Contents
- Preparing the Administration Console for deployment of the integrated solution
- Configuring Administration Server settings for connection of mobile devices
- Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server
- Displaying the Mobile Device Management folder in the Administration Console
- Creating an administration group
- Creating a rule for automatically allocating devices to administration groups
- Working with certificates of mobile devices
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Preparing the Administration Console for deployment of the integrated solution
This section provides instructions on preparing the Administration Console for deployment of the integrated solution.
Configuring Administration Server settings for connection of mobile devices
In order for mobile devices to be able to connect to the Administration Server, before installing the Kaspersky Endpoint Security mobile app, configure the mobile device connection settings in the Administration Server properties.
To configure Administration Server settings for connecting mobile devices:
- In the context menu of the Administration Server, select Properties.
The Administration Server settings window opens.
- Configure the Administration Server ports that will be used by mobile devices:
- Select Administration server connection settings → Additional ports.
- Select the Open port for mobile devices check box.
- In the Port for mobile device synchronization field, specify the port through which mobile devices will connect to the Administration Server.
Port 13292 is used by default.
If the Open port for mobile devices check box is cleared or the wrong connection port is specified, mobile devices will not be able to connect to the Administration Server.
- In the Port for mobile device activation field, specify the port to be used by mobile devices to connect to the Administration Server for activation of the Kaspersky Endpoint Security for Android app.
Port 17100 is used by default.
- Click OK.
- If necessary, replace the certificate used by devices to connect to the Administration Server:
By default, the certificate that has been created during the Administration Server installation is used. Replace this certificate with a different one or reissue the certificate.
- Select the Certificates section.
- Define the required settings.
- Specify a reserve Administration Server certificate.
You need to specify a reserve Administration Server certificate to meet the security requirements of your organization and maintain a continuous connection between managed devices and the Administration Server. A reserve certificate is not issued by default.
- Click Save to save the changes you have made to the settings and exit the Administration Server properties window.
After you configure the mobile device connection settings, you can install the Kaspersky Endpoint Security app on mobile devices and connect them to the Administration Server by using the specified settings.
Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server
This topic describes how to configure a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server. The configuration proceeds in the following steps:
- Install Network Agent in the connection gateway role on a host
- Configure the connection gateway on Kaspersky Security Center Administration Server
This article contains an overview of the scenario. For detailed instructions, please refer to the Kaspersky Security Center documentation.
Requirements
For a connection gateway to work correctly with mobile devices, the following requirements must be met:
- Port 13292 must be open on the host with the connection gateway.
- Port 13000 must be open between the connection gateway and Kaspersky Security Center. It does not need to be open outside the DMZ.
- The host must have a static address accessible from the internet.
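A way to verify the two port requirements above from the right vantage points, added here as example code (not part of Kaspersky Security Center). Host names are placeholders, the local demo uses a constructed listener so it runs offline, and the probe direction for port 13000 is left to your firewall design since the page does not state one; the static-address requirement is not checked.

```python
# Added example (not Kaspersky Security Center code): verifies the port
# requirements for a connection gateway in the DMZ. Host names are
# placeholders; run each probe from the vantage point named in its comment.
import socket

MOBILE_PORT = 13292   # must be reachable on the gateway by mobile devices
KSC_PORT = 13000      # needed only between the gateway and the Administration Server


def tcp_port_open(host, port, timeout=3.0):
    """True when a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess_gateway(mobile_port_from_internet, ksc_port_between_gateway_and_server,
                   ksc_port_from_internet):
    """Turn three probe results (bools) into (severity, message) findings.

    mobile_port_from_internet: tcp_port_open(gateway, 13292) run from outside.
    ksc_port_between_gateway_and_server: tcp_port_open(..., 13000) run inside, in
        the direction your firewall rules permit between the two hosts.
    ksc_port_from_internet: tcp_port_open(gateway, 13000) run from outside; the
        page does not require this, so a positive result is avoidable exposure.
    """
    findings = []
    if not mobile_port_from_internet:
        findings.append(("error", f"port {MOBILE_PORT} on the gateway is not reachable "
                         "from the internet; mobile devices cannot connect"))
    if not ksc_port_between_gateway_and_server:
        findings.append(("error", f"port {KSC_PORT} is closed between the gateway and "
                         "the Administration Server; the server cannot connect to the gateway"))
    if ksc_port_from_internet:
        findings.append(("warning", f"port {KSC_PORT} is reachable from outside the DMZ; "
                         "it only needs to be open between the gateway and the server"))
    return findings


def demo_local_probe():
    """Run tcp_port_open against a constructed local listener and a closed local
    port so the example works offline; returns (open_result, closed_result)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    opened = tcp_port_open("127.0.0.1", open_port, timeout=1.0)
    listener.close()

    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                     # nothing listens on this port any more
    closed = tcp_port_open("127.0.0.1", closed_port, timeout=1.0)
    return opened, closed


if __name__ == "__main__":
    print("local probe (open, closed):", demo_local_probe())
    # Constructed results: 13292 open externally, 13000 open internally only.
    for severity, message in assess_gateway(True, True, False) or [("ok", "no findings")]:
        print(f"[{severity}] {message}")
```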
Install Network Agent in the connection gateway role on a host
First, install Network Agent on the host that will act in the connection gateway role. You can download a full installation package of Kaspersky Security Center or use a local installation of Kaspersky Security Center.
By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>
To install Network Agent in the connection gateway role:
- Start the Network Agent Setup Wizard and follow its instructions, leaving the default values for all options, until the Select Administration Server window opens.
- In the Select Administration Server window, configure the following settings:
- Enter the address of the device with Administration Server installed.
- In the Port, SSL port, and UDP port fields, leave the default values.
- Select the Use SSL to connect to Administration Server check box to establish a connection to the Administration Server through a secure port via SSL.
We recommend that you do not clear this check box so your connection remains secured.
- Select the Allow Network Agent to open UDP port check box to manage client devices and receive information about them.
- Click Next and proceed through the Wizard with default settings up to the Connection gateway window.
- In the Connection gateway window, select Use Network Agent as a connection gateway in DMZ.
This mode simultaneously activates the connection gateway role and tells Network Agent to wait for connections from Administration Server, rather than establish connections to Administration Server.
- Click Next and start the installation.
Network Agent is now installed and configured in the connection gateway role.
Configure the connection gateway on Kaspersky Security Center Administration Server
Once you have installed Network Agent in the connection gateway role, you need to connect it to Administration Server. Administration Server does not yet list the device with the connection gateway among the managed devices because the connection gateway has not tried to connect to Administration Server. Therefore, you need to add the connection gateway as a distribution point to ensure that Administration Server initiates a connection to the connection gateway.
To configure the connection gateway on Administration Server:
- Add the connection gateway as a distribution point in Kaspersky Security Center.
- In the console tree, select the Administration Server node.
- In the context menu of Administration Server, select Properties.
- In the Administration Server properties window, select the Distribution points section.
- Click the Add button.
The Add distribution point window opens.
- In the Add distribution point window, perform the following actions:
- Specify the IP address of the device with Network Agent installed in the Device to act as distribution point field. To do this, select Add connection gateway in DMZ by address in the drop-down list.
Enter the IP address of the connection gateway or enter the name if the connection gateway is accessible by name.
- In the Distribution point scope field, select the group to which the connection gateway will be distributed from the drop-down list, and then click OK.
- In the Distribution points section, click OK to save the changes you have made.
The connection gateway will be saved as a new entry named Temporary entry for connection gateway.
Administration Server almost immediately attempts to connect to the connection gateway at the address that you specified. If it succeeds, the entry name changes to the name of the connection gateway device. This process takes up to five minutes.
While the temporary entry for the connection gateway is being converted to a named entry, the connection gateway also appears in the Unassigned devices group.
- Create a new group under the Managed devices group. This new group will contain external managed devices.
- Move the connection gateway from the Unassigned devices group to the group that you have created for external devices.
- Configure properties of the connection gateway that you have deployed:
- In the Distribution points section of the Administration Server properties, select the connection gateway and click Properties.
- In the General section, under DNS domain names of the distribution point for access by mobile devices (included in the certificate), specify the DNS name of your connection gateway that mobile devices will use to connect.
- In the Connection Gateway section, select the following check boxes and leave the default port numbers:
- Open port for mobile devices (SSL authentication of the Administration Server only)
- Open port for mobile devices (two-way SSL authentication)
- Click OK to save the changes you have made.
The connection gateway is now configured. You can now add new mobile devices by specifying the connection gateway address. New devices will appear on Administration Server.
Displaying the Mobile Device Management folder in the Administration Console
By displaying the Mobile Device Management folder in the Administration Console, you can view the list of mobile devices managed by the Administration Server, configure the mobile device management settings, and install certificates on mobile devices of users.
To enable the display of the Mobile Device Management folder in the Administration Console:
- In the context menu of the Administration Server, select View → Configuring interface.
- In the window that opens, select the Display Mobile Device Management check box.
- Click OK.
The Mobile Device Management folder is displayed in the Administration Console tree after the Administration Console is restarted.
Creating an administration group
To perform centralized configuration of the Kaspersky Endpoint Security for Android app installed on the users' mobile devices, the group policies must be applied to the devices.
To apply the policy to a device group, you are advised to create a separate group for these devices in the Managed devices folder before installing mobile apps on user devices.
After creating an administration group, it is recommended to configure the option to automatically allocate devices on which you want to install the apps to this group. Then configure settings that are common to all devices using a group policy.
To create an administration group, follow the steps below:
- In the console tree, select the Managed devices folder.
- In the workspace of the Managed devices folder or subfolder, select the Devices tab.
- Click the New group button.
This opens the window in which you can create a new group.
- In the Group name window type the group name and click OK.
A new administration group folder with the specified name appears in the console tree. For more detailed information on use of administration groups, see Kaspersky Security Center Help.
Creating a rule for automatically allocating devices to administration groups
You can centrally administer the settings of the Kaspersky Endpoint Security for Android app installed on users' mobile devices only if the devices belong to a previously created administration group for which a group policy has been configured.
If no rule for automatically allocating mobile devices detected on the network to the administration group is configured, then during the device's first synchronization with the Administration Server the device is placed in the Advanced → Device discovery → Domains → KES10 folder of the Administration Console (KES10 is the default). No group policy is applied to this device.
To create a rule for automatically allocating mobile devices to an administration group, follow the steps below:
- In the console tree, select the Unassigned devices folder.
- From the context menu of the Unassigned devices folder, select Properties.
The Properties: Unassigned devices window appears.
- In the Move devices section, click Add to start the process of creating a rule for automatically allocating devices to an administration group.
The New rule window appears.
- Type the rule name.
- Specify the administration group to which mobile devices should be allocated after the Kaspersky Endpoint Security for Android mobile app has been installed on them. To do so, click Browse to the right of the Group to move devices to field and select the group in the window that appears.
- In the Apply rule section, select Run once for each device.
- Select the Move only devices not added to administration groups check box so that, when the rule is applied, mobile devices already allocated to other administration groups are not moved to the selected group.
- Select the Enable rule check box, so that the rule can be applied to newly detected devices.
- Open the Applications section and do the following:
- Select the Operating system version check box.
- Select one or several types of operating systems of the devices to be allocated to the specified group: Android or iOS.
- Click OK.
The newly created rule is displayed in the list of device allocation rules in the Move devices section in the properties window of the Unassigned devices folder.
According to the rule, Kaspersky Security Center allocates all devices that meet the specified requirements from the Unassigned devices folder to the selected group. The mobile devices which were earlier allocated to the Unassigned devices folder can also be allocated to the required administration group of the Managed devices folder manually. For more detailed information on administration groups management and actions with undistributed devices, see Kaspersky Security Center Help.
Working with certificates of mobile devices
This section contains information about how to work with certificates of mobile devices. The section contains instructions on how to install certificates on users' mobile devices and how to configure certificate issuance rules. The section also contains instructions on how to integrate the application with the public key infrastructure and how to configure Kerberos support.
Reissuing the mobile Administration Server certificate
You need to specify a reserve Administration Server certificate to meet the security requirements of your organization and maintain a continuous connection between managed devices and the Administration Server. A reserve certificate is not issued by default.
We recommend that you specify a reserve certificate when installing the Administration Server or no later than 30 days before the expiration of the existing certificate. The exact expiration time is available in the Valid to field of the certificate settings (in the context menu of the Administration Server, select Properties → Administration server connection settings → Certificates).
The maximum validity period of any Administration Server certificate does not exceed 397 days.
The reserve certificate is delivered to the device during synchronization and becomes the main certificate immediately after the existing certificate expires. If the certificate expires and no reserve has been specified, the connection between the Administration Server and Kaspersky Endpoint Security on managed devices will be lost. In this case, to reconnect devices, you must specify a new certificate and reinstall Kaspersky Endpoint Security on each of the managed devices.
To reissue the Administration Server certificate with delayed activation (to use a certificate as a reserve one):
- In the console tree, in the context menu of the Administration Server, select Properties.
- In the Administration Server properties window, select Administration server connection settings → Certificates.
- If you plan to continue using the certificate issued by Kaspersky Security Center:
- In the Administration Server authentication by mobile devices group of settings, select the Certificate issued through Administration Server option and click Reissue.
- In the Reissue certificate window that opens:
- In the Connection address group of settings, select Use old connection address or Change connection address to, if a new connection address will be used.
- In the Activation term group of settings, select After this period expires, days to use the certificate as a reserve one.
It is recommended to specify a certificate activation period of at least 30 days so that all devices have time to receive the certificate. Please note that the specified period must be greater than the period for synchronizing devices with the Administration Server. For more information about configuring settings for device synchronization with the Administration Server, see the Configuring synchronization settings section.
- Click OK.
- In the confirmation window, click Yes.
Alternatively, if you plan to use your own custom certificate:
- Check whether your certificate meets the requirements of Kaspersky Security Center and the requirements for trusted certificates by Apple. If necessary, modify the certificate.
- Select the Other certificate option and click Browse.
- In the Certificate window that opens, in the Certificate type field, select the type of your certificate and then specify the certificate location and settings:
- If you select PKCS #12 container, click the Browse button next to the Certificate file field and specify the certificate file on your hard drive. If the certificate file is password-protected, enter the password in the Password (if any) field.
- If you select X.509 certificate, click the Browse button next to the Private key (.prk, .pem) field and specify the private key on your hard drive. If the private key is password-protected, enter the password in the Password (if any) field. Then click the Browse button next to the Public key (.cer) field and specify the public key on your hard drive.
- In the Activation term group of settings, select After this period expires, days to use the certificate as a reserve one.
- In the Certificate window, click OK.
- In the confirmation window, click Yes.
The certificate is reissued for use as the Administration Server certificate or as a reserve one.
To immediately reissue the Administration Server certificate (not recommended if you have any managed mobile devices):
Do not select Immediately if you have any managed mobile devices. If you select this option, the connection with all managed devices will be lost, since the new certificate will not be delivered to devices, and the previously existing certificate will no longer be valid.
- In the console tree, in the context menu of the Administration Server, select Properties.
- In the Administration Server properties window, select Administration server connection settings → Certificates.
- If you plan to continue using the certificate issued by Kaspersky Security Center:
- In the Administration Server authentication by mobile devices group of settings, select the Certificate issued through Administration Server option and click Reissue.
- In the Reissue certificate window that opens:
- In the Connection address group of settings, select Use old connection address or Change connection address to, if a new connection address will be used.
- In the Activation term group of settings, select Immediately.
- Click OK.
- In the confirmation window, click Yes.
Alternatively, if you plan to use your own custom certificate:
- Check whether your certificate meets the requirements of Kaspersky Security Center and the requirements for trusted certificates by Apple. If necessary, modify the certificate.
- Select the Other certificate option and click Browse.
- In the Certificate window that opens, in the Certificate type field select the type of your certificate and then specify the certificate location and settings:
- If you select PKCS #12 container, click the Browse button next to the Certificate file field and specify the certificate file on your hard drive. If the certificate file is password-protected, enter the password in the Password (if any) field.
- If you select X.509 certificate, click the Browse button next to the Private key (.prk, .pem) field and specify the private key on your hard drive. If the private key is password-protected, enter the password in the Password (if any) field. Then click the Browse button next to the Public key (.cer) field and specify the public key on your hard drive.
- In the Activation term group of settings, select Immediately.
- In the Certificate window, click OK.
- In the confirmation window, click Yes.
The certificate is reissued for use as the Administration Server certificate or as a reserve one.
For more information about certificates, please refer to the Kaspersky Security Center Help.
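The timing rules in this topic (the 397-day maximum validity, the 30-day lead for a reserve certificate, an activation period longer than the device synchronization period, and never Immediately while mobile devices are managed) encoded as a check an administrator can run against the dates read from the certificate's Valid to field. This is added example code, not part of Kaspersky Security Center, and every date below is constructed.

```python
# Added example (not Kaspersky Security Center code): checks Administration
# Server certificate dates against the timing rules described in this topic.
# Dates are what an administrator reads from the Valid to field; all sample
# values below are constructed.
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 397     # no Administration Server certificate exceeds 397 days
RESERVE_LEAD_DAYS = 30      # specify a reserve no later than 30 days before expiry
MIN_ACTIVATION_DAYS = 30    # recommended activation period for a reserve certificate

SEVERITY_RANK = {"info": 0, "warning": 1, "error": 2, "critical": 3}


def utc(year, month, day):
    """Build a timezone-aware UTC datetime (so callers need no extra imports)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def check_server_certificate(not_before, not_after, now,
                             sync_period_days=None, activation_days=None,
                             managed_mobile_devices=True):
    """Return a list of (severity, message) findings.

    not_before / not_after: the certificate's validity window.
    now: the time of the check.
    sync_period_days: the configured device synchronization period, if known.
    activation_days: the planned 'After this period expires, days' value of a
        reissue; 0 stands for 'Immediately'. None means no reissue is planned.
    managed_mobile_devices: whether any mobile devices are currently managed.
    """
    findings = []

    validity_days = (not_after - not_before).days
    if validity_days > MAX_VALIDITY_DAYS:
        findings.append(("error",
            f"validity of {validity_days} days exceeds the {MAX_VALIDITY_DAYS}-day maximum"))

    remaining_days = (not_after - now).days
    if now >= not_after:
        findings.append(("critical",
            "certificate has expired: without a delivered reserve, managed devices lose "
            "their connection; a new certificate must be specified and Kaspersky "
            "Endpoint Security reinstalled on each device"))
    elif remaining_days <= RESERVE_LEAD_DAYS:
        findings.append(("error",
            f"{remaining_days} days left: specify a reserve certificate now"))
    else:
        findings.append(("info",
            f"reserve certificate should be specified within "
            f"{remaining_days - RESERVE_LEAD_DAYS} days"))

    if activation_days is not None:
        if activation_days == 0:
            if managed_mobile_devices:
                findings.append(("critical",
                    "'Immediately' with managed mobile devices: the new certificate is not "
                    "delivered and the old one stops being valid, so all devices disconnect"))
        elif activation_days < MIN_ACTIVATION_DAYS:
            findings.append(("warning",
                f"activation period of {activation_days} days is below the recommended "
                f"{MIN_ACTIVATION_DAYS}; some devices may not receive the certificate in time"))
        if sync_period_days is not None and activation_days <= sync_period_days:
            findings.append(("error",
                f"activation period ({activation_days} days) must be greater than "
                f"the device synchronization period ({sync_period_days} days)"))
    return findings


def overall(findings):
    """Highest severity among the findings, or 'ok' when there are none."""
    if not findings:
        return "ok"
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    # Constructed sample: a 365-day certificate checked mid-term, with a reserve
    # planned to activate after 45 days while devices synchronize every 14 days.
    for sev, msg in check_server_certificate(utc(2024, 1, 1), utc(2024, 12, 31),
                                             utc(2024, 6, 1),
                                             sync_period_days=14, activation_days=45):
        print(f"[{sev}] {msg}")
```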
Creating a certificate of mobile devices
You can create the following types of certificates on a user's mobile device:
- Mobile certificates for identifying the mobile device
- Mail certificates for configuring the corporate mail on the mobile device
- VPN certificate for configuring access to a virtual private network on the mobile device
To create a certificate of mobile devices:
- In the console tree, select the Mobile Device Management → Certificates folder.
- In the workspace of the Certificates folder, click the Add certificate button to start the Certificate Installation Wizard.
- In the Certificate type window of the Wizard, specify the type of certificate that must be installed on the user's mobile device:
- Mobile certificate
This certificate is needed for identifying the mobile device.
- Mail certificate
This certificate is needed for configuring the corporate mail on the mobile device.
- VPN certificate
This certificate is needed for configuring access to a virtual private network on the mobile device.
- In the Selecting device type window of the Wizard, specify the type of the operating system on the device:
- iOS MDM device
Select this option if you want to install a certificate on a mobile device that is connected to the iOS MDM Server by using iOS MDM protocol.
- KES device managed by Kaspersky Security for Mobile
Select this option if you want to install a certificate on a KES device. In this case, the certificate will be used for user identification upon every connection to the Administration Server.
- KES device connected to Administration Server without user certificate authentication
Select this option if you want to install a certificate on a KES device using no certificate authentication. In this case, at the final step of the wizard, in the User notification method window you must select the user authentication type used at every connection to the Administration Server.
This window is displayed only if you selected Mail certificate or VPN certificate as the certificate type.
- In the User selection window of the Wizard, select users, user groups, or Active Directory user groups for which you want to create the certificate.
- In the Certificate source window of the Wizard, select the method by which the certificate is created.
- To create a certificate automatically by using Administration Server tools, select Issue certificate through Administration Server tools.
- To assign a previously created certificate to a user, select the Specify certificate file option. Click the Browse button to open the Certificate window and specify the certificate file in it.
- In the Certificate publishing settings window of the Wizard, select the Do not notify the user about a new certificate check box if you do not want to notify the user about certificate creation. In this case, the User notification method window will not be displayed.
- In the User notification method window of the Wizard, configure the settings of mobile device user notification about certificate creation using a text message or via email.
This window is not displayed if you selected iOS MDM device as the device type or if you selected the Do not notify the user about a new certificate option.
- In the Authentication method field, specify the user authentication type:
This field is displayed if you selected Mobile certificate in the Certificate type window or if you selected KES device connected to Administration Server without user certificate authentication as the device type.
- In the Generating the certificate window of the Wizard, click Done to finish the Certificate Installation Wizard.
After the wizard finishes, a certificate is created and added to the list of the user's certificates; in addition, a notification is sent to the user, providing the user with a link for downloading and installing the certificate on the mobile device. You can delete and reissue certificates, as well as view their properties.
Configuring certificate issuance rules
The certificates are used for the device authentication on the Administration Server. All managed mobile devices must have certificates. You can configure how the certificates are issued.
To configure certificate issuance rules:
- In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
- In the workspace of the Certificates folder, click the Add certificate button to open the Certificate issuance rules window.
- Proceed to the section with the name of a certificate type:
- Issuance of mobile certificates: to configure the issuance of certificates for mobile devices.
- Issuance of mail certificates: to configure the issuance of mail certificates.
- Issuance of VPN certificates: to configure the issuance of VPN certificates.
- In the Issuance settings section, configure the issuance of the certificate:
- Specify the certificate term in days.
- Select a certificate source (Administration Server or Certificates are specified manually).
Administration Server is selected as the default source of certificates.
- Specify a certificate template (Default template, Other template).
Configuration of templates is available if the Integration with PKI section features the integration with Public Key Infrastructure enabled.
- For VPN and mail certificates, if integration with PKI is configured, enable and configure automatic issuance of the certificate when a device connects to Kaspersky Security Center.
To do so, in the Automatic issuance of <certificate type> certificate on device connection section, select the Issue for KES devices managed by Kaspersky Secure Mobility Management and/or Issue for iOS MDM devices check boxes.
If you selected the Issue for iOS MDM devices check box, select the tag for the certificate issuance from the drop-down list. The following tags are available: Certificate template 1, Certificate template 2, or Certificate template 3.
You can configure the further use of the selected tag for the certificate issuance in the following sections:
- If the Issuance of mail certificates section has been selected in the Certificate issuance rules window:
- In the properties of the Email account for iOS MDM devices.
- In the properties of the Exchange ActiveSync account for iOS MDM devices.
- If the Issuance of VPN certificates section has been selected in the Certificate issuance rules window:
- In the properties of the VPN network for iOS MDM devices.
- In the Automatic Updates settings section, configure automatic updates of the certificate:
- In the Renew when certificate is to expire in (days) field, specify how many days before expiration the certificate must be renewed.
- To enable automatic updates of certificates, select the Reissue certificate automatically if possible check box.
A mobile certificate can be renewed manually only.
- In the Password protection section, enable and configure the use of a password when decrypting certificates.
Password protection is only available for mobile certificates.
- Select the Prompt for password during certificate installation check box.
- Use the slider to define the maximum number of symbols in the password for encryption.
- Click OK.
Integration with Public Key Infrastructure
Integration with Public Key Infrastructure (hereinafter referred to as PKI) is primarily intended for simplifying the issuance of domain user certificates by Administration Server. Following integration, certificates are issued automatically.
The minimum supported PKI server version is Windows Server 2008.
The administrator can assign a domain certificate for a user in Administration Console. This can be done by using one of the following methods:
- Assign the user a special (customized) certificate from a file in the Certificate installation wizard.
- Perform integration with PKI and assign PKI to act as the source of certificates for a specific type of certificates or for all types of certificates.
General principle of integration with PKI for issuance of domain user certificates
Please note the following:
- The PKI integration settings let you specify the default template for all certificate types. Note that the certificate issuance rules (available in the workspace of the Mobile Device Management / Certificates folder by clicking the Configure certificate issuance rules button) let you specify an individual template for every certificate type.
- A special Enrollment Agent (EA) certificate must be installed on the device with Administration Server, in the certificates repository of the account under which integration with PKI is performed. The Enrollment Agent (EA) certificate is issued by the administrator of the domain's CA (Certificate Authority).
The account under which integration with PKI is performed must meet the following criteria:
- It is a domain user.
- It is a local administrator of the device with Administration Server from which integration with PKI is initiated.
- It has the right to Log On As Service.
- The device with Administration Server installed must be run at least once under this account to create a permanent user profile.
To create a permanent user profile, log on at least once under the configured user account on the device with Administration Server installed. In this user's certificate repository on the Administration Server device, install the Enrollment Agent certificate provided by domain administrators.
Configuring integration with PKI
To configure integration with the public key infrastructure:
- In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
- In the workspace, click the Certificate type button to open the Integration with PKI section of the Certificate issuance rules window.
The Integration with PKI section of the Certificate issuance rules window opens.
- Select the Integrate issuance of certificates with PKI check box.
- In the Account field, specify the name of the user account to be used for integration with the public key infrastructure.
- In the Password field, enter the domain password for the account.
- In the Certificate template name in PKI system list, select the certificate template that will be used for the issuance of certificates to domain users.
A dedicated service is run in Kaspersky Endpoint Security under the specified user account. This service is responsible for issuing users' domain certificates. The service is run when the list of certificate templates is loaded by clicking the Refresh list button or when a certificate is generated.
- Click OK to save the settings.
Following integration, certificates are issued automatically.