Contents
- Deploying a mobile device management solution in Kaspersky Security Center Web Console
- Deploying Kaspersky Security Center Linux and Kaspersky Security Center Web Console
- Deploying mobile management plug-ins
- Configuring Administration Server settings for connecting mobile devices
- Scenario: Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Web Console
- Adding installation packages to Administration Server repository
- Adding a license key to the Administration Server repository
- Installing Network Agent Linux
- Configuring Kaspersky Security Center Linux Web Server settings
Deploying a mobile device management solution in Kaspersky Security Center Web Console
To connect and manage mobile devices using Kaspersky Security Center Web Console, you must deploy a mobile device management solution. This section describes the recommended actions when getting started with Kaspersky Secure Mobility Management.
Deploying Kaspersky Security Center Linux and Kaspersky Security Center Web Console
Select a Linux device that you intend to use as the administrator's workstation, ensure that the device meets the software and hardware requirements, and then install Kaspersky Security Center and Kaspersky Security Center Web Console on the device.
For instructions on installing Kaspersky Security Center Linux, refer to the Kaspersky Security Center Help.
For instructions on installing Kaspersky Security Center Web Console, refer to the Kaspersky Security Center Help.
Deploying mobile management plug-ins
To use the Kaspersky Secure Mobility Management solution and connect mobile devices, you must add and install the following mobile management plug-ins:
- Kaspersky Mobile Devices Protection and Management
  on_prem_ksm_policies_<version>.zip: archive that contains the files required for the installation of the Kaspersky Mobile Devices Protection and Management plug-in:
  - plugin.zip: archive that contains the Kaspersky Mobile Devices Protection and Management plug-in.
  - signature.txt: file that contains the signature for the Kaspersky Mobile Devices Protection and Management plug-in.
- iOS MDM Server settings
  on_prem_iosmdm_<version>.zip: archive that contains the files required for the installation of the iOS MDM Server settings plug-in:
  - plugin.zip: archive that contains the iOS MDM Server settings plug-in.
  - signature.txt: file that contains the signature for the iOS MDM Server settings plug-in.
To install a management plug-in:
- In the main window of Kaspersky Security Center Web Console, select Settings > Web plug-ins.
- In the window that opens, click Add.
The list of available plug-ins is displayed.
- In the list of available plug-ins, select the plug-in you want to install by clicking on its name.
A plug-in description page is displayed.
- On the plug-in description page, click Install plug-in.
- When the installation is complete, click OK.
The management plug-in is downloaded with the default configuration and displayed in the list of management plug-ins.
You can add plug-ins and update downloaded plug-ins from a file. You can download management plug-ins and web management plug-ins from the Kaspersky Customer Service webpage.
To load or update a plug-in from a file:
- In the main window of Kaspersky Security Center Web Console, select Settings > Web plug-ins.
- In the window that opens:
- Click Add from file to load a plug-in from a file.
- Click Update from file to load an update of a plug-in from a file.
- Specify the file and signature of the file.
- Load the specified files.
The management plug-in is loaded from the file and displayed in the list of management plug-ins.
Updates functionality (including providing anti-malware signature updates and codebase updates), as well as KSN functionality, may not be available in the software in the U.S.
Configuring Administration Server settings for connecting mobile devices
Before connecting mobile devices to Kaspersky Security Center Web Console, you must define the connection settings in the Administration Server properties.
To configure Administration Server settings for connecting mobile devices:
- In the main window of Kaspersky Security Center Web Console, click the settings icon next to the name of the Administration Server.
- In the Administration Server properties window that opens, configure the Administration Server port that will be used by mobile devices:
- In the General tab, select the Additional ports section.
- Enable the Open port for mobile devices toggle button.
If this option is enabled, the port for mobile devices will be open on the Administration Server.
- In the Port for mobile device synchronization field, specify the port through which mobile devices will connect to the Administration Server.
Port 13292 is used by default.
If the Open port for mobile devices toggle button is off or an incorrect connection port is specified, mobile devices will not be able to connect to the Administration Server.
- If necessary, edit the certificate that will be used by mobile devices to connect to the Administration Server.
By default, Administration Server uses the certificate created after the port for mobile devices is opened. You can reissue or replace the certificate issued through the Administration Server with another certificate.
To edit the certificate:
- In the General tab, select the Certificates section.
- Define the required settings.
For more details on working with certificates in Kaspersky Security Center Linux, refer to the Kaspersky Security Center Help.
- Click Save to save the changes you have made and exit the Administration Server properties window.
The mobile device connection settings are configured.
Scenario: Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Web Console
A connection gateway is Network Agent operating in a special mode. Network Agent is a Kaspersky Security Center component that enables interaction between the Administration Server and Kaspersky applications. A connection gateway receives connections from other Network Agents and tunnels them to the Administration Server through its own connection with the Server.
Unlike an ordinary Network Agent, a connection gateway may be configured to wait for connections from the Administration Server rather than establishing connections to it. A connection gateway in a DMZ receives connections from the Administration Server through the 13000 TLS port. Since a connection gateway in a DMZ cannot reach the Administration Server ports, the Administration Server creates and maintains a permanent signal connection with the connection gateway. The signal connection is not used for data transfer; it is used only to send an invitation for network interaction. When a connection gateway needs to connect to the Administration Server, it notifies the Server through this signal connection, and then the Server establishes the required connection for data transfer.
A connection gateway lets you more efficiently use the security features to protect network infrastructure against potential vulnerabilities.
- Using a connection gateway makes it easier to monitor suspicious activity on a separate network node outside a LAN (local area network). It helps to avoid direct malicious attacks via a mobile protocol by implementing a different protocol for communications between the connection gateway and Kaspersky Security Center.
- The surface of potential network attacks is smaller, since a connection gateway receives connections from the Administration Server through a single port (by default, 13000) through which all requests are processed.
- Using a connection gateway makes it possible to verify the mobile certificate outside a LAN and prevent devices from sending data to Kaspersky Security Center before they are authenticated, which protects network infrastructure against vulnerabilities in low-level protocols such as TLS/SSL.
Requirements
For a connection gateway to work correctly with mobile devices, the following requirements must be met:
- Port 13293 or port 13292 must be open on the host with the connection gateway.
These ports are designed to connect and synchronize mobile devices.
- When using port 13293, the TLS certificate is verified on the connection gateway (without being sent to the Administration Server).
- When using port 13292, the certificate is not verified (the LP_MobileMustUseTwoWayAuthOnPort13292 flag is ignored).
- Port 13000 must be open between the connection gateway and Kaspersky Security Center, through which the connection gateway receives connections from the Administration Server. It does not need to be open outside the DMZ.
- The host must have a static address accessible from the internet.
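One way to check a deployed gateway host against the requirements above, as an added example (not Kaspersky code): it resolves the gateway name, probes the ports named in the list, and reports where the observed exposure differs from what the list asks for. The function names, the "internet"/"server" vantage labels and the severity wording are assumptions of this example; the port numbers are the ones given on this page.

```python
"""Exposure audit for a connection gateway host (added example)."""
import ipaddress
import socket

# Port numbers as stated in the requirements list.
PORT_MOBILE_ONE_WAY = 13292  # certificate is not verified on the gateway
PORT_MOBILE_TWO_WAY = 13293  # TLS certificate is verified on the gateway
PORT_SERVER_SIGNAL = 13000   # Administration Server -> gateway, inside the DMZ


def resolve(host):
    """Return the set of IP address strings for host (empty if it does not resolve)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_gateway(host, vantage, probe=tcp_open, resolver=resolve):
    """Compare what is reachable on the gateway with the requirements list.

    vantage: "internet" when run from outside the perimeter,
             "server" when run on the Administration Server host.
    Returns a list of (severity, message) tuples; empty means no findings.
    """
    if vantage not in ("internet", "server"):
        raise ValueError("vantage must be 'internet' or 'server'")
    addresses = resolver(host)
    if not addresses:
        return [("FAIL", f"{host} does not resolve")]
    findings = []
    if vantage == "internet":
        # The host must have an address accessible from the internet.
        non_public = sorted(
            a for a in addresses
            if not ipaddress.ip_address(a.split("%")[0]).is_global
        )
        if non_public:
            findings.append(
                ("FAIL", f"{host} resolves to non-public address(es): "
                         + ", ".join(non_public)))
        one_way = probe(host, PORT_MOBILE_ONE_WAY)
        two_way = probe(host, PORT_MOBILE_TWO_WAY)
        if not (one_way or two_way):
            findings.append(
                ("FAIL", "neither 13292 nor 13293 is reachable; "
                         "mobile devices cannot connect"))
        if one_way:
            findings.append(
                ("WARN", "13292 is reachable: certificates are not "
                         "verified on the gateway on this port"))
        if probe(host, PORT_SERVER_SIGNAL):
            findings.append(
                ("WARN", "13000 is reachable from the internet; it only "
                         "needs to be open inside the DMZ"))
    elif not probe(host, PORT_SERVER_SIGNAL):
        findings.append(
            ("FAIL", "Administration Server cannot reach the gateway on 13000"))
    return findings


if __name__ == "__main__":
    import sys
    for severity, message in audit_gateway(sys.argv[1], sys.argv[2]):
        print(f"{severity}: {message}")
```

Run it once from an external network with the vantage "internet" and once on the Administration Server host with the vantage "server"; if you changed the mobile ports in the distribution point properties, adjust the constants to match.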
Stages
The configuration proceeds in the following steps:
- Installing Network Agent in the connection gateway role on a host
First, you need to install Network Agent on the selected host device acting in the connection gateway role.
For information about generating a Network Agent installation package, refer to the Kaspersky Security Center Help.
You can install Network Agent in interactive mode by specifying installation parameters step by step. Alternatively, you can use an answer file—a text file that contains a custom set of installation parameters: variables and their respective values. Using this answer file allows you to run an installation in silent mode, that is, without user participation. For information on installing Network Agent in silent mode, refer to the Kaspersky Security Center Help.
- Configuring the connection gateway on Kaspersky Security Center Administration Server
Once you have installed Network Agent in the connection gateway role, you must connect it to Administration Server. Administration Server does not yet list the device with the connection gateway among the managed devices because the connection gateway has not tried to connect to Administration Server.
You must create a new group under the Managed Devices group and add the device acting as a connection gateway to the group that you have created. For information on manually adding devices to groups in Kaspersky Security Center Web Console, refer to the Kaspersky Security Center Help.
After that, assign the device as a distribution point and configure the distribution point to act as a connection gateway in the Connection gateway section of the distribution point properties. Then enable the Open port for mobile devices (SSL authentication of the Administration Server only) and Open port for mobile devices (two-way SSL authentication) options and specify ports and DNS domain names of the distribution point to connect mobile devices.
If the 'CA: true' basic constraint is not set for a custom mobile Administration Server certificate, the same certificate will be used for the connection gateway as for the Administration Server.
Results
The connection gateway will be configured. You will be able to add new mobile devices by specifying the connection gateway address.
To change the mobile device connection address, reissue the mobile certificate with a new connection address specified when configuring the connection gateway (in the Administration Server properties window, select General → Certificates). For detailed information on reissuing mobile certificates, refer to the Reissuing the mobile Administration Server certificate section.
To make sure mobile devices are synchronized with Kaspersky Security Center on the connection gateway, the connection address you have set when configuring the connection gateway must be specified in the properties of Kaspersky Endpoint Security for Android installation packages (Operations → Repositories → Installation packages).
Adding installation packages to Administration Server repository
For further deployment of mobile management systems, you need to add the following installation packages to the Administration Server repository:
- Network Agent Linux installation package (for later installation of Network Agent on a workstation).
- iOS MDM Server installation package (for later installation of iOS MDM Server to connect and manage iOS devices).
- Kaspersky Endpoint Security for Android installation package (for later installation of Kaspersky Endpoint Security for Android on devices).
For instructions on adding installation packages to the Administration Server repository, refer to the Kaspersky Security Center Help.
Adding a license key to the Administration Server repository
To connect mobile devices to Kaspersky Security Center Web Console and manage them, you must specify a license key that supports the Mobile Device Management solution.
The license under which the solution is used determines the scope of basic or advanced settings you can configure. With a license that does not provide the extended Kaspersky Secure Mobility Management functionality, only basic device protection settings are available in the Kaspersky Mobile Devices Protection and Management plug-in. For detailed information on licenses, refer to the About the license section.
To specify a license key in the current license settings of the Administration Server properties:
- In the main window of Kaspersky Security Center Web Console, click the settings icon next to the name of the Administration Server.
In the Administration Server properties window that opens:
- In the General tab, select the License keys section.
- In the Current license block of settings, click Select and do one of the following:
- Choose one of the existing license keys.
- Specify the KEY file you want to add.
The license you choose must support the Mobile Management solution.
- Click Save.
The license key is specified in the current license settings of the Administration Server properties.
To add a license key to the Administration Server repository:
- In the main window of Kaspersky Security Center Web Console, select Operations → Kaspersky licenses.
- Click Add.
- In the window that opens, click Add key file.
- Click Select key file, and then specify the KEY file you want to add.
The license you choose must support the Mobile Management solution.
- Click Save.
The license key is added to the Administration Server repository.
Installing Network Agent Linux
Network Agent Linux is a Kaspersky Security Center component that enables interaction between the Administration Server and Kaspersky applications that are installed on a workstation or server.
To deploy an iOS device management system, you must install Network Agent on a workstation on which iOS MDM Server will later be deployed. After Network Agent is installed, you will be able to configure and install iOS MDM Server on it to subsequently connect and manage iOS devices.
For instructions on installing Network Agent Linux, refer to the Kaspersky Security Center Help.
Configuring Kaspersky Security Center Linux Web Server settings
Kaspersky Security Center Linux Web Server (Web Server) is a component of Kaspersky Security Center Linux installed together with the Administration Server. Web Server is designed for network transmission of stand-alone installation packages, device management profiles, and files from a shared folder.
Installation packages that have been created are published on Web Server automatically and then removed after the first download. The administrator can send a new link to the user in any convenient way, such as by email.
For detailed information, refer to the Kaspersky Security Center Help.
To connect mobile devices, make sure the Web Server FQDN is specified correctly in the Administration Server properties:
- In the main window of Kaspersky Security Center Web Console, click the settings icon next to the name of the Administration Server.
- In the Administration Server properties window that opens, on the General tab, select the Web Server section.
- In the Web Server FQDN field, check if the specified FQDN (a fully qualified domain name) is publicly resolvable by DNS servers.
Configuring Web Server settings on a connection gateway (Network Agent for Linux)
A separate Web Server service is implemented on a distribution point in a connection gateway mode, which allows working with mobile devices connected to Kaspersky Security Center. This service is responsible for transferring app installation packages and device management profiles to devices without directly connecting them to the Administration Server. Files are transferred as the service processes HTTP/HTTPS file requests on a connection gateway.
Web Server on a connection gateway only works for downloading the following types of files to mobile devices:
- Kaspersky mobile apps
Installation packages of Kaspersky mobile apps added to policies by the administrator via Kaspersky Security Center Web Console.
- Third-party mobile apps
Installation packages of third-party mobile apps created by the administrator for their subsequent installation on devices from a local file.
- Device management profiles for iOS MDM devices
To connect new devices to Kaspersky Security Center, installation packages and device management profiles are published on the Web Server connection gateway if it has been deployed.
Links to installation packages are located in the policy settings and the "Apps & files" and "Installation packages" sections of Kaspersky Security Center.
This functionality is available with Kaspersky Security Center Linux 15.2 or later.
The Web Server service on a connection gateway is installed together with Network Agent Linux. To use this functionality, you must assign a device that will act as a distribution point in a connection gateway mode to be used as Web Server, and then specify the corresponding settings.
Assign a device that will act as a distribution point in a connection gateway mode
To assign a device that will act as a distribution point in a connection gateway mode:
- In the main window of Kaspersky Security Center Web Console, click the settings icon next to the name of the Administration Server.
The Administration Server properties window opens.
- In the General tab, select the Distribution points section.
- Click Assign.
- In the window that opens, select the device that you want to act as a distribution point.
- Click OK.
The selected device appears in the list of distribution points.
- Click the name of the device.
- In the properties window of the distribution points that opens, select the Connection gateway section.
- Enable the Connection gateway toggle switch.
- Specify the DNS domain name of the distribution point under which it will be available to mobile devices.
- Click OK.
A device that will act as a distribution point in a connection gateway mode is assigned.
Configure Web Server settings on a connection gateway
To configure Web Server settings on a connection gateway:
- In the main window of Kaspersky Security Center Web Console, click the settings icon next to the name of the Administration Server.
The Administration Server properties window opens.
- In the General tab, select the Web Server section.
- In the Web Server settings on connection gateway (Network Agent for Linux) block of settings, select the Launch an additional Web Server on connection gateway check box.
This Web Server will be used to transfer files to devices.
- In the Connection gateway field that appears, specify the host on which Web Server will be deployed to act as a connection gateway. Only hosts that support this functionality are displayed in the drop-down list.
- In the Web Server settings for selected connection gateway block of settings that opens, configure the Web Server ports:
- Select Open Web Server HTTPS port if you want Web Server to be accessible on the HTTPS port and handle HTTPS requests. You will also need to configure a corresponding certificate to secure this port.
- Specify the HTTPS port.
- Specify the Certificate source for the Web Server HTTPS port.
By default, the certificate issued by the Administration Server is used – it is valid for 397 days and is renewed automatically after it expires. If necessary, you can renew this certificate manually by clicking the Reissue button.
To continue using this certificate, select Issue certificate through Administration Server. To upload a custom certificate manually, select Upload certificate from file.
To upload a certificate from a file:
- Click Upload from file.
- In the window that opens, choose the Certificate format.
- For a PKCS #12 certificate, specify the path to the certificate file (P12 or PFX) and enter the certificate password.
For an X.509 certificate, specify the path to the public and private key files and enter the private key password.
- Click Save.
- Make sure the addresses in the Web Server address (the address of Web Server whose requests will be processed by Kaspersky Security Center) and Certificate address (the address of the issued certificate) fields match. Otherwise, you need to reissue the certificate issued by the Administration Server or upload a different custom certificate.
In order for devices to securely download files from Web Server on a connection gateway via HTTPS, the Web Server certificate must be installed on these devices.
- Select Open Web Server HTTP port if you want Web Server to be accessible on the HTTP port and handle HTTP requests.
- Specify the HTTP port.
- Click Save.
Web Server settings on a connection gateway are configured.
If HTTP or HTTPS port settings are changed, you need to update the links to previously published installation packages for mobile devices connected to Web Server on the connection gateway. Please republish the links in the policy settings and the "Apps & files" and "Installation packages" sections of Kaspersky Security Center.
To update the links to installation packages:
- In the "Apps & files" section:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps & files.
- Click Android or iOS depending on the required operating system.
- In the list of apps that opens, do one of the following:
- Select the check boxes next to the names of the apps whose installation package links you want to update, and then click Republish.
- Click the names of the apps whose installation package links you want to update, and then click Republish in the window that opens.
- In the "Installation packages" section:
- In the main window of Kaspersky Security Center Web Console, select Operations → Repositories → Installation packages.
- In the window that opens, click View the list of stand-alone packages.
- Select the app whose installation package link you want to update, and then click Unpublish.
- Click Publish.
The links to installation packages are updated.
Transferring the Web Server certificate to devices on the connection gateway
In order for devices to securely download files from Web Server on a connection gateway via HTTPS, the Web Server certificate must be installed on these devices.
Transferring the Web Server certificate to iOS MDM devices
When connecting new iOS MDM devices, Kaspersky Security Center automatically adds the certificate public key of Web Server on a connection gateway to the device management profiles.
This allows devices to verify the HTTPS connection and safely download third-party apps from Web Server on the connection gateway.
If the certificate changes, it is updated on iOS MDM devices during synchronization with iOS MDM Server.
Transferring the Web Server certificate to Android devices
If you use a Web Server certificate issued through Kaspersky Security Center, the standard Android download manager lets you download files from Web Server on a connection gateway only via HTTP.
To securely download files to devices with a certificate issued through Kaspersky Security Center, you can use the built-in Kaspersky Endpoint Security for Android download manager that always downloads files via HTTPS. For detailed information, refer to the Selecting the download manager for Android devices section.