Contents
- Preparing the Administration Console for deployment of the integrated solution
- Configuring Administration Server settings for connection of mobile devices
- Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server
- Displaying the Mobile Device Management folder in the Administration Console
- Creating an administration group
- Creating a rule for device automatic allocating to administration groups
- Creating a mobile certificate
The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.
Preparing the Administration Console for deployment of the integrated solution
This section provides instructions on preparing the Administration Console for deployment of the integrated solution.
Configuring Administration Server settings for connection of mobile devices
For mobile devices to be able to connect to the Administration Server, configure the mobile device connection settings in the Administration Server properties before installing the Kaspersky Endpoint Security mobile app.
To configure Administration Server settings for connecting mobile devices:
- In the context menu of the Administration Server, select Properties.
The Administration Server settings window opens.
- Select Server connection settings → Additional ports.
- Select the Open port for mobile devices check box.
- In the Port for mobile devices field, specify the port through which mobile devices will connect to the Administration Server.
Port 13292 is used by default. If the Open port for mobile devices check box is cleared or the wrong connection port is specified, mobile devices will not be able to connect to the Administration Server.
- In the Port to activate mobile clients field, specify the port to be used by mobile devices to connect to the Administration Server for activation of the Kaspersky Endpoint Security for Android app. Port 17100 is used by default.
- Click OK.
Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server
This topic describes how to configure a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server. The configuration proceeds in the following steps:
- Install Network Agent in the connection gateway role on a host
- Configure the connection gateway on Kaspersky Security Center Administration Server
This article contains an overview of the scenario. For detailed instructions, please refer to the Kaspersky Security Center documentation.
Requirements
For a connection gateway to work correctly with mobile devices, the following requirements must be met:
- Port 13292 must be open on the host with the connection gateway.
- Port 13000 must be open between the connection gateway and Kaspersky Security Center. It does not need to be open outside the DMZ.
- The host must have a static address accessible from the internet.
Install Network Agent in the connection gateway role on a host
First, you need to install Network Agent on the selected host, which will act in the connection gateway role. You can download a full installation package of Kaspersky Security Center or use a local installation of Kaspersky Security Center.
By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>
To install Network Agent in the connection gateway role:
- Start the Network Agent Setup Wizard and follow its instructions, leaving the default values for all options until the Select Administration Server window opens.
- In the Select Administration Server window, configure the following settings:
- Enter the address of the device with Administration Server installed.
- In the Port, SSL port, and UDP port fields, leave the default values.
- Select the Use SSL to connect to Administration Server check box to establish a connection to the Administration Server through a secure port via SSL.
We recommend that you do not clear this check box so your connection remains secured.
- Select the Allow Network Agent to open UDP port check box to manage client devices and receive information about them.
- Click Next and proceed through the Wizard with default settings up to the Connection gateway window.
- In the Connection gateway window, select Use Network Agent as a connection gateway in DMZ.
This mode simultaneously activates the connection gateway role and tells Network Agent to wait for connections from Administration Server, rather than establish connections to Administration Server.
- Click Next and start the installation.
Network Agent is now installed and configured in the connection gateway role.
Configure the connection gateway on Kaspersky Security Center Administration Server
Once you have installed Network Agent in the connection gateway role, you need to connect it to Administration Server. Administration Server does not yet list the device with the connection gateway among the managed devices because the connection gateway has not tried to connect to Administration Server. Therefore, you need to add the connection gateway as a distribution point to ensure that Administration Server initiates a connection to the connection gateway.
To configure the connection gateway on Administration Server:
- Add the connection gateway as a distribution point in Kaspersky Security Center.
- In the console tree, select the Administration Server node.
- In the context menu of Administration Server, select Properties.
- In the Administration Server properties window, select the Distribution points section.
- Click the Add button.
The Add distribution point window opens.
- In the Add distribution point window, perform the following actions:
- Specify the IP address of the device with Network Agent installed in the Device to act as distribution point field. To do this, select Add connection gateway in DMZ by address in the drop-down list.
Enter the IP address of the connection gateway or enter the name if the connection gateway is accessible by name.
- In the Distribution point scope field, select from the drop-down list the group to which the connection gateway will be distributed, and then click OK.
- In the Distribution points section, click OK to save the changes you have made.
The connection gateway will be saved as a new entry named Temporary entry for connection gateway.
Administration Server almost immediately attempts to connect to the connection gateway at the address that you specified. If it succeeds, the entry name changes to the name of the connection gateway device. This process takes up to five minutes.
While the temporary entry for the connection gateway is being converted to a named entry, the connection gateway also appears in the Unassigned devices group.
- Create a new group under the Managed devices group. This new group will contain external managed devices.
- Move the connection gateway from the Unassigned devices group to the group that you have created for external devices.
- Configure properties of the connection gateway that you have deployed:
- In the Distribution points section of the Administration Server properties, select the connection gateway and click Properties.
- In the General section, under DNS domain names of the distribution point for access by mobile devices (included in the certificate), specify your connection gateway DNS name that will be used to connect to the mobile device.
- In the Connection Gateway section, select the following check boxes and leave the default port numbers:
- Open port for mobile devices (SSL authentication of the Administration Server only)
- Open port for mobile devices (two-way SSL authentication)
- Click OK to save the changes you have made.
The connection gateway is now configured. You can now add new mobile devices by specifying the connection gateway address. New devices will appear on Administration Server.
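The port requirements listed above can be enforced and checked on a Windows gateway host as follows. This is an added example, not part of the Kaspersky documentation: the Administration Server address, the gateway name, the rule names and the Test-PortExposure function are placeholders, and it assumes Windows Firewall blocks inbound traffic by default.

```powershell
# Added example. Run the firewall part in an elevated session on the gateway host.
# Placeholder values (constructed): replace with your own addresses.
$AdminServerIp = '10.0.0.10'            # Administration Server inside the network
$GatewayName   = 'gateway.example.com'  # static, internet-facing gateway address

# Mobile devices connect to the gateway from the internet on port 13292.
New-NetFirewallRule -DisplayName 'KSC gateway: mobile devices (13292)' `
    -Direction Inbound -Protocol TCP -LocalPort 13292 -Action Allow

# In DMZ mode the gateway waits for Administration Server to connect on 13000,
# so accept that port from the Administration Server address only.
New-NetFirewallRule -DisplayName 'KSC gateway: Administration Server (13000)' `
    -Direction Inbound -Protocol TCP -LocalPort 13000 `
    -RemoteAddress $AdminServerIp -Action Allow

# Compare actual reachability with what is expected from the current vantage point.
function Test-PortExposure {
    param(
        [Parameter(Mandatory)] [string]    $ComputerName,
        [Parameter(Mandatory)] [hashtable] $Expected   # port -> $true if it should be reachable
    )
    foreach ($port in ($Expected.Keys | Sort-Object)) {
        $result = Test-NetConnection -ComputerName $ComputerName -Port $port `
            -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target    = $ComputerName
            Port      = $port
            Expected  = $Expected[$port]
            Reachable = $result.TcpTestSucceeded
            Ok        = ($result.TcpTestSucceeded -eq $Expected[$port])
        }
    }
}

# Run on the Administration Server: port 13000 on the gateway must be reachable.
Test-PortExposure -ComputerName $GatewayName -Expected @{ 13000 = $true }

# Run on a host outside the DMZ: 13292 must be reachable, 13000 must not be.
Test-PortExposure -ComputerName $GatewayName -Expected @{ 13292 = $true; 13000 = $false }
```

Any row with Ok set to False means the exposure differs from the requirements: either mobile devices cannot reach the gateway, or port 13000 is reachable from outside the DMZ.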
Displaying the Mobile Device Management folder in the Administration Console
By displaying the Mobile Device Management folder in the Administration Console, you can view the list of mobile devices managed by the Administration Server, configure the mobile device management settings, and install certificates on mobile devices of users.
To enable the display of the Mobile Device Management folder in the Administration Console:
- In the context menu of the Administration Server, select View → Configuring interface.
- In the window that opens, select the Display Mobile Device Management check box.
- Click OK.
The Mobile Device Management folder is displayed in the Administration Console tree after the Administration Console is restarted.
Creating an administration group
To perform centralized configuration of the Kaspersky Endpoint Security for Android app installed on the users' mobile devices, the group policies must be applied to the devices.
To apply the policy to a device group, you are advised to create a separate group for these devices in the Managed devices folder prior to installing mobile apps on user devices.
After creating an administration group, it is recommended to configure the option to automatically allocate devices on which you want to install the apps to this group. Then configure settings that are common to all devices using a group policy.
To create an administration group, follow the steps below:
- In the console tree, select the Managed devices folder.
- In the workspace of the Managed devices folder or subfolder, select the Devices tab.
- Click the New group button.
This opens the window in which you can create a new group.
- In the Group name window, type the group name and click OK.
A new administration group folder with the specified name appears in the console tree. For more detailed information on use of administration groups, see Kaspersky Security Center Help.
Creating a rule for device automatic allocating to administration groups
You can centrally administer the settings of Kaspersky Endpoint Security for Android app installed on users' mobile devices only if the devices belong to a previously created administration group for which a group policy has been configured.
If no rule is configured to automatically allocate mobile devices detected on the network to the administration group, then during the first synchronization of the device with the Administration Server the device is automatically placed in the Advanced → Device discovery → Domains → KES10 folder of the Administration Console (KES10 is used by default). A group policy does not apply to this device.
To create a rule for automatically allocating mobile devices to an administration group, follow the steps below:
- In the console tree, select the Unassigned devices folder.
- From the context menu of the Unassigned devices folder, select Properties.
The Properties: Unassigned devices window appears.
- In the Move devices section, click Add to start the process of creating a rule for automatically allocating devices to an administration group.
The New rule window appears.
- Type the rule name.
- Specify the administration group to which mobile devices should be allocated after the Kaspersky Endpoint Security for Android mobile app has been installed on them. To do so, click Browse to the right of the Group to move devices to field and select the group in the window that appears.
- In the Rule application section, select Run once for each device.
- Select the Move only devices not added to administration groups check box so that, when the rule is applied, mobile devices that were already allocated to other administration groups are not moved to the selected group.
- Select the Enable rule check box, so that the rule can be applied to newly detected devices.
- Open the Apps section and do the following:
- Select the Operating system version check box.
- Select one or several types of operating systems of the devices to be allocated to the specified group: Android or iOS.
- Click OK.
The newly created rule is displayed in the list of device allocation rules in the Move devices section in the properties window of the Unassigned devices folder.
According to the rule, Kaspersky Security Center allocates all devices that meet the specified requirements from the Unassigned devices folder to the selected group. The mobile devices which were earlier allocated to the Unassigned devices folder can also be allocated to the required administration group of the Managed devices folder manually. For more detailed information on administration groups management and actions with undistributed devices, see Kaspersky Security Center Help.
Creating a mobile certificate
You have to create a mobile certificate in Administration Console for the purpose of identifying the user of a mobile device.
To create a mobile certificate:
- In the console tree, select the Mobile Device Management → Certificates folder.
- In the workspace of the Certificates folder, click the Add certificate button to start the Certificate Installation Wizard.
- In the Certificate type window of the Wizard, select the Mobile certificate option.
- In the User selection window of the Wizard, specify the users for whom you want to create a mobile certificate.
- In the Certificate source window of the Wizard, select the method by which the mobile certificate is created.
- To create a mobile certificate automatically using Administration Server tools, select Issue certificate through Administration Server tools.
- To assign a previously created certificate to a user, select the Specify certificate file option. Click the Specify button to open the Certificate window and specify the certificate file in it.
Clear the Publish certificate check box if you do not want to specify the type of mobile device and the method of notifying the user about certificate creation.
- In the Method of user notification window of the Wizard, configure the settings of mobile device user notification about certificate creation using a text message or via email.
- In the Generating the certificate window of the Wizard, click Done to finish the Certificate Installation Wizard.
As a result, the Certificate Installation Wizard creates a mobile certificate that the user can install on the mobile device. To get the certificate, start synchronization of the mobile device with the Administration Server. For more information about creating certificates and configuring rules for issuing them, refer to Kaspersky Security Center help.