The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Preparing Kaspersky Security Center Web Console and Cloud Console for deployment
This section provides instructions on preparing Kaspersky Security Center Web Console and Cloud Console for deployment.
Configuring Administration Server for connection of mobile devices
To connect mobile devices to the Administration Server, you must define the connection settings before installing the app on devices.
- If you are using Kaspersky Security Center Web Console, configure its properties as described below.
- If you are using Kaspersky Security Center Cloud Console, the connection settings are defined during the initial configuration of Kaspersky Security Center Cloud Console. For more information, please refer to Kaspersky Security Center Cloud Console Help.
To define Kaspersky Security Center Web Console properties for a mobile device connection:
- In the main window of Kaspersky Security Center Web Console, click Settings.
The Administration Server properties window opens.
- Configure the Administration Server ports that will be used by mobile devices:
- Select the Additional ports section.
- Enable the Open port for mobile devices toggle button.
- In the Port for mobile device synchronization field, specify the port through which mobile devices will connect to the Administration Server.
Port 13292 is used by default.
If the Open port for mobile devices toggle button is off or an incorrect connection port is specified, mobile devices will not be able to connect to the Administration Server.
- In the Port for mobile device activation field, specify the port to be used by mobile devices to connect to the Administration Server for activation of the mobile app.
Port 17100 is used by default.
If you specify an incorrect connection port, the users of mobile devices will not be able to activate the mobile app by using the Administration Server.
- If necessary, edit the certificate that will be used by mobile devices to connect to the Administration Server.
By default, Administration Server uses the certificate that was created during Administration Server installation. If you want, replace the certificate issued through the Administration Server with another certificate or reissue the certificate issued through the Administration Server.
To edit the certificate:
- Select the Certificates section.
- Define the required settings.
For detailed information about the certificates, please refer to Kaspersky Security Center Help.
- Click the Save button to save the changes you have made to the settings and exit the Administration Server properties window.
After you configure the mobile device connection settings, you can install the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app on mobile devices and connect them to the Administration Server by using the specified settings.
Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server
This topic describes how to configure a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server. The configuration proceeds in the following steps:
- Install Network Agent in the connection gateway role on a host
- Configure the connection gateway on Kaspersky Security Center Administration Server
This article contains an overview of the scenario. For detailed instructions, please refer to the Kaspersky Security Center documentation.
Requirements
For a connection gateway to work correctly with mobile devices, the following requirements must be met:
- Port 13292 must be open on the host with the connection gateway.
- Port 13000 must be open between the connection gateway and Kaspersky Security Center. It does not need to be open outside the DMZ.
- The host must have a static address accessible from the internet.
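A way to check the port requirements above from a host outside the DMZ. This is an added example, not part of the Kaspersky documentation; the host name `gateway.example.com` is a placeholder, and reporting port 13000 as a finding when it answers from the internet is a least-exposure assumption based on the statement that it does not need to be open outside the DMZ.

```python
import socket
import sys

# Ports from the Requirements list. "internet" says whether the port is
# expected to answer from outside the DMZ (13000 = False is an assumption).
EXPECTED = {
    13292: {"internet": True, "purpose": "mobile device connections"},
    13000: {"internet": False, "purpose": "gateway <-> Administration Server"},
}


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host, ports=EXPECTED, timeout=3.0):
    """Probe every listed port on host; returns {port: bool}."""
    return {port: tcp_open(host, port, timeout) for port in ports}


def audit_exposure(observed, expected=EXPECTED):
    """Compare ports observed from an internet vantage point with the
    requirements. observed is {port: bool}; an empty result means no findings."""
    findings = []
    for port, rule in sorted(expected.items()):
        is_open = observed.get(port, False)
        if rule["internet"] and not is_open:
            findings.append(f"{port} closed: {rule['purpose']} will fail")
        elif not rule["internet"] and is_open:
            findings.append(f"{port} reachable from the internet: "
                            f"{rule['purpose']} only needs it inside the DMZ")
    return findings


if __name__ == "__main__":
    # Run from a machine outside the DMZ against your own gateway.
    host = sys.argv[1] if len(sys.argv) > 1 else "gateway.example.com"
    for line in audit_exposure(probe(host)) or ["exposure matches requirements"]:
        print(line)
```

Run the same probe from the Administration Server side to confirm that port 13000 on the gateway is reachable there.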
Install Network Agent in the connection gateway role on a host
First, you need to install Network Agent on the host that will act in the connection gateway role. You can download a full installation package of Kaspersky Security Center or use a local installation of Kaspersky Security Center.
By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>
To install Network Agent in the connection gateway role:
- Start the Network Agent Setup Wizard and follow its instructions leaving default values for all of the options until the Select Administration Server window opens.
- In the Select Administration Server window, configure the following settings:
- Enter the address of the device with Administration Server installed.
- In the Port, SSL port, and UDP port fields, leave the default values.
- Select the Use SSL to connect to Administration Server check box to establish a connection to the Administration Server through a secure port via SSL.
We recommend that you do not clear this check box so your connection remains secured.
- Select the Allow Network Agent to open UDP port check box to manage client devices and receive information about them.
- Click Next and proceed through the Wizard with default settings up to the Connection gateway window.
- In the Connection gateway window, select Use Network Agent as a connection gateway in DMZ.
This mode simultaneously activates the connection gateway role and tells Network Agent to wait for connections from Administration Server, rather than establish connections to Administration Server.
- Click Next and start the installation.
Network Agent is now installed and configured in the connection gateway role.
Configure the connection gateway on Kaspersky Security Center Administration Server
Once you have installed Network Agent in the connection gateway role, you need to connect it to Administration Server. Administration Server does not yet list the device with the connection gateway among the managed devices because the connection gateway has not tried to connect to Administration Server. Therefore, you need to add the connection gateway as a distribution point to ensure that Administration Server initiates a connection to the connection gateway.
To configure the connection gateway on Administration Server:
- Add the connection gateway as a distribution point in Kaspersky Security Center.
- In the console tree, select the Administration Server node.
- In the context menu of Administration Server, select Properties.
- In the Administration Server properties window, select the Distribution points section.
- Click the Add button.
The Add distribution point window opens.
- In the Add distribution point window, perform the following actions:
- Specify the IP address of the device with Network Agent installed in the Device to act as distribution point field. To do this, select Add connection gateway in DMZ by address in the drop-down list.
Enter the IP address of the connection gateway or enter the name if the connection gateway is accessible by name.
- In the Distribution point scope field, select the group to which the connection gateway will be distributed from the drop-down list, and then click OK.
- In the Distribution points section, click OK to save the changes you have made.
The connection gateway will be saved as a new entry named Temporary entry for connection gateway.
Administration Server almost immediately attempts to connect to the connection gateway at the address that you specified. If it succeeds, the entry name changes to the name of the connection gateway device. This process takes up to five minutes.
While the temporary entry for the connection gateway is being converted to a named entry, the connection gateway also appears in the Unassigned devices group.
- Create a new group under the Managed devices group. This new group will contain external managed devices.
- Move the connection gateway from the Unassigned devices group to the group that you have created for external devices.
- Configure properties of the connection gateway that you have deployed:
- In the Distribution points section of the Administration Server properties, select the connection gateway and click Properties.
- In the General section, under DNS domain names of the distribution point for access by mobile devices (included in the certificate), specify the DNS name of your connection gateway that mobile devices will use to connect.
- In the Connection Gateway section, select the following check boxes and leave the default port numbers:
- Open port for mobile devices (SSL authentication of the Administration Server only)
- Open port for mobile devices (two-way SSL authentication)
- Click OK to save the changes you have made.
The connection gateway is now configured. You can now add new mobile devices by specifying the connection gateway address. New devices will appear on Administration Server.
Creating an administration group
Group policies are used to perform centralized configuration of the Kaspersky Endpoint Security for Android and Kaspersky Security for iOS apps installed on the users' mobile devices.
To apply a policy to a group of devices, you are advised to create a separate group for these devices in Managed devices prior to installing mobile apps on user devices.
After creating an administration group, it is recommended to configure the option to automatically allocate devices on which you want to install the apps to this group. Then configure settings that are common to all devices by using a group policy.
To create an administration group:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Devices > Hierarchy of groups.
- In the administration group structure, select the administration group that is to include the new administration group.
- Click the Add button.
- In the Name of the new administration group window that opens, enter a name for the group, and then click the Add button.
A new administration group with the specified name appears in the hierarchy of administration groups.
Creating a rule for automatically allocating a device to administration groups
When the Kaspersky Endpoint Security for Android app or the Kaspersky Security for iOS app is installed on mobile devices, they are displayed on the Discovery & deployment > Unassigned devices page of Kaspersky Security Center Web Console or Cloud Console. In order to manage newly connected devices, you can move them to an administration group manually or create a rule for allocating them automatically to administration groups.
To create a rule for automatic allocation of mobile devices to administration groups:
- In the main window of Kaspersky Security Center Web Console or Cloud Console, select Discovery & deployment > Deployment & assignment > Moving rules.
- In the New rule window that opens, click the Add button.
- In the Rule name field, specify the rule name.
- In the Administration group field, select the administration group to which mobile devices will be allocated after the app has been installed on them.
- In the Apply rule section, select Run once for each device.
- Select the Move only devices not added to an administration group check box to prevent the moving of the mobile devices that are allocated to other administration groups when applying the rule.
- Select the Enable rule check box to apply the rule immediately after creating it.
You can enable the rule at any time later by using the toggle button on the Moving rules page.
- Select Rule conditions > Applications and do the following:
- Enable the Operating system version toggle button.
- In the list of operating systems that opens, select Android or iOS.
The rule will be applied to the corresponding devices. You must specify at least one condition to create a rule.
- Click Save to create the rule.
The newly created rule is displayed on the Moving rules page. According to the rule, Kaspersky Security Center will allocate all newly connected devices to the selected administration group.
For detailed information on administration groups management and actions with unassigned devices:
- If you use Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help.
- If you use Kaspersky Security Center Cloud Console, please refer to Kaspersky Security Center Cloud Console Help.