Working with certificates of mobile devices
This section describes how to work with certificates of mobile devices. It contains instructions on how to install certificates on users' mobile devices and how to configure certificate issuance rules. It also describes how to integrate the application with the public key infrastructure and how to configure Kerberos support.
Reissuing the mobile Administration Server certificate
You need to specify a reserve Administration Server certificate to meet the security requirements of your organization and maintain a continuous connection between managed devices and the Administration Server. A reserve certificate is not issued by default.
We recommend that you specify a reserve certificate when installing the Administration Server or no later than 30 days before the expiration of the existing certificate. The exact expiration time is available in the Valid to field of the certificate settings (in the context menu of the Administration Server, select Properties → Administration server connection settings → Certificates).
The maximum validity period of any Administration Server certificate does not exceed 397 days.
The reserve certificate is delivered to the device during synchronization and becomes the main certificate immediately after the existing certificate expires. If the certificate expires and no reserve has been specified, the connection between the Administration Server and Kaspersky Endpoint Security on managed devices will be lost. In this case, to reconnect devices, you must specify a new certificate and reinstall Kaspersky Endpoint Security on each of the managed devices.
To reissue the Administration Server certificate with delayed activation (to use a certificate as a reserve one):
- In the console tree, in the context menu of the Administration Server, select Properties.
- In the Administration Server properties window, select Administration server connection settings → Certificates.
- If you plan to continue using the certificate issued by Kaspersky Security Center:
- In the Administration Server authentication by mobile devices group of settings, select the Certificate issued through Administration Server option and click Reissue.
- In the Reissue certificate window that opens:
- In the Connection address group of settings, select Use old connection address or Change connection address to, if a new connection address will be used.
- In the Activation term group of settings, select After this period expires, days to use the certificate as a reserve one.
It is recommended to specify a certificate activation period of at least 30 days so that all devices have time to receive the certificate. Please note that the specified period must be greater than the period for synchronizing devices with the Administration Server. For more information about configuring settings for device synchronization with the Administration Server, see the Configuring synchronization settings section.
- Click OK.
- In the confirmation window, click Yes.
Alternatively, if you plan to use your own custom certificate:
- Check whether your certificate meets the requirements of Kaspersky Security Center and the requirements for trusted certificates by Apple. If necessary, modify the certificate.
- Select the Other certificate option and click Browse.
- In the Certificate window that opens, in the Certificate type field, select the type of your certificate and then specify the certificate location and settings:
- If you select PKCS #12 container, click the Browse button next to the Certificate file field and specify the certificate file on your hard drive. If the certificate file is password-protected, enter the password in the Password (if any) field.
- If you select X.509 certificate, click the Browse button next to the Private key (.prk, .pem) field and specify the private key on your hard drive. If the private key is password-protected, enter the password in the Password (if any) field. Then click the Browse button next to the Public key (.cer) field and specify the public key on your hard drive.
- In the Activation term group of settings, select After this period expires, days to use the certificate as a reserve one.
- In the Certificate window, click OK.
- In the confirmation window, click Yes.
The certificate is reissued for use as the Administration Server certificate or as a reserve one.
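The rules above (397-day maximum validity, a reserve specified at least 30 days before expiry, an activation period longer than the device synchronization period, and never "Immediately" with managed mobile devices) are easy to get wrong when planning a reissue. The following check is an added example, not code from Kaspersky Security Center; it takes the "Valid to" dates and the configured synchronization period as inputs and reports which of the page's rules a planned reissue would violate.

```python
from datetime import date

# Limits stated on the page (Kaspersky Security Center help).
MAX_VALIDITY_DAYS = 397      # maximum validity of any Administration Server certificate
RESERVE_LEAD_DAYS = 30       # specify the reserve no later than this many days before expiry
MIN_ACTIVATION_DAYS = 30     # recommended activation period so every device receives the reserve


def _as_date(d):
    """Accept either a datetime.date or an ISO 8601 string (YYYY-MM-DD)."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def check_reissue_plan(not_before, not_after, today, sync_period_days,
                       activation_days=MIN_ACTIVATION_DAYS):
    """Check a planned reserve-certificate reissue against the page's rules.

    not_before/not_after: validity of the current Administration Server certificate
    (the "Valid to" field); sync_period_days: the configured device synchronization
    period; activation_days: the "After this period expires, days" value, where 0
    stands for "Immediately". Returns a list of (code, message) findings; an empty
    list means the plan is consistent with the rules.
    """
    not_before, not_after, today = map(_as_date, (not_before, not_after, today))
    findings = []
    validity = (not_after - not_before).days
    remaining = (not_after - today).days

    if validity > MAX_VALIDITY_DAYS:
        findings.append(("VALIDITY_TOO_LONG",
                         f"validity of {validity} days exceeds the {MAX_VALIDITY_DAYS}-day maximum"))
    if remaining < 0:
        findings.append(("EXPIRED",
                         "certificate has expired; without a reserve, devices must be reconnected "
                         "with a new certificate and a reinstall of Kaspersky Endpoint Security"))
    elif remaining < RESERVE_LEAD_DAYS:
        findings.append(("RESERVE_LATE",
                         f"{remaining} days left; a reserve should be specified at least "
                         f"{RESERVE_LEAD_DAYS} days before expiry"))

    if activation_days == 0:
        findings.append(("IMMEDIATE",
                         "'Immediately' drops the connection to all managed mobile devices"))
    else:
        if activation_days <= sync_period_days:
            findings.append(("ACTIVATION_NOT_ABOVE_SYNC",
                             f"activation period of {activation_days} days must be greater than "
                             f"the {sync_period_days}-day synchronization period"))
        if activation_days < MIN_ACTIVATION_DAYS:
            findings.append(("ACTIVATION_SHORT",
                             f"activation period of {activation_days} days is below the "
                             f"recommended {MIN_ACTIVATION_DAYS} days"))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for code, msg in check_reissue_plan("2024-01-01", "2024-12-31", "2024-12-20", 7):
        print(f"{code}: {msg}")
```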
To immediately reissue the Administration Server certificate (not recommended if you have any managed mobile devices):
Do not select Immediately if you have any managed mobile devices. If you select this option, the connection with all managed devices will be lost, since the new certificate will not be delivered to devices, and the previously existing certificate will no longer be valid.
- In the console tree, in the context menu of the Administration Server, select Properties.
- In the Administration Server properties window, select Administration server connection settings → Certificates.
- If you plan to continue using the certificate issued by Kaspersky Security Center:
- In the Administration Server authentication by mobile devices group of settings, select the Certificate issued through Administration Server option and click Reissue.
- In the Reissue certificate window that opens:
- In the Connection address group of settings, select Use old connection address or Change connection address to, if a new connection address will be used.
- In the Activation term group of settings, select Immediately.
- Click OK.
- In the confirmation window, click Yes.
Alternatively, if you plan to use your own custom certificate:
- Check whether your certificate meets the requirements of Kaspersky Security Center and the requirements for trusted certificates by Apple. If necessary, modify the certificate.
- Select the Other certificate option and click Browse.
- In the Certificate window that opens, in the Certificate type field select the type of your certificate and then specify the certificate location and settings:
- If you select PKCS #12 container, click the Browse button next to the Certificate file field and specify the certificate file on your hard drive. If the certificate file is password-protected, enter the password in the Password (if any) field.
- If you select X.509 certificate, click the Browse button next to the Private key (.prk, .pem) field and specify the private key on your hard drive. If the private key is password-protected, enter the password in the Password (if any) field. Then click the Browse button next to the Public key (.cer) field and specify the public key on your hard drive.
- In the Activation term group of settings, select Immediately.
- In the Certificate window, click OK.
- In the confirmation window, click Yes.
The certificate is reissued for use as the Administration Server certificate or as a reserve one.
For more information about certificates, please refer to the Kaspersky Security Center Help.
Configuring certificate issuance rules
Certificates are used to authenticate devices on the Administration Server. All managed mobile devices must have certificates. You can configure how the certificates are issued.
To configure certificate issuance rules:
- In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
- In the workspace of the Certificates folder, click the Add certificate button to open the Certificate issuance rules window.
- Proceed to the section with the name of a certificate type:
- Issuance of mobile certificates: to configure the issuance of certificates for the mobile devices.
- Issuance of mail certificates: to configure the issuance of mail certificates.
- Issuance of VPN certificates: to configure the issuance of VPN certificates.
- In the Issuance settings section, configure the issuance of the certificate:
- Specify the certificate term in days.
- Select a certificate source (Administration Server or Certificates are specified manually).
Administration Server is selected as the default source of certificates.
- Specify a certificate template (Default template, Other template).
Templates can be configured only if integration with Public Key Infrastructure is enabled in the Integration with PKI section.
- For VPN and mail certificates if the integration with the PKI is configured, enable and configure automatic issuance of the certificate on device connection to Kaspersky Security Center.
To do so, in the Automatic issuance of <certificate type> certificate on device connection section, select the Issue for KES devices managed by Kaspersky Secure Mobility Management and/or Issue for iOS MDM devices check boxes.
If you selected the Issue for iOS MDM devices check box, select the tag for the certificate issuance from the drop-down list. The following tags are available: Certificate template 1, Certificate template 2, or Certificate template 3.
You can configure the further use of the selected tag for the certificate issuance in the following sections:
- If the Issuance of mail certificates section has been selected in the Certificate issuance rules window:
- In the properties of the Email account for iOS MDM devices.
- In the properties of the Exchange ActiveSync account for iOS MDM devices.
- If the Issuance of VPN certificates section has been selected in the Certificate issuance rules window:
- In the properties of the VPN network for iOS MDM devices.
- In the properties of the Wi-Fi network for iOS MDM devices.
- In the Automatic Updates settings section, configure automatic updates of the certificate:
- In the Renew when certificate is to expire in (days) field, specify how many days before expiration the certificate must be renewed.
- To enable automatic updates of certificates, select the Reissue certificate automatically if possible check box.
A mobile certificate can be renewed manually only.
- In the Password protection section, enable and configure the use of a password when decrypting certificates.
Password protection is only available for mobile certificates.
- Select the Prompt for password during certificate installation check box.
- Use the slider to define the maximum number of symbols in the password for encryption.
- Click OK.
Creating a certificate of mobile devices
You can create the following types of certificates on a user's mobile device:
- Mobile certificates for identifying the mobile device
- Mail certificates for configuring the corporate mail on the mobile device
- VPN certificate for configuring access to a virtual private network on the mobile device
To create a certificate of mobile devices:
- In the console tree, select the Mobile Device Management → Certificates folder.
- In the workspace of the Certificates folder, click the Add certificate button to start the Certificate Installation wizard.
- At the Certificate type step of the wizard, specify the type of certificate that must be installed on the user's mobile device:
- Mobile certificate
This certificate is needed for identifying the mobile device.
- Mail certificate
This certificate is needed for configuring the corporate mail on the mobile device.
- VPN certificate
This certificate is needed for configuring access to a virtual private network on the mobile device.
- At the Selecting device type step of the wizard, specify the type of the operating system on the device:
- iOS MDM device
Select this option if you want to install a certificate on a mobile device that is connected to the iOS MDM Server by using the iOS MDM protocol.
- KES device managed by Kaspersky Security for Mobile
Select this option if you want to install a certificate on a KES device. In this case, the certificate will be used for user identification upon every connection to the Administration Server.
- KES device connected to Administration Server without user certificate authentication
Select this option if you want to install a certificate on a KES device using no certificate authentication. In this case, at the final step of the wizard, in the User notification method window you must select the user authentication type used at every connection to the Administration Server.
This step is displayed only if you selected Mail certificate or VPN certificate as the certificate type.
- At the User selection step of the wizard, select users, user groups, or Active Directory user groups for which you want to create the certificate.
- At the Certificate source step of the wizard, select the method by which the certificate is created.
- To create a certificate automatically by using Administration Server tools, select Issue certificate through Administration Server tools.
- To assign a previously created certificate to a user, select the Specify certificate file option. Click the Browse button to open the Certificate window and specify the certificate file in it.
- At the Certificate publishing settings step of the wizard, select the Do not notify the user about a new certificate check box if you do not want to notify the user about certificate creation. In this case, the User notification method step will not be displayed.
- At the User notification method step of the wizard, configure the settings of mobile device user notification about certificate creation using a text message or via email.
This step is not displayed if you selected iOS MDM device as the device type or if you selected the Do not notify the user about a new certificate option.
- Select the user notification option.
- In the Authentication method field, specify the user authentication type.
This field is displayed if you selected Mobile certificate in the Certificate type window or if you selected KES device connected to Administration Server without user certificate authentication as the device type.
- At the Generating the certificate step of the wizard, click Done to finish the Certificate Installation wizard.
After the wizard finishes, a certificate is created and added to the list of the user's certificates; in addition, a notification is sent to the user, providing the user with a link for downloading and installing the certificate on the mobile device. You can delete and reissue certificates, as well as view their properties.
Integration with Public Key Infrastructure
Integration with Public Key Infrastructure (hereinafter referred to as PKI) is primarily intended for simplifying the issuance of domain user certificates by Administration Server. Following integration, certificates are issued automatically.
The minimum supported PKI server version is Windows Server 2008.
The administrator can assign a domain certificate for a user in Administration Console. This can be done by using one of the following methods:
- Assign the user a special (customized) certificate from a file in the Certificate installation wizard.
- Perform integration with PKI and assign PKI to act as the source of certificates for a specific type of certificates or for all types of certificates.
General principle of integration with PKI for issuance of domain user certificates
Please note the following:
- The settings of integration with PKI let you specify the default template for all types of certificates. Note that the certificate issuance rules (available in the workspace of the Mobile Device Management / Certificates folder by clicking the Configure certificate issuance rules button) let you specify an individual template for every type of certificate.
- A special Enrollment Agent (EA) certificate must be installed on the device with Administration Server, in the certificates repository of the account under which integration with PKI is performed. The Enrollment Agent (EA) certificate is issued by the administrator of the domain's CA (Certificate Authority).
The account under which integration with PKI is performed must meet the following criteria:
- It is a domain user.
- It is a local administrator of the device with Administration Server from which integration with PKI is initiated.
- It has the Log on as a service right.
- The device with Administration Server installed must be run at least once under this account to create a permanent user profile.
To create a permanent user profile, log on at least once under the configured user account on the device with Administration Server installed. In this user's certificate repository on the Administration Server device, install the Enrollment Agent certificate provided by domain administrators.
Configuring integration with PKI
To configure integration with the public key infrastructure:
- In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
- In the workspace, click the Certificate type button. The Integration with PKI section of the Certificate issuance rules window opens.
- Select the Integrate issuance of certificates with PKI check box.
- In the Account field, specify the name of the user account to be used for integration with the public key infrastructure.
- In the Password field, enter the domain password for the account.
- In the Certificate template name in PKI system list, select the certificate template that will be used for the issuance of certificates to domain users.
A dedicated service is run in Kaspersky Endpoint Security under the specified user account. This service is responsible for issuing users' domain certificates. The service is run when the list of certificate templates is loaded by clicking the Refresh list button or when a certificate is generated.
When connecting a non-domain user's mobile device (running either Android or iOS) to Kaspersky Security Center, the attempt to issue a certificate may fail.
- Click OK to save the settings.
Following integration, certificates are issued automatically.