Connecting mobile devices to Kaspersky Security Center Web Console

Expand all | Collapse all

To manage mobile devices and the mobile management apps installed on them, you must connect these devices to Kaspersky Security Center.

Before connecting, make sure the license that supports the Mobile Management solution is configured in the License keys section of the Administration Server properties.

To connect a mobile device to Kaspersky Security Center:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
2. In the list of mobile devices that opens, click Add.

   The Mobile device connection wizard starts. Click Start, and then proceed through the wizard using the Back and Next buttons.

Welcome

On the welcome screen, you can read a summary of the Mobile device connection wizard steps.

Step 1. Policy

At this step, choose a policy for devices that will connect. Devices operate according to the security settings specified in the policy.

• Use an existing policy

  For this option, specify the administration group of the policy you want to choose. The policy name, operating systems and operating modes of the devices managed by this policy will be displayed.

  If necessary, click Go to policy to view the properties of the policy you have selected.

• Create a new policy

  For this option, click the Create policy button that appears. You will be redirected to the Mobile policy wizard. After a policy with the required properties is created, you can return to the Mobile device connection wizard.

Step 2. Operating systems

At this step, choose the operating systems of the devices that will connect. The policy settings determine the available operating systems: Android, iOS, or Aurora.

• Android

  After you select this operating system, the Kaspersky Endpoint Security for Android Installation settings will be displayed. To modify them, click Edit settings.

  1. Choose the Installation source for Kaspersky Endpoint Security for Android:
     • Kaspersky website

       Choose this method for mobile devices that can access the internet to download the APK installation file from the Kaspersky website. The app will then be updated from the Kaspersky website or using HUAWEI AppGallery, Samsung Galaxy Store, RuStore, or Xiaomi GetApps.

       This installation source works for all operating modes.

     • RuStore

       The user will receive a link to RuStore. The app can be installed from RuStore by following the standard installation procedure on the Android platform.

       The link contains the following data:

       • Kaspersky Security Center synchronization settings.
       • Details for automatic receiving of the mobile certificate upon the first synchronization.
       • Indication of whether the End User License Agreement for Kaspersky Endpoint Security for Android and additional Statements were accepted. If the administrator accepts the agreements in the Kaspersky Security Center Web Console, Kaspersky Endpoint Security for Android skips the acceptance step during the app installation.

       This installation source works only for personal devices and devices with a corporate container.

     • Installation package

       The Kaspersky Endpoint Security for Android installation package will be downloaded from the Kaspersky Security Center server and updated via Kaspersky Security Center using policy settings. You can choose this method if mobile devices in your company have no access to the internet.

       For this installation source, before connecting mobile devices, create the Kaspersky Endpoint Security for Android installation package.

       This installation source works for all operating modes.

       • To choose an installation package, click Select installation package, and then select the installation package from the list that opens.
       • If there are no available installation packages, you will be offered to create one. Click Create installation package, and then follow the steps of the New package wizard as described in the Kaspersky Security Center Help to create an installation package from a file or create a stand-alone installation package. After the installation package is created, you can return to the Mobile device connection wizard.

       Automatic app updates through the store are not available with this installation method. You can update the app manually in the App update section of the policy settings.
       The latest installation package uploaded to Kaspersky Security Center is used to install the app on devices.

       For corporate devices, make sure the Allow using HTTP to download the app on corporate devices check box is selected to ensure Kaspersky Endpoint Security for Android is downloaded. Otherwise, the app will be downloaded via HTTPS only if the Kaspersky Security Center Web Server certificate was issued by a trusted certificate authority.

       For more information on the installation methods, refer to the Installing Kaspersky Endpoint Security for Android section.

  2. Choose Installation network for Kaspersky Endpoint Security for Android (corporate devices only):
     • Prompt the user to select a Wi-Fi network on device

       If you choose this option, the user will be prompted to connect to any available Wi-Fi network for downloading the app.

     • Only use the specified Wi-Fi network (Android 9 or later)

       To choose an installation network, click Select network.

       In the window that opens, specify the following settings:

       • Service set identifier (SSID)

         Specifies the name of a wireless network with an access point (SSID). The wireless network name should not be longer than 32 characters.

       • Hidden network

         Specifies whether the selected network broadcasts its SSID.

       • Network protection

         Specifies a wireless network security type. Possible values:

         • NONE

           If selected, the network is not protected.

         • WPA

           If selected, the network is protected using the WPA security protocol. This option requires entering a password to access the network.

         • WEP

           If selected, the network is protected using the WEP protocol. This option requires entering a password to access the network and applies only to devices running Android 9 or earlier.

       • Password

         Specifies the password for accessing a wireless network protected using a WPA or WEP protocol. The password will be sent to the user in a QR code.

         Do not send a password for a confidential Wi-Fi network that must not be publicly accessible. The password is sent to the user in unencrypted form along with other device configuration data.

       • Use proxy server

         Specifies the use of a proxy server. If this check box is selected, you need to provide the proxy server address and port. You can also specify a list of addresses for which the proxy will be bypassed.

       • Proxy server address

         Specifies the IP address or the symbol name (web address) of the proxy server. The maximum number of characters is 256.

       • Proxy server port

         Specifies the port number of the proxy server. The value should be in the interval between 0 and 65536.

       • PAC file URL

         A URL to a proxy auto-configuration (PAC) file for the Wi-Fi network.

       • Do not use proxy server for the following addresses

         Specifies the addresses for which the proxy server should not be used.

         You can enter the address in example.com format. If you enter example.com, the proxy server will not be used for the addresses pictures.example.com, example.com/movies, etc. The protocol (for example, http://) can be omitted.

       Do not use a password for a confidential Wi-Fi network that must not be publicly accessible. The unencrypted password is sent to the user in a QR code along with other device configuration data.

     • Try to use mobile network (Android 8 or later)

       If you choose this option, the device will try to use mobile data to download the app. If the device does not have a SIM card or the mobile network is not available, the user will be prompted to select any available Wi-Fi network.

  3. Click the Enable all system apps check box (corporate devices only) if you want system apps to remain active on the device. If necessary, they can be disabled later in the App Control section.
• iOS

  To connect and manage iOS devices in basic control and supervised operating modes, you must have an iOS MDM Server installed in the selected administration group. For detailed information on installing iOS MDM Server, refer to the Deploying iOS MDM Server section.

  The Kaspersky Protection for iOS app will be installed on personal iOS devices in the basic protection operating mode.

  A device management profile will be installed on the devices operating in basic control and supervised operating modes.

  On devices running iOS 12.1 or later, you must manually confirm the installation of a device management profile on a mobile device. You must also grant the permission for remote management of the device.

• Aurora

  To connect Aurora devices, you need to have Kaspersky Endpoint Security for Aurora pre-installed on the devices that will connect.

Step 3. Accept agreements

At this step, choose who must accept the End User License Agreement (EULA) and Privacy Policy.

• Administrator

  The agreements are accepted by the administrator in the next step of the wizard. In this case, the app skips the acceptance step during the app installation.

• Users

  The agreements are accepted on mobile devices by users.

This step only applies to Android and iOS operating systems. If you are connecting Aurora devices, the agreements are only accepted by users on their mobile devices.

Please note that the administrator will be offered to accept the EULA only after the same version of the EULA is accepted by users on devices for the first time. After the connection and first synchronization of devices with Kaspersky Security Center, the administrator will be able to accept this version of EULA upon subsequent connection of devices.

The list of accepted agreements is available in the End User License Agreements section of the Administration Server properties.

Step 4. End User License Agreement and Privacy Policy

At this step, if Administrator is selected as the recipient of the agreements in the previous step of the wizard, you will be offered to read the Privacy Policy, EULA, and all the documents associated with it. You must accept the terms and conditions of the EULA and Privacy Policy before installation of the mobile device management apps.

Step 5. Users

At this step, choose one or more users of the devices that will connect. These users will receive the details for installing the app to connect their devices to Kaspersky Security Center. If a user is not in the list, you can add a new user account without exiting the wizard.

• To choose an existing user, select check boxes next to the corresponding user names.
• To add a new user, click Add user.
  1. Specify user credentials in the Credentials block of settings.
     • User name
     • Password

       The password must meet the following complexity requirements:

       • It must contain between 8 and 16 characters.
       • It must contain the characters from at least three of these groups: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;).
  2. If necessary, specify the optional details in the Optional information group of settings.
     • Full user name
     • Description
     • Email address
     • Phone number
  3. Click OK to save the changes.

     The new user will be added and displayed in the list of users.

• To modify user details, click Edit user.

  The fields you can modify depend on the user subtype - internal or domain.

Step 6. Send connection details

At this step, choose how to send the QR codes and links for installing the mobile management apps or device management profiles. You can choose one of the following options:

• Send a message to users' email addresses

  Choose this option to send the connection details by email to the selected users. To install the app or a device management profile, the user needs to scan the QR code using the camera of the mobile device or open the link to the installation package.

  These email addresses must be specified in the user account settings in Kaspersky Security Center.
  
  If you want to send the connection details to an email address that is not specified in the user account settings in Kaspersky Security Center, select the Send a copy of the message to an alternate email address check box, and then specify the required email address.

• Show QR codes and links after completing the wizard

  Choose this option to scan the QR code with the camera of the mobile device or follow the link in the wizard.

Step 7. Confirm

At this step, check the mobile device connection details specified in the earlier steps, and then click Finish to confirm the operation.

If you select a large number of users or user groups, creating QR codes and connection links may take several minutes.

Finish

On the Finish screen:

• If you chose the Send a message to users' email addresses option, the specified users will receive the emails with QR codes and links for connecting mobile devices to the Administration Server.
• If you chose the Show QR codes and links after completing the wizard option, the connection details will be available on the Finish screen. You can view the displayed details or click Download list to receive a file with summarized information.

Click Close to exit the wizard.

As soon as users install the mobile management apps, their devices are connected to the Administration Server and displayed on the Devices tab of Kaspersky Security Center Web Console.

You can now configure the settings for devices and mobile management apps using policies. You will also be able to send commands to mobile devices for data protection in case devices are lost or stolen.

Direct connection of Android devices to Kaspersky Security Center

Android devices can connect directly to port 13292 of the Administration Server.

Depending on the method used for authentication, two connection options are possible.

Connecting devices with a user certificate

When connecting a device with a user certificate, the device is associated with the user account to which the corresponding certificate has been assigned through the Administration Server tools.

In this case, two-way SSL authentication (mutual authentication) will be used. Both the Administration Server and the device will be authenticated with certificates.

Connecting devices without a user certificate

When connecting a device without a user certificate, the device is associated with none of the user's accounts on Administration Server. However, when the device receives any certificate, the device will be associated with the user to which the corresponding certificate has been assigned through the Administration Server tools.

When connecting that device to the Administration Server, one-way SSL authentication will be applied, which means that only Administration Server is authenticated with the certificate. After the device retrieves the user certificate, the type of authentication will change to two-way SSL authentication (2-way SSL authentication, mutual authentication).

Moving unassigned mobile devices to administration groups

When the mobile devices are connected to Kaspersky Security Center, they are displayed on the Discovery & deployment > Unassigned devices page of Kaspersky Security Center Web Console. To manage newly connected devices, you can create a rule that automatically assigns them to administration groups or you can move them to an administration group manually.

To move an unassigned mobile device to an administration group:

1. In the main window of Kaspersky Security Center web console, select Discovery & deployment > Unassigned devices.
2. Select the device that you want to move to an administration group, and then click Move to group.
3. In the tree of administration groups that opens, select the target group to which you want to move the device.

   You can create a new administration group by selecting an existing group, and then clicking Add child group.

4. Click Move.

The device is moved to the specified administration group and the corresponding policy is applied to it.

Actions on mobile devices to connect to Administration Server

Depending on the mode in which your device will operate, you may have to perform additional actions to protect your device and connect it to the Administration Server.

Install a mobile certificate

If you received a certificate password, you must use it to install the mobile certificate on your device.

To install the mobile certificate:

1. Remember or write down the password you received from your administrator by email.
2. Do one of the following:
   • On an Android device, enter the certificate password when prompted by Kaspersky Endpoint Security for Android.
   • On an iOS device, enter the certificate password during installation of the device management profile.

The mobile certificate will be installed on your device.

Pre-configure corporate Android devices

To connect a corporate Android device to the Administration Server, you must pre-configure the device depending on the operating system version and availability of a QR code scanner.

Install Kaspersky Endpoint Security for Aurora

The QR code that you received from your administrator contains the settings used to connect your device to the Administration Server. Before you connect the device, you must install Kaspersky Endpoint Security for Aurora. For more information on installing Kaspersky Endpoint Security on Aurora devices, see the Kaspersky Endpoint Security for Aurora Help.