Managing certificates of mobile devices
Kaspersky Security Center Web Console lets you issue, renew, or delete mobile, mail, or VPN certificates of mobile devices.
This section contains information about how to manage mobile device certificates and configure their issuance rules.
Reissuing the mobile Administration Server certificate
You need to specify a reserve mobile Administration Server certificate to meet the security requirements of your organization and maintain a continuous connection between managed devices and the Administration Server. A mobile certificate issued by Kaspersky Security Center is reissued by default.
We recommend that you specify a reserve certificate when installing the Administration Server, or no later than 30 days before the existing certificate expires. The exact expiration time is shown in the Expires field of the certificate settings (in the main menu, click the settings icon next to the name of the Administration Server, and then select General → Certificates).
The maximum validity period of any Administration Server certificate is 397 days.
The reserve certificate is delivered to the device during synchronization and becomes the main certificate immediately after the existing certificate expires. If the certificate expires and no reserve certificate has been specified, the connection between the Administration Server and Kaspersky Endpoint Security on managed devices will be lost. In this case, to reconnect devices, you must specify a new certificate and reinstall Kaspersky Endpoint Security on each of the managed devices.
To reissue the Administration Server certificate with delayed activation (to use a certificate as a reserve certificate):
- In the main menu, click the settings icon next to the name of the Administration Server.
The Administration Server properties window opens.
- In the Administration Server properties window, select General → Certificates.
- If you plan to continue using the certificate issued by Kaspersky Security Center:
- Click Reissue.
- In the window that opens:
- In the Connection address section, select Use old connection address, or select Change connection address to if a new connection address will be used.
- In the Activate new certificate section, select After this period expires, days and specify the number of days before the certificate becomes active.
We recommend specifying a certificate activation period of at least 30 days so that all devices have time to receive the certificate. Note that the specified period must be greater than the period for synchronizing devices with the Administration Server. For more information about configuring device synchronization with the Administration Server, see the Configuring synchronization settings section.
- Click OK.
Alternatively, if you plan to use your own custom certificate:
- Check whether your certificate meets the Kaspersky Security Center requirements and the Apple requirements for trusted certificates. If necessary, modify the certificate.
- Select the Other certificate option and click Manage certificate.
- In the window that opens, click Browse.
- In the window that opens, select the type of your certificate and then specify the certificate location and settings:
- If you select PKCS #12, click the Browse button next to the Public key field and specify the certificate file on your hard drive. If the certificate file is password-protected, enter the password in the Private key password field.
- If you select X.509, click the Browse button next to the Private key field and specify the private key on your hard drive. If the private key is password-protected, enter the password in the Private key password field. Then click the Browse button next to the Public key field and specify the public key on your hard drive.
- In the Activate new certificate section, select After this period expires, days and specify the number of days before the certificate becomes active.
- Click Save.
- Click OK.
- Click Save to save the changes you have made.
The certificate is reissued as a reserve certificate.
To immediately reissue the Administration Server certificate (not recommended if you have any managed mobile devices):
Do not select Immediately if you have any managed mobile devices. If you select this option, the connection with all managed devices will be lost, since the new certificate will not be delivered to devices, and the previous certificate will no longer be valid.
- In the main menu, click the settings icon next to the name of the Administration Server.
The Administration Server properties window opens.
- In the Administration Server properties window, select General → Certificates.
- If you plan to continue using the certificate issued by Kaspersky Security Center:
- Click Reissue.
- In the window that opens:
- In the Connection address section, select Use old connection address, or select Change connection address to if a new connection address will be used.
- In the Activate new certificate section, select Immediately.
- Click OK.
Alternatively, if you plan to use your own custom certificate:
- Check whether your certificate meets the Kaspersky Security Center requirements and the Apple requirements for trusted certificates. If necessary, modify the certificate.
- Select the Other certificate option and click Manage certificate.
- In the window that opens, click Browse.
- In the window that opens, select the type of your certificate and then specify the certificate location and settings:
- If you select PKCS #12, click the Browse button next to the Public key field and specify the certificate file on your hard drive. If the certificate file is password-protected, enter the password in the Private key password field.
- If you select X.509, click the Browse button next to the Private key field and specify the private key on your hard drive. If the private key is password-protected, enter the password in the Private key password field. Then click the Browse button next to the Public key field and specify the public key on your hard drive.
- In the Activate new certificate section, select Immediately.
- Click Save.
- Click OK.
- Click Save to save the changes you have made.
The certificate is reissued as the main Administration Server certificate.
For more information about certificates, please refer to the Kaspersky Security Center Help.
Configuring certificate issuance rules
Kaspersky Security Center Web Console lets you configure how the certificates for mobile devices are issued, renewed, and protected.
To configure certificate issuance rules:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the list of certificates that opens, click Issuance rules.
- In the PKI settings section:
- In the Integration with PKI block of settings, enable the Integrate issuance of certificates with Microsoft Certification Authority (CA) via PKI toggle switch to issue certificates automatically following integration.
Click Select device, and then specify a device with Network Agent installed that will connect to Microsoft CA.
For detailed information on PKI, refer to the Integration with Public Key Infrastructure section.
- In the Domain account for transmitting requests to issue certificates block of settings, specify the PKI account name (the name of the user account to be used for PKI integration, in the userPrincipalName@DNSDomainName format) and Password (the domain password for the account).
- Click Save to apply the changes.
- In the Mobile certificates section, you can do the following:
- In the Validity block of settings, in the Certificate validity period (days) field, specify the certificate lifetime in days. The default lifetime of a certificate is 365 days. When this period expires, the mobile device will not be able to connect to the Administration Server.
- In the Renewal block of settings, in the Renew certificate before it expires in (days) field, specify the number of days remaining until the current certificate's expiration when Administration Server should issue a new certificate. For example, if the value of the field is 4, Administration Server issues a new certificate four days before the current certificate expires. The default value is 30.
Select the Renew certificate automatically check box to renew certificates automatically. If this option is disabled, certificates must be renewed manually as they expire. This check box is selected by default.
- In the Password protection block of settings, select the Prompt for password during certificate installation check box to prompt the user for a password when the certificate is installed on a mobile device. The password is used only once during the installation of the certificate on the mobile device. The password will be automatically generated by Administration Server and sent to the user by email. You can specify the password length in the Password length field.
Password protection is only available for mobile certificates.
- Click Save to apply the changes.
- In the Mail certificates and VPN certificates sections, if PKI integration is configured:
- In the Renewal block of settings, in the Renew certificate before it expires in (days) field, specify the number of days remaining until the current certificate's expiration when Administration Server should issue a new certificate. For example, if the value of the field is 4, Administration Server issues a new certificate four days before the current certificate expires.
Select the Renew certificate automatically check box to renew certificates automatically. If this option is disabled, certificates must be renewed manually as they expire. This check box is selected by default.
- In the PKI settings block of settings, specify the Certificate template name in PKI (the certificate template that will be used to issue certificates to domain users).
The Network Agent for Windows service installed on the device that connects to the CA runs under the specified user account. This service is responsible for issuing users' domain certificates. The service runs when the list of certificate templates is loaded by clicking the Refresh list button, or when a certificate is generated.
When connecting a non-domain user's mobile device (running either Android or iOS) to Kaspersky Security Center, the attempt to issue a certificate may fail.
- In the Automatic issuance of mail certificate on device connection and Automatic issuance of VPN certificate on device connection blocks of settings, select the Issue for devices managed by Kaspersky Endpoint Security for Android or Issue for iOS MDM devices check boxes to enable automatic issuance of a mail or VPN certificate when devices connect to Kaspersky Security Center.
If you selected the Issue for iOS MDM devices check box, choose the certificate alias from the drop-down list. The certificate alias is a name that identifies the certificate. You can configure the subsequent use of the selected alias for the certificate issuance in the following policy sections:
- For mail certificates: in the properties of the Email account for iOS MDM devices and in the properties of the Exchange ActiveSync account for iOS MDM devices.
- For VPN certificates: in the properties of the VPN network for iOS MDM devices and in the properties of the Wi-Fi network for iOS MDM devices.
You can also change the alias for individual or multiple mail and VPN certificates by clicking Modify alias in the list of certificates (Assets (Devices) → Mobile → Certificates).
- Click Save to apply the changes.
The specified settings will be used by Kaspersky Security Center to issue, renew, and protect the certificates of mobile devices.
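The timing rules above (the 397-day maximum for an Administration Server certificate, the 30-day lead time for specifying a reserve certificate, the activation period that must exceed the device synchronization period, and the validity and renewal fields in the Mobile certificates section) are easy to get wrong when planned by hand. The following Python helper is an added example, not code from Kaspersky Security Center or its documentation; it encodes only the values stated on this page and returns finding codes that an administrator can act on. All dates and intervals in the usage section are constructed sample values.

```python
from datetime import date, timedelta

# Values stated on the page.
MAX_SERVER_CERT_VALIDITY_DAYS = 397      # maximum validity of any Administration Server certificate
RECOMMENDED_RESERVE_LEAD_DAYS = 30       # specify the reserve no later than 30 days before expiry
RECOMMENDED_ACTIVATION_DAYS = 30         # recommended "After this period expires, days" value
DEFAULT_MOBILE_CERT_VALIDITY_DAYS = 365  # default "Certificate validity period (days)"
DEFAULT_RENEW_BEFORE_DAYS = 30           # default "Renew certificate before it expires in (days)"


def check_server_cert_validity(not_before: date, not_after: date) -> list[str]:
    """Flag an Administration Server certificate whose lifetime exceeds the 397-day maximum."""
    findings = []
    if (not_after - not_before).days > MAX_SERVER_CERT_VALIDITY_DAYS:
        findings.append("VALIDITY_EXCEEDS_MAX")
    return findings


def check_reserve_reissue(expires: date, today: date, activation_days: int,
                          sync_interval_days: int) -> list[str]:
    """Check a planned reserve-certificate reissue against the page's guidance.

    expires            - Expires field of the current Administration Server certificate
    today              - the day the Reissue action would be performed
    activation_days    - value entered under "After this period expires, days"
    sync_interval_days - device synchronization period configured on the Administration Server
    Returns a list of finding codes; an empty list means the plan follows the guidance.
    """
    findings = []
    if today > expires - timedelta(days=RECOMMENDED_RESERVE_LEAD_DAYS):
        findings.append("RESERVE_SPECIFIED_LATE")         # fewer than 30 days of lead time
    if activation_days < RECOMMENDED_ACTIVATION_DAYS:
        findings.append("ACTIVATION_BELOW_RECOMMENDED")   # devices may not all receive it in time
    if activation_days <= sync_interval_days:
        findings.append("ACTIVATION_NOT_GT_SYNC_PERIOD")  # page: must be greater than the sync period
    return findings


def mobile_cert_renewal_date(issue_date: date,
                             validity_days: int = DEFAULT_MOBILE_CERT_VALIDITY_DAYS,
                             renew_before_days: int = DEFAULT_RENEW_BEFORE_DAYS) -> date:
    """Day on which Administration Server issues the replacement mobile certificate.

    Mirrors the page's example: a value of 4 means four days before the current certificate expires.
    """
    expires = issue_date + timedelta(days=validity_days)
    return expires - timedelta(days=renew_before_days)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(check_server_cert_validity(date(2025, 1, 1), date(2026, 3, 1)))
    print(check_reserve_reissue(expires=date(2025, 6, 30), today=date(2025, 6, 15),
                                activation_days=30, sync_interval_days=1))
    print(mobile_cert_renewal_date(date(2024, 1, 1), renew_before_days=4))
```

The finding codes are deliberately coarse: they tell you which of the page's rules a plan breaks, and the page itself states what each breach costs (loss of connectivity to managed devices if the reserve arrives too late, or a certificate that is never delivered because the activation period is shorter than a synchronization cycle).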
Issuing mobile device certificates
You can issue mobile, mail, or VPN certificates for mobile devices.
To issue a certificate:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the list of certificates that opens, click Add.
The Certificate issuance wizard starts. Click Start, and then proceed through the wizard using the Back and Next buttons.
Welcome
On the welcome screen, you can read a summary of the Certificate issuance wizard steps.
Please note that the numbering and set of steps may vary depending on the certificate type, operating system, and the issuance settings defined in the Issuance rules section.
Step 1. Certificate type
At this step, choose the certificate to be issued.
- Mail certificate (to configure corporate email on devices).
- VPN certificate (to configure access to private networks and corporate web resources on devices).
- Mobile certificate (to identify mobile devices on the Administration Server).
Step 2. Operating system
At this step, choose the operating system of the devices for which the certificate will be issued.
- Android
- iOS
Step 3. Connection method
This step is displayed only if you selected Mail certificate or VPN certificate as the certificate type and Android as the operating system of the devices for which the certificate will be issued.
At this step, choose the method for connecting devices to Administration Server.
- Connect using mobile certificate authentication
Select this option if you want the mobile certificate to be used for user identification upon connecting to Administration Server.
- Connect without mobile certificate authentication
Select this option if you want to install a certificate on a device without certificate authentication.
Step 4. Users
At this step, choose one or more users who will receive the details for installing certificates. If a user is not in the list, you can add a new user account without exiting the wizard.
- To choose an existing user, select check boxes next to the corresponding user names.
- To add a new user, click Add user.
- Specify user credentials in the Credentials block of settings.
- User name
- Password
The password must meet the following complexity requirements:
- It must contain between 8 and 16 characters.
- It must contain the characters from at least three of these groups: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;).
- If necessary, specify the optional details in the Optional information group of settings.
- Full user name
- Description
- Email address
- Phone number
- Click OK to save the changes.
The new user will be added and displayed in the list of users.
- To modify user details, click Edit user.
The fields you can modify depend on the user subtype: internal or domain.
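The password complexity rule in Step 4 (8 to 16 characters, drawn from at least three of the four listed character groups) can be checked before the account is created in the wizard. The following Python function is an added example, not code from Kaspersky Security Center; the special-character set is copied from the list above, and the treatment of characters outside all four groups (they count toward the length but toward no group) is an assumption, since the page does not say how such characters are handled.

```python
# Character groups stated on the page; the special-character list is copied verbatim.
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
DIGITS = set("0123456789")
SPECIAL = set("@#$%^&*-_!+=[]{}|:',.?/\\`~\"();")

MIN_LEN, MAX_LEN, MIN_GROUPS = 8, 16, 3


def password_groups(password: str) -> set[str]:
    """Return the names of the character groups that appear in the password.

    Assumption: a character that belongs to none of the four groups (for example a space
    or a non-ASCII letter) contributes to the length but to no group.
    """
    present = set()
    for ch in password:
        if ch in UPPER:
            present.add("upper")
        elif ch in LOWER:
            present.add("lower")
        elif ch in DIGITS:
            present.add("digit")
        elif ch in SPECIAL:
            present.add("special")
    return present


def check_password(password: str) -> list[str]:
    """Return the list of complexity rules the password breaks (empty if it is acceptable)."""
    findings = []
    if len(password) < MIN_LEN:
        findings.append("TOO_SHORT")
    elif len(password) > MAX_LEN:
        findings.append("TOO_LONG")
    if len(password_groups(password)) < MIN_GROUPS:
        findings.append("TOO_FEW_GROUPS")
    return findings


def is_valid_password(password: str) -> bool:
    """True when the password satisfies every rule stated on the page."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample inputs for a quick self-check.
    for sample in ["Abcdef1!", "abcdefgh", "Ab1", "Abcdefghijklmnop1"]:
        print(repr(sample), check_password(sample))
```

Because the function reports every broken rule rather than stopping at the first one, a front-end or provisioning script can show the user the complete list of corrections in a single round trip.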
Step 5. Certificate alias and source
At this step, choose the certificate alias and source for importing the certificate.
- Certificate alias
A certificate alias is a name that identifies the certificate. You can use the selected alias later to configure policy settings: Email account for iOS MDM devices; Exchange ActiveSync account for iOS MDM devices; VPN network for iOS MDM devices; Wi-Fi network for iOS MDM devices.
This option is available only if you selected Mail certificate or VPN certificate as the certificate type.
- Integrate issuance with Microsoft CA via PKI
For this option, specify one of the available templates imported from Microsoft CA in the PKI template field.
This option is available only if the integration with PKI is enabled in the Issuance rules.
- Upload file
For this option, specify the Certificate format:
- For the PKCS #12 format, in the Certificate file field, click Select, and then specify a P12 or PFX file.
- For the X.509 format, in the Private key file field, click Select, and then specify a PRK or PEM file.
In the Certificate file field, click Select, and then specify a CER, CRT, or CERT file.
After you specify the files, you can also enter the Certificate password.
Step 6. Authentication method
This step is displayed only if you selected Mobile certificate as the certificate type, or if you selected Mail certificate or VPN certificate for Android devices and specified the Connect without mobile certificate authentication option as the connection method.
At this step, choose the user authentication method for receiving the certificate.
- Domain or internal user credentials. Users will access the certificate using the domain or internal user credentials. On mobile devices, users will have to specify the login in one of the following formats:
userPrincipalName@DNSDomainName
sAMAccountName
sAMADomain\sAMAccountName
- Password. Users will access the certificate using a password sent by email or displayed after completing the wizard.
In the Certificate use on device block of settings, click the Allow using one certificate multiple times on the same device (only for devices with Kaspersky Endpoint Security for Android installed) check box if you want to allow using one certificate multiple times on the same device.
This option is available only if Android is chosen as the operating system of the devices for which the certificate will be issued.
Step 7. Send certificate details
At this step, choose how to send the certificate installation details. You can choose one of the following options:
- Send a message to users' email addresses
Choose this option to send the certificate installation details by email to the selected users. These email addresses must be specified in the user account settings in Kaspersky Security Center.
If you want to send the certificate installation details to an email address that is not specified in the user account settings in Kaspersky Security Center, select the Send a copy of the message to an alternate email address check box, and then specify the required email address.
- Show the details after completing the wizard
Choose this option to display the certificate installation details at the final step of the Certificate issuance wizard.
Step 8. Confirm
At this step, check the certificate issuance details specified in the earlier steps, and then click Confirm and issue certificate to confirm the operation.
Finish
On the Finish screen:
- If you chose the Send a message to users' email addresses option, the specified users will receive the emails with certificate installation details.
- If you chose the Show the details after completing the wizard option, certificate installation details are displayed on the Finish screen. You can view the displayed details or click Download list to receive a file with summarized information.
Click Close to exit the wizard.
After completing the Certificate issuance wizard, certificates are created and added to the list of user certificates. You can delete or renew certificates, as well as view their properties.
Renewing mobile device certificates
If one of the certificates is about to expire, you can renew it using Kaspersky Security Center Web Console.
By following the steps below, you can renew a mobile certificate or a mail or VPN certificate issued via PKI.
To renew a certificate:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the list of certificates that opens, select the certificate you want to renew, and then click Renew.
The status of the certificate changes to Certificate renewed.
Deleting mobile device certificates
You can delete the certificates of mobile devices using Kaspersky Security Center Web Console.
Please note that if you delete a mobile certificate, the device can no longer synchronize with Administration Server and cannot be managed by means of Kaspersky Security Center.
When you delete a certificate, it is only removed from Kaspersky Security Center Web Console and is no longer renewed, but it remains on the device. To delete a certificate from iOS MDM devices, corporate devices, or devices with a corporate container, you must execute the Wipe corporate data command. On personal Android devices, users must delete the certificate manually.
When you delete a mobile certificate of the iOS MDM device, the device is not removed from Kaspersky Security Center Web Console, but it loses the ability to synchronize with iOS MDM Server and the "Inactive" status is assigned to it. In this case, you have to delete this device from the list of managed devices in Kaspersky Security Center Web Console, and then reconnect it using Mobile device connection wizard.
To delete a certificate from Kaspersky Security Center Web Console:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the list of certificates that opens, select the certificate you want to delete, and then click Delete.
The certificate is deleted and removed from the list of certificates.
Integration with Public Key Infrastructure
You can integrate the issuance of certificates with Microsoft Certification Authority (CA) via Public Key Infrastructure (PKI). Integration with PKI is primarily intended for simplifying the issuance of domain user certificates by Administration Server. Following integration, certificates are issued automatically.
You can perform the PKI integration with specified settings and assign PKI to act as the source of certificates for specific types of certificates. The PKI integration settings specified in the Issuance rules let you set the individual default template for all types of certificates.
The specifics of using PKI integration to issue certificates:
- The PKI integration is disabled by default. You can enable it using the Integrate issuance of certificates with Microsoft Certification Authority (CA) via PKI toggle switch. For detailed information on enabling PKI and configuring its settings, refer to the Configuring certificate issuance rules section.
- Certificate issuance is carried out by Network Agent for Windows, which enables the integration between Administration Server and Microsoft CA. Since there can be multiple devices with Network Agent installed, you specify the device that will connect to Microsoft CA in the Issuance rules. This device must have an Enrollment Agent (EA) certificate installed in the certificate store of the account under which the integration with PKI is performed. That certificate is issued by the administrator of the domain's CA.
- The account under which integration with PKI is performed must be a domain user and have the right to Log On As Service.
- Kaspersky Security Center can only work with one PKI (Microsoft CA) integration at a time.
For detailed information on configuring integration with PKI to issue certificates, refer to the Configuring certificate issuance rules section.
Viewing the list of mobile device certificates
Kaspersky Security Center Web Console lets you view the created mobile device certificates and their properties.
To view the list of all certificates and their properties:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the window that opens, you can view the list of all created certificates and their properties displayed in the table.
To view the properties of an individual certificate:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the list of certificates that opens, select the certificate whose properties you want to view.
- In the Certificate details window, view the certificate properties:
- User name
- Status
- Type
- Protocol
- Source
- Expiration date
- Issue date
- Latest status update
- Alias
- Automatic renewal disabled
- Thumbprint
To view the certificates installed on an iOS MDM device:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
- In the list of mobile devices that opens, choose the device whose certificates you want to view.
- In the device properties window that opens, choose the Certificates section.
The list of certificates installed on the device and their properties are displayed.
- Certificate name
- User certificate
- Certificate thumbprint