Kaspersky Next XDR Expert


Settings of a managed device


To view the settings of a managed device:

  1. In the main menu, go to Assets (Devices) → Managed devices.

    The list of managed devices is displayed.

  2. In the list of managed devices, click the link with the name of the required device.

The properties window of the selected device is displayed.

The following tabs are displayed in the upper part of the properties window representing the main groups of the settings:

  • General

    This tab comprises the following sections:

    • The General section displays general information about the client device. Information is provided on the basis of data received during the last synchronization of the client device with the Administration Server:
      • Name

        In this field, you can view and modify the client device name in the administration group.

      • Description

        In this field, you can enter an additional description for the client device.

      • Device status

        Status of the client device assigned on the basis of the criteria defined by the administrator for the status of anti-virus protection on the device and the activity of the device on the network.

      • Device owner

        Name of the device owner. You can assign or remove a user as a device owner by clicking the Manage device owner link.

      • Full group name

        Administration group, which includes the client device.

      • Last update of anti-virus databases

        Date the anti-virus databases or applications were last updated on the device.

      • Connected to Administration Server

        Date and time at which the Network Agent installed on the client device last connected to the Administration Server.

      • Last visible

        Date and time the device was last visible on the network.

      • Network Agent version

        Version of the installed Network Agent.

      • Created

        Date on which the device was created in Open Single Management Platform.

      • Do not disconnect from the Administration Server

        If this option is enabled, continuous connectivity between the managed device and the Administration Server is maintained. You may want to use this option if you are not using push servers, which provide such connectivity.

        If this option is disabled and push servers are not in use, the managed device only connects to the Administration Server to synchronize data or to transmit information.

        The maximum total number of devices with the Do not disconnect from the Administration Server option selected is 300.

        This option is disabled by default on managed devices. This option is enabled by default on the device where the Administration Server is installed and stays enabled even if you try to disable it.

    • The Network section displays the following information about the network properties of the client device:
    • The System section provides information about the operating system installed on the client device:
    • The Protection section provides the following information about the current status of anti-virus protection on the client device:
      • Visible

        Visibility status of the client device.

      • Device status

        Status of the client device assigned on the basis of the criteria defined by the administrator for the status of anti-virus protection on the device and the activity of the device on the network.

      • Status description

        Status of the client device protection and connection to Administration Server.

      • Protection status

        This field shows the current status of real-time protection on the client device.

        When the status changes on the device, the new status is displayed in the device properties window only after the client device is synchronized with the Administration Server.

      • Last full scan

        Date and time the last malware scan was performed on the client device.

      • Virus detected

        Total number of threats detected on the client device since installation of the security application (first scan), or since the last reset of the threat counter.

      • Objects that have failed disinfection

        Number of unprocessed files on the client device.

        This field ignores the number of unprocessed files on mobile devices.

      • Disk encryption status

        The current status of file encryption on the local drives of the device. For a description of the statuses, see the Kaspersky Endpoint Security for Windows Help.

        Files can be only encrypted on the managed devices on which Kaspersky Endpoint Security for Windows is installed.

    • The Device status defined by application section provides information about the device status that is defined by the managed application installed on the device. This device status can differ from the one defined by Open Single Management Platform.
  • Applications

    This tab lists all Kaspersky applications installed on the client device. It contains the Start and Stop buttons, which allow you to start and stop the selected Kaspersky application (excluding Network Agent). You can use these buttons if UDP port 15000 is open on the managed device to receive push notifications from the Administration Server. If the managed device cannot receive push notifications but continuous connection to the Administration Server is enabled (the Do not disconnect from the Administration Server option in the General section is enabled), the Start and Stop buttons are also available. Otherwise, an error message is displayed when you try to start or stop the application. You can also click the application name to view general information about the application, a list of events that have occurred on the device, and the application settings.

  • Active policies and policy profiles

    This tab lists the policies and policy profiles that are currently assigned to the managed device.

  • Tasks

    On the Tasks tab, you can manage client device tasks: view the list of existing tasks, create new ones, remove, start and stop tasks, modify their settings, and view execution results. The list of tasks is based on data received during the last synchronization session between the client and the Administration Server. The Administration Server requests the task status details from the client device. If UDP port 15000 is open on the managed device to receive push notifications from the Administration Server, the task status is displayed and the buttons for managing the task are enabled. If the managed device cannot receive push notifications but continuous connection to the Administration Server is enabled (the Do not disconnect from the Administration Server option in the General section is enabled), the task actions are also available.

    If connection is not established, the status is not displayed and buttons are disabled.

  • Events

    The Events tab displays events logged on the Administration Server for the selected client device.

  • Security issues

    In the Security issues tab, you can view, edit, and create security issues for the client device. Security issues can be created either automatically, through managed Kaspersky applications installed on the client device, or manually by the administrator. For example, if some users regularly move malware from their removable drives to devices, the administrator can create a security issue. The administrator can provide a brief description of the case and recommended actions (such as disciplinary actions to be taken against a user) in the text of the security issue, and can add a link to the user or users.

    A security issue for which all of the required actions have been taken is called processed. The presence of unprocessed security issues can be chosen as the condition for a change of the device status to Critical or Warning.

    This section contains a list of security issues that have been created for the device. Security issues are classified by severity level and type. The type of a security issue is defined by the Kaspersky application that creates it. You can highlight processed security issues in the list by selecting the check box in the Processed column.

  • Tags

    In the Tags tab, you can manage the list of keywords that are used for finding client devices: view the list of existing tags, assign tags from the list, configure auto-tagging rules, add new tags and rename old tags, and remove tags.

  • Advanced

    This tab comprises the following sections:

    • Applications registry. In this section, you can view the registry of applications installed on the client device and their updates; you can also set up the display of the applications registry.

      Information about installed applications is provided if Network Agent installed on the client device sends required information to the Administration Server. You can configure sending of information to the Administration Server in the properties window of Network Agent or its policy, in the Repositories section.

      Clicking an application name opens a window that contains the application details and a list of the update packages installed for the application.

    • Executable files. This section displays executable files found on the client device.
    • Distribution points. This section provides a list of distribution points with which the device interacts.
      • Export to file

        Click the Export to file button to save the list of distribution points with which the device interacts to a file. By default, the list is exported to a CSV file.

      • Properties

        Click the Properties button to view and configure the distribution point with which the device interacts.

    • Hardware registry. In this section, you can view information about hardware installed on the client device.

If you use a PostgreSQL, MariaDB, or MySQL DBMS, the Events tab may display an incomplete list of events for the selected client device. This occurs when the DBMS stores a very large number of events. You can increase the number of displayed events by doing either of the following:

To see a full list of events logged on the Administration Server for the device, use Reports.


Creating administration groups

Immediately after Open Single Management Platform installation, the hierarchy of administration groups contains only one administration group called Managed devices. When creating a hierarchy of administration groups, you can add devices and virtual machines to the Managed devices group, and add nested groups (see the figure below).

[Figure: Viewing administration groups hierarchy. Three nested groups are added in the Managed devices group; one of the added groups has a nested group of its own.]

To create an administration group:

  1. In the main menu, go to Assets (Devices) → Hierarchy of groups.
  2. In the administration group structure, select the administration group that is to include the new administration group.
  3. Click the Add button.
  4. In the Name of the new administration group window that opens, enter a name for the group, and then click the Add button.

A new administration group with the specified name appears in the hierarchy of administration groups.

To create a structure of administration groups:

  1. In the main menu, go to Assets (Devices) → Hierarchy of groups.
  2. Click the Import button.

The New Administration Group Structure Wizard starts. Follow the instructions of the Wizard.


Device moving rules

We recommend that you automate the allocation of devices to administration groups through device moving rules. A device moving rule consists of three main parts: a name, an execution condition (logical expression with the device attributes), and a target administration group. A rule moves a device to the target administration group if the device attributes meet the rule execution condition.

All device moving rules have priorities. The Administration Server checks whether the device attributes meet the execution condition of each rule, in ascending order of priority. If the device attributes meet the execution condition of a rule, the device is moved to the target group and rule processing is complete for this device. If the device attributes meet the conditions of multiple rules, the device is moved to the target group of the rule with the highest priority (that is, the rule with the highest rank in the list of rules).

Device moving rules can be created implicitly. For example, in the properties of an installation package or a remote installation task, you can specify the administration group to which the device must be moved after Network Agent is installed on it. Device moving rules can also be created explicitly by the administrator of Open Single Management Platform, in the Assets (Devices) → Moving rules section.

By default, a device moving rule is intended for a one-time initial allocation of devices to administration groups. The rule moves devices from the unassigned devices group only once. Once a device has been moved by this rule, the rule never moves it again, even if you return the device to the unassigned devices group manually. This is the recommended way of applying moving rules.

You can move devices that have already been allocated to some of the administration groups. To do this, in the properties of a rule, clear the Move only devices that do not belong to an administration group check box.

Applying moving rules to devices that have already been allocated to administration groups significantly increases the load on the Administration Server.

The Move only devices that do not belong to an administration group check box is locked in the properties of automatically created moving rules. Such rules are created when you add the Install application remotely task or create a stand-alone installation package.

You can create a moving rule that would affect a single device repeatedly.

We strongly recommend that you avoid moving a single device from one group to another repeatedly (for example, in order to apply a special policy to that device, run a special group task, or update the device through a specific distribution point).

Such scenarios are not supported, because they increase the load on Administration Server and network traffic to an extreme degree. These scenarios also conflict with the operating principles of Open Single Management Platform (particularly in the area of access rights, events, and reports). Another solution must be found, for example, through the use of policy profiles, tasks for device selections, assignment of Network Agents according to the standard scenario.
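The priority and run-once behaviour described in this topic, and restated in the "Creating device moving rules" topic, can be simulated in a few lines. The following Python is an added example, not code from Open Single Management Platform: rules are evaluated in list order, the first rule whose condition matches moves the device and ends processing, a rule with the Move only devices that do not belong to an administration group check box selected skips devices that are already in a group, and a rule that has moved a device once never moves it again, even after the device is returned to Unassigned devices manually. Group, device and rule names, and the attribute names inside the conditions, are constructed for the example.

```python
"""Priority and run-once semantics of device moving rules (added example, not
Kaspersky code). Models the behaviour described in this documentation: rules
are evaluated in list order, the first matching rule moves the device and
processing stops, a rule restricted to unassigned devices ignores devices
already in a group, and a rule that has moved a device once never moves it
again. Names and attributes below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

UNASSIGNED = "Unassigned devices"   # pseudo-group for devices not yet allocated
Attributes = Dict[str, object]


@dataclass
class Device:
    name: str
    attributes: Attributes
    group: str = UNASSIGNED


@dataclass
class MovingRule:
    name: str
    target_group: str
    condition: Callable[[Attributes], bool]     # rule execution condition
    active: bool = True
    move_only_unassigned: bool = True            # the check box in the rule properties
    applied_to: Set[str] = field(default_factory=set)  # devices already moved once

    def applies_to(self, device: Device) -> bool:
        if not self.active:
            return False
        if self.move_only_unassigned and device.group != UNASSIGNED:
            return False
        if device.name in self.applied_to:       # "Run once for each device"
            return False
        return self.condition(device.attributes)


def apply_rules(rules: List[MovingRule], device: Device) -> Optional[str]:
    """Check rules from the top of the list (highest priority) downwards. The
    first rule that applies moves the device and ends processing for it.
    Returns the name of the rule that moved the device, or None."""
    for rule in rules:
        if rule.applies_to(device):
            device.group = rule.target_group
            rule.applied_to.add(device.name)
            return rule.name
    return None


def demo() -> Dict[str, Optional[str]]:
    rules = [   # list position is the priority: "Servers" outranks "Finance"
        MovingRule("Servers", "Managed devices/Servers",
                   lambda a: a.get("os_type") == "server"),
        MovingRule("Finance", "Managed devices/Finance",
                   lambda a: "finance" in a.get("tags", ())),
        MovingRule("Workstations", "Managed devices/Workstations",
                   lambda a: a.get("os_type") == "workstation"),
        MovingRule("Reassign", "Managed devices/Reassigned",
                   lambda a: "reassign" in a.get("tags", ()),
                   move_only_unassigned=False),  # check box cleared: may move grouped devices
    ]
    srv = Device("fin-srv-01", {"os_type": "server"})
    ws = Device("fin-ws-07", {"os_type": "workstation", "tags": {"finance"}})
    result: Dict[str, Optional[str]] = {}
    result["srv_first_run"] = apply_rules(rules, srv)   # "Servers"
    result["ws_first_run"] = apply_rules(rules, ws)     # "Finance" wins over "Workstations"
    srv.group = UNASSIGNED                              # returned to Unassigned manually
    result["srv_returned"] = apply_rules(rules, srv)    # None: "Servers" already ran once
    ws.attributes["tags"].add("reassign")
    result["ws_in_group"] = apply_rules(rules, ws)      # "Reassign" moves a grouped device
    result["ws_group"] = ws.group
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that `srv_returned` comes out as `None` even though the device still matches the condition of the Servers rule: the rule remembers that it already moved that device, which is exactly why the documentation recommends this one-time mode and warns against rules that move a single device repeatedly.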


Creating device moving rules


You can set up device moving rules, that is, rules that automatically allocate devices to administration groups.

To create a moving rule:

  1. In the main menu, go to Assets (Devices) → Moving rules.
  2. Click Add.
  3. In the window that opens, specify the following information on the General tab:
    • Rule name

      Enter a name for the new rule.

      If you are copying a rule, the new rule gets the same name as the source rule, but an index in () format is added to the name, for example: (1).

    • Administration group

      Select the administration group into which the devices are to be moved automatically.

    • Active rule

      If this option is enabled, the rule is enabled and starts working after it is saved.

      If this option is disabled, the rule is created, but not enabled. It will not work until you enable this option.

    • Move only devices that do not belong to an administration group

      If this option is enabled, only unassigned devices will be moved to the selected group.

      If this option is disabled, devices that already belong to other administration groups, as well as unassigned devices, will be moved to the selected group.

    • Apply rule

      You can select one of the following options:

      • Run once for each device

        The rule is applied once for each device that matches your criteria.

      • Run once for each device, then at every Network Agent reinstallation

        The rule is applied once for each device that matches your criteria, then only when Network Agent is reinstalled on these devices.

      • Apply rule continuously

        The rule is applied according to the schedule which the Administration Server sets up automatically (usually every several hours).

  4. On the Rule conditions tab, specify at least one criterion by which the devices are moved to an administration group.
  5. Click Save.

The moving rule is created. It is displayed in the list of moving rules.

The higher the position is on the list, the higher the priority of the rule. To increase or decrease the priority of a moving rule, move the rule up or down in the list, respectively, by using the mouse.

If the Apply rule continuously option is selected, the moving rule is applied regardless of the priority settings. Such rules are applied according to the schedule that the Administration Server sets up automatically.

If the device attributes meet the conditions of multiple rules, the device is moved to the target group of the rule with the highest priority (that is, has the highest rank in the list of rules).

See also:

Adding devices to an administration group manually


Copying device moving rules


You can copy moving rules, for example, if you want to have several identical rules for different target administration groups.

To copy an existing moving rule:

  1. Do one of the following:
    • In the main menu, go to Assets (Devices) → Moving rules.
    • In the main menu, go to Discovery & deployment → Deployment & assignment → Moving rules.

    The list of moving rules is displayed.

  2. Select the check box next to the rule you want to copy.
  3. Click Copy.
  4. In the window that opens, change the following information on the General tab—or make no changes if you only want to copy the rule without changing its settings:
    • Rule name

      Enter a name for the new rule.

      If you are copying a rule, the new rule gets the same name as the source rule, but an index in () format is added to the name, for example: (1).

    • Administration group

      Select the administration group into which the devices are to be moved automatically.

    • Active rule

      If this option is enabled, the rule is enabled and starts working after it is saved.

      If this option is disabled, the rule is created, but not enabled. It will not work until you enable this option.

    • Move only devices that do not belong to an administration group

      If this option is enabled, only unassigned devices will be moved to the selected group.

      If this option is disabled, devices that already belong to other administration groups, as well as unassigned devices, will be moved to the selected group.

    • Apply rule

      You can select one of the following options:

      • Run once for each device

        The rule is applied once for each device that matches your criteria.

      • Run once for each device, then at every Network Agent reinstallation

        The rule is applied once for each device that matches your criteria, then only when Network Agent is reinstalled on these devices.

      • Apply rule continuously

        The rule is applied according to the schedule which the Administration Server sets up automatically (usually every several hours).

  5. On the Rule conditions tab, specify at least one criterion for the devices that you want to be moved automatically.
  6. Click Save.

The new moving rule is created. It is displayed in the list of moving rules.


Conditions for a device moving rule


When you create or copy a rule to move client devices to administration groups, on the Rule conditions tab you set conditions for moving the devices. To determine which devices to move, you can use the following criteria:

  • Tags assigned to client devices.
  • Network parameters. For example, you can move devices with IP addresses from a specified range.
  • Managed applications installed on client devices, for instance, Network Agent or Administration Server.
  • Virtual machines, which are the client devices.

Below, you can find the description on how to specify this information in a device moving rule.

If you specify several conditions in the rule, they are combined with the logical AND operator, so all of them must be met at the same time. Options that you do not select and fields that you leave blank are not evaluated at all.

Tags tab

On this tab, you can configure a device moving rule based on device tags that were previously added to the descriptions of client devices. To do this, select the required tags. Also, you can enable the following options:

  • Apply to devices without the specified tags

    If this option is enabled, all devices with the specified tags are excluded from a device moving rule. If this option is disabled, the device moving rule applies to devices with all the selected tags.

    By default, this option is disabled.

  • Apply if at least one specified tag matches

    If this option is enabled, a device moving rule applies to client devices with at least one of the selected tags. If this option is disabled, the device moving rule applies to devices with all the selected tags.

    By default, this option is disabled.

Network tab

On this tab, you can specify the network data of devices that a device moving rule considers:

  • DNS name of the device

    DNS domain name of the client device that you want to move. Fill this field if your network includes a DNS server.

    If a case-sensitive collation is set for the database that you use for Open Single Management Platform, match the case exactly when you specify a device DNS name. Otherwise, the device moving rule will not work.

  • DNS domain

    A device moving rule applies to all devices included in the specified main DNS suffix. Fill this field if your network includes a DNS server.

  • IP range

    If this option is enabled, you can enter the initial and final IP addresses of the IP range in which the relevant devices must be included.

    By default, this option is disabled.

  • IP address for connection to Administration Server

    If this option is enabled, you can set the IP addresses by which client devices are connected to Administration Server. To do this, specify the IP range that includes all necessary IP addresses.

    By default, this option is disabled.

  • Connection profile changed

    Select one of the following values:

    • Yes. A device moving rule only applies to client devices with a changed connection profile.
    • No. The device moving rule only applies to the client devices whose connection profile has not changed.
    • No value is selected. The condition does not apply.
  • Managed by a different Administration Server

    Select one of the following values:

    • Yes. A device moving rule only applies to client devices managed by other Administration Servers. These Servers are different from the Server on which you configure the device moving rule.
    • No. The device moving rule only applies to client devices managed by the current Administration Server.
    • No value is selected. The condition does not apply.

Applications tab

On this tab, you can configure a device moving rule based on the managed applications and operating systems installed on client devices:

  • Network Agent is installed

    Select one of the following values:

    • Yes. A device moving rule only applies to client devices with Network Agent installed.
    • No. The device moving rule only applies to client devices on which Network Agent is not installed.
    • No value is selected. The condition does not apply.
  • Applications

    Specify what managed applications should be installed on client devices, so a device moving rule applies to these devices. For example, you can select Kaspersky Security Center 15 Network Agent or Kaspersky Security Center 15 Administration Server.

    If you do not select any managed application, the condition does not apply.

  • Operating system version

    You can filter client devices based on the operating system version. For this purpose, specify the operating systems that should be installed on the client devices. As a result, the device moving rule applies to client devices with the selected operating systems.

    If you do not enable this option, the condition does not apply. By default, the option is disabled.

  • Operating system bit size

    You can filter client devices by operating system bit size. In the Operating system bit size field, you can select one of the following values:

    • Unknown
    • x86
    • AMD64
    • IA64

    To check the operating system bit size of the client devices:

    1. In the main menu, go to the Assets (Devices) → Managed devices section.
    2. Click the Columns settings button on the right.
    3. Select the Operating system bit size option, and then click the Save button.

      After that, the operating system bit size is displayed for every managed device.

  • Operating system service pack version

    In this field, you can specify the package version of the operating system (in the X.Y format), which will determine how the moving rule is applied to the device. By default, no version value is specified.

  • User certificate

    Select one of the following values:

    • Installed. A device moving rule only applies to mobile devices with a mobile certificate.
    • Not installed. The device moving rule only applies to mobile devices without a mobile certificate.
    • No value is selected. The condition does not apply.
  • Operating system build

    This setting is applicable to Windows operating systems only.

    You can specify whether the selected operating system must have an equal, earlier, or later build number. You can also configure a device moving rule for all build numbers except the specified one.

  • Operating system release number

    This setting is applicable to Windows operating systems only.

    You can specify whether the selected operating system must have an equal, earlier, or later release number. You can also configure a device moving rule for all release numbers except the specified one.

Virtual machines tab

On this tab, you can configure a device moving rule according to whether client devices are virtual machines or part of a virtual desktop infrastructure (VDI):

  • This is a virtual machine

    In the drop-down list, you can select one of the following:

    • N/A. The condition does not apply.
    • No. Move devices that are not virtual machines.
    • Yes. Move devices that are virtual machines.

  • Virtual machine type
  • Part of Virtual Desktop Infrastructure

    In the drop-down list, you can select one of the following:

    • N/A. The condition does not apply.
    • No. Move devices that are not part of VDI.
    • Yes. Move devices that are part of VDI.

Domain controller tab

On this tab, you can specify that devices included in a domain organizational unit must be moved. You can also move devices from all child organizational units of the specified domain organizational unit:

  • Device is included in the following organizational unit

    If this option is enabled, a device moving rule applies to devices from the domain controller organizational unit specified in the list under the option.

    By default, this option is disabled.

  • Include child organizational units

    If this option is enabled, the selection includes devices from all child organizational units of the specified domain controller organizational unit.

    By default, this option is disabled.

  • Move devices from child units to corresponding subgroups
  • Create subgroups corresponding to containers of newly detected devices
  • Delete subgroups that are not present in the domain
  • Device is included in the following domain security group

    If this option is enabled, a device moving rule applies to devices from the domain security group specified in the list under the option.

    By default, this option is disabled.
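The way the tabs above combine is easy to get wrong when writing a rule, so here is the evaluation logic as an added Python example (not code from the product): every condition that is set must match, conditions left blank or unselected are ignored, the Tags tab options switch between "all selected tags" and "at least one selected tag" and can invert the test, the IP range is an inclusive address range, and the Network Agent condition is a three-state Yes/No/unset value. The device attribute names, the treatment of the exclusion option as a plain inversion of the tag test, and the case-insensitive DNS suffix comparison are assumptions made for this example; the documentation above notes that DNS names are compared case-sensitively when the database uses a case-sensitive collation.

```python
"""Evaluation of device moving rule conditions (added example, not Kaspersky
code). Implements the combination rule stated in the documentation: each
condition that is set must match (logical AND); blank or unselected
conditions are ignored. Device attribute names are constructed here."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class RuleConditions:
    tags: Set[str] = field(default_factory=set)        # Tags tab: selected tags
    apply_to_devices_without_tags: bool = False        # Tags tab: exclude tagged devices
    apply_if_any_tag: bool = False                     # Tags tab: any vs. all tags
    dns_domain: Optional[str] = None                   # Network tab: main DNS suffix
    ip_range: Optional[Tuple[str, str]] = None         # Network tab: initial, final address
    network_agent_installed: Optional[bool] = None     # Applications tab: Yes/No/unset
    os_bit_sizes: Set[str] = field(default_factory=set)  # Applications tab, e.g. {"AMD64"}


def _tag_check(cond: RuleConditions, device_tags: Set[str]) -> Optional[bool]:
    if not cond.tags:
        return None                                    # no tags selected: ignored
    if cond.apply_if_any_tag:
        has_tags = bool(cond.tags & device_tags)       # at least one selected tag
    else:
        has_tags = cond.tags <= device_tags            # all selected tags
    # Assumption: the exclusion option inverts the tag test.
    return not has_tags if cond.apply_to_devices_without_tags else has_tags


def _ip_check(cond: RuleConditions, device_ip: str) -> Optional[bool]:
    if cond.ip_range is None:
        return None
    low, high = (ipaddress.ip_address(a) for a in cond.ip_range)
    return low <= ipaddress.ip_address(device_ip) <= high   # inclusive range


def matches(cond: RuleConditions, device: Dict[str, object]) -> bool:
    """True if the device satisfies every condition that is set in ``cond``."""
    checks = [
        _tag_check(cond, set(device.get("tags", ()))),
        None if cond.dns_domain is None
        else str(device.get("dns_domain", "")).lower() == cond.dns_domain.lower(),
        _ip_check(cond, str(device["ip"])),
        None if cond.network_agent_installed is None
        else bool(device.get("network_agent")) == cond.network_agent_installed,
        None if not cond.os_bit_sizes
        else device.get("os_bit_size") in cond.os_bit_sizes,
    ]
    active = [c for c in checks if c is not None]     # drop ignored conditions
    if not active:
        raise ValueError("a moving rule needs at least one condition")
    return all(active)                                 # logical AND


# Constructed sample inventory (not real devices).
DEVICES: Dict[str, Dict[str, object]] = {
    "fin-ws-07": {"tags": {"finance", "laptop"}, "dns_domain": "corp.example",
                  "ip": "192.0.2.17", "network_agent": True, "os_bit_size": "AMD64"},
    "lab-vm-02": {"tags": {"lab"}, "dns_domain": "lab.example",
                  "ip": "192.0.2.200", "network_agent": False, "os_bit_size": "x86"},
    "hr-ws-03": {"tags": {"hr", "laptop"}, "dns_domain": "corp.example",
                 "ip": "192.0.2.40", "network_agent": True, "os_bit_size": "AMD64"},
}


def demo() -> Dict[str, list]:
    """Evaluate three constructed rules against every sample device."""
    rules = [
        # all of two tags AND in an IP range AND Network Agent installed
        RuleConditions(tags={"finance", "laptop"}, ip_range=("192.0.2.1", "192.0.2.100"),
                       network_agent_installed=True),
        # at least one of two tags; nothing else set
        RuleConditions(tags={"hr", "laptop"}, apply_if_any_tag=True),
        # devices WITHOUT the "lab" tag AND in the corp.example suffix
        RuleConditions(tags={"lab"}, apply_to_devices_without_tags=True,
                       dns_domain="corp.example"),
    ]
    return {name: [matches(r, dev) for r in rules] for name, dev in DEVICES.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The `ValueError` for an empty condition set mirrors the requirement in the creation procedure that at least one criterion is specified; without it, an all-blank rule would match every device, which is the opposite of what an administrator expects from the "blank conditions are ignored" behaviour.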


Adding devices to an administration group manually

You can move devices to administration groups automatically by creating device moving rules or manually by moving devices from one administration group to another or by adding devices to a selected administration group. This section describes how to manually add devices to an administration group.

To manually add one or more devices to a selected administration group:

  1. In the main menu, go to Assets (Devices) → Managed devices.
  2. Click the Current path: <current path> link above the list.
  3. In the window that opens, select the administration group to which you want to add the devices.
  4. Click the Add devices button.

    The Move devices wizard starts.

  5. Make a list of the devices that you want to add to the administration group.

    You can add only devices for which information has already been added to the Administration Server database either upon connection of the device or after device discovery.

    Select how you want to add devices to the list:

    • Click the Add devices button, and then specify the devices in one of the following ways:
      • Select devices from the list of devices detected by the Administration Server.
      • Specify a device IP address or an IP range.
      • Specify a device DNS name.

        The device name field must not contain space characters, backspace characters, or the following prohibited characters: , \ / * ' " ; : & ` ~ ! @ # $ ^ ( ) = + [ ] { } | < > %

    • Click the Import devices from file button to import a list of devices from a .txt file. Each device address or name must be specified on a separate line.

      The file must not contain space characters, backspace characters, or the following prohibited characters: , \ / * ' " ; : & ` ~ ! @ # $ ^ ( ) = + [ ] { } | < > %

  6. View the list of devices to be added to the administration group. You can edit the list by adding or removing devices.
  7. After making sure that the list is correct, click the Next button.

The wizard processes the device list and displays the result. The successfully processed devices are added to the administration group and are displayed in the list of devices under names generated by Administration Server.

See also:

Creating device moving rules

Moving devices or clusters to an administration group manually


Moving devices or clusters to an administration group manually

You can move devices from one administration group to another, or from the group of unassigned devices to an administration group.

You can also move clusters or server arrays from one administration group to another. When you move a cluster or server array to another group, all of its nodes move with it, because a cluster and any of its nodes always belong to the same administration group. When you select a single cluster node on the Assets (Devices) tab, the Move to group button becomes unavailable.

To move one or several devices or clusters to a selected administration group:

  1. Open the administration group from which you want to move the devices. To do this, perform one of the following:
    • To open an administration group, in the main menu, go to Assets (Devices) → Managed devices, click the path link in the Current path field, and select an administration group in the left-side pane that opens.
    • To open the Unassigned devices group, in the main menu, go to Discovery & deployment → Unassigned devices.
  2. If the administration group contains clusters or server arrays, the Managed devices section is divided into two tabs—the Assets (Devices) tab and the Clusters and server arrays tab. Open the tab for the object that you want to move.
  3. Select the check boxes next to the devices or clusters that you want to move to a different group.
  4. Click the Move to group button.
  5. In the hierarchy of administration groups, select the check box next to the administration group to which you want to move the selected devices or clusters.
  6. Click the Move button.

The selected devices or clusters are moved to the selected administration group.

[Topic 194194]

About clusters and server arrays

Open Single Management Platform supports cluster technology. If Network Agent sends information to Administration Server confirming that an application installed on a client device is part of a server array, this client device becomes a cluster node.

If an administration group contains clusters or server arrays, the Managed devices page displays two tabs—one for individual devices, and one for clusters and server arrays. After the managed devices are detected as cluster nodes, the cluster is added as an individual object to the Clusters and server arrays tab.

The cluster or server array nodes are listed on the Devices tab, along with other managed devices. You can view properties of the nodes as individual devices and perform other operations, but you cannot delete a cluster node or move it to another administration group separately from its cluster. You can only delete or move an entire cluster.

You can perform the following operations with clusters or server arrays:

  • View properties
  • Move the cluster or server array to another administration group

    When you move a cluster or server array to another group, all of its nodes move with it, because a cluster and any of its nodes always belong to the same administration group.

  • Delete

    It is reasonable to delete a cluster or server array only when the cluster or server array does not exist in the organization network any longer. If a cluster is still visible on your network and Network Agent and the Kaspersky security application are still installed on the cluster nodes, Open Single Management Platform returns the deleted cluster and its nodes back to the list of managed devices automatically.

See also:

Properties of a cluster or server array

[Topic 246554]

Properties of a cluster or server array


To view the settings of a cluster or server array:

  1. In the main menu, go to Assets (Devices) → Managed devices → Clusters and server arrays.

    The list of clusters and server arrays is displayed.

  2. Click the name of the required cluster or server array.

The properties window of the selected cluster or server array is displayed.

General

The General section displays general information about the cluster or server array. Information is provided on the basis of data received during the last synchronization of the cluster nodes with the Administration Server:

  • Name
  • Description
  • Windows domain

    Windows domain or workgroup, which contains the cluster or server array.

  • NetBIOS name

    Windows network name of the cluster or server array.

  • DNS name

    Name of the DNS domain of the cluster or server array.

Tasks

In the Tasks tab, you can manage the tasks assigned to the cluster or server array: view the list of existing tasks; create new ones; remove, start, and stop tasks; modify task settings; and view execution results. The listed tasks relate to the Kaspersky security application installed on the cluster nodes. Open Single Management Platform receives the task list and the task status details from the cluster nodes. If a connection is not established, the status is not displayed.

Nodes

This tab displays a list of nodes included into the cluster or server array. You can click a node name to view the device properties window.

Kaspersky application

The properties window may also contain additional tabs with the information and settings related to the Kaspersky security application installed on the cluster nodes.

See also:

About clusters and server arrays

[Topic 246991]

Adjustment of distribution points and connection gateways

The structure of administration groups in Open Single Management Platform performs the following functions:

  • Sets the scope of policies

    There is an alternate way of applying relevant settings on devices, by using policy profiles.

  • Sets the scope of group tasks

    There is an approach to defining the scope of group tasks that is not based on a hierarchy of administration groups: use of tasks for device selections and tasks for specific devices.

  • Sets access rights to devices, virtual Administration Servers, and secondary Administration Servers
  • Assigns distribution points

When building the structure of administration groups, you must take into account the topology of the organization's network so that distribution points can be assigned optimally. Optimal placement of distribution points saves traffic on the organization's network.

Depending on the organizational schema and network topology, the following standard configurations can be applied to the structure of administration groups:

  • Single office
  • Multiple small remote offices

Devices functioning as distribution points must be protected, including physical protection, against any unauthorized access.

In this section

Standard configuration of distribution points: Single office

Standard configuration of distribution points: Multiple small remote offices

Calculating the number and configuration of distribution points

Assigning distribution points automatically

Assigning distribution points manually

Modifying the list of distribution points for an administration group

Enabling a push server

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 92429]

Standard configuration of distribution points: Single office

In a standard "single-office" configuration, all devices are on the organization's network so they can "see" each other. The organization's network may consist of a few separate parts (networks or network segments) linked by narrow channels.

The following methods of building the structure of administration groups are possible:

  • Building the structure of administration groups taking into account the network topology. The structure of administration groups may not reflect the network topology with absolute precision. A match between the separate parts of the network and certain administration groups would be enough. You can use automatic assignment of distribution points or assign them manually.
  • Building the structure of administration groups, without taking the network topology into account. In this case, you must disable automatic assignment of distribution points, and then assign one or several devices to act as distribution points for a root administration group in each of the separate parts of the network, for example, for the Managed devices group. All distribution points will be at the same level and will feature the same scope spanning all devices on the organization's network. In this case, each Network Agent will connect to the distribution point that has the shortest route. The route to a distribution point can be traced with the tracert utility.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 92430]

Standard configuration of distribution points: Multiple small remote offices

This standard configuration provides for a number of small remote offices, which may communicate with the head office over the internet. Each remote office is located behind NAT, that is, the offices are isolated from one another and a connection from one remote office to another is not possible.

The configuration must be reflected in the structure of administration groups: a separate administration group must be created for each remote office (groups Office 1 and Office 2 in the figure below).

Figure: Remote offices are included in the administration group structure. The Managed devices node includes the Root group for offices folder, which contains the Administration Servers group and the Office 1 and Office 2 groups.

One or multiple distribution points must be assigned to each administration group that correspond to an office. Distribution points must be devices at the remote office that have a sufficient amount of free disk space. Devices deployed in the Office 1 group, for example, will access distribution points assigned to the Office 1 administration group.

If some users move between offices physically, with their laptops, you must select two or more devices (in addition to the existing distribution points) in each remote office and assign them to act as distribution points for a top-level administration group (Root group for offices in the figure above).

Example: A laptop is deployed in the Office 1 administration group and then is moved physically to the office that corresponds to the Office 2 administration group. After the laptop is moved, Network Agent attempts to access the distribution points assigned to the Office 1 group, but those distribution points are unavailable. Then, Network Agent starts attempting to access the distribution points that have been assigned to the Root group for offices. Because remote offices are isolated from one another, attempts to access distribution points assigned to the Root group for offices administration group will only be successful when Network Agent attempts to access distribution points in the Office 2 group. That is, the laptop will remain in the administration group that corresponds to the initial office, but the laptop will use the distribution point of the office where it is physically located at the moment.

See also:

Adjustment of distribution points and connection gateways

Scenario: Regular updating Kaspersky databases and applications

[Topic 92431]

Calculating the number and configuration of distribution points

The more client devices a network contains, the more distribution points it requires. We recommend that you do not disable automatic assignment of distribution points. When automatic assignment of distribution points is enabled, Administration Server assigns distribution points as soon as the number of client devices is large enough, and also defines their configuration.

Using exclusively assigned distribution points

If you plan to use certain specific devices as distribution points (that is, exclusively assigned servers), you can opt out of using automatic assignment of distribution points. In this case, make sure that the devices that you intend to make distribution points have sufficient volume of free disk space, are not shut down regularly, and have Sleep mode disabled.

Number of exclusively assigned distribution points on a network that contains a single network segment, based on the number of networked devices

  Number of client devices in the network segment | Number of distribution points
  Less than 300                                   | 0 (Do not assign distribution points)
  More than 300                                   | Acceptable: (N/10,000 + 1), recommended: (N/5000 + 2), where N is the number of networked devices

Number of exclusively assigned distribution points on a network that contains multiple network segments, based on the number of networked devices

  Number of client devices per network segment | Number of distribution points
  Less than 10                                 | 0 (Do not assign distribution points)
  10–100                                       | 1
  More than 100                                | Acceptable: (N/10,000 + 1), recommended: (N/5000 + 2), where N is the number of networked devices

Using standard client devices (workstations) as distribution points

If you plan to use standard client devices (that is, workstations) as distribution points, we recommend that you assign distribution points as shown in the tables below in order to avoid excessive load on the communication channels and on Administration Server:

Number of workstations functioning as distribution points on a network that contains a single network segment, based on the number of networked devices

  Number of client devices in the network segment | Number of distribution points
  Less than 300                                   | 0 (Do not assign distribution points)
  More than 300                                   | (N/300 + 1), where N is the number of networked devices; there must be at least 3 distribution points

Number of workstations functioning as distribution points on a network that contains multiple network segments, based on the number of networked devices

  Number of client devices per network segment | Number of distribution points
  Less than 10                                 | 0 (Do not assign distribution points)
  10–30                                        | 1
  31–300                                       | 2
  More than 300                                | (N/300 + 1), where N is the number of networked devices; there must be at least 3 distribution points

If a distribution point is shut down (or not available for some other reason), the managed devices in its scope can access the Administration Server for updates.
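The following Python helper (an added example, not Kaspersky code) carries the four sizing tables above through: for each network segment it returns the acceptable and recommended number of distribution points, for dedicated servers or for workstations, and sums them for the whole network. Two assumptions fill gaps the tables leave open: fractional results of the N/... formulas are rounded up to whole devices, and a single segment with exactly 300 devices is treated like the "More than 300" row; the segment sizes in the demo are constructed.

```python
"""Distribution point sizing per the tables above (added example, not Kaspersky code)."""
import math
from typing import Callable, List, NamedTuple


class DpCount(NamedTuple):
    acceptable: int
    recommended: int


def _exclusive_formula(n: int) -> DpCount:
    # Acceptable: N/10,000 + 1; recommended: N/5000 + 2.
    # Assumption: fractions are rounded up, since part of a device cannot be assigned.
    return DpCount(math.ceil(n / 10_000) + 1, math.ceil(n / 5_000) + 2)


def _workstation_formula(n: int) -> DpCount:
    # (N/300 + 1) with the stated floor of 3 distribution points.
    count = max(3, math.ceil(n / 300) + 1)
    return DpCount(count, count)


def exclusive_dps(n: int, multi_segment: bool) -> DpCount:
    """Dedicated-server distribution points for a segment holding n client devices."""
    if not multi_segment:
        # Single-segment table; assumption: exactly 300 falls into the "More than 300" row.
        return DpCount(0, 0) if n < 300 else _exclusive_formula(n)
    if n < 10:
        return DpCount(0, 0)
    if n <= 100:
        return DpCount(1, 1)
    return _exclusive_formula(n)


def workstation_dps(n: int, multi_segment: bool) -> DpCount:
    """Workstation distribution points for a segment holding n client devices."""
    if not multi_segment:
        return DpCount(0, 0) if n < 300 else _workstation_formula(n)
    if n < 10:
        return DpCount(0, 0)
    if n <= 30:
        return DpCount(1, 1)
    if n <= 300:
        return DpCount(2, 2)
    return _workstation_formula(n)


def plan(segments: List[int], exclusive: bool) -> List[DpCount]:
    """Per-segment counts: one segment uses the single-segment tables, several the multi-segment ones."""
    multi = len(segments) > 1
    rule: Callable[[int, bool], DpCount] = exclusive_dps if exclusive else workstation_dps
    return [rule(n, multi) for n in segments]


def total(counts: List[DpCount]) -> DpCount:
    """Sum the per-segment counts for the whole network."""
    return DpCount(sum(c.acceptable for c in counts), sum(c.recommended for c in counts))


if __name__ == "__main__":
    # Constructed network: a head-office segment plus two smaller segments.
    segments = [2_500, 120, 25]
    for label, exclusive in (("dedicated servers", True), ("workstations", False)):
        per_segment = plan(segments, exclusive)
        print(label, [tuple(c) for c in per_segment], "total:", tuple(total(per_segment)))
```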

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 154282]

Assigning distribution points automatically

We recommend that you assign distribution points automatically. In this case, Open Single Management Platform will select on its own which devices must be assigned distribution points.

To assign distribution points automatically:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the Distribution points section.
  3. Select the Automatically assign distribution points option.

    If automatic assignment of devices as distribution points is enabled, you cannot configure distribution points manually or edit the list of distribution points.

  4. Click the Save button.

Administration Server assigns and configures distribution points automatically.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 181627]

Assigning distribution points manually


Open Single Management Platform allows you to manually assign devices to act as distribution points.

We recommend that you assign distribution points automatically. In this case, Open Single Management Platform will select on its own which devices must be assigned distribution points. However, if you have to opt out of assigning distribution points automatically for any reason (for example, if you want to use exclusively assigned servers), you can assign distribution points manually after you calculate their number and configuration.

Devices functioning as distribution points must be protected, including physical protection, against any unauthorized access.

To manually assign a device to act as distribution point:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the Distribution points section.
  3. Select the Manually assign distribution points option.
  4. Click the Assign button.
  5. Select the device that you want to make a distribution point.

    When selecting a device, keep in mind the operation features of distribution points and the requirements set for the device that acts as distribution point.

  6. Select the administration group that you want to include in the scope of the selected distribution point.
  7. Click the OK button.

    The distribution point that you have added will be displayed in the list of distribution points, in the Distribution points section.

  8. Click the newly added distribution point in the list to open its properties window.
  9. Configure the distribution point in the properties window:
    • The General section contains the settings of interaction between the distribution point and client devices.
      • SSL port

        The number of the SSL port for encrypted connection between client devices and the distribution point using SSL.

        By default, port 13000 is used.

      • Use multicast

        If this option is enabled, IP multicasting will be used for automatic distribution of installation packages to client devices within the group.

        IP multicasting decreases the time required to install an application from an installation package to a group of client devices, but increases the installation time when you install an application to a single client device.

      • IP multicast address

        IP address that will be used for multicasting. You can define an IP address in the range 224.0.0.0 – 239.255.255.255.

        By default, Open Single Management Platform automatically assigns a unique IP multicast address within the given range.

      • IP multicast port number

        Number of the port for IP multicasting.

        By default, the port number is 15001. If the device with Administration Server installed is specified as the distribution point, port 13001 is used for SSL connection by default.

      • Distribution point address for remote devices

        The IPv4 address through which remote devices connect to the distribution point.

      • Deploy updates

        Updates are distributed to managed devices from the following sources:

        • This distribution point, if this option is enabled.
        • Other distribution points, Administration Server, or Kaspersky update servers, if this option is disabled.

        If you use distribution points to deploy updates, you can save traffic because you reduce the number of downloads. Also, you can relieve the load on the Administration Server and relocate the load between the distribution points. You can calculate the number of distribution points for your network to optimize the traffic and load.

        If you disable this option, the number of update downloads and load on the Administration Server may increase. By default, this option is enabled.

      • Deploy installation packages

        Installation packages are distributed to managed devices from the following sources:

        • This distribution point, if this option is enabled.
        • Other distribution points, Administration Server, or Kaspersky update servers, if this option is disabled.

        If you use distribution points to deploy installation packages, you can save traffic because you reduce the number of downloads. Also, you can relieve the load on the Administration Server and relocate the load between the distribution points. You can calculate the number of distribution points for your network to optimize the traffic and load.

        If you disable this option, the number of installation package downloads and load on the Administration Server may increase. By default, this option is enabled.

      • Run push server

        In Open Single Management Platform, a distribution point can work as a push server for the devices managed through the mobile protocol and for the devices managed by Network Agent. For example, a push server must be enabled if you want to be able to force synchronization of KasperskyOS devices with Administration Server. A push server has the same scope of managed devices as the distribution point on which the push server is enabled. If you have several distribution points assigned for the same administration group, you can enable push server on each of the distribution points. In this case, Administration Server balances the load between the distribution points.

      • Push server port

        The port number for the push server. You can specify the number of any unoccupied port.

    • In the Scope section, specify administration groups to which the distribution point will distribute updates.
    • In the Source of updates section, you can select a source of updates for the distribution point:
      • Source of updates

        Select a source of updates for the distribution point:

        • To allow the distribution point to receive updates from the Administration Server, select Retrieve from Administration Server.
        • To allow the distribution point to receive updates by using a task, select Use update download task, and then specify a Download updates to the repositories of distribution points task:
          • If such a task already exists on the device, select the task in the list.
          • If no such task yet exists on the device, click the Create task link to create a task. The New task wizard starts. Follow the instructions of the wizard.

      • Download diff files

        This option enables downloading of diff files.

        By default, this option is enabled.

    • In the Internet connection settings subsection, you can specify the internet access settings:
      • Use proxy server

        If this check box is selected, in the entry fields you can configure the proxy server connection.

        By default, this check box is cleared.

      • Proxy server address

        Address of the proxy server.

      • Port number

        Port number that is used for connection.

      • Bypass proxy server for local addresses

        If this option is enabled, no proxy server is used to connect to devices on the local network.

        By default, this option is disabled.

      • Proxy server authentication

        If this check box is selected, in the entry fields you can specify the credentials for proxy server authentication.

        By default, this check box is cleared.

      • User name

        User account under which connection to the proxy server is established.

      • Password

        Password of the account under which the task will be run.

    • In the KSN Proxy section, you can configure the application to use the distribution point to forward KSN requests from the managed devices:
      • Enable KSN Proxy on the distribution point side

        The KSN proxy service is run on the device that is used as a distribution point. Use this feature to redistribute and optimize traffic on the network.

        The distribution point sends the KSN statistics, which are listed in the Kaspersky Security Network statement, to Kaspersky.

        By default, this option is disabled. Enabling this option takes effect only if the Use Administration Server as a proxy server and I agree to use Kaspersky Security Network options are enabled in the Administration Server properties window.

        You can assign a node of an active-passive cluster to a distribution point and enable KSN proxy server on this node.

      • Forward KSN requests to Administration Server

        The distribution point forwards KSN requests from the managed devices to the Administration Server.

        By default, this option is enabled.

      • Access KSN Cloud/KPSN directly over the internet

        The distribution point forwards KSN requests from managed devices to the KSN Cloud or KPSN. The KSN requests generated on the distribution point itself are also sent directly to the KSN Cloud or KPSN.

      • Ignore proxy server settings when connecting to KPSN

        Enable this option if you have the proxy server settings configured in the distribution point properties or in the Network Agent policy, but your network architecture requires that you use KPSN directly. Otherwise, requests from the managed applications cannot reach KPSN.

        This option is available if you select the Access KSN Cloud/KPSN directly over the internet option.

      • Port

        The number of the TCP port that the managed devices will use to connect to KSN proxy server. The default port number is 13111.

      • Use UDP port

        If you need the managed devices to connect to KSN proxy server through a UDP port, enable the Use UDP port option and specify a UDP port number. By default, this option is enabled.

      • UDP port

        The number of the UDP port that the managed devices will use to connect to KSN proxy server. The default UDP port to connect to the KSN proxy server is 15111.

    • In the Connection gateway section, you can configure the distribution point to act as a gateway for connection between Network Agent instances and Administration Server:
      • Connection gateway

        If a direct connection between Administration Server and Network Agents cannot be established due to organization of your network, you can use the distribution point to act as the connection gateway between Administration Server and Network Agents.

        Enable this option if you need the distribution point to act as a connection gateway between Network Agents and Administration Server. By default, this option is disabled.

      • Establish connection to gateway from Administration Server (if gateway is in DMZ)

        If Administration Server is located outside the demilitarized zone (DMZ), on the local area network, Network Agents installed on remote devices cannot connect to Administration Server. You can use a distribution point as the connection gateway with reverse connectivity (Administration Server establishes a connection to the distribution point).

        Enable this option if you need to connect Administration Server to the connection gateway in DMZ.

      • Open local port for Kaspersky Security Center Web Console

        Enable this option if you need the connection gateway in DMZ to open a port for Web Console that is in DMZ or on the internet. Specify the port number that will be used for the connection from Web Console to the distribution point. The default port number is 13299.

        This option is available if you enable the Establish connection to gateway from Administration Server (if gateway is in DMZ) option.

      When connecting mobile devices to Administration Server via the distribution point that acts as a connection gateway, you can enable the following options:

      • Open port for mobile devices (SSL authentication of the Administration Server only)

        Enable this option if you need the connection gateway to open a port for mobile devices, and specify the port number that mobile devices will use for connection to the distribution point. The default port number is 13292. The mobile device will check the Administration Server certificate. When establishing the connection, only Administration Server is authenticated.

      • Open port for mobile devices (two-way SSL authentication)

        Enable this option if you need the connection gateway to open a port that will be used for two-way authentication of Administration Server and mobile devices. The mobile device will check the Administration Server certificate, and Administration Server will check the mobile device certificate. Specify the following parameters:

        • Port number that mobile devices will use for connection to the distribution point. The default port number is 13293.
        • DNS domain names of the connection gateway that will be used by mobile devices. Separate domain names with commas. The specified domain names will be included in the distribution point certificate. If the domain names used by mobile devices do not match the common name in the distribution point certificate, mobile devices do not connect to the distribution point.

          The default DNS domain name is the FQDN name of the connection gateway.

      In both cases, the certificates are checked during the TLS session establishment on distribution point only. The certificates are not forwarded to be checked by the Administration Server. After a TLS session with the mobile device is established, the distribution point uses the Administration Server certificate to create a tunnel for synchronization between the mobile device and Administration Server. If you open the port for two-way SSL authentication, the only way to distribute the mobile device certificate is via an installation package.

    • Configure domain controller polling by the distribution point.
      • Domain controller polling

        You can enable device discovery for domain controllers.

        If you select the Enable domain controller polling option, you can select domain controllers for polling and also specify the polling schedule for them.

        If you use a Linux distribution point, in the Poll specified domains section, click Add, and then specify the address and user credentials of the domain controller.

        If you use a Windows distribution point, you can select one of the following options:

        • Poll current domain
        • Poll entire domain forest
        • Poll specified domains
    • Configure the polling of IP ranges by the distribution point.
      • IP ranges polling

        You can enable device discovery for IPv4 ranges and IPv6 networks.

        If you enable the Enable range polling option, you can add scanned ranges and set the schedule for them. You can add IP ranges to the list of scanned ranges.

        If you enable the Use Zeroconf to poll IPv6 networks option, the distribution point automatically polls the IPv6 network by using zero-configuration networking (also referred to as Zeroconf). In this case, the specified IP ranges are ignored because the distribution point polls the whole network. The Use Zeroconf to poll IPv6 networks option is available if the distribution point runs Linux. To use Zeroconf IPv6 polling, you must install the avahi-browse utility on the distribution point.

    • In the Advanced section, specify the folder that the distribution point must use to store distributed data.
      • Use default folder

        If you select this option, the application uses the Network Agent installation folder on the distribution point.

      • Use specified folder

        If you select this option, in the field below, you can specify the path to the folder. It can be a local folder on the distribution point, or it can be a folder on any device on the corporate network.

        The user account used on the distribution point to run Network Agent must have read/write access to the specified folder.

  10. Click the OK button.

The selected devices act as distribution points.

[Topic 181511]

Modifying the list of distribution points for an administration group

You can view the list of distribution points assigned to a specific administration group and modify the list by adding or removing distribution points.

To view and modify the list of distribution points assigned to an administration group:

  1. In the main menu, go to Assets (Devices) → Managed devices.
  2. In the Current path field above the list of managed devices, click the path link.
  3. In the left-side pane that opens, select an administration group for which you want to view the assigned distribution points.

    This enables the Distribution points menu item.

  4. In the main menu, go to Assets (Devices) → Distribution points.
  5. To add new distribution points for the administration group, click the Assign button.
  6. To remove the assigned distribution points, select devices from the list and click the Unassign button.

Depending on your modifications, the new distribution points are added to the list or existing distribution points are removed from the list.

[Topic 181540]

Enabling a push server

In Open Single Management Platform, a distribution point can work as a push server for the devices managed through the mobile protocol and for the devices managed by Network Agent. For example, a push server must be enabled if you want to be able to force synchronization of KasperskyOS devices with Administration Server. A push server has the same scope of managed devices as the distribution point on which the push server is enabled. If you have several distribution points assigned for the same administration group, you can enable push server on each of the distribution points. In this case, Administration Server balances the load between the distribution points.

You might want to use distribution points as push servers to make sure that there is continuous connectivity between a managed device and the Administration Server. Continuous connectivity is needed for some operations, such as running and stopping local tasks, receiving statistics for a managed application, or creating a tunnel. If you use a distribution point as a push server, you do not have to use the Do not disconnect from the Administration Server option on managed devices or send packets to the UDP port of the Network Agent.

A push server supports the load of up to 50,000 simultaneous connections.

To enable push server on a distribution point:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the Distribution points section.
  3. Click the name of the distribution point on which you want to enable the push server.

    The distribution point properties window opens.

  4. In the General section, enable the Run push server option.
  5. In the Push server port field, type the port number. You can specify the number of any unoccupied port.
  6. In the Address for remote hosts field, specify the IP address or the name of the distribution point device.
  7. Click the OK button.

The push server is enabled on the selected distribution point.

See also:

Forced synchronization

[Topic 214620]

About device statuses

Open Single Management Platform assigns a status to each managed device. The particular status depends on whether the conditions defined by the user are met. In some cases, when assigning a status to a device, Open Single Management Platform takes into consideration the device's visibility flag on the network (see the table below). If Open Single Management Platform does not find a device on the network within two hours, the visibility flag of the device is set to Not Visible.

The statuses are the following:

  • Critical or Critical/Visible
  • Warning or Warning/Visible
  • OK or OK/Visible

The table below lists the default conditions that must be met to assign the Critical or Warning status to a device, with all possible values.

Conditions for assigning a status to a device

  • Security application is not installed

    Condition description: Network Agent is installed on the device, but a security application is not installed.

    Available values:

    • Toggle button is on.
    • Toggle button is off.

  • Too many viruses detected

    Condition description: Some viruses have been found on the device by a task for virus detection, for example, the Malware scan task, and the number of viruses found exceeds the specified value.

    Available values: More than 0.

  • Real-time protection level differs from the level set by the Administrator

    Condition description: The device is visible on the network, but the real-time protection level differs from the level set (in the condition) by the administrator for the device status.

    Available values:

    • Stopped.
    • Paused.
    • Running.

  • Malware scan has not been performed in a long time

    Condition description: The device is visible on the network and a security application is installed on the device, but neither the Malware scan task nor a local scan task has been run within the specified time interval. The condition is applicable only to devices that were added to the Administration Server database 7 days ago or earlier.

    Available values: More than 1 day.

  • Databases are outdated

    Condition description: The device is visible on the network and a security application is installed on the device, but the anti-virus databases have not been updated on this device within the specified time interval. The condition is applicable only to devices that were added to the Administration Server database 1 day ago or earlier.

    Available values: More than 1 day.

  • Not connected in a long time

    Condition description: Network Agent is installed on the device, but the device has not connected to an Administration Server within the specified time interval, because the device was turned off.

    Available values: More than 1 day.

  • Active threats are detected

    Condition description: The number of unprocessed objects in the Active threats folder exceeds the specified value.

    Available values: More than 0 items.

  • Restart is required

    Condition description: The device is visible on the network, but an application has been requiring a restart of the device for longer than the specified time interval and for one of the selected reasons.

    Available values: More than 0 minutes.

  • Incompatible applications are installed

    Condition description: The device is visible on the network, but software inventory performed through Network Agent has detected incompatible applications installed on the device.

    Available values:

    • Toggle button is off.
    • Toggle button is on.

  • License expired

    Condition description: The device is visible on the network, but the license has expired.

    Available values:

    • Toggle button is off.
    • Toggle button is on.

  • License expires soon

    Condition description: The device is visible on the network, but the license will expire on the device in less than the specified number of days.

    Available values: More than 0 days.

  • Invalid encryption status

    Condition description: Network Agent is installed on the device, but the device encryption result is equal to the specified value.

    Available values:

    • Does not comply with the policy due to the user's refusal (for external devices only).
    • Does not comply with the policy due to an error.
    • Restart is required when applying the policy.
    • No encryption policy is specified.
    • Not supported.
    • When applying the policy.

  • Unprocessed security issues detected

    Condition description: Some unprocessed security issues have been found on the device. Security issues can be created either automatically, through managed Kaspersky applications installed on the client device, or manually by the administrator.

    Available values:

    • Toggle button is off.
    • Toggle button is on.

  • Device status defined by application

    Condition description: The status of the device is defined by the managed application.

    Available values:

    • Toggle button is off.
    • Toggle button is on.

  • Device is out of disk space

    Condition description: Free disk space on the device is less than the specified value or the device could not be synchronized with the Administration Server. The Critical or Warning status is changed to the OK status when the device is successfully synchronized with the Administration Server and free space on the device is greater than or equal to the specified value.

    Available values: More than 0 MB.

  • Device has become unmanaged

    Condition description: During device discovery, the device was recognized as visible on the network, but more than three attempts to synchronize with the Administration Server failed.

    Available values:

    • Toggle button is off.
    • Toggle button is on.

  • Protection is disabled

    Condition description: The device is visible on the network, but the security application on the device has been disabled for longer than the specified time interval.

    In this case, the state of the security application is stopped or failure, and differs from the following: starting, running, or suspended.

    Available values: More than 0 minutes.

  • Security application is not running

    Condition description: The device is visible on the network and a security application is installed on the device but is not running.

    Available values:

    • Toggle button is off.
    • Toggle button is on.

Open Single Management Platform allows you to set up automatic switching of the status of a device in an administration group when specified conditions are met. When the specified conditions are met, the client device is assigned one of the following statuses: Critical or Warning. When the specified conditions are not met, the client device is assigned the OK status.

Different statuses may correspond to different values of one condition. For example, by default, if the Databases are outdated condition has the More than 3 days value, the client device is assigned the Warning status; if the value is More than 7 days, the Critical status is assigned.

If you upgrade Open Single Management Platform from the previous version, the values of the Databases are outdated condition for assigning the status to Critical or Warning do not change.

When Open Single Management Platform assigns a status to a device, for some conditions (see the Condition description column) the visibility flag is taken into consideration. For example, if a managed device was assigned the Critical status because the Databases are outdated condition was met, and later the visibility flag was set for the device, then the device is assigned the OK status.
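The status logic described above, as an added example in Python (not code from Open Single Management Platform): a small evaluator that applies the Critical condition values first and the Warning values second to constructed device facts, and skips visibility-dependent conditions for a device that is not visible. Condition names follow the table; the 3-day and 7-day database values are the documented defaults, and every other threshold, field and function name is an assumption made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

# A device not found on the network within this period is flagged Not Visible.
VISIBILITY_TIMEOUT = timedelta(hours=2)


@dataclass
class Device:
    """Facts about a managed device as Network Agent would report them (constructed)."""
    name: str
    last_visible: datetime
    added_to_server: datetime
    security_app_installed: bool = True
    databases_updated: Optional[datetime] = None
    active_threats: int = 0


def is_visible(device: Device, now: datetime) -> bool:
    return now - device.last_visible <= VISIBILITY_TIMEOUT


# Condition evaluators: (device, configured value, now) -> condition met?
def databases_outdated(device: Device, days: int, now: datetime) -> bool:
    # Visibility-dependent: only a visible device with a security application,
    # added to the Server at least 1 day ago, can trigger this condition.
    if not is_visible(device, now) or not device.security_app_installed:
        return False
    if now - device.added_to_server < timedelta(days=1):
        return False
    if device.databases_updated is None:  # never updated: treated as outdated (assumption)
        return True
    return now - device.databases_updated > timedelta(days=days)


def active_threats_detected(device: Device, items: int, now: datetime) -> bool:
    # Not visibility-dependent: counts unprocessed objects regardless of visibility.
    return device.active_threats > items


def security_app_missing(device: Device, enabled: bool, now: datetime) -> bool:
    # Toggle condition: the configured value is simply on or off.
    return bool(enabled) and not device.security_app_installed


CONDITIONS: dict[str, Callable[..., bool]] = {
    "Databases are outdated": databases_outdated,
    "Active threats are detected": active_threats_detected,
    "Security application is not installed": security_app_missing,
}

# Condition values per status; a condition absent from a dict is disabled.
# The 3-day / 7-day database values are the documented defaults; the other
# values are constructed for this example.
SAMPLE_RULES = {
    "Critical": {"Databases are outdated": 7, "Active threats are detected": 0},
    "Warning": {"Databases are outdated": 3, "Security application is not installed": True},
}


def evaluate_status(device: Device, rules: dict, now: datetime) -> tuple[str, Optional[str]]:
    """Return (status, triggering condition): Critical is checked before Warning, else OK."""
    for status, conditions in rules.items():
        for name, value in conditions.items():
            if CONDITIONS[name](device, value, now):
                return status, name
    return "OK", None


def sample_devices(now: datetime) -> dict[str, Device]:
    """Constructed devices covering Warning, Critical, the visibility rule and OK."""
    d = timedelta
    return {
        # Visible, databases 5 days old: past the 3-day Warning value, under the 7-day one.
        "ws-01": Device("ws-01", now - d(minutes=10), now - d(days=30),
                        databases_updated=now - d(days=5)),
        # Visible, databases 10 days old: Critical.
        "ws-02": Device("ws-02", now - d(minutes=10), now - d(days=30),
                        databases_updated=now - d(days=10)),
        # Same stale databases, but last seen 3 hours ago: Not Visible, so the
        # visibility-dependent condition is skipped and the device stays OK.
        "ws-03": Device("ws-03", now - d(hours=3), now - d(days=30),
                        databases_updated=now - d(days=10)),
        # Visible and up to date, but with two unprocessed active threats: Critical.
        "srv-01": Device("srv-01", now - d(minutes=1), now - d(days=30),
                         databases_updated=now - d(hours=1), active_threats=2),
        # Network Agent only, no security application: Warning through the toggle.
        "srv-02": Device("srv-02", now - d(minutes=1), now - d(days=30),
                         security_app_installed=False),
    }


def demo(now: datetime = datetime(2024, 6, 1, 12, 0)) -> dict[str, tuple[str, Optional[str]]]:
    """Evaluate every sample device against SAMPLE_RULES at a fixed point in time."""
    return {name: evaluate_status(dev, SAMPLE_RULES, now)
            for name, dev in sample_devices(now).items()}
```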

See also:

Configuring the switching of device statuses

[Topic 191051]

Configuring the switching of device statuses

You can change conditions to assign the Critical or Warning status to a device.

To enable changing the device status to Critical:

  1. Open the properties window in one of the following ways:
    • In the Policies folder, in the context menu of an Administration Server policy, select Properties.
    • Select Properties in the context menu of an administration group.
  2. In the Properties window that opens, in the Sections pane, select Device status.
  3. In the right pane, in the Set to Critical if these are specified section, select the check box next to a condition in the list.

    You can change only settings that are not locked in the parent policy.

  4. Set the required value for the selected condition.

    You can set values for some, but not all, conditions.

  5. Click OK.

When specified conditions are met, the managed device is assigned the Critical status.

To enable changing the device status to Warning:

  1. Open the properties window in one of the following ways:
    • In the Policies folder, in the context menu of the Administration Server policy, select Properties.
    • Select Properties in the context menu of the administration group.
  2. In the Properties window that opens, in the Sections pane, select Device status.
  3. In the right pane, in the Set to Warning if these are specified section, select the check box next to a condition in the list.

    You can change only settings that are not locked in the parent policy.

  4. Set the required value for the selected condition.

    You can set values for some, but not all, conditions.

  5. Click OK.

When specified conditions are met, the managed device is assigned the Warning status.

[Topic 144383]

Device selections

Device selections are a tool for filtering devices according to specific conditions. You can use device selections to manage several devices: for example, to view a report about only these devices or to move all of these devices to another group.

Open Single Management Platform provides a broad range of predefined selections (for example, Devices with Critical status, Protection is disabled, Active threats are detected). Predefined selections cannot be deleted. You can also create and configure additional user-defined selections.

In user-defined selections, you can set the search scope and select all devices, managed devices, or unassigned devices. Search parameters are specified in the conditions. In the device selection you can create several conditions with different search parameters. For example, you can create two conditions and specify different IP ranges in each of them. If several conditions are specified, a selection displays the devices that meet any of the conditions. By contrast, search parameters within one condition are combined: if both an IP range and the name of an installed application are specified in a condition, only devices on which the application is installed and whose IP address belongs to the specified range will be displayed.

In this section

Viewing the device list from a device selection

Creating a device selection

Configuring a device selection

Exporting the device list from a device selection

Removing devices from administration groups in a selection

See also:

Using event selections

Scenario: Configuring network protection

[Topic 166012]

Viewing the device list from a device selection

Open Single Management Platform allows you to view the list of devices from a device selection.

To view the device list from the device selection:

  1. In the main menu, go to the Assets (Devices) → Device selections or Discovery & deployment → Device selections section.
  2. In the selection list, click the name of the device selection.

    The page displays a table with information about the devices included in the device selection.

  3. You can group and filter the data of the device table as follows:
    • Click the settings icon, and then select the columns to be displayed in the table.
    • Click the filter icon, and then specify and apply the filter criterion in the invoked menu.

      The filtered table of devices is displayed.

You can select one or several devices in the device selection and click the New task button to create a task that will be applied to these devices.

To move the selected devices of the device selection to another administration group, click the Move to group button, and then select the target administration group.

[Topic 243445]

Creating a device selection

To create a device selection:

  1. In the main menu, go to Assets (Devices) → Device selections.

    A page with a list of device selections is displayed.

  2. Click the Add button.

    The Device selection settings window opens.

  3. Enter the name of the new selection.
  4. Specify the group that contains the devices to be included in the device selection:
    • Find any devices. Searches for devices that meet the selection criteria and are included in the Managed Devices or Unassigned devices group.
    • Find managed devices. Searches for devices that meet the selection criteria and are included in the Managed Devices group.
    • Find unassigned devices. Searches for devices that meet the selection criteria and are included in the Unassigned devices group.

    You can select the Include data from secondary Administration Servers check box to also search for devices that meet the selection criteria and are managed by secondary Administration Servers.

  5. Click the Add button.
  6. In the window that opens, specify conditions that must be met for including devices in this selection, and then click the OK button.
  7. Click the Save button.

The device selection is created and added to the list of device selections.

[Topic 209938]

Configuring a device selection


To configure a device selection:

  1. In the main menu, go to Assets (Devices) → Device selections.

    A page with a list of device selections is displayed.

  2. Select the relevant user-defined device selection, and click the Properties button.

    The Device selection settings window opens.

  3. On the General tab, click the New condition link.
  4. Specify conditions that must be met for including devices in this selection.
  5. Click the Save button.

The settings are applied and saved.

Below are descriptions of the conditions for assigning devices to a selection. Conditions are combined by using the OR logical operator: the selection will contain devices that comply with at least one of the listed conditions.

General

In the General section, you can change the name of the selection condition and specify whether that condition must be inverted:

Invert selection condition

If this option is enabled, the specified selection condition will be inverted. The selection will include all devices that do not meet the condition.

By default, this option is disabled.

Network infrastructure

In the Network subsection, you can specify the criteria that will be used to include devices in the selection according to their network data:

  • Device name

    Windows network name (NetBIOS name) of the device, or the IPv4 or IPv6 address.

  • Domain

    Displays all devices included in the specified workgroup.

  • Administration group

    Displays devices included in the specified administration group.

  • Description

    Text in the device properties window: in the Description field of the General section.

    To describe text in the Description field, you can use the following characters:

    • Within a word:

      • *. Replaces any string with any number of characters.

        Example: to describe words such as Server or Server's, you can enter Server*.

      • ?. Replaces any single character.

        Example: to describe phrases such as SUSE Linux Enterprise Server 12 or SUSE Linux Enterprise Server 15, you can enter SUSE Linux Enterprise Server 1?.

      An asterisk (*) or question mark (?) cannot be used as the first character in the query.

    • To find several words:

      • Space. Displays all the devices whose descriptions contain any of the listed words.

        Example: to find a phrase that contains the word Secondary or the word Virtual, enter Secondary Virtual in your query.

      • +. When a plus sign precedes a word, all search results will contain this word.

        Example: to find a phrase that contains both Secondary and Virtual, enter the +Secondary+Virtual query.

      • -. When a minus sign precedes a word, no search results will contain this word.

        Example: to find a phrase that contains Secondary and does not contain Virtual, enter the +Secondary-Virtual query.

      • "<some text>". Text enclosed in quotation marks must be present in the text.

        Example: to find a phrase that contains the word combination Secondary Server, enter "Secondary Server" in the query.

  • IP range

    If this option is enabled, you can enter the initial and final IP addresses of the IP range in which the relevant devices must be included.

    By default, this option is disabled.

  • Managed by a different Administration Server

    Select one of the following values:

    • Yes. A device moving rule only applies to client devices managed by other Administration Servers. These Servers are different from the Server on which you configure the device moving rule.
    • No. The device moving rule only applies to client devices managed by the current Administration Server.
    • No value is selected. The condition does not apply.
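The Description-field query syntax described above, as an added example in Python (not the product's own parser): a matcher that implements the documented forms (wildcards within a word, space as "any of", + and - prefixes, quoted text, and the rule against a leading * or ?) and runs them against constructed device descriptions. Case-insensitive matching, and treating + and - as term boundaries even without surrounding spaces (as in +Secondary+Virtual), are assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Query:
    """A parsed Description-field query (added example; not the product's parser)."""
    required: list = field(default_factory=list)   # +word: every one must be present
    forbidden: list = field(default_factory=list)  # -word: none may be present
    optional: list = field(default_factory=list)   # bare words: at least one must be present
    phrases: list = field(default_factory=list)    # "quoted text": must occur verbatim


def parse_query(text: str) -> Query:
    """Split a query into terms. Assumption: + and - always start a new term."""
    text = text.strip()
    if text[:1] in ("*", "?"):
        raise ValueError("* or ? cannot be the first character in the query")
    query = Query()
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch.isspace():
            i += 1
            continue
        if ch == '"':
            end = text.find('"', i + 1)
            if end == -1:
                raise ValueError("unterminated quotation mark")
            query.phrases.append(text[i + 1:end])
            i = end + 1
            continue
        bucket = query.optional
        if ch == "+":
            bucket, i = query.required, i + 1
        elif ch == "-":
            bucket, i = query.forbidden, i + 1
        j = i
        while j < n and not text[j].isspace() and text[j] not in '+-"':
            j += 1
        if j > i:
            bucket.append(text[i:j])
        i = j
    return query


def _word_pattern(term: str) -> re.Pattern:
    # * matches any string, ? any single character; everything else is literal.
    # Case-insensitive matching is an assumption, not documented behaviour.
    regex = re.escape(term).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{regex}$", re.IGNORECASE)


def _has_word(term: str, words: list) -> bool:
    pattern = _word_pattern(term)
    return any(pattern.match(w) for w in words)


def matches(query: Query, description: str) -> bool:
    words = description.split()  # wildcards apply within whitespace-separated words
    if not all(_has_word(t, words) for t in query.required):
        return False
    if any(_has_word(t, words) for t in query.forbidden):
        return False
    if not all(p.lower() in description.lower() for p in query.phrases):
        return False
    return not query.optional or any(_has_word(t, words) for t in query.optional)


def is_valid_query(text: str) -> bool:
    try:
        parse_query(text)
        return True
    except ValueError:
        return False


# Constructed device descriptions to search through.
SAMPLE_DESCRIPTIONS = [
    "Secondary Server for branch office",
    "Virtual machine, secondary role",
    "SUSE Linux Enterprise Server 12",
    "SUSE Linux Enterprise Server 15",
    "Server's rack 3",
    "Virtual desktop host",
]


def search(text: str, descriptions: list = SAMPLE_DESCRIPTIONS) -> list:
    """Return the descriptions that the query selects, in their original order."""
    query = parse_query(text)
    return [d for d in descriptions if matches(query, d)]
```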

In the Domain controller subsection, you can configure criteria for including devices into a selection based on domain membership:

In the Network activity subsection, you can specify the criteria that will be used to include devices in the selection according to their network activity:

  • Acts as a distribution point

    In the drop-down list, you can set up the criterion for including devices in the selection when performing a search:

    • Yes. The selection includes devices that act as distribution points.
    • No. Devices that act as distribution points are not included in the selection.
    • No value is selected. The criterion will not be applied.
  • Do not disconnect from the Administration Server

    In the drop-down list, you can set up the criterion for including devices in the selection when performing a search:

    • Enabled. The selection will include devices on which the Do not disconnect from the Administration Server check box is selected.
    • Disabled. The selection will include devices on which the Do not disconnect from the Administration Server check box is cleared.
    • No value is selected. The criterion will not be applied.
  • Connection profile switched

    In the drop-down list, you can set up the criterion for including devices in the selection when performing a search:

    • Yes. The selection will include devices that connected to the Administration Server after the connection profile was switched.
    • No. The selection will not include devices that connected to the Administration Server after the connection profile was switched.
    • No value is selected. The criterion will not be applied.
  • Last connected to Administration Server

    You can use this check box to set a search criterion for devices according to the time they last connected to the Administration Server.

    If this check box is selected, in the entry fields you can specify the time interval (date and time) during which the last connection was established between Network Agent installed on the client device and the Administration Server. The selection will include devices that fall within the specified interval.

    If this check box is cleared, the criterion will not be applied.

    By default, this check box is cleared.

  • New devices detected by network poll

    Searches for new devices that have been detected by network polling over the last few days.

    If this option is enabled, the selection only includes new devices that have been detected by device discovery over the number of days specified in the Detection period (days) field.

    If this option is disabled, the selection includes all devices that have been detected by device discovery.

    By default, this option is disabled.

  • Device is visible

    In the drop-down list, you can set up the criterion for including devices in the selection when performing a search:

    • Yes. The application includes in the selection devices that are currently visible on the network.
    • No. The application includes in the selection devices that are currently not visible on the network.
    • No value is selected. The criterion will not be applied.

Device statuses

In the Managed device status subsection, you can configure criteria for including devices in a selection based on the description of the device status from a managed application:

  • Device status

    Drop-down list in which you can select one of the device statuses: OK, Critical, or Warning.

  • Real-time protection status

    Drop-down list, in which you can select the real-time protection status. Devices with the specified real-time protection status are included in the selection.

  • Device status description

    In this field, you can select the check boxes next to conditions that, if met, assign one of the following statuses to the device: OK, Critical, or Warning.

In the Status of components in managed applications subsection, you can configure criteria for including devices in a selection according to the statuses of components in managed applications:

In the Status-affecting problems in managed applications subsection, you can specify the criteria that will be used to include devices in the selection according to the list of possible problems detected by a managed application. If at least one problem that you select exists on a device, the device will be included in the selection. When you select a problem listed for several applications, you have the option to select this problem in all of the lists automatically.

You can select check boxes for descriptions of statuses from the managed application; upon receipt of these statuses, the devices will be included in the selection. When you select a status listed for several applications, you have the option to select this status in all of the lists automatically.

System details

In the Operating system section, you can specify the criteria that will be used to include devices in the selection according to their operating system type.

  • Platform type

    If the check box is selected, you can select an operating system from the list. Devices with the specified operating systems installed are included in the search results.

  • Operating system service pack version

    In this field, you can specify the package version of the operating system (in the X.Y format), which will determine how the moving rule is applied to the device. By default, no version value is specified.

  • Operating system bit size

    In the drop-down list, you can select the architecture for the operating system, which will determine how the moving rule is applied to the device (Unknown, x86, AMD64, or IA64). By default, no option is selected in the list so that the operating system's architecture is not defined.

  • Operating system build

    This setting is applicable to Windows operating systems only.

    The build number of the operating system. You can specify whether the selected operating system must have an equal, earlier, or later build number. You can also configure searching for all build numbers except the specified one.

  • Operating system release number

    This setting is applicable to Windows operating systems only.

    The release identifier (ID) of the operating system. You can specify whether the selected operating system must have an equal, earlier, or later release ID. You can also configure searching for all release ID numbers except the specified one.

In the Virtual machines section, you can set up the criteria to include devices in the selection according to whether these are virtual machines or part of virtual desktop infrastructure (VDI):

  • This is a virtual machine

    In the drop-down list, you can select the following options:

    • Undefined.
    • No. Find devices that are not virtual machines.
    • Yes. Find devices that are virtual machines.
  • Virtual machine type

    In the drop-down list, you can select the virtual machine manufacturer.

    This drop-down list is available if the Yes or Not important value is selected in the This is a virtual machine drop-down list.

  • Part of Virtual Desktop Infrastructure

    In the drop-down list, you can select the following options:

    • Undefined.
    • No. Find devices that are not part of Virtual Desktop Infrastructure.
    • Yes. Find devices that are part of the Virtual Desktop Infrastructure (VDI).

In the Hardware registry subsection, you can configure criteria for including devices into a selection based on their installed hardware:

Ensure that the lshw utility is installed on Linux devices from which you want to fetch hardware details. Hardware details fetched from virtual machines may be incomplete depending on the hypervisor used.

  • Device

    In the drop-down list, you can select a unit type. All devices with this unit are included in the search results.

    The field supports the full-text search.

  • Vendor

    In the drop-down list, you can select the name of a unit manufacturer. All devices with this unit are included in the search results.

    The field supports the full-text search.

  • Device name

    The device with the specified name is included in the selection.

  • Description

    Description of the device or hardware unit. Devices with the description specified in this field are included in the selection.

    A device's description in any format can be entered in the properties window of that device. The field supports the full-text search.

  • Device vendor

    Name of the device manufacturer. Devices produced by the manufacturer specified in this field are included in the selection.

    You can enter the manufacturer's name in the properties window of a device.

  • Serial number

    All hardware units with the serial number specified in this field will be included in the selection.

  • Inventory number

    Equipment with the inventory number specified in this field will be included in the selection.

  • User

    All hardware units of the user specified in this field will be included in the selection.

  • Location

    Location of the device or hardware unit (for example, at the HQ or a branch office). Computers or other devices that are deployed at the location specified in this field will be included in the selection.

    You can describe the location of a device in any format in the properties window of that device.

  • CPU clock rate, in MHz, from

    The minimum clock rate of a CPU. Devices with a CPU that matches the clock rate range specified in the entry fields (inclusive) will be included in the selection.

  • CPU clock rate, in MHz, to

    The maximum clock rate of a CPU. Devices with a CPU that matches the clock rate range specified in the entry fields (inclusive) will be included in the selection.

  • Number of virtual CPU cores, from

    The minimum number of virtual CPU cores. Devices with a CPU that matches the range of the virtual cores number specified in the entry fields (inclusive) will be included in the selection.

  • Number of virtual CPU cores, to

    The maximum number of virtual CPU cores. Devices with a CPU that matches the range of the virtual cores number specified in the entry fields (inclusive) will be included in the selection.

  • Hard drive volume, in GB, from

    The minimum volume of the hard drive on the device. Devices with a hard drive that matches the volume range specified in the entry fields (inclusive) will be included in the selection.

  • Hard drive volume, in GB, to

    The maximum volume of the hard drive on the device. Devices with a hard drive that matches the volume range specified in the entry fields (inclusive) will be included in the selection.

  • RAM size, in MB, from

    The minimum size of the device RAM. Devices with RAM that matches the size range specified in the entry fields (inclusive) will be included in the selection.

  • RAM size, in MB, to

    The maximum size of the device RAM. Devices with RAM that matches the size range specified in the entry fields (inclusive) will be included in the selection.

Third-party software details

In the Applications registry subsection, you can set up the criteria to search for devices according to applications installed on them:

  • Application name

    Drop-down list in which you can select an application. Devices on which the specified application is installed are included in the selection.

  • Application version

    Entry field in which you can specify the version of the selected application.

  • Vendor

    Drop-down list in which you can select the manufacturer of an application installed on the device.

  • Application status

    A drop-down list in which you can select the status of an application (Installed, Not installed). Devices on which the specified application is installed or not installed, depending on the selected status, will be included in the selection.

  • Find by update

    If this option is enabled, search will be performed using the details of updates for applications installed on the relevant devices. After you select the check box, the Application name, Application version, and Application status fields change to Update name, Update version, and Status respectively.

    By default, this option is disabled.

  • Name of incompatible security application

    Drop-down list in which you can select third-party security applications. During the search, devices on which the specified application is installed are included in the selection.

  • Application tag

    In the drop-down list, you can select the application tag. All devices that have installed applications with the selected tag in the description are included in the device selection.

  • Apply to devices without the specified tags

    If this option is enabled, the selection includes devices with descriptions that contain none of the selected tags.

    If this option is disabled, the criterion is not applied.

    By default, this option is disabled.

In the Vulnerabilities and updates subsection, you can specify the criteria that will be used to include devices in the selection according to their Windows Update source:

  • WUA is switched to Administration Server

    You can select one of the following search options from the drop-down list:

    • Yes. If this option is selected, the search results will include devices that receive updates through Windows Update from the Administration Server.
    • No. If this option is selected, the results will include devices that receive updates through Windows Update from other sources.

Details of Kaspersky applications

In the Kaspersky applications subsection, you can configure criteria for including devices in a selection based on the selected managed application:

  • Application name

    In the drop-down list, you can set a criterion for including devices in a selection when search is performed by the name of a Kaspersky application.

    The list provides only the names of applications with management plug-ins installed on the administrator's workstation.

    If no application is selected, the criterion will not be applied.

  • Application version

    In the entry field, you can set a criterion for including devices in a selection when search is performed by the version number of a Kaspersky application.

    If no version number is specified, the criterion will not be applied.

  • Critical update name

    In the entry field, you can set a criterion for including devices in a selection when search is performed by application name or by update package number.

    If the field is left blank, the criterion will not be applied.

  • Application status

    A drop-down list in which you can select the status of an application (Installed, Not installed). Devices on which the specified application is installed or not installed, depending on the selected status, will be included in the selection.

  • Select the period of the last update of modules

    You can use this option to set a criterion for searching devices by time of the last update of modules of applications installed on those devices.

    If this check box is selected, in the entry fields you can specify the time interval (date and time) during which the last update of modules of applications installed on those devices was performed.

    If this check box is cleared, the criterion will not be applied.

    By default, this check box is cleared.

  • Device is managed through Administration Server

    In the drop-down list, you can include in the selection the devices managed through Open Single Management Platform:

    • Yes. The application includes in the selection devices managed through Open Single Management Platform.
    • No. The application includes devices in the selection if they are not managed through Open Single Management Platform.
    • No value is selected. The criterion will not be applied.

  • Security application is installed

    In the drop-down list, you can include in the selection all devices with the security application installed:

    • Yes. The application includes in the selection all devices with the security application installed.
    • No. The application includes in the selection all devices with no security application installed.
    • No value is selected. The criterion will not be applied.

In the Anti-virus protection subsection, you can set up the criteria for including devices in a selection based on their protection status:

  • Databases released

    If this option is selected, you can search for client devices by anti-virus database release date. In the entry fields you can set the time interval, on the basis of which the search is performed.

    By default, this option is disabled.

  • Database records count

    If this option is enabled, you can search for client devices by number of database records. In the entry fields you can set the lower and upper threshold values for anti-virus database records.

    By default, this option is disabled.

  • Last scanned

    If this option is enabled, you can search for client devices by time of the last malware scan. In the entry fields you can specify the time period within which the last malware scan was performed.

    By default, this option is disabled.

  • Threats detected

    If this option is enabled, you can search for client devices by number of viruses detected. In the entry fields you can set the lower and upper threshold values for the number of viruses found.

    By default, this option is disabled.

In the Encryption subsection, you can configure the criterion for including devices in a selection based on the selected encryption algorithm:

Encryption algorithm

Advanced Encryption Standard (AES) symmetric block cipher. In the drop-down list, you can select the encryption key size (56-bit, 128-bit, 192-bit, or 256-bit).

Available values: AES56, AES128, AES192, and AES256. Note that the AES standard itself defines only 128-, 192-, and 256-bit keys; AES56 is a reduced-strength variant shipped in distribution kits that are subject to cryptographic export restrictions, and it offers far weaker protection than the other options. When you build a selection to audit encryption strength, treat AES56 devices as a finding rather than as compliant.

The Application components subsection contains the list of components of those applications that have corresponding management plug-ins installed in OSMP Console.

In the Application components subsection, you can specify criteria for including devices in a selection according to the statuses and version numbers of the components that refer to the application that you select:

  • Status

    Search for devices according to the component status sent by an application to the Administration Server. You can select one of the following statuses: N/A, Stopped, Paused, Starting, Running, Failed, Not installed, Not supported by license. If the selected component of the application installed on a managed device has the specified status, the device is included in the device selection.

    Statuses sent by applications:

    • Stopped—The component is disabled and not working at the moment.
    • Paused—The component is suspended, for example, after the user has paused protection in the managed application.
    • Starting—The component is currently in the process of initialization.
    • Running—The component is enabled and working properly.
    • Failed—An error has occurred during the component operation.
    • Not installed—The user did not select the component for installation when configuring custom installation of the application.
    • Not supported by license—The license does not cover the selected component.

    Unlike other statuses, the N/A status is not sent by applications. This option shows that the applications have no information about the selected component status. For example, this can happen when the selected component does not belong to any of the applications installed on the device, or when the device is turned off.

  • Version

    Search for devices according to the version number of the component that you select in the list. You can type a version number, for example 3.4.1.0, and then specify whether the selected component must have an equal, earlier, or later version. You can also configure searching for all versions except the specified one.

Tags

In the Tags section, you can configure criteria for including devices into a selection based on key words (tags) that were previously added to the descriptions of managed devices:

Apply if at least one specified tag matches

If this option is enabled, the search results will show devices with descriptions that contain at least one of the selected tags.

If this option is disabled, the search results will only show devices with descriptions that contain all the selected tags.

By default, this option is disabled.

To add tags to the criterion, click the Add button, and select tags by clicking the Tag entry field. Specify whether to include or exclude the devices with the selected tags in the device selection.

  • Must be included

    If this option is selected, the search results will display the devices whose descriptions contain the selected tag. To find devices, you can use the asterisk, which stands for any string with any number of characters.

    By default, this option is selected.

  • Must be excluded

    If this option is selected, the search results will display the devices whose descriptions do not contain the selected tag. To find devices, you can use the asterisk, which stands for any string with any number of characters.

Users

In the Users section, you can set up the criteria to include devices in the selection according to the accounts of users who have logged in to the operating system.

  • Last user who logged in to the system

    If this option is enabled, you can select the user account for configuring the criterion. The search results include devices on which the selected user performed the last login to the system.

  • User who logged in to the system at least once

    If this option is enabled, click the Browse button to specify a user account. The search results include devices on which the specified user logged in to the system at least once.

[Topic 209943]

Exporting the device list from a device selection

Open Single Management Platform allows you to save information about devices from a device selection and export it as a CSV or a TXT file.

To export the device list from the device selection:

  1. Open the table with the devices from the device selection.
  2. Use one of the following ways to select the devices that you want to export:
    • To select particular devices, select the check boxes next to them.
    • To select all devices from the current table page, select the check box in the device table header, and then select the Select all on current page check box.
    • To select all devices from the table, select the check box in the device table header, and then select the Select all check box.
  3. Click the Export to CSV or Export to TXT button. All information about the selected devices included in the table will be exported.

Note that if you applied a filter criterion to the device table, only the filtered data from the displayed columns will be exported.

[Topic 251033]

Removing devices from administration groups in a selection

When working with a device selection, you can remove devices from administration groups right in this selection, without switching to the administration groups from which these devices must be removed.

To remove devices from administration groups:

  1. In the main menu, go to Assets (Devices) → Device selections or Discovery & deployment → Device selections.
  2. In the selection list, click the name of the device selection.

    The page displays a table with information about the devices included in the device selection.

  3. Select the devices that you want to remove, and then click Delete.

    The selected devices are removed from their respective administration groups.

[Topic 251146]
[Topic 166115]

Device tags

Open Single Management Platform allows you to tag devices. A tag is the string value that can be used for grouping, describing, or finding devices. Tags assigned to devices can be used for creating selections, for finding devices, and for distributing devices among administration groups.

You can tag devices manually or automatically. If you want to tag an individual device, you can use manual tagging. Auto-tagging is performed by Open Single Management Platform in one of the following ways:

  • In accordance with the specified tagging rules.
  • By an application.

We do not recommend that you use different ways of tagging to assign the same tag. For example, if the tag is assigned by the rule, it is not recommended to manually assign this tag to devices.

If the tags are assigned by rules, devices are tagged automatically when the specified rules are met. An individual rule corresponds to each tag. Rules are applied to the network properties of the device, operating system, applications installed on the device, and other device properties. For example, you can set up a rule that will assign the [CentOS] tag to all devices running CentOS operating system. Then, you can use this tag when creating a device selection; this will help you sort all CentOS devices and assign them a task.

A tag is automatically removed from a device in the following cases:

  • When the device stops meeting conditions of the rule that assigns the tag.
  • When the rule that assigns the tag is disabled or deleted.

The list of tags and the list of rules on each Administration Server are independent of all other Administration Servers, including a primary Administration Server or subordinate virtual Administration Servers. A rule is applied only to devices from the same Administration Server on which the rule is created.

[Topic 175848]

Creating a device tag

To create a device tag:

  1. In the main menu, go to Assets (Devices) → Tags → Device tags.
  2. Click Add.

    A new tag window opens.

  3. In the Tag field, enter the tag name.
  4. Click Save to save the changes.

The new tag appears in the list of device tags.

See also:

Scenario: Discovering networked devices

[Topic 175850]

Renaming a device tag

To rename a device tag:

  1. In the main menu, go to Assets (Devices) → Tags → Device tags.
  2. Click the name of the tag that you want to rename.

    A tag properties window opens.

  3. In the Tag field, change the tag name.
  4. Click Save to save the changes.

The updated tag appears in the list of device tags.

See also:

Scenario: Discovering networked devices

[Topic 175855]

Deleting a device tag

You can delete only manually assigned tags.

To delete a manually assigned device tag:

  1. In the main menu, go to Assets (Devices) → Tags → Device tags.

    The list of tags is displayed.

  2. Select the device tag that you want to delete.
  3. Click the Delete button.
  4. In the window that opens, click Yes.

The device tag is deleted. The deleted tag is automatically removed from all of the devices to which it was assigned.

When you delete a tag assigned to the device by an auto-tagging rule, the rule is not deleted, and the tag will be assigned to a new device when the device first meets the rule conditions. If you delete an auto-tagging rule, the tag specified in the rule conditions will be removed from all devices to which it was assigned but will not be deleted from the list of tags. If necessary, you can manually delete the tag from the list.

The deleted tag is not removed automatically from the device if this tag is assigned to the device by an application or Network Agent. To remove the tag from your device, use the klscflag utility.

See also:

Scenario: Discovering networked devices

[Topic 175856]

Viewing devices to which a tag is assigned

To view devices to which a tag is assigned:

  1. In the main menu, go to Assets (Devices) → Tags → Device tags.
  2. Click the View devices link next to the tag for which you want to view assigned devices.

The list of devices that appears shows only those devices to which the tag is assigned.

To return to the list of device tags, click the Back button of your browser.

See also:

Scenario: Discovering networked devices

[Topic 175859]

Viewing tags assigned to a device

To view tags assigned to a device:

  1. In the main menu, go to Assets (Devices) → Managed devices.
  2. Click the name of the device whose tags you want to view.
  3. In the device properties window that opens, select the Tags tab.

The list of tags assigned to the selected device is displayed. In the Tag assigned column you can view how the tag was assigned.

You can assign another tag to the device or remove an already assigned tag. You can also view all device tags that exist on the Administration Server.

See also:

Scenario: Discovering networked devices

[Topic 175862]

Tagging a device manually

To assign a tag to a device manually:

  1. View tags assigned to the device to which you want to assign another tag.
  2. Click Add.
  3. In the window that opens, do one of the following:
    • To create and assign a new tag, select Create new tag, and then specify the name of the new tag.
    • To select an existing tag, select Assign existing tag, and then select the necessary tag in the drop-down list.
  4. Click OK to apply the changes.
  5. Click Save to save the changes.

The selected tag is assigned to the device.

See also:

Scenario: Discovering networked devices

[Topic 175860]

Removing an assigned tag from a device

To remove a tag from a device:

  1. In the main menu, go to Assets (Devices) → Managed devices.
  2. Click the name of the device whose tags you want to view.
  3. In the device properties window that opens, select the Tags tab.
  4. Select the check box next to the tag that you want to remove.
  5. At the top of the list, click the Unassign tag? button.
  6. In the window that opens, click Yes.

The tag is removed from the device.

The unassigned device tag is not deleted. If you want, you can delete it manually.

You cannot manually remove tags assigned to the device by applications or Network Agent. To remove these tags, use the klscflag utility.

See also:

Scenario: Discovering networked devices

[Topic 175861]

Viewing rules for tagging devices automatically

To view rules for tagging devices automatically,

Do any of the following:

  • In the main menu, go to Assets (Devices) → Tags → Auto-tagging rules.
  • In the main menu, go to Assets (Devices) → Tags → Device tags, and then click the Set up auto-tagging rules link.
  • View tags assigned to a device and then click the Settings button.

The list of rules for auto-tagging devices appears.

See also:

Scenario: Discovering networked devices

[Topic 175849]

Editing a rule for tagging devices automatically

To edit a rule for tagging devices automatically:

  1. View rules for tagging devices automatically.
  2. Click the name of the rule that you want to edit.

    A rule settings window opens.

  3. Edit the general properties of the rule:
    1. In the Rule name field, change the rule name.

      The name cannot be more than 256 characters long.

    2. Do any of the following:
      • Enable the rule by switching the toggle button to Rule enabled.
      • Disable the rule by switching the toggle button to Rule disabled.
  4. Do any of the following:
    • If you want to add a new condition, click the Add button, and specify the settings of the new condition in the window that opens.
    • If you want to edit an existing condition, click the name of the condition that you want to edit, and then edit the condition settings.
    • If you want to delete a condition, select the check box next to the name of the condition that you want to delete, and then click Delete.
  5. Click OK in the conditions settings window.
  6. Click Save to save the changes.

The edited rule is shown in the list.

See also:

Scenario: Discovering networked devices

[Topic 175967]

Creating a rule for tagging devices automatically

To create a rule for tagging devices automatically:

  1. View rules for tagging devices automatically.
  2. Click Add.

    A new rule settings window opens.

  3. Configure the general properties of the rule:
    1. In the Rule name field, enter the rule name.

      The name cannot be more than 256 characters long.

    2. Do one of the following:
      • Enable the rule by switching the toggle button to Rule enabled.
      • Disable the rule by switching the toggle button to Rule disabled.
    3. In the Tag field, enter the new device tag name or select one of the existing device tags from the list.

      The name cannot be more than 256 characters long.

  4. In the conditions section, click the Add button to add a new condition.

    A new condition settings window opens.

  5. Enter the condition name.

    The name cannot be more than 256 characters long. The name must be unique within a rule.

  6. Set up the triggering of the rule according to the following conditions. You can select multiple conditions.
    • Network—Network properties of the device, such as DNS name of the device or device inclusion in an IP subnet.

      If case sensitive collation is set for the database that you use for Open Single Management Platform, keep case when you specify a device DNS name. Otherwise, the auto-tagging rule will not work.

    • Applications—Presence of Network Agent on the device, operating system type, version, and architecture.
    • Virtual machines—Device belongs to a specific type of virtual machine.
    • Applications registry—Presence of applications of different vendors on the device.
  7. Click OK to save the changes.

    If necessary, you can set multiple conditions for a single rule. In this case, the tag will be assigned to a device if it meets at least one condition.

  8. Click Save to save the changes.

The newly created rule is enforced on devices managed by the selected Administration Server. If the settings of a device meet the rule conditions, the device is assigned the tag.

Later, the rule is applied in the following cases:

  • Automatically and periodically, depending on the server workload
  • After you edit the rule
  • When you run the rule manually
  • After Administration Server detects a change in the settings of a device that meets the rule conditions or the settings of a group that contains such a device

You can create multiple tagging rules. A single device can be assigned multiple tags if you have created multiple tagging rules and if the respective conditions of these rules are met simultaneously. You can view the list of all assigned tags in the device properties.
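The Tags criterion of a device selection (Must be included / Must be excluded with the asterisk wildcard, and the Apply if at least one specified tag matches switch) and the auto-tagging behaviour described above (a rule fires when at least one of its conditions holds, rule-assigned tags disappear when the rule stops matching or is disabled, and the DNS name comparison depends on database collation) can be modelled in a few lines. The following Python is an added illustration written for this page, not Open Single Management Platform code or its API. The Device, Condition and Rule classes, the inventory, the assumption that every field set within one condition must hold, and the assumption that a Must be excluded entry holds when no tag matches its pattern are this example's own.

```python
"""Model of OSMP auto-tagging rules and tag-based device selection.

Added example for this page; not Open Single Management Platform code.
All devices, rules and criteria below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    dns_name: str
    ip: str
    os: str
    # tag -> how it was assigned: "manual" or "rule:<rule name>"
    tags: dict = field(default_factory=dict)


@dataclass
class Condition:
    """One condition of a rule. Unset fields are ignored.
    Assumption of this model: every field that is set must hold."""
    name: str
    dns_name: str | None = None
    subnet: str | None = None
    os: str | None = None

    def matches(self, dev: Device, case_sensitive_collation: bool) -> bool:
        if self.dns_name is not None:
            want, have = self.dns_name, dev.dns_name
            if not case_sensitive_collation:
                want, have = want.lower(), have.lower()
            if want != have:          # mismatched case fails under case-sensitive collation
                return False
        if self.subnet is not None and ipaddress.ip_address(dev.ip) not in ipaddress.ip_network(self.subnet, strict=False):
            return False
        if self.os is not None and dev.os != self.os:
            return False
        return True


@dataclass
class Rule:
    name: str
    tag: str
    conditions: list
    enabled: bool = True

    def matches(self, dev: Device, case_sensitive_collation: bool) -> bool:
        # A rule fires when the device meets at least one of its conditions.
        return self.enabled and any(c.matches(dev, case_sensitive_collation) for c in self.conditions)


def apply_rules(devices: list, rules: list, case_sensitive_collation: bool = True) -> list:
    """Recompute rule-assigned tags. A tag whose rule no longer matches, is disabled
    or was deleted is removed; manually assigned tags are left untouched."""
    for dev in devices:
        manual = {t: src for t, src in dev.tags.items() if src == "manual"}
        by_rule = {r.tag: f"rule:{r.name}" for r in rules if r.matches(dev, case_sensitive_collation)}
        dev.tags = {**by_rule, **manual}      # manual attribution wins if both apply
    return devices


def tag_pattern_matches(pattern: str, tag: str) -> bool:
    # Only '*' is a wildcard in the Tags criterion; every other character is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, tag) is not None


def select_by_tags(devices: list, criteria: list, at_least_one: bool = False) -> list:
    """criteria: list of (pattern, must_be_included). at_least_one mirrors the
    'Apply if at least one specified tag matches' option (off: all entries must hold)."""
    combine = any if at_least_one else all
    selected = []
    for dev in devices:
        def entry_holds(entry, dev=dev):
            pattern, included = entry
            present = any(tag_pattern_matches(pattern, t) for t in dev.tags)
            return present == included
        if combine(entry_holds(e) for e in criteria):
            selected.append(dev.name)
    return selected


def demo():
    """Constructed inventory: one manual tag, three rules, then a selection."""
    devices = [
        Device("srv-db-01", "srv-db-01.corp.example", "10.1.20.15", "CentOS", {"critical": "manual"}),
        Device("ws-042", "WS-042.corp.example", "10.1.30.7", "Windows"),
        Device("srv-web-02", "srv-web-02.corp.example", "10.1.20.88", "CentOS"),
    ]
    rules = [
        Rule("centos-hosts", "CentOS", [Condition("os", os="CentOS")]),
        Rule("server-subnet", "servers", [Condition("net", subnet="10.1.20.0/24")]),
        # Lower-case DNS name in the rule, upper-case in the device record.
        Rule("ws-042-by-dns", "ws-042", [Condition("dns", dns_name="ws-042.corp.example")]),
    ]
    apply_rules(devices, rules, case_sensitive_collation=True)
    strict = {d.name: sorted(d.tags) for d in devices}        # ws-042 gets no tag
    apply_rules(devices, rules, case_sensitive_collation=False)
    relaxed = {d.name: sorted(d.tags) for d in devices}       # ws-042 now tagged
    rules[1].enabled = False                                  # disable a rule ...
    apply_rules(devices, rules, case_sensitive_collation=False)
    after_disable = {d.name: sorted(d.tags) for d in devices} # ... its tag is gone
    selection = select_by_tags(devices, [("Cent*", True), ("critical", False)])
    return strict, relaxed, after_disable, selection


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the collation caveat directly: the ws-042 rule assigns nothing under case-sensitive collation and assigns the tag once the comparison is relaxed, while disabling the server-subnet rule strips its tag from both servers on the next pass without touching the manually assigned critical tag.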

[Topic 175878]

Running rules for auto-tagging devices

When a rule is run, the tag specified in properties of this rule is assigned to devices that meet conditions specified in properties of the same rule. You can run only active rules.

To run rules for auto-tagging devices:

  1. View rules for tagging devices automatically.
  2. Select check boxes next to active rules that you want to run.
  3. Click the Run rule button.

The selected rules are run.

See also:

Scenario: Discovering networked devices

[Topic 175974]

Deleting a rule for tagging devices automatically

To delete a rule for tagging devices automatically:

  1. View rules for tagging devices automatically.
  2. Select the check box next to the rule that you want to delete.
  3. Click Delete.
  4. In the window that opens, click Delete again.

The selected rule is deleted. The tag that was specified in properties of this rule is unassigned from all of the devices that it was assigned to.

The unassigned device tag is not deleted. If you want, you can delete it manually.

See also:

Scenario: Discovering networked devices

[Topic 175976]

Data encryption and protection

Data encryption reduces the risk of unintentional leakage of sensitive and corporate data if your laptop or hard drive is stolen or lost. Also, data encryption allows you to prevent access by unauthorized users and applications.

You can use the data encryption feature if your network includes Windows-based managed devices with Kaspersky Endpoint Security for Windows installed. In this case, on devices running a Windows operating system, you can manage the following types of encryption:

  • BitLocker Drive Encryption
  • Kaspersky Disk Encryption

By using these components of Kaspersky Endpoint Security for Windows, you can, for example, enable or disable encryption, view the list of encrypted drives, or generate and view reports about encryption.

To configure encryption, define the Kaspersky Endpoint Security for Windows policy in Open Single Management Platform. Kaspersky Endpoint Security for Windows performs encryption and decryption according to the active policy. For detailed instructions on how to configure rules and for a description of encryption features, see the Kaspersky Endpoint Security for Windows Help.

Encryption management for a hierarchy of Administration Servers is currently not available in the Web Console. Use the primary Administration Server to manage encrypted devices.

You can show or hide some of the interface elements related to the encryption management feature by using the user interface settings.

In this section

Viewing the list of encrypted drives

Viewing the list of encryption events

Creating and viewing encryption reports

Granting access to an encrypted drive in offline mode

See also:

Scenario: Configuring network protection

[Topic 195124]

Viewing the list of encrypted drives

In Open Single Management Platform, you can view details about encrypted drives and devices that are encrypted at the drive level. After the information on a drive is decrypted, the drive is automatically removed from the list.

To view the list of encrypted drives,

In the main menu, go to Operations → Data encryption and protection → Encrypted drives.

If the section is not on the menu, this means that it is hidden. In the user interface settings, enable the Show data encryption and protection option to display the section.

You can export the list of encrypted drives to a CSV or TXT file. To do this, click the Export to CSV or Export to TXT button.

See also:

Scenario: Configuring network protection

[Topic 195125]

Viewing the list of encryption events

When running data encryption or decryption tasks on devices, Kaspersky Endpoint Security for Windows sends Open Single Management Platform information about events of the following types:

  • Cannot encrypt or decrypt a file, or create an encrypted archive, due to a lack of free disk space.
  • Cannot encrypt or decrypt a file, or create an encrypted archive, due to license issues.
  • Cannot encrypt or decrypt a file, or create an encrypted archive, due to missing access rights.
  • The application has been prohibited from accessing an encrypted file.
  • Unknown errors.

To view a list of events that occurred during data encryption on devices,

In the main menu, go to Operations → Data encryption and protection → Encryption events.

If the section is not on the menu, this means that it is hidden. In the user interface settings, enable the Show data encryption and protection option to display the section.

You can export the list of encryption events to a CSV or TXT file. To do this, click the Export to CSV or Export to TXT button.

Alternatively, you can examine the list of encryption events for every managed device.

To view the encryption events for a managed device:

  1. In the main menu, go to Assets (Devices) → Managed devices.
  2. Click on the name of a managed device.
  3. On the General tab, go to the Protection section.
  4. Click the View data encryption errors link.

See also:

Scenario: Configuring network protection

[Topic 195126]

Creating and viewing encryption reports

You can generate the following reports:

  • Report on encryption status of managed devices. This report provides details about the data encryption of various managed devices. For example, the report shows the number of devices to which the policy with configured encryption rules applies. Also, you can find out, for instance, how many devices need to be rebooted. The report also contains information about the encryption technology and algorithm for every device.
  • Report on encryption status of mass storage devices. This report contains similar information as the report on the encryption status of managed devices, but it provides data only for mass storage devices and removable drives.
  • Report on rights to access encrypted drives. This report shows which user accounts have access to encrypted drives.
  • Report on file encryption errors. This report contains information about errors that occurred when the data encryption or decryption tasks were run on devices.
  • Report on blockage of access to encrypted files. This report contains information about blocking application access to encrypted files. This report is helpful if an unauthorized user or application tries to access encrypted files or drives.

You can generate any report in the Monitoring & reporting → Reports section. Alternatively, in the Operations → Data encryption and protection section, you can generate the following encryption reports:

  • Report on encryption status of mass storage devices
  • Report on rights to access encrypted drives
  • Report on file encryption errors

To generate an encryption report in the Data encryption and protection section:

  1. Make sure that you enabled the Show data encryption and protection option in the Interface options.
  2. In the main menu, go to Operations → Data encryption and protection.
  3. Open one of the following sections:
    • Encrypted drives generates the report on encryption status of mass storage devices or the report on rights to access encrypted drives.
    • Encryption events generates the report on file encryption errors.
  4. Click the name of the report that you want to generate.

The report generation starts.

See also:

Scenario: Configuring network protection

[Topic 195130]

Granting access to an encrypted drive in offline mode

A user can request access to an encrypted device, for example, when Kaspersky Endpoint Security for Windows is not installed on the managed device. After you receive the request, you can create an access key file and send it to the user. All of the use cases and detailed instructions are provided in the Kaspersky Endpoint Security for Windows Help.

To grant access to an encrypted drive in offline mode:

  1. Get a request access file from a user (a file with the FDERTC extension). Follow the instructions in the Kaspersky Endpoint Security for Windows Help to generate the file in Kaspersky Endpoint Security for Windows.
  2. In the main menu, go to Operations → Data encryption and protection → Encrypted drives.

    A list of encrypted drives appears.

  3. Select the drive to which the user requested access.
  4. Click the Grant access to the device in offline mode button.
  5. In the window that opens, select the Kaspersky Endpoint Security for Windows plug-in.
  6. Follow the instructions provided in the Kaspersky Endpoint Security for Windows Help (see the instructions for OSMP Console at the end of the section).

After that, the user applies the received file to access the encrypted drive and read data stored on the drive.

See also:

Scenario: Configuring network protection

[Topic 195131]

Changing the Administration Server for client devices


You can change the Administration Server to a different one for specific client devices. For this purpose, use the Change Administration Server task.

To change the Administration Server that manages client devices to a different Server:

  1. Connect to the Administration Server that manages the devices.
  2. Create the Administration Server change task.

    The New task wizard starts. Follow the instructions of the wizard. In the New task window of the New task wizard, select the Kaspersky Security Center 15 application and the Change Administration Server task type. After that, specify the devices for which you want to change the Administration Server:

    • Assign task to an administration group

      The task is assigned to devices included in an administration group. You can specify one of the existing groups or create a new one.

      For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.

      If a task is assigned to an administration group, the Security tab is not displayed in the task properties window because group tasks are subject to the security settings of the groups to which they apply.

    • Specify device addresses manually or import addresses from a list

      You can specify DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.

      You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.

    • Assign task to a device selection

      The task is assigned to devices included in a device selection. You can specify one of the existing selections.

      For example, you may want to use this option to run a task on devices with a specific operating system version.

  3. Run the created task.

After the task is complete, the client devices for which it was created are put under the management of the Administration Server specified in the task settings.

If the Administration Server supports encryption and data protection and you are creating a Change Administration Server task, a warning is displayed. The warning states that if any encrypted data is stored on devices, after the new Server begins managing the devices, users will be able to access only the encrypted data with which they previously worked. In other cases, no access to encrypted data is provided. For detailed descriptions of scenarios in which access to encrypted data is not provided, refer to the Kaspersky Endpoint Security for Windows Help.

[Topic 3910]

Viewing and configuring the actions when devices show inactivity


If client devices within a group are inactive, you can get notifications about it. You can also automatically delete such devices.

To view or configure the actions when the devices in the group show inactivity:

  1. In the main menu, go to Assets (Devices) → Hierarchy of groups.
  2. Click the name of the required administration group.

    The administration group properties window opens.

  3. In the properties window, go to the Settings tab.
  4. In the Inheritance section, enable or disable the following options:
    • Inherit from parent group

      The settings in this section are inherited from the parent group of the current administration group. If this option is enabled, the settings under Device activity on the network are locked and cannot be changed in this group.

      This option is available only if the administration group has a parent group.

      By default, this option is enabled.

    • Force inheritance of settings in child groups

      The setting values will be distributed to child groups but in the properties of the child groups these settings are locked.

      By default, this option is disabled.

  5. In the Device activity section, enable or disable the following options:
  6. Click Save.

Your changes are saved and applied.

[Topic 179988]