Kaspersky Secure Mobility Management

Deploying a management system using the iOS MDM protocol

iOS devices with basic control and supervised operating modes are managed using the iOS MDM protocol. To deploy a mobile management system using the iOS MDM protocol and connect iOS devices to Kaspersky Security Center, follow these steps:

  1. Deploy iOS MDM Server
  2. Receive an APNs certificate
  3. Install the APNs certificate on iOS MDM Server
  4. Connect iOS devices to Kaspersky Security Center
[Topic 274697]

Deploying iOS MDM Server

iOS MDM Server is a component of Kaspersky Secure Mobility Management that allows iOS MDM devices to connect to Kaspersky Security Center and facilitates management of these devices through the Apple Push Notification service (APNs) by installing dedicated device management profiles on them.

iOS MDM Server receives inbound connections from mobile devices through its TLS port (by default, port 443), which is managed by Kaspersky Security Center using Network Agent. Network Agent is installed locally on a device with an iOS MDM Server deployed.

The number of copies of iOS MDM Server to be installed can be selected either based on available hardware or on the total number of mobile devices covered.

Please keep in mind that the recommended maximum number of mobile devices to be managed through iOS MDM Server is 50,000. In order to reduce the load, the entire pool of devices can be distributed among several servers that have iOS MDM Server installed.


Configuring an iOS MDM Server installation package

Before you install iOS MDM Server, you need to configure the iOS MDM Server installation package properties.

The iOS MDM Server installation package is an archive that contains the files required for the installation of the iOS MDM Server depending on the package manager and architecture: kliosmdm-<architecture>-<version>-<package manager>_<language>.tar.gz

To configure an iOS MDM Server installation package:

  1. In the main window of Kaspersky Security Center Web Console, select Operations > Repositories > Installation packages.
  2. In the window that opens, click the iOS MDM Server installation package you want to configure.

    The installation package properties window opens.

  3. In the Settings tab, specify the iOS MDM Server properties.
    1. In the Connection settings group of settings, configure the following properties:

      It is recommended to use the default values.

      • iOS MDM external connection port. In this field, specify an external port for connecting mobile devices to the iOS MDM service.

        External port 5223 is used by mobile devices for communication with the APNs server. Make sure that port 5223 is open in the Firewall for connecting with the address range 17.0.0.0/8.

        Port 443 is used for connecting to iOS MDM Server by default. If port 443 is already in use by another service or application, it can be replaced with, for example, port 9443.

        Port 2197 is used by iOS MDM Server to send notifications to the APNs server. APNs servers run in load-balancing mode. Mobile devices do not always connect to the same IP addresses to receive notifications. The 17.0.0.0/8 address range is reserved for Apple, and it is therefore recommended to specify this entire range as an allowed range in Firewall settings.

      • Network Agent connection port. In this field, specify a port for connecting the iOS MDM service to Network Agent. The default port number is 9799.
      • iOS MDM local connection port. In this field, specify a local port for connecting Network Agent to the iOS MDM service. The default port number is 9899.
    2. In the iOS MDM Server address group of settings, specify the address of the workstation on which iOS MDM Server is to be installed. This address will be used for connecting managed mobile devices to the iOS MDM service. The workstation must be available for connection of iOS MDM devices.

      Choose one of the following options:

      • Use FQDN device name. The fully qualified domain name (FQDN) of the device will be used.
      • Use specified address. Specify the specific address of the device manually.

        Do not add the URL scheme and the port number in the address string. These values will be added automatically.

  4. Click Save.

The iOS MDM Server installation package properties are configured. Now you can install iOS MDM Server with the specified settings.


Installing iOS MDM Server using a remote installation task

Kaspersky Security Center Web Console lets you install iOS MDM Server remotely using a remote installation task. This task is created and assigned to up to 1000 devices through a corresponding wizard. The wizard will help install iOS MDM Server in an administration group, on devices with specific IP addresses, or on a selection of managed devices.

Please note that you will not be able to specify the iOS MDM Server settings during the installation. The settings are configured in the iOS MDM Server installation package properties.

Before installing iOS MDM Server on a device, make sure the Kaspersky Mobile Devices Protection and Management and iOS MDM Server settings plug-ins are installed.

To install iOS MDM Server using a remote installation task:

  1. Install Network Agent on a workstation on which iOS MDM Server will be deployed.
  2. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Mobile > iOS MDM Servers.
  3. Click Install.

    The New task wizard starts. Proceed through the wizard using the Next button.

  4. In the New task settings window that opens:
    1. In the Task name field, specify a custom name for the task, if necessary (the default name is Install iOS MDM Server).
    2. In the Devices to which the task will be assigned group of settings, choose Specify device addresses manually or import addresses from a list. You can specify DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.
  5. At the Task scope step:
    1. Click Add devices.
    2. In the window that opens, in the drop-down list, choose the Select networked devices detected by Administration Server option.
    3. Select devices or a device selection.
    4. Click Add.

    After you add the devices, they are displayed in the table.

  6. At the Installation packages step, specify the following settings:
    1. In the Select installation package field, select the configured iOS MDM Server installation package.
    2. In the Select Network Agent field, select the installed Network Agent.
    3. In the Force installation package download group of settings, select the Using Network Agent check box to distribute the files that are required for iOS MDM Server installation via Network Agent.
    4. In the Maximum number of concurrent downloads field, specify the maximum allowed number of devices to which Administration Server can simultaneously transmit the files.
    5. In the Maximum number of installation attempts field, specify the maximum number of times the installer will be allowed to run.
    6. Specify the additional settings:
      • Click the Do not re-install application if it is already installed check box. The application will not be re-installed if it has already been installed on the device.
      • Click the Verify operating system type before downloading check box. Before transmitting the files to devices, Kaspersky Security Center checks if the installation utility settings are applicable to the operating system of the device. If the settings are not applicable, Kaspersky Security Center does not transmit the files and does not attempt to install the application. For example, to install some application to devices of an administration group that includes devices running various operating systems, you can assign the installation task to the administration group, and then enable this option to skip devices that run an operating system other than the required one.
  7. At the next step of the wizard, you will be prompted to select the action that will be performed if the installation process prompts you to restart the operating system. Select the Do not restart the device option or skip this step, as it does not apply to the Linux operating system.
  8. At the Select accounts to access devices step, choose the No account required (Network Agent installed) option. If this option is selected, you do not have to specify the account under which the application installer will be run. The task will run under the account under which the Administration Server service is running. If Network Agent has not been installed on devices, this option is unavailable.
  9. At the Finish task creation step, click the Finish button to create the task and close the wizard.

iOS MDM Server is installed using a remote installation task.


Local installation of iOS MDM Server on a device via an installation package

Kaspersky Security Center Web Console lets you install iOS MDM Server on a local device using an installation package, that is, without interactively inputting the installation settings.

Before installing iOS MDM Server on a device, make sure the Kaspersky Mobile Devices Protection and Management and iOS MDM Server settings plug-ins are installed.

To install and configure iOS MDM Server on a local device manually:

  1. Install iOS MDM Server:
    1. Read the End User License Agreement. Use the command below only if you understand and accept the terms of the End User License Agreement.
    2. Depending on your operating system, run one of the following commands to launch the installation file:
      1. For Debian:

        apt install /<path>/kliosmdm_<version_number>_amd64.deb

      2. For Red Hat Enterprise Linux:

        yum install /<path>/kliosmdm_<version_number>.x86_64.rpm -y

      iOS MDM Server is installed. The installer offers to start the setup procedure by executing the postinstall.pl script.

  2. Configure iOS MDM Server using one of the methods:
    1. Configuration with the postinstall settings specified by the interactive step-by-step wizard:
      1. Run the following command:

        /opt/kaspersky/iosmdm/lib/bin/setup/postinstall.pl

    2. Configuration with the key arguments specified as postinstall settings:
      1. Run the following command:

        /opt/kaspersky/bin/postinstall.pl -- <params>

        where <params> is one or more of the settings listed in the iOS MDM Server installation settings table below, each passed as --<setting name> <value> (see the example after the table).

The names and possible values for the settings that can be configured when installing iOS MDM Server are listed in the table. You can specify these settings in any convenient order.

iOS MDM Server installation settings

EULA_ACCEPTED

  Description: Acceptance of the terms of the End User License Agreement. This setting is mandatory.

  Values:
  • 1 - I have fully read, understand and accept the terms of the End User License Agreement
  • Other value or no value - I do not accept the terms of the License Agreement (installation is not performed)

DONT_USE_ANSWER_FILE

  Description: Whether or not to use a TXT answer file with iOS MDM Server installation settings. The file is included in the installation package or stored on the Administration Server. You do not have to specify an additional path to the file. This setting is mandatory.

  Values:
  • 1 - Do not use an answer file with settings
  • Other value or no value - Use an answer file with settings

CONNECTORPORT

  Description: Local port for connecting the iOS MDM service to Network Agent. The default port number is 9799. This setting is optional.

  Values: numerical value (default 9799)

LOCALSERVERPORT

  Description: Local port for connecting Network Agent to the iOS MDM service. The default port number is 9899. This setting is optional.

  Values: numerical value (default 9899)

EXTERNALSERVERPORT

  Description: Port for connecting a device to iOS MDM Server. The default port number is 443. This setting is optional.

  Values: numerical value (default 443)

EXTERNAL_SERVER_URL

  Description: External address of the device on which iOS MDM Server is to be installed. This address will be used for connecting managed mobile devices to the iOS MDM service. The device must be available for connection through iOS MDM. The address must not include the URL scheme and the port number, because these values are added automatically. This setting is optional.

  Values: device FQDN, for example example.fqdn.com

Example:

/opt/kaspersky/bin/postinstall.pl --EULA 1 --DONT_USE_ANSWER_FILE 1 --EXTERNALSERVERPORT 9443 --CONNECTORPORT 9799

An answer file is a text file that contains a custom set of installation settings (variables and their corresponding values).

To install and configure iOS MDM Server in silent mode automatically using an answer file:

  1. Create an answer file (in TXT format) in the directory where the installation will be performed: /tmp/answers.txt.
  2. Specify the required values in the answer file:
    • EULA_ACCEPTED=1

      Acceptance of the terms of the End User License Agreement.

    • KLIOSMDM_AUTOINSTALL=1

      Using a TXT answer file with iOS MDM Server installation settings.

    • EXTERNALSERVERPORT=443

      Port for connecting a device to iOS MDM Server.

    • CONNECTORPORT=9799

      Local port for connecting the iOS MDM service to Network Agent.

    • LOCALSERVERPORT=9899

      Local port for connecting Network Agent to the iOS MDM service.

    • EXTERNAL_SERVER_URL=example.fqdn.com

      External address of the device on which iOS MDM Server is to be installed.

  3. Set the value of the KLAUTOANSWERS environment variable by entering the full name of the answer file (including the path), for example: export KLAUTOANSWERS=/tmp/answers.txt.
  4. Launch the iOS MDM Server installation.

iOS MDM Server is installed and configured in silent mode automatically using an answer file.
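The answer-file procedure above can be scripted so that the values are validated before the installer ever reads them. The following is an added example, not part of the Kaspersky documentation: a POSIX shell function that checks the values (a bare host name without URL scheme or port for EXTERNAL_SERVER_URL, port numbers within range and distinct from each other) and writes the answer file that the installer picks up through KLAUTOANSWERS. The function names write_answer_file, is_port and is_bare_fqdn are the example's own; the variable names in the file are the ones listed on this page.

```shell
#!/bin/sh
# Added example (not from the Kaspersky documentation): build a KLAUTOANSWERS
# answer file for a silent iOS MDM Server installation and validate the values
# before handing the file to the installer. Variable names assumed from the
# page: EULA_ACCEPTED, KLIOSMDM_AUTOINSTALL, EXTERNALSERVERPORT, CONNECTORPORT,
# LOCALSERVERPORT, EXTERNAL_SERVER_URL.

# is_port PORT -> 0 if PORT is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_bare_fqdn NAME -> 0 if NAME carries no URL scheme, port or path.
# The installer adds "https://" and the port itself, so "https://host" or
# "host:443" would produce a broken connection address.
is_bare_fqdn() {
    case "$1" in
        ''|*:*|*/*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# write_answer_file FILE FQDN [EXTERNAL_PORT] [CONNECTOR_PORT] [LOCAL_PORT]
# Writes FILE with the validated settings, using the page's defaults
# (443 / 9799 / 9899) when a port is omitted. Returns 1 and writes nothing
# if any value fails validation.
write_answer_file() {
    file=$1; fqdn=$2
    ext=${3:-443}; conn=${4:-9799}; lport=${5:-9899}
    is_bare_fqdn "$fqdn" \
        || { echo "EXTERNAL_SERVER_URL must be a bare host name: $fqdn" >&2; return 1; }
    for p in "$ext" "$conn" "$lport"; do
        is_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    # The three ports must differ: the external one is reached by mobile
    # devices, the other two only between Network Agent and the service.
    if [ "$ext" = "$conn" ] || [ "$ext" = "$lport" ] || [ "$conn" = "$lport" ]; then
        echo "ports must be distinct: $ext $conn $lport" >&2
        return 1
    fi
    # EULA_ACCEPTED=1 is written on the assumption that the operator has read
    # and accepted the EULA before running this script; the installer refuses
    # any other value.
    cat >"$file" <<EOF
EULA_ACCEPTED=1
KLIOSMDM_AUTOINSTALL=1
EXTERNALSERVERPORT=$ext
CONNECTORPORT=$conn
LOCALSERVERPORT=$lport
EXTERNAL_SERVER_URL=$fqdn
EOF
}

# Usage (not run by the test harness): write the file, export the variable the
# installer reads, then start the package installation as the page describes.
# write_answer_file /tmp/answers.txt mdm.example.com 9443 &&
#   export KLAUTOANSWERS=/tmp/answers.txt &&
#   apt install /<path>/kliosmdm_<version_number>_amd64.deb
```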


Updating iOS MDM Server using a remote installation task or locally

Kaspersky Security Center Web Console lets you update iOS MDM Server using a remote installation task or locally on a device.

Please note that you will not be able to specify the iOS MDM Server settings during the update. The settings are configured in the iOS MDM Server installation package properties.

To update iOS MDM Server using a remote installation task:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Mobile > iOS MDM Servers.
  2. Click Update.

    The New task wizard starts. Proceed through the wizard using the Next button.

  3. In the New task settings window that opens:
    1. In the Task name field, specify a custom name for the task, if necessary (The default name is Update iOS MDM Server).
    2. In the Devices to which the task will be assigned group of settings, the device on which iOS MDM Server is installed will be displayed.
  4. At the Installation packages step, specify the following settings:
    1. In the Select installation package field, select the configured iOS MDM Server installation package.
    2. In the Force installation package download group of settings, select the Using Network Agent check box to distribute the files that are required to update iOS MDM Server via Network Agent.
    3. In the Maximum number of concurrent downloads field, specify the maximum allowed number of client devices to which Administration Server can simultaneously transmit the files.
    4. In the Maximum number of installation attempts field, specify the maximum number of times the installer will be allowed to run.
    5. Specify the additional settings:
      • Click the Do not re-install application if it is already installed check box. The application will not be re-installed if it has already been installed on this device.
      • Click the Verify operating system type before downloading check box. Before transmitting the files to devices, Kaspersky Security Center checks if the installation utility settings are applicable to the operating system of the device. If the settings are not applicable, Kaspersky Security Center does not transmit the files and does not attempt to install the application. For example, to install some application on devices of an administration group that includes devices running various operating systems, you can assign the installation task to the administration group, and then enable this option to skip devices that run an operating system other than the required one.
  5. At the next step of the wizard, you will be asked to select the action that will be performed if the application installation prompts you to restart the operating system. Select the Do not restart the device option or skip this step, as it does not apply to the Linux operating system.
  6. At the Select accounts to access devices step, choose the No account required (Network Agent installed) option. If this option is selected, you do not have to specify the account under which the application installer will be run. The task will run under the account under which the Administration Server service is running. If Network Agent has not been installed on devices, this option is unavailable.
  7. At the Finish task creation step, click the Finish button to create the task and close the wizard.

iOS MDM Server is updated using the remote installation task.

To update iOS MDM Server locally, follow the steps described in the Local installation of iOS MDM Server on a device via an installation package section, using the newer version of the installation package.


Deleting iOS MDM Server using a remote uninstallation task

Kaspersky Security Center Web Console lets you delete iOS MDM Server remotely using a remote uninstallation task.

Before deleting iOS MDM Server, make sure the iOS MDM Server installation package has been created and added to the Administration Server repository (Operations > Repositories > Installation packages).

To delete iOS MDM Server:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Mobile > iOS MDM Servers.
  2. Select the iOS MDM Server that you want to uninstall, and then click Delete.

    The New task wizard starts. Follow the wizard steps as described in the Kaspersky Security Center Help.


Viewing the list of installed iOS MDM Servers and configuring their settings

Kaspersky Security Center Web Console lets you view the list of installed iOS MDM Servers and access their settings.

To view the installed iOS MDM Servers:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Mobile > iOS MDM Servers.
  2. In the list of installed iOS MDM Servers that opens:
    1. To install iOS MDM Server, click Install.
    2. To update iOS MDM Server, click Update.
    3. To delete iOS MDM Server, click Delete.
    4. To view or configure the iOS MDM Server settings, do one of the following:
      • Select the check box next to the iOS MDM Server whose settings you want to view or configure, and then click Modify settings.

        The Application settings tab of the iOS MDM Server settings window opens.

      • Click the name of the iOS MDM Server whose settings you want to view or configure.

        In the iOS MDM Server settings window that opens, navigate to the Application settings tab.

To view or configure the iOS MDM Server settings:

  1. Navigate to the Application settings tab of the iOS MDM Server settings window using the instructions above.
    1. In the General section, you can view the general iOS MDM Server properties.
      • Name. The iOS MDM Server custom name.
      • Version. The version of the installed iOS MDM Server.
      • Modified. The date and time of the latest iOS MDM Server update or modification.
      • Host name. The name of the device on which iOS MDM Server is installed.
      • Host path. The path to iOS MDM Server on the device on which it is installed.

        You cannot modify the settings in this section.

    2. In the APNs proxy server section, you can specify the following settings for Apple Push Notification Service (APNs):
      • Address. APNs proxy server address.
      • Port. APNs proxy server port.
      • User name. APNs proxy user name.
      • Password. APNs proxy password.

        If you intend to access APNs from the iOS MDM service through a proxy server, the Use proxy server to connect to APNs option must be enabled.

        For detailed information on APNs proxy server, refer to the Configuring access to Apple Push Notification service section.

    3. In the Certificates section, you can manage the certificates required for the operation of iOS MDM Server.
      • Apple Push Notification service (APNs) certificate. The APNs certificate is signed by Apple and lets you use Apple Push Notification. Through Apple Push Notification, an iOS MDM Server can manage iOS devices. For detailed information on the APNs certificate, refer to the Receiving or renewing an APNs certificate section.
      • iOS MDM Server certificate. The iOS MDM Server certificate is used to establish the connection and verify trust between iOS devices and iOS MDM Server.
      • iOS MDM Server reserve certificate. The iOS MDM Server reserve certificate ensures seamless switching of iOS devices after the main iOS MDM Server certificate expires. For detailed information on the iOS MDM Server reserve certificate, refer to the Configuring a reserve iOS MDM Server certificate section.
      • iOS MDM Server root certificate. The iOS MDM Server root certificate is used to issue client certificates to authenticate on iOS MDM Server.
    4. In the Connection settings section, you can view and configure the settings for mobile device connection to iOS MDM Server.
      • In the Synchronization block of settings, you can enable or disable the synchronization of managed devices with iOS MDM Server and specify the Synchronization period (min).
      • In the Local access point block of settings, you can specify the Network Agent connection port (a port for connecting iOS devices to Network Agent) and iOS MDM local connection port (a local port for connecting Network Agent to the iOS MDM service). For detailed information on these values, refer to the Configuring an iOS MDM Server installation package section.
      • In the External access point block of settings, you can specify the iOS MDM external connection port (external port for connecting mobile devices to the iOS MDM service).
      • In the iOS MDM installation profile block of settings, you can configure the installation profile properties. You can specify Profile name (a mandatory field), Company, and Profile description.

        Please note that the settings in this section are applied to newly connected iOS MDM devices or to previously connected iOS MDM devices when their mobile certificates are renewed.

    5. In the Configuration profiles section, you can view and manage configuration profiles, which are used to centrally define the settings of managed iOS devices and restrict the features of these devices. For detailed information on managing configuration profiles, refer to the Adding a configuration profile, Installing a configuration profile on a device, and Removing a configuration profile from a device sections.

Configuring an iOS MDM Server certificate

The iOS MDM Server certificate is used to establish a connection and verify trust between the iOS MDM device and iOS MDM Server.

The iOS MDM Server certificate is issued by Kaspersky Security Center automatically upon the initial deployment of iOS MDM Server and installed on a device where iOS MDM Server is deployed. If you want to use a certificate issued by your certification authority, you need to specify a custom certificate file that will be used as an iOS MDM Server certificate.

If you specify a custom iOS MDM Server certificate, the Issue button for the iOS MDM Server reserve certificate will become unavailable. You need to specify the reserve certificate manually by clicking Install.

To specify a custom iOS MDM Server certificate:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Mobile > iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
  2. In the iOS MDM Server settings window, select Application settings.
  3. Select the Certificates tab.
    1. In the iOS MDM Server certificate block of settings, click Install.
    2. In the File Explorer window that opens, specify a certificate file in PEM, PFX, or P12 format, and then click Open.

      Make sure the certificate you install complies with the following security requirements:

      • Common Name (CN) is specified;
      • a correct Subject Alternative Name (SAN) of DNS is specified and matches the iOS MDM Server connection address;
      • a correct certificate publisher is specified;
      • a correct certificate expiration date is specified;
      • the certificate chain is complete;
      • Extended Key Usage (EKU) is XKU_SSL_SERVER (1.3.6.1.5.5.7.3.1 serverAuth);
      • the root certificate is the same as the root certificate of the current certificate;
      • the RSA key size in the certificate chain is at least 2048 bits;
      • the RSA key size of the root certificate is at least 4096 bits;
      • the hash algorithm in the certificate chain is from the SHA-2 family.
    3. In the Installing certificate window that opens, enter the certificate password, and then click Install.
    4. Click Save.

Your custom certificate is specified as the iOS MDM Server certificate. The certificate details are displayed in the iOS MDM Server certificate block of settings.


Configuring a reserve iOS MDM Server certificate

The iOS MDM Server functionality lets you issue a reserve certificate. This certificate is intended for use in device management profiles to ensure seamless switching of managed iOS devices after the iOS MDM Server certificate expires.

If your iOS MDM Server uses a default certificate issued by Kaspersky, you can issue a reserve certificate (or specify your own custom certificate as a reserve one) before the iOS MDM Server certificate expires. By default, the reserve certificate is automatically issued 60 days before the iOS MDM Server certificate expires. The reserve iOS MDM Server certificate becomes the main certificate immediately after the iOS MDM Server certificate expires. The public key is distributed to all managed devices through configuration profiles, so you do not have to transmit it manually.

Please note that the reserve iOS MDM Server certificate is not issued automatically if you use an iOS MDM Server custom certificate. If you use a custom certificate, we recommend that you specify a reserve certificate when installing iOS MDM Server or no later than 30 days before the expiration of the existing iOS MDM Server certificate.

If the certificate expires and no reserve has been specified, the connection between iOS MDM Server and iOS MDM devices will be lost. In this case, to reconnect devices, you must specify a new certificate and reinstall device management profiles on each of the managed devices.

To issue a reserve iOS MDM Server certificate or specify a custom reserve certificate:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Mobile > iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
  2. In the iOS MDM Server settings window, select Application settings.
  3. Select the Certificates tab.
  4. In the iOS MDM Server reserve certificate block of settings, do one of the following:
    • If you plan to continue using a self-signed certificate (the one issued by Kaspersky):
      1. Click Issue.

        If you have a custom iOS MDM Server certificate specified, the Issue button for the iOS MDM Server reserve certificate will be unavailable. You need to specify the reserve certificate manually by clicking Install.

      2. In the Apply iOS MDM Server reserve certificate window that opens, select one of the two options for the date when the reserve certificate should be applied:
        • If you want to apply the reserve certificate when the current certificate expires, select the After the current certificate expires option.
        • If you want to apply the reserve certificate before the current certificate expires, select the After specified period (days) option. In the entry field next to this option, specify the duration of the period after which the reserve certificate must replace the current certificate.

        The validity period of the reserve certificate that you specify cannot exceed the validity period of the current iOS MDM Server certificate.

      3. Click OK.

      The self-signed reserve iOS MDM Server certificate is issued and specified as the reserve iOS MDM Server certificate.

      Please note that when you specify the date when the reserve certificate should be applied, the certificate will be issued before you save the changes in the Certificates section. If you want to issue a new reserve certificate, open the iOS MDM Server settings again, remove the previously issued reserve certificate by clicking Delete, and issue a new reserve certificate by following the instructions above.

    • If you plan to use a custom certificate issued by your certification authority:
      1. Click Install.
      2. In the File Explorer window that opens, specify a certificate file in PEM, PFX, or P12 format, and then click Open.

        Make sure the certificate you install complies with the following security requirements:

        • a correct Subject Alternative Name (SAN) of DNS is specified and matches the iOS MDM Server connection address;
        • a correct certificate publisher is specified;
        • a correct certificate expiration date is specified;
        • the certificate chain is complete;
        • Extended Key Usage (EKU) is XKU_SSL_SERVER (1.3.6.1.5.5.7.3.1 serverAuth);
        • the root certificate is the same as the root certificate of the current certificate;
        • the RSA key size in the certificate chain is at least 2048 bits;
        • the RSA key size of the root certificate is at least 4096 bits;
        • the hash algorithm in the certificate chain is from the SHA-2 family.
      3. In the Installing certificate window that opens, enter the certificate password, and then click Install.
      4. Click Save.

      Your custom certificate is specified as the reserve iOS MDM Server certificate.

You have a specified reserve iOS MDM Server certificate. The reserve certificate details are displayed in the iOS MDM Server reserve certificate block of settings.
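The certificate requirement lists for the main iOS MDM Server certificate and for the reserve certificate are the same, and both can be checked from a shell before clicking Install. The following is an added example, not Kaspersky's code: it runs the openssl command-line tool over a PEM file and reports which leaf-certificate requirements are unmet (CN present, SAN DNS matching the connection address, serverAuth EKU, RSA key of at least 2048 bits, SHA-2 signature hash, not expired). The chain-related requirements (complete chain, same root as the current certificate, 4096-bit root key) need the whole chain and are not covered; make_sample_cert is a hypothetical helper that only builds a constructed self-signed test certificate so the checker can be exercised offline.

```shell
#!/bin/sh
# Added example, not Kaspersky's code: check a PEM certificate against the
# leaf-certificate requirements listed for the iOS MDM Server (main or reserve)
# certificate, using only the openssl command-line tool. Chain checks (complete
# chain, same root as the current certificate, 4096-bit root) are not covered.
# A PFX/P12 file can be converted first with:
#   openssl pkcs12 -in file.p12 -nokeys -out file.pem

# cert_text FILE -> human-readable dump of the first certificate in FILE
cert_text() {
    openssl x509 -in "$1" -noout -text
}

# check_mdm_cert FILE FQDN -> prints one line per unmet requirement and
# returns the number of unmet requirements (0 means all leaf checks passed).
check_mdm_cert() {
    txt=$(cert_text "$1") || return 1   # unreadable file or not a PEM certificate
    fqdn=$2
    fails=0

    # Common Name (CN) is specified in the Subject
    printf '%s\n' "$txt" | grep -q 'Subject:.*CN *= *[^ ,]' \
        || { echo "FAIL: no Common Name in Subject"; fails=$((fails + 1)); }

    # SAN DNS entry matches the iOS MDM Server connection address
    printf '%s\n' "$txt" | grep -Eq "DNS:$fqdn"'(,|$)' \
        || { echo "FAIL: no SAN DNS entry for $fqdn"; fails=$((fails + 1)); }

    # Extended Key Usage contains serverAuth (1.3.6.1.5.5.7.3.1)
    printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: Extended Key Usage lacks serverAuth"; fails=$((fails + 1)); }

    # RSA key of at least 2048 bits (openssl prints "Public-Key: (N bit)")
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if ! printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: rsaEncryption' \
        || [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: key is not RSA of at least 2048 bits (found: ${bits:-unknown})"
        fails=$((fails + 1))
    fi

    # Signature hash from the SHA-2 family. RSA-PSS signatures are printed
    # differently by openssl and would need a separate check.
    printf '%s\n' "$txt" | grep -Eq 'Signature Algorithm: sha(224|256|384|512)With' \
        || { echo "FAIL: signature hash is not from the SHA-2 family"; fails=$((fails + 1)); }

    # Not expired right now (-checkend 0 exits non-zero once notAfter has passed)
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: certificate has expired"; fails=$((fails + 1)); }

    return "$fails"
}

# make_sample_cert DIR FQDN -> writes a constructed self-signed test certificate
# to DIR/cert.pem (RSA 2048, SHA-256, SAN and serverAuth EKU) and prints its
# path, so the checker can be exercised offline. Needs OpenSSL 1.1.1 or later
# for -addext. Not a certificate you would install on a real server.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$2/O=Example Corp" \
        -addext "subjectAltName=DNS:$2" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1 || return 1
    echo "$1/cert.pem"
}

# Usage (not run by the test harness):
# check_mdm_cert /path/to/mdm-server.pem mdm.example.com && echo "leaf checks passed"
```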


Receiving or renewing an APNs certificate

To ensure proper functioning of the iOS MDM service and timely responses of mobile devices to the administrator's commands, you need to specify an Apple Push Notification service certificate (APNs certificate) in the iOS MDM Server settings.

If you already have an APNs certificate, please consider renewing it instead of receiving a new one. When you replace the existing APNs certificate with a newly created one, Administration Server can no longer manage the previously connected iOS MDM devices.

To issue or renew an APNs certificate:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Mobile > iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
  2. In the iOS MDM Server settings window, select Application settings.
  3. Select the Certificates tab.
  4. In the Apple Push Notification service (APNs) certificate block of settings, click Issue or renew.

    The APNs certificate wizard opens. Click Start and then proceed through the wizard using the Back and Next buttons.

    When the Certificate Signing Request (CSR) is created at the first step of the wizard, its private key is stored in the RAM of your device. Accordingly, all the steps of the wizard must be completed without interruption within a single session.

Step 1. Create a Certificate Signing Request (CSR)

To create a CSR:

  1. Specify the required information for generating a request file: Common Name (CN), Organization Name (O), Organization Unit Name (OU), City (L), Region (S), Country (C).
  2. Click Save.

    After you save the changes, a CSR file will be generated, and the private key of the certificate will be saved in the device memory.

Step 2. Sign the CSR file

At this step, send the CSR file that you received in the previous step of the wizard to Kaspersky for signing:

  1. Click Go to Kaspersky CompanyAccount.
  2. Send the created CSR file to Kaspersky to be signed.

    Please note that you will be able to sign the CSR file only after you upload a key that lets you use the Mobile Device Management solution.

  3. After your request is successfully processed, you will receive a CSR file signed by Kaspersky.
  4. Save the received file.

Step 3. Receive the APNs certificate public key

At this step, do one of the following, depending on whether you want to issue a new certificate or renew an existing one:

To issue a new certificate:

  1. Click Go to Apple portal.
  2. Log in to the Apple portal with a corporate Apple ID.

    We recommend that you avoid using a personal Apple ID. Create a dedicated Apple ID to make it your corporate ID. After you have created an Apple ID, link it with the organization's mailbox, not a mailbox of an employee.

  3. Upload a signed CSR file.

    The file will be used to generate the public key of the APNs certificate.

  4. After your CSR is processed by Apple, you will receive the public key of the APNs certificate.

    Save the received file.

To renew a certificate:

  1. Click Go to Apple portal.
  2. Log in to the Apple portal with a corporate Apple ID.

    We recommend that you avoid using a personal Apple ID. Create a dedicated Apple ID to make it your corporate ID. After you have created an Apple ID, link it with the organization's mailbox, not a mailbox of an employee.

  3. Specify the certificate you want to renew.
  4. Upload a signed CSR file.

    The file will be used to generate the public key of the APNs certificate.

  5. After your CSR is processed by Apple, you will receive the public key of the APNs certificate.

    Save the received file.

Step 4. Specify the APNs certificate public key

At this step, upload the public key file received from Apple in the previous step of the wizard:

  1. Click Select.
  2. In the File Explorer window that opens, specify a certificate file in PEM, PFX, or P12 format, and then click Open.

Step 5. Specify the APNs certificate private key password

At this step, enter the certificate name and private key password:

  1. In the Certificate name field, specify a custom name for the certificate.
  2. In the Private key password field, specify the private key password for the certificate.

    This password will be used to install the APNs certificate on iOS MDM Server.

  3. In the Confirm password field, enter the password again.

Step 6. Complete the CSR

At this step, the APNs certificate is generated and ready to be installed on iOS MDM Server.

  1. To complete the CSR, click Download APNs certificate to save the created certificate.
  2. Click Done to exit the wizard.

The private and public keys of the certificate are combined, and the APNs certificate is saved in PEM format.

Now you can install the generated APNs certificate on iOS MDM Server.

[Topic 274861]

Installing an APNs certificate on iOS MDM Server

After the APNs certificate is received, you can install it on iOS MDM Server.

To install the APNs certificate on iOS MDM Server:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
  2. In the iOS MDM Server settings window, select Application settings.
  3. Select the Certificates tab.
  4. In the Apple Push Notification service (APNs) certificate block of settings:
    1. Click Install.
    2. In the File Explorer window that opens, specify a certificate file in PEM format, and then click Open.

      Make sure the certificate you install complies with the following security requirements:

      • Common Name (CN) is specified;
      • a correct APNs topic is specified;
      • a correct certificate publisher is specified;
      • a correct certificate expiration date is specified.
    3. In the Installing certificate window that opens, enter the private key password specified when receiving the APNs certificate, and then click Install.

The APNs certificate will be installed on iOS MDM Server. The certificate details will be displayed in the Apple Push Notification service (APNs) certificate block of settings.

[Topic 274864]

Configuring access to Apple Push Notification service

To ensure proper functioning of the iOS MDM service and timely responses from mobile devices to the administrator's commands, you need to specify an Apple Push Notification Service certificate (APNs certificate) in the iOS MDM Server settings.

When interacting with Apple Push Notification service (APNs), the iOS MDM service connects to the external address api.push.apple.com through port 2197 (outbound). Therefore, the iOS MDM service requires outbound access to TCP port 2197 for the address range 17.0.0.0/8. On the iOS device side, this interaction requires outbound access to TCP port 5223 for the address range 17.0.0.0/8.
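The two flows above are easy to get only partly right when firewall rules are copied from an older allow list (for example, a rule that covers only part of 17.0.0.0/8, or one that allows the right network on the wrong port). The following added example, which is not Kaspersky code and not part of this Help, checks a set of egress rules against both required flows and reports whether each is fully, partially or not at all covered. The rule model (a source role, a destination CIDR and a single TCP port) and the sample rule set are constructed for illustration; map them onto your own firewall export.

```python
"""Egress-rule coverage check for the APNs flows iOS MDM Server needs.

Added example (not Kaspersky code). It models the requirement stated in the
text: the iOS MDM service needs outbound TCP 2197 to 17.0.0.0/8, and the iOS
devices need outbound TCP 5223 to 17.0.0.0/8. The rule model and the sample
rule set are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

APNS_NET = ipaddress.ip_network("17.0.0.0/8")  # Apple address block named in the text

# Required flows: (source role, destination network, destination TCP port).
REQUIRED_FLOWS = [
    ("iOS MDM Server", APNS_NET, 2197),
    ("iOS device", APNS_NET, 5223),
]


@dataclass(frozen=True)
class EgressRule:
    """One 'allow' rule: a source role may reach destination:port over TCP (assumed model)."""
    source: str
    destination: ipaddress.IPv4Network
    port: int


def rule(source, cidr, port):
    """Convenience constructor so rules can be written with CIDR strings."""
    return EgressRule(source, ipaddress.ip_network(cidr), port)


def flow_status(rules, source, dest, port):
    """Classify one required flow as 'full', 'partial' or 'none'.

    'full' means the union of the matching rule destinations contains all of
    `dest`; 'partial' means only some of its addresses are allowed.
    """
    pieces = [r.destination for r in rules
              if r.source == source and r.port == port and r.destination.overlaps(dest)]
    if not pieces:
        return "none"
    remaining = [dest]  # address space of dest not yet shown to be allowed
    for net in ipaddress.collapse_addresses(pieces):
        nxt = []
        for r in remaining:
            if r.subnet_of(net):
                continue                            # this piece is entirely allowed
            if net.subnet_of(r):
                nxt.extend(r.address_exclude(net))  # carve the allowed block out
            else:
                nxt.append(r)                       # overlapping CIDR blocks nest, so no overlap here
        remaining = nxt
    return "full" if not remaining else "partial"


def check_apns_egress(rules):
    """Return {flow description: status} for every flow the text requires."""
    return {f"{src} -> {net}:{port}/tcp": flow_status(rules, src, net, port)
            for src, net, port in REQUIRED_FLOWS}


# Constructed sample rule set: the server may reach only half of Apple's block
# on 2197, there is a 443 rule that does not help, and the devices have a broad
# allow on 5223.
SAMPLE_RULES = [
    rule("iOS MDM Server", "17.0.0.0/9", 2197),
    rule("iOS MDM Server", "17.0.0.0/8", 443),
    rule("iOS device", "0.0.0.0/0", 5223),
]

if __name__ == "__main__":
    for flow, status in check_apns_egress(SAMPLE_RULES).items():
        print(f"{status:8} {flow}")
```

Run against the sample rules, the server flow comes back as partial (17.128.0.0/9 is not allowed on 2197) and the device flow as full, which is the kind of gap that shows up in practice as APNs pushes that sometimes work and sometimes time out. The coverage logic relies on the fact that two CIDR blocks that overlap always nest, so the allowed space can be carved out of the required range with address_exclude.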

If you intend to access APNs from the iOS MDM service through a proxy server, you must enable the use of a proxy server for connecting to APNs.

To enable the use of a proxy server to connect to APNs:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
  2. In the iOS MDM Server settings window, select Application settings.
  3. Select the APNs proxy server tab.
  4. In the window that opens, enable the Use proxy server to connect to APNs toggle switch.
  5. Configure the following settings:
    1. In the Address field, specify the APNs proxy server address.
    2. In the Port field, specify the APNs proxy server port.
    3. In the User name field, specify the APNs proxy user name.
    4. In the Password field, specify the APNs proxy password.
  6. Click Save.

The proxy server is now used to connect to APNs.

[Topic 274865]

iOS MDM Server events

Kaspersky Security Center Web Console lets you view the events related to iOS MDM Server. The events have different severity levels: Information, Warning, Critical, Functional failure.

For each event that can be generated by iOS MDM Server, you can specify notification and storage settings on the Event configuration tab of the iOS MDM Server settings. We recommend that you configure the settings for each event type after deploying iOS MDM Server to limit the displayed number of events and reduce the event list loading time.

If you want to configure notification settings for all events at once, configure general notification settings in the Administration Server properties. For detailed information on notifications, refer to the Kaspersky Security Center Help.

To view iOS MDM Server events:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose events you want to view.
  2. In the iOS MDM Server settings window, select Application settings.
  3. Select the Events tab.

The iOS MDM Server events are displayed.

For detailed information on viewing events in Kaspersky Security Center Web Console, refer to the Kaspersky Security Center Help.

The table below shows the events of iOS MDM Server that have the Information severity level.

iOS MDM Server information events

Event type display name | Event type | Default storage term
General information about mobile device requested | DEVICEINFORMATION_COMMAND_SUCCESSFUL | 30 days
Security information requested | SECURITYINFO_COMMAND_SUCCESSFUL | 30 days
New mobile device connected | NEW_DEVICE_CONNECTED | 30 days
List of profiles requested | PROFILELIST_COMMAND_SUCCESSFUL | 30 days
Profile installed | INSTALLPROFILE_COMMAND_SUCCESSFUL | 30 days
Profile deleted | REMOVEPROFILE_COMMAND_SUCCESSFUL | 30 days
List of provisioning profiles requested | PROVISIONINGPROFILELIST_COMMAND_SUCCESSFUL | 30 days
Provisioning profile installed | INSTALLPROVISIONINGPROFILE_COMMAND_SUCCESSFUL | 30 days
Provisioning profile deleted | REMOVEPROVISIONINGPROFILE_COMMAND_SUCCESSFUL | 30 days
List of installed certificates requested | CERTIFICATELIST_COMMAND_SUCCESSFUL | 30 days
List of installed apps requested | INSTALLEDAPPLICATIONLIST_COMMAND_SUCCESSFUL | 30 days
List of managed apps requested | MANAGEDAPPLICATIONLIST_COMMAND_SUCCESSFUL | 30 days
App installation requested | INSTALLAPPLICATION_COMMAND_SUCCESSFUL | 30 days
App configuration applied | APPCONFIG_APPLIED_SUCCESSFUL | 30 days
Managed app deleted | REMOVEAPPLICATION_COMMAND_SUCCESSFUL | 30 days
App redemption code set | APPLYREDEMPTIONCODE_COMMAND_SUCCESSFUL | 30 days
Mobile device locked | DEVICELOCK_COMMAND_SUCCESSFUL | 30 days
Password reset | CLEARPASSCODE_COMMAND_SUCCESSFULL | 30 days
Data from mobile device wiped | ERASEDEVICE_COMMAND_SUCCESSFUL | 30 days
Operating system update scheduled | SCHEDULEOSUPDATE_COMMAND_SUCCESSFULL | 30 days
Roaming settings applied | SETROAMINGSETTINGS_COMMAND_SUCCESSFUL | 30 days
Bluetooth settings applied | SETBLUETOOTHSETTINGS_COMMAND_SUCCESSFUL | 30 days
Lost Mode enabled | ENABLE_LOST_MODE_COMMAND_SUCCESSFUL | 30 days
Sound played in Lost Mode | PLAY_LOST_MODE_SOUND_COMMAND_SUCCESSFUL | 30 days
Mobile device location received | GET_DEVICE_LOCATION_COMMAND_SUCCESSFUL | 30 days
Lost Mode disabled | DISABLE_LOST_MODE_COMMAND_SUCCESFUL | 30 days
Activation lock bypass code received | GET_ACTIVATION_LOCK_BYPASS_CODE_COMMAND_SUCCESSFUL | 30 days
Compliance Control check started | COMPLIANCE_CONTROL_CHEKING_RULES_STARTED | 30 days
Compliance Control check completed | COMPLIANCE_CONTROL_CHEKING_RULES_COMPLETED | 30 days
Compliance Control response started | COMPLIANCE_CONTROL_ACTION_STARTED | 30 days
Compliance Control response completed | COMPLIANCE_CONTROL_ACTION_COMPLETED | 30 days

The table below shows the events of iOS MDM Server that have the Warning severity level.

iOS MDM Server warning events

Event type display name | Event type | Default storage term
Attempt to connect locked mobile device detected | INACTICE_DEVICE_TRY_CONNECTED | 30 days
Device management profile deleted | MDM_PROFILE_WAS_REMOVED | 30 days
Attempt to reuse user certificate detected | CLIENT_CERT_ALREADY_IN_USE | 30 days
Non-compliance with Compliance Control criterion detected | COMPLIANCE_CONTROL_CONDITIONS_MATCH_DETECTED | 30 days
Failed to perform Compliance Control response | COMPLIANCE_CONTROL_ACTION_FAILED | 30 days
Inactive mobile device detected | FOUND_INACTIVE_DEVICE | 30 days
Redemption code is required | NEED_REDEMPTION_CODE | 30 days
Device management profile deleted from mobile device | UMDM_PROFILE_WAS_REMOVED | 30 days

The table below shows the events of iOS MDM Server that have the Functional failure severity level.

iOS MDM Server functional failure events

Event type display name | Event type | Default storage term
Failed to request general information about mobile device | DEVICEINFORMATION_COMMAND_FAILED | 30 days
Failed to request security information | SECURITYINFO_COMMAND_FAILED | 30 days
Failed to request list of profiles | PROFILELIST_COMMAND_FAILED | 30 days
Failed to install profile | INSTALLPROFILE_COMMAND_FAILED | 30 days
Failed to delete profile | REMOVEPROFILE_COMMAND_FAILED | 30 days
Failed to request list of provisioning profiles | PROVISIONINGPROFILELIST_COMMAND_FAILED | 30 days
Failed to install provisioning profile | INSTALLPROVISIONINGPROFILE_COMMAND_FAILED | 30 days
Failed to delete provisioning profile | REMOVEPROVISIONINGPROFILE_COMMAND_FAILED | 30 days
Failed to request list of installed certificates | CERTIFICATELIST_COMMAND_FAILED | 30 days
Failed to request list of installed apps | INSTALLEDAPPLICATIONLIST_COMMAND_FAILED | 30 days
Failed to request list of managed apps | MANAGEDAPPLICATIONLIST_COMMAND_FAILED | 30 days
Failed to request app installation | INSTALLAPPLICATION_COMMAND_FAILED | 30 days
Failed to apply app configuration | APPCONFIG_APPLIED_FAILED | 30 days
Failed to delete managed app | REMOVEAPPLICATION_COMMAND_FAILED | 30 days
Failed to set app redemption code | APPLYREDEMPTIONCODE_COMMAND_FAILED | 30 days
Failed to lock mobile device | DEVICELOCK_COMMAND_FAILED | 30 days
Failed to reset password | CLEARPASSCODE_COMMAND_FAILED | 30 days
Failed to wipe data from mobile device | ERASEDEVICE_COMMAND_FAILED | 30 days
Failed to schedule operating system update | SCHEDULEOSUPDATE_COMMAND_FAILED | 30 days
Failed to apply roaming settings | SETROAMINGSETTINGS_COMMAND_FAILED | 30 days
Failed to apply Bluetooth settings | SETBLUETOOTHSETTINGS_COMMAND_FAILED | 30 days
Failed to enable Lost Mode | ENABLE_LOST_MODE_COMMAND_FAILED | 30 days
Failed to play sound in Lost Mode | PLAY_LOST_MODE_SOUND_COMMAND_FAILED | 30 days
Failed to receive mobile device location | GET_DEVICE_LOCATION_COMMAND_FAILED | 30 days
Failed to disable Lost Mode | DISABLE_LOST_MODE_COMMAND_FAILED | 30 days
Failed to receive activation lock bypass code | GET_ACTIVATION_LOCK_BYPASS_CODE_COMMAND_FAILED | 30 days
Error in app operation | PRODUCT_FAILURE | 30 days
Command result contains incorrect data | MALFORMED_COMMAND | 30 days
Failed to send message | SEND_PUSH_NOTIFICATION_FAILED | 30 days
Failed to send command (Compliance Control) | SEND_COMMAND_FAILED | 30 days
Failed to find device | DEVICE_NOT_FOUND | 30 days

[Topic 274719]

Obtaining iOS MDM Server diagnostic data

When creating a request to Kaspersky Technical Support, you may be asked to create and attach a trace file. Trace files are used by Technical Support for diagnostic purposes. They record every step of application command execution, which makes it possible to identify the step at which an error occurs.

We recommend that you obtain the traces of iOS MDM Server together with the traces of Network Agent, as they contain the iOS MDM Server connector details.

There are several tracing levels for iOS MDM Server:

  • 0 - CRITICAL
  • 1 - ERROR
  • 2 - MESSAGE
  • 3 - DEBUG

Ask a support engineer which tracing level to set. If the Technical Support engineer has not specified the trace level, we recommend obtaining level 2 traces.

To enable the iOS MDM Server tracing and create trace files:

  1. Open the iOS MDM Server settings file /var/opt/kaspersky/iosmdm/settings.ini.
  2. Specify the values required to enable tracing. We recommend that you specify the following default values:
    • LogCommEnabled=1

      Enabling or disabling the tracing of the iOS MDM Server and connector communication library.

    • LogSettingsEnabled=1

      Enabling or disabling the tracing of the iOS MDM Server and connector settings library.

    • LogCommVerboseLevel=2

      The tracing level of the iOS MDM Server and connector communication library.

    • LogSettingsVerboseLevel=2

      The tracing level of the iOS MDM Server and connector settings library.

    • LogVerboseLevel=2

      The tracing level of iOS MDM Server.

    • LogFolder=/var/opt/kaspersky/iosmdm

      The directory for writing trace files.

  3. Restart the iOS MDM Server and Network Agent services by running the following commands:

    systemctl restart klnagent

    systemctl restart kliosmdm

The iOS MDM Server tracing is enabled. Trace files are created in the directory that you specified as the LogFolder value: klcon_comm.log, klcon_settings.log, klsrv.log, klsrv_comm.log, klsrv_settings.log.

To disable the iOS MDM Server tracing:

  1. Open the iOS MDM Server settings file /var/opt/kaspersky/iosmdm/settings.ini.
  2. Modify the file by deleting the strings that have been created to enable tracing:
    • LogCommEnabled=1
    • LogSettingsEnabled=1
    • LogCommVerboseLevel=2
    • LogSettingsVerboseLevel=2
    • LogVerboseLevel=2
    • LogFolder=/var/opt/kaspersky/iosmdm
  3. Restart the iOS MDM Server and Network Agent services by running the following commands:

    systemctl restart klnagent

    systemctl restart kliosmdm

The iOS MDM Server tracing is disabled.
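Both procedures above (enabling tracing by adding the six keys, disabling it by deleting exactly those keys again) are easy to script so that a second run does not leave duplicate keys behind and a later cleanup removes nothing else. The following added example, which is not part of this Help and not Kaspersky's own tooling, does that edit on the text of settings.ini. It assumes the file is a flat list of key=value lines as shown in the steps above (any [section] headers or comment lines it meets are left untouched), that writing /var/opt/kaspersky/iosmdm/settings.ini requires root, and that the caller restarts the klnagent and kliosmdm services afterwards, as the steps say. The sample file content is constructed.

```python
"""Enable or disable iOS MDM Server tracing by editing settings.ini.

Added example (not Kaspersky tooling). It sets the six keys the Help lists
for tracing and removes exactly those keys again. Assumptions: settings.ini
is a flat key=value file; the caller has write access to it and restarts
klnagent and kliosmdm afterwards (systemctl restart ...).
"""
from pathlib import Path

SETTINGS_PATH = Path("/var/opt/kaspersky/iosmdm/settings.ini")  # path from the Help

# Values the Help recommends for level 2 (MESSAGE) tracing.
TRACE_SETTINGS = {
    "LogCommEnabled": "1",
    "LogSettingsEnabled": "1",
    "LogCommVerboseLevel": "2",
    "LogSettingsVerboseLevel": "2",
    "LogVerboseLevel": "2",
    "LogFolder": "/var/opt/kaspersky/iosmdm",
}
LEVEL_KEYS = ("LogCommVerboseLevel", "LogSettingsVerboseLevel", "LogVerboseLevel")


def _key_of(line):
    """Return the key of a 'key=value' line, or None for blank, comment or [section] lines."""
    stripped = line.strip()
    if not stripped or stripped[0] in ";#[":
        return None
    key, sep, _ = stripped.partition("=")
    return key.strip() if sep else None


def enable_tracing(text, level=2):
    """Return the ini text with the tracing keys set; stale copies are replaced, not duplicated."""
    if level not in range(0, 4):  # 0 CRITICAL .. 3 DEBUG, the levels the Help lists
        raise ValueError("tracing level must be 0..3")
    settings = dict(TRACE_SETTINGS)
    for key in LEVEL_KEYS:
        settings[key] = str(level)
    kept = [line for line in text.splitlines() if _key_of(line) not in settings]
    kept.extend(f"{key}={value}" for key, value in settings.items())
    return "\n".join(kept) + "\n"


def disable_tracing(text):
    """Return the ini text with only the tracing keys removed; every other line is kept."""
    kept = [line for line in text.splitlines() if _key_of(line) not in TRACE_SETTINGS]
    return "\n".join(kept) + ("\n" if kept else "")


def tracing_keys(text):
    """Parse back the tracing keys present in the text, for verification after an edit."""
    found = {}
    for line in text.splitlines():
        key = _key_of(line)
        if key in TRACE_SETTINGS:
            found[key] = line.strip().partition("=")[2].strip()
    return found


def apply_to_file(path=SETTINGS_PATH, enable=True, level=2):
    """Rewrite the settings file in place and return the new text (services not restarted here)."""
    text = path.read_text() if path.exists() else ""
    new_text = enable_tracing(text, level) if enable else disable_tracing(text)
    path.write_text(new_text)
    return new_text


# Constructed sample content standing in for a real settings.ini: one unrelated
# key and a leftover tracing key from an earlier session at level 3.
SAMPLE_INI = "SomeOtherKey=value\nLogVerboseLevel=3\n"

if __name__ == "__main__":
    enabled = enable_tracing(SAMPLE_INI)
    print(enabled)
    print(tracing_keys(enabled))
    print(disable_tracing(enabled))
```

Running it on the sample shows the leftover LogVerboseLevel=3 replaced by a single LogVerboseLevel=2 rather than a second copy, and disable_tracing() returning the file with only SomeOtherKey=value left. Pass level=3 to enable_tracing() or apply_to_file() when Technical Support asks for DEBUG traces.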

[Topic 287089]