apply the reserve certificate before the current certificate expires, select the After specified period (days) option. In the entry field next to this option, specify the duration of the period after which the reserve certificate must replace the current certificate.

        The validity period of the reserve certificate that you specify cannot exceed the validity term of the current iOS MDM Server certificate.

      3. Click the OK button.

      The reserve iOS MDM Server certificate is issued.

    • If you plan to use a custom certificate issued by your certification authority:
      1. Click the Add button.
      2. In the File Explorer window that opens, specify a certificate file in the PEM, PFX, or P12 format, which is stored on your device, and then click the Open button.

      Your custom certificate is specified as the reserve iOS MDM Server certificate.

You have a reserve iOS MDM Server certificate specified. The details of the reserve certificate are displayed in the Reserve certificate block of settings (certificate name, issuer name, expiration date, and the date the reserve certificate must be applied, if any).

See also:

Adding a configuration profile

Installing an APNs certificate on an iOS MDM Server

After you receive the APNs certificate, you must install it on the iOS MDM Server.

To install the APNs certificate on the iOS MDM Server:

  1. In the Mobile Device Management folder of the console tree, select the Mobile Device Servers subfolder.
  2. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
  3. In the context menu of the iOS MDM Server, select Properties.

    This opens the properties window of the iOS MDM Server.

  4. In the properties window of the iOS MDM Server, select the Certificates section.
  5. In the Certificates section, in the Apple Push Notification certificate group of settings click the Install button.
  6. Select the PFX file that contains the APNs certificate.
  7. Enter the password of the private key specified when exporting the APNs certificate.

The APNs certificate will be installed on the iOS MDM Server. The certificate details will be displayed in the properties window of the iOS MDM Server, in the Certificates section.

Configuring access to Apple Push Notification service

To ensure proper functioning of the iOS MDM web service and timely responses of mobile devices to the administrator's commands, you need to specify an Apple Push Notification Service certificate (hereinafter referred to as APNs certificate) in the iOS MDM Server settings.

When interacting with Apple Push Notification service (hereinafter referred to as APNs), the iOS MDM web service connects to the external address api.push.apple.com through port 2197 (outbound). Therefore, the iOS MDM web service requires access to TCP port 2197 for the address range 17.0.0.0/8. On the iOS device side, access to TCP port 5223 for the address range 17.0.0.0/8 is required.

If you intend to access APNs from the iOS MDM web service side through a proxy server, you must perform the following actions on the device with the iOS MDM web service installed:

  1. Add the following strings to the registry:
    • For 32-bit operating systems:

    HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset

    "ApnProxyHost"="<Proxy Host Name>"

    "ApnProxyPort"="<Proxy Port>"

    "ApnProxyLogin"="<Proxy Login>"

    "ApnProxyPwd"="<Proxy Password>"

    • For 64-bit operating systems:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset

    "ApnProxyHost"="<Proxy Host Name>"

    "ApnProxyPort"="<Proxy Port>"

    "ApnProxyLogin"="<Proxy Login>"

    "ApnProxyPwd"="<Proxy Password>"

  2. Restart the iOS MDM web service.
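The registry settings above can be applied in one step that picks the key matching the OS bitness and reads the result back. This is an added example, not Kaspersky's code; the proxy host, port and login are placeholders, it assumes you run it from 64-bit PowerShell on the device with the iOS MDM web service installed, and the service restart (step 2) is still done by you.

```powershell
# Added example (not from the Kaspersky help): writes the four ApnProxy* values
# from the procedure above into the registry key for the OS bitness, then reads
# them back. Run from 64-bit PowerShell on the iOS MDM web service host.
function Set-ApnProxy {
    param(
        [Parameter(Mandatory)] [string] $ProxyHost,
        [Parameter(Mandatory)] [int]    $ProxyPort,
        [string]       $ProxyLogin = '',
        [securestring] $ProxyPassword
    )
    # Key paths exactly as given in the help; only the Wow6432Node part differs.
    $key = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset'
    } else {
        'HKLM:\SOFTWARE\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset'
    }
    if (-not (Test-Path $key)) {
        throw "iOS MDM web service key not found: $key (is the service installed on this device?)"
    }

    # The help lists the values as strings, so the port is written as a string too.
    $values = @{
        ApnProxyHost  = $ProxyHost
        ApnProxyPort  = "$ProxyPort"
        ApnProxyLogin = $ProxyLogin
    }
    if ($ProxyPassword) {
        # Convert the SecureString only at the moment of writing.
        $values['ApnProxyPwd'] = [System.Net.NetworkCredential]::new('', $ProxyPassword).Password
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $values[$name] -PropertyType String -Force | Out-Null
    }

    # Read back what the service will see after it is restarted (password not echoed).
    Get-ItemProperty -Path $key | Select-Object ApnProxyHost, ApnProxyPort, ApnProxyLogin
}

# Usage (placeholder values):
# Set-ApnProxy -ProxyHost 'proxy.example.local' -ProxyPort 3128 -ProxyLogin 'svc-apn' `
#              -ProxyPassword (Read-Host -Prompt 'Proxy password' -AsSecureString)
```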

See also:

Receiving an APNs certificate
