Contents
- Getting started
- Solution architecture
- Deployment scenarios
- Deploying a mobile device management solution in Kaspersky Security Center Web Console
- Deploying Kaspersky Security Center Linux and Kaspersky Security Center Web Console
- Deploying mobile management plug-ins
- Configuring Administration Server settings for connecting mobile devices
- Scenario: Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Web Console
- Adding installation packages to Administration Server repository
- Adding a license key to the Administration Server repository
- Installing Network Agent Linux
- Configuring Kaspersky Security Center Linux Web Server settings
- Deploying an iOS device management system
- About iOS device operating modes
- About device management profiles
- Deploying Kaspersky Security for iOS
- Deploying a management system using the iOS MDM protocol
- Deploying iOS MDM Server
- Configuring an iOS MDM Server installation package
- Installing iOS MDM Server using a remote installation task
- Local installation of iOS MDM Server on a device via an installation package
- Updating iOS MDM Server using a remote installation task or locally
- Deleting iOS MDM Server using a remote uninstallation task
- Viewing the list of installed iOS MDM Servers and configuring their settings
- Configuring an iOS MDM Server certificate
- Configuring a reserve iOS MDM Server certificate
- Receiving or renewing an APNs certificate
- Installing an APNs certificate on iOS MDM Server
- Configuring access to Apple Push Notification service
- iOS MDM Server events
- Obtaining iOS MDM Server diagnostic data
- Deploying iOS MDM Server
- Deploying an Android device management system
- About Android device operating modes
- Using Firebase Cloud Messaging
- Deploying Kaspersky Endpoint Security for Android
- Permissions for Kaspersky Endpoint Security for Android
- Starting and stopping Kaspersky Endpoint Security for Android
- Activating Kaspersky Endpoint Security for Android
- Updating Kaspersky Endpoint Security for Android
- Removing Kaspersky Endpoint Security for Android
- Managing mobile devices in Kaspersky Security Center Web Console
- Creating administration groups
- Configuring policies
- Creating a policy
- Modifying a policy
- Copying a policy
- Moving a policy to another administration group
- Viewing the list of policies
- Viewing the policy distribution results
- Managing revisions to policies
- Restricting permissions to configure policies
- Configuring role-based access control
- Configuring policy profiles
- Deleting a policy
- Connecting mobile devices to Kaspersky Security Center Web Console
- Configuring synchronization settings
- Managing certificates of mobile devices
Getting started
This section is intended for specialists who install the Kaspersky Secure Mobility Management solution, as well as for specialists who provide technical support to organizations that use Kaspersky Secure Mobility Management.
Solution architecture
Kaspersky Secure Mobility Management includes the following components:
- Kaspersky Endpoint Security for Android mobile app
The Kaspersky Endpoint Security for Android app protects mobile devices against web threats, viruses, and other apps that pose threats.
- Kaspersky Security for iOS mobile app
The Kaspersky Security for iOS app protects mobile devices against phishing and web threats and lets you detect jailbreaking on devices.
- Kaspersky Mobile Devices Protection and Management plug-in
The Kaspersky Mobile Devices Protection and Management plug-in lets you manage devices running Android and iOS in Kaspersky Security Center Web Console.
- iOS MDM Server
iOS MDM Server lets you connect iOS devices to the Administration Server and manage iOS devices.
- iOS MDM Server settings plug-in
The iOS MDM Server settings plug-in lets you configure iOS MDM Server settings.
Deployment scenarios
The deployment of Kaspersky Secure Mobility Management in Kaspersky Security Center Web Console consists of the following steps:
- Deploying Kaspersky Security Center Linux and Kaspersky Security Center Web Console
- Deploying mobile management plug-ins
- Configuring Administration Server settings for connecting mobile devices
- Deploying an iOS device management system
- Deploying an Android device management system
- Managing mobile devices in Kaspersky Security Center Web Console
Deploying a mobile device management solution in Kaspersky Security Center Web Console
To connect and manage mobile devices using Kaspersky Security Center Web Console, you must deploy a mobile device management solution. This section describes the recommended actions when getting started with Kaspersky Secure Mobility Management.
Deploying Kaspersky Security Center Linux and Kaspersky Security Center Web Console
Select a Linux device to use as the administrator's workstation, make sure it meets the software and hardware requirements, and then install Kaspersky Security Center Linux and Kaspersky Security Center Web Console on it.
For instructions on installing Kaspersky Security Center Linux, refer to the Kaspersky Security Center Help.
For instructions on installing Kaspersky Security Center Web Console, refer to the Kaspersky Security Center Help.
Deploying mobile management plug-ins
To use the Kaspersky Secure Mobility Management solution and connect mobile devices, you must add and install the following mobile management plug-ins:
- Kaspersky Mobile Devices Protection and Management
on_prem_ksm_policies_<version>.zip
Archive that contains the files required for the installation of the Kaspersky Mobile Devices Protection and Management plug-in:
plugin.zip
Archive that contains the Kaspersky Mobile Devices Protection and Management plug-in.
signature.txt
File that contains the signature for the Kaspersky Mobile Devices Protection and Management plug-in.
- iOS MDM Server settings
on_prem_iosmdm_<version>.zip
Archive that contains the files required for the installation of the iOS MDM Server settings plug-in:
plugin.zip
Archive that contains the iOS MDM Server settings plug-in.
signature.txt
File that contains the signature for the iOS MDM Server settings plug-in.
To install a management plug-in:
- In the main window of Kaspersky Security Center Web Console, select Settings > Web plug-ins.
- In the window that opens, click Add.
The list of available plug-ins is displayed.
- In the list of available plug-ins, select the plug-in you want to install by clicking on its name.
A plug-in description page is displayed.
- On the plug-in description page, click Install plug-in.
- When the installation is complete, click OK.
The management plug-in is downloaded with the default configuration and displayed in the list of management plug-ins.
You can add plug-ins and update downloaded plug-ins from a file. You can download management plug-ins and web management plug-ins from the Kaspersky Customer Service webpage.
To load or update a plug-in from a file:
- In the main window of Kaspersky Security Center Web Console, select Settings > Web plug-ins.
- In the window that opens:
- Click Add from file to load a plug-in from a file.
- Click Update from file to load an update of a plug-in from a file.
- Specify the file and signature of the file.
- Load the specified files.
The management plug-in is loaded from the file and displayed in the list of management plug-ins.
Updates functionality (including providing anti-malware signature updates and codebase updates), as well as KSN functionality may not be available in the software in the U.S.
Configuring Administration Server settings for connecting mobile devices
Before connecting mobile devices to Kaspersky Security Center Web Console, you must define the connection settings in the Administration Server properties.
To configure Administration Server settings for connecting mobile devices:
- In the main window of Kaspersky Security Center Web Console, click the settings icon next to the name of the Administration Server.
- In the Administration Server properties window that opens, configure the Administration Server port that will be used by mobile devices:
- In the General tab, select the Additional ports section.
- Enable the Open port for mobile devices toggle button.
If this option is enabled, the port for mobile devices will be open on the Administration Server.
- In the Port for mobile device synchronization field, specify the port through which mobile devices will connect to the Administration Server.
Port 13292 is used by default.
If the Open port for mobile devices toggle button is off or an incorrect connection port is specified, mobile devices will not be able to connect to the Administration Server.
- If necessary, edit the certificate that will be used by mobile devices to connect to the Administration Server.
By default, Administration Server uses the certificate created after the port for mobile devices is opened. You can reissue or replace the certificate issued through the Administration Server with another certificate.
To edit the certificate:
- In the General tab, select the Certificates section.
- Define the required settings.
For more details on working with certificates in Kaspersky Security Center Linux, refer to the Kaspersky Security Center Help.
- Click Save to save the changes you have made and exit the Administration Server properties window.
The mobile device connection settings are configured.
Scenario: Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Web Console
This scenario describes how to configure a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server.
Requirements
For a connection gateway to work correctly with mobile devices, the following requirements must be met:
- Port 13292 must be open on the host with the connection gateway.
- Port 13000 must be open between the connection gateway and Kaspersky Security Center. It does not need to be open outside the DMZ.
- The host must have a static address accessible from the internet.
Stages
The configuration proceeds in the following steps:
- Installing Network Agent in the connection gateway role on a host
First, install Network Agent on the host that will act as the connection gateway.
For information about generating a Network Agent installation package, refer to the Kaspersky Security Center Help.
You can install Network Agent in interactive mode by specifying installation parameters step by step. Alternatively, you can use an answer file—a text file that contains a custom set of installation parameters: variables and their respective values. Using this answer file allows you to run an installation in silent mode, that is, without user participation. For information on installing Network Agent in silent mode, refer to the Kaspersky Security Center Help.
- Configuring the connection gateway on Kaspersky Security Center Administration Server
Once you have installed Network Agent in the connection gateway role, you must connect it to Administration Server. Administration Server does not yet list the device with the connection gateway among the managed devices because the connection gateway has not tried to connect to Administration Server.
You must create a new group under the Managed Devices group and add the device acting as a connection gateway to the group that you have created. For information on manually adding devices to groups in Kaspersky Security Center Web Console, refer to the Kaspersky Security Center Help.
After that, assign the device as a distribution point and configure the distribution point to act as a connection gateway in the Connection gateway section of the distribution point properties. Then enable the Open port for mobile devices (SSL authentication of the Administration Server only) and Open port for mobile devices (two-way SSL authentication) options and specify ports and DNS domain names of the distribution point to connect mobile devices.
Results
The connection gateway will be configured. You will be able to add new mobile devices by specifying the connection gateway address.
Adding installation packages to Administration Server repository
For further deployment of mobile management systems, you need to add the following installation packages to the Administration Server repository:
- Network Agent Linux installation package (for later installation of Network Agent on a workstation).
- iOS MDM Server installation package (for later installation of iOS MDM Server to connect and manage iOS devices).
- Kaspersky Endpoint Security for Android installation package (for later installation of Kaspersky Endpoint Security for Android on devices).
For instructions on adding installation packages to the Administration Server repository, refer to the Kaspersky Security Center Help.
Adding a license key to the Administration Server repository
To connect mobile devices to Kaspersky Security Center Web Console and manage them, you must add a license key that supports the Mobile Device Management solution to the Administration Server repository.
The license under which the solution is used determines the scope of basic or advanced settings you can configure. With a license that does not provide the extended Kaspersky Secure Mobility Management functionality, only basic device protection settings are available in the Kaspersky Mobile Devices Protection and Management plug-in. For detailed information on licenses, refer to the About the license section.
To add a license key to the Administration Server repository:
- In the main window of Kaspersky Security Center Web Console, click the settings icon next to the name of the Administration Server.
In the Administration Server properties window that opens:
- In the General tab, select the License keys section.
- In the Current license block of settings, click Select and specify the KEY file you want to add.
The license you choose must support the Mobile Management solution.
- Click Save.
The license key is added to the Administration Server repository.
To view the list of the license keys added to the Administration Server repository:
In the main window of Kaspersky Security Center Web Console, select Operations > Kaspersky licenses.
The displayed list contains the key files and activation codes added to the Administration Server repository.
To view the detailed information about a license key:
- In the main window of Kaspersky Security Center Web Console, select Operations > Kaspersky licenses.
- Click the name of the required license key.
In the license key properties window that opens, on the General tab, you can view the detailed information about the selected license key.
Installing Network Agent Linux
Network Agent Linux is a Kaspersky Security Center component that enables interaction between the Administration Server and Kaspersky applications that are installed on a workstation or server.
To deploy an iOS device management system, you must install Network Agent on a workstation on which iOS MDM Server will later be deployed. After Network Agent is installed, you will be able to configure and install iOS MDM Server on it to subsequently connect and manage iOS devices.
For the instructions on installing Network Agent Linux, refer to the Kaspersky Security Center Help.
Configuring Kaspersky Security Center Linux Web Server settings
Kaspersky Security Center Linux Web Server (Web Server) is a component of Kaspersky Security Center Linux installed together with the Administration Server. Web Server is designed for network transmission of stand-alone installation packages, device management profiles, and files from a shared folder.
Installation packages that have been created are published on Web Server automatically and then removed after the first download. The administrator can send a new link to the user in any convenient way, such as by email.
For detailed information, refer to the Kaspersky Security Center Help.
To connect mobile devices, make sure the Web Server FQDN is specified correctly in the Administration Server properties:
- In the main window of Kaspersky Security Center Web Console, click the settings icon next to the name of the Administration Server.
- In the Administration Server properties window that opens, on the General tab, select the Web Server section.
- In the Web Server FQDN field, check if the specified FQDN (a fully qualified domain name) is publicly resolvable by DNS servers.
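The checks in the two procedures above (the Open port for mobile devices toggle with its synchronization port and certificate, and the publicly resolvable Web Server FQDN) and the port requirements of the connection gateway scenario can be scripted as a preflight run from outside the corporate network. The following Python script is an added example for this page, not Kaspersky code: it treats "publicly resolvable" as resolving to a globally routable address (a split-horizon answer such as 10.x.x.x passes a naive lookup but is useless to a device on the internet), tests the TCP handshake on the mobile port, and reports how long the certificate served there is still valid. The host name in run_preflight and the resolver callback are assumptions; openssl must be on PATH for the certificate check.

```python
"""Preflight check for the mobile-device endpoint of Administration Server.

Added example for this page; it is not Kaspersky code. Host name and resolver
callback are assumptions for illustration.
"""
import ipaddress
import socket
import ssl
import subprocess
from datetime import datetime, timezone

MOBILE_SYNC_PORT = 13292  # default "Port for mobile device synchronization"


def resolve_public(fqdn, resolver=socket.gethostbyname):
    """Return (ok, detail). "Publicly resolvable" means two things: the name
    resolves, and the answer is a globally routable address. An RFC 1918,
    loopback or link-local answer is what split-horizon DNS returns inside
    the LAN; devices on the internet cannot use it. Run this from outside
    the corporate network, or pass a resolver that asks a public DNS server."""
    try:
        addr = resolver(fqdn)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"{fqdn} does not resolve: {exc}"
    ip = ipaddress.ip_address(addr)
    if not ip.is_global:
        return False, f"{fqdn} resolves to a non-public address {ip}"
    return True, f"{fqdn} -> {ip}"


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout.
    A closed port and a firewall drop both give False; a refusal comes back
    immediately, a drop only after the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_openssl_enddate(line):
    """Parse the 'notAfter=Mar  4 12:00:00 2026 GMT' line printed by
    `openssl x509 -noout -enddate` into an aware UTC datetime."""
    value = line.strip().split("=", 1)[1]
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def cert_days_remaining(host, port=MOBILE_SYNC_PORT, now=None):
    """Fetch the certificate presented on the mobile port and return the
    number of days until it expires. The chain is deliberately not verified:
    Administration Server issues this certificate itself, so a public CA
    bundle would reject it, and the goal is to inspect it, not to trust it.
    Returns None when no TLS handshake can be completed."""
    try:
        pem = ssl.get_server_certificate((host, port))
    except (OSError, ssl.SSLError):
        return None
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate"],
        input=pem, capture_output=True, text=True, check=True,
    ).stdout
    now = now or datetime.now(timezone.utc)
    return (parse_openssl_enddate(out) - now).days


def run_preflight(fqdn, port=MOBILE_SYNC_PORT, min_days=30):
    """Print a report and return True only if every check passed."""
    ok_dns, detail = resolve_public(fqdn)
    print(f"[{'OK' if ok_dns else 'FAIL'}] DNS: {detail}")
    ok_port = tcp_open(fqdn, port)
    port_text = "open" if ok_port else (
        "closed or filtered; check the Open port for mobile devices toggle and the firewall")
    print(f"[{'OK' if ok_port else 'FAIL'}] TCP {fqdn}:{port} ({port_text})")
    days = cert_days_remaining(fqdn, port) if ok_port else None
    ok_cert = days is not None and days >= min_days
    cert_text = "no TLS handshake" if days is None else f"{days} days until expiry"
    print(f"[{'OK' if ok_cert else 'FAIL'}] certificate: {cert_text}")
    return ok_dns and ok_port and ok_cert


if __name__ == "__main__":
    # Assumed host name; use the Web Server FQDN from the Administration Server properties.
    run_preflight("ksc-mobile.example.com")
```

The same tcp_open call with port 13292 against the connection gateway address, and with port 13000 from the gateway host toward Administration Server, covers the two port requirements of the connection gateway scenario.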
Deploying an iOS device management system
Kaspersky Secure Mobility Management lets you manage mobile devices running iOS. This section describes the deployment of an iOS device management system.
About iOS device operating modes
The device operating mode depends on the owner of the mobile device (personal or corporate) and corporate security requirements. You can choose the operating mode that is most suitable for your company and use several modes at the same time.
The following device operating modes are available for iOS devices:
- Basic protection
- Basic control
- Supervised
Basic protection
Basic protection is the device operating mode for personal or corporate iOS devices. This operating mode lets you protect against web threats and detect jailbreaking on devices using the Kaspersky Security for iOS app.
Basic control
Basic control is the device operating mode for personal iOS devices. This operating mode lets you protect and perform basic management of devices.
The user is allowed to use a personal Apple ID, work with any apps, and store personal data on the device. You can configure policy settings to control user's access to corporate resources and manage other security requirements.
To manage iOS devices in the basic control operating mode, you must have an installed and configured iOS MDM Server.
Supervised
Supervised is the device operating mode for corporate iOS devices. This operating mode provides a wider range of settings to define through the policy than devices in other operating modes, for example:
- Send additional commands to manage Bluetooth settings, update the operating system, locate the device, or sound an alarm in Lost Mode.
- Manage advanced restrictions:
- Network restrictions (prohibit modifying Personal Hotspot settings, prohibit creating VPN configurations, force Wi-Fi on and restrict connections to specified Wi-Fi networks, prohibit modifying Bluetooth settings).
- App restrictions (for example, prohibit installation of apps from Apple Configurator and iTunes).
- Prohibit access to USB devices in Files and disable access to USB devices when the device is locked.
- Configure advanced App Control settings (for example, create custom lists of allowed and forbidden apps).
- Configure Web Control settings.
- Configure an HTTP proxy server to monitor internet traffic on a device within the corporate network.
To manage iOS devices in the supervised operating mode, you must have an installed and configured iOS MDM Server and devices switched to the supervised status in Apple Configurator. For detailed information on working with Apple Configurator, refer to the Apple Technical Support website.
About device management profiles
A device management profile contains the settings for connecting mobile devices running iOS to Kaspersky Security Center. After the profile is installed and the device synchronizes with iOS MDM Server, the device becomes a managed device (iOS MDM device). iOS MDM devices are managed through the Apple Push Notification service (APNs).
Using a device management profile, you can do the following:
- Remotely configure the settings of iOS devices using policies.
- Send commands to iOS MDM devices.
- Remotely install Kaspersky apps and third-party apps.
The deployment of a device management profile is carried out via Kaspersky Security Center Web Console using the Mobile device connection wizard. The user installs the device management profile after receiving an email with the details for connecting the mobile device to Kaspersky Security Center. No additional preparations for the profile are required.
Before installing a device management profile, you must deploy an iOS device management system.
Deploying Kaspersky Security for iOS
This section contains a general overview of the Kaspersky Security for iOS app and the activation process.
For detailed information on Kaspersky Security for iOS features and how to install, update, or remove the app, refer to the Using the Kaspersky Security for iOS app section.
About Kaspersky Security for iOS
The Kaspersky Security for iOS app ensures protection of mobile devices against phishing and web threats.
The Kaspersky Security for iOS app offers the following key features:
- Web Protection. This component blocks malicious websites designed to spread malicious code. Web Protection also blocks fake (phishing) websites designed to steal the user's confidential data (for example, passwords for online banking or e-money systems) and access the user's financial info. Web Protection uses the Kaspersky Security Network cloud service to scan websites before they are opened. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. You can configure this component in Kaspersky Security Center Web Console by defining the corresponding policy settings.
- Jailbreak detection. When Kaspersky Security for iOS detects a jailbreak, it displays a critical message and informs you about the issue.
Activating Kaspersky Security for iOS
In Kaspersky Security Center, the license can cover various groups of features. To ensure that the Kaspersky Security for iOS app is fully functional, the Kaspersky Security Center license purchased by the organization must support the Mobile Device Management functionality.
For detailed information about licensing options, refer to the About the license section.
The Kaspersky Security for iOS app is activated on a mobile device by providing valid license information to the app. License information is delivered to the device together with the policy settings as soon as the device is synchronized with Kaspersky Security Center.
If activation of the mobile app is not completed within 30 days from the time of installation on the mobile device, the app is automatically switched to limited functionality mode. In this mode, most of the app components are not operational. When switched to limited functionality mode, the app stops performing automatic synchronization with Kaspersky Security Center. Accordingly, if activation of the app has not been completed within 30 days after the installation, the user must synchronize the device with Kaspersky Security Center manually.
If Kaspersky Security Center is not deployed in your organization or is not accessible to mobile devices, users can activate the mobile app on their devices manually.
To activate the mobile app:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Click the License button.
- In the window that opens, use the drop-down list to select the required license key from the key storage of the Administration Server.
The details of the license key are displayed in the fields below.
If a key file is selected from the Kaspersky Security Center key storage and sent to the device, Kaspersky Security for iOS will not be able to process it, because Kaspersky Security for iOS does not support this activation method. To activate Kaspersky Security for iOS, you must add an activation code to Kaspersky Security Center.
You can replace the existing activation key on the mobile device if it is different from the one selected in the drop-down list above. To do so, select the Replace with selected key if the key on devices is different check box.
- Click Save to save the changes you have made.
The app is activated after the next device synchronization with the Administration Server.
The user can also contact the administrator for an activation code and enter it manually.
Deploying a management system using the iOS MDM protocol
iOS devices with basic control and supervised operating modes are managed using the iOS MDM protocol. To deploy a mobile management system using the iOS MDM protocol and connect iOS devices to Kaspersky Security Center, follow these steps:
- Deploy iOS MDM Server
- Receive an APNs certificate
- Install the APNs certificate on iOS MDM Server
- Connect iOS devices to Kaspersky Security Center
Deploying iOS MDM Server
iOS MDM Server is a component of Kaspersky Secure Mobility Management that allows iOS MDM devices to connect to Kaspersky Security Center and manages these devices through the Apple Push Notification service (APNs) by installing dedicated device management profiles on them.
iOS MDM Server accepts inbound connections from mobile devices on its TLS port (port 443 by default). iOS MDM Server itself is managed by Kaspersky Security Center through Network Agent, which is installed locally on the device where iOS MDM Server is deployed.
The number of copies of iOS MDM Server to be installed can be selected either based on available hardware or on the total number of mobile devices covered.
Please keep in mind that the recommended maximum number of mobile devices to be managed through iOS MDM Server is 50,000. In order to reduce the load, the entire pool of devices can be distributed among several servers that have iOS MDM Server installed.
Configuring an iOS MDM Server installation package
Before you install iOS MDM Server, you need to configure the iOS MDM Server installation package properties.
The iOS MDM Server installation package is an archive that contains the files required for the installation of the iOS MDM Server depending on the package manager and architecture: kliosmdm-<architecture>-<version>-<package manager>_<language>.tar.gz
To configure an iOS MDM Server installation package:
- In the main window of Kaspersky Security Center Web Console, select Operations > Repositories > Installation packages.
- In the window that opens, click the iOS MDM Server installation package you want to configure.
The installation package properties window opens.
- In the Settings tab, specify the iOS MDM Server properties.
- In the Connection settings group of settings, configure the following properties (the default values are recommended):
- iOS MDM external connection port. In this field, specify the external port on which iOS MDM Server accepts connections from mobile devices. Port 443 is used by default. If port 443 is already in use by another service or application, it can be replaced with, for example, port 9443.
- Network Agent connection port. In this field, specify the port through which the iOS MDM service connects to Network Agent. The default port number is 9799.
- iOS MDM local connection port. In this field, specify the local port through which Network Agent connects to the iOS MDM service. The default port number is 9899.
In addition to the iOS MDM external connection port, the following APNs ports must be open in the firewall:
- Port 2197 is used by iOS MDM Server to send notifications to the APNs servers.
- Port 5223 is used by mobile devices to communicate with the APNs servers.
APNs servers run in load-balancing mode, so connections do not always go to the same IP addresses. The 17.0.0.0/8 address range is reserved for Apple; allow this entire range on both ports in the firewall rather than individual addresses.
- In the iOS MDM Server address group of settings, specify the address of the workstation on which iOS MDM Server is to be installed. Managed mobile devices use this address to connect to the iOS MDM service, so the workstation must be reachable by iOS MDM devices.
Choose one of the following options:
- Use FQDN device name. The fully qualified domain name (FQDN) of the device will be used.
- Use specified address. Specify the address of the device manually.
Do not add the URL scheme and the port number to the address string. These values will be added automatically.
- Click Save.
The iOS MDM Server installation package properties are configured. Now you can install iOS MDM Server with the specified settings.
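The port and address-range requirements in the procedure above are easy to get subtly wrong: allowing the single APNs address seen in a packet capture instead of the whole 17.0.0.0/8, or leaving an inbound rule for 443 after the external connection port was moved to 9443. The following Python script is an added example for this page, not Kaspersky code; it evaluates a firewall policy against the required flows and against constructed connection records. The policy format (allow entries of direction, peer network or "any", port), the weak policy and the observed flows are all constructed for illustration; the port numbers are the defaults named above.

```python
"""Audit a host firewall policy against the ports an iOS MDM Server needs.

Added example; not Kaspersky code. Policy format, WEAK_POLICY and OBSERVED
are constructed for illustration.
"""
import ipaddress

APPLE_APNS_NET = ipaddress.ip_network("17.0.0.0/8")  # range reserved for Apple
APNS_SERVER_PORT = 2197    # iOS MDM Server -> APNs (notifications)
APNS_DEVICE_PORT = 5223    # managed devices -> APNs
DEFAULT_EXTERNAL_PORT = 443


def required_flows(external_port=DEFAULT_EXTERNAL_PORT, role="server"):
    """Flows that must be allowed. Direction is relative to the host the
    policy protects: "in" = toward it, "out" = from it. Peer "any" means the
    rule must be unrestricted (devices arrive from arbitrary addresses)."""
    if role == "server":
        return [
            ("in", "any", external_port, "devices -> iOS MDM external connection port"),
            ("out", APPLE_APNS_NET, APNS_SERVER_PORT, "iOS MDM Server -> APNs"),
        ]
    if role == "device":  # e.g. the corporate Wi-Fi egress policy
        return [
            ("out", APPLE_APNS_NET, APNS_DEVICE_PORT, "device -> APNs"),
            ("out", "any", external_port, "device -> iOS MDM Server"),
        ]
    raise ValueError(f"unknown role {role!r}")


def _covers(net, peer):
    """True if rule network `net` covers the required peer (network or "any")."""
    if net == "any":
        return True
    if peer == "any":
        return False              # a restricted rule never covers "any"
    return net.supernet_of(peer)  # an equal network counts as covered


def coverage_gaps(policy, external_port=DEFAULT_EXTERNAL_PORT, role="server"):
    """Required flows that no policy entry fully covers. This is where a
    pinned APNs address shows up: 17.0.0.1/32 does not cover 17.0.0.0/8, and
    APNs load balancing will eventually route you to another address."""
    gaps = []
    for direction, peer, port, why in required_flows(external_port, role):
        if not any(d == direction and p == port and _covers(net, peer)
                   for d, net, p in policy):
            gaps.append(why)
    return gaps


def allowed(policy, direction, peer_ip, port):
    """Would one observed connection pass the policy?"""
    ip = ipaddress.ip_address(peer_ip)
    return any(d == direction and p == port and (net == "any" or ip in net)
               for d, net, p in policy)


def blocked_flows(policy, observed):
    """observed: iterable of (direction, peer_ip, port) taken from connection
    logs. Returns the records the policy would drop."""
    return [flow for flow in observed if not allowed(policy, *flow)]


def recommended_policy(external_port=DEFAULT_EXTERNAL_PORT):
    """Minimal allow list for the iOS MDM Server host."""
    return [
        ("in", "any", external_port),
        ("out", APPLE_APNS_NET, APNS_SERVER_PORT),
    ]


# Constructed weak policy: one APNs address from a packet capture was allowed,
# and inbound 443 was kept although the package was reconfigured to 9443.
WEAK_POLICY = [
    ("in", "any", 443),
    ("out", ipaddress.ip_network("17.0.0.1/32"), APNS_SERVER_PORT),
]

# Constructed connection records: APNs balanced the server onto a second
# address, and a device reaches the server on the reconfigured port.
OBSERVED = [
    ("out", "17.0.0.1", APNS_SERVER_PORT),
    ("out", "17.200.5.6", APNS_SERVER_PORT),
    ("in", "198.51.100.7", 9443),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("recommended", recommended_policy(9443))):
        print(name, "gaps:", coverage_gaps(policy, external_port=9443))
        print(name, "blocked:", blocked_flows(policy, OBSERVED))
```

Running coverage_gaps with role="device" against the corporate Wi-Fi egress policy checks the device side of the same requirement (port 5223 to 17.0.0.0/8 plus the external connection port toward the server).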
Installing iOS MDM Server using a remote installation task
Kaspersky Security Center Web Console lets you install iOS MDM Server remotely using a remote installation task. This task is created and assigned to up to 1000 devices through a corresponding wizard. The wizard will help install iOS MDM Server in an administration group, on devices with specific IP addresses, or on a selection of managed devices.
Please note that you will not be able to specify the iOS MDM Server settings during the installation. The settings are configured in the iOS MDM Server installation package properties.
Before installing iOS MDM Server on a device, make sure the Kaspersky Mobile Devices Protection and Management and iOS MDM Server settings plug-ins are installed.
To install iOS MDM Server using a remote installation task:
- Install Network Agent on a workstation on which iOS MDM Server will be deployed.
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers.
- Click Install.
The New task wizard starts. Proceed through the wizard using the Next button.
- In the New task settings window that opens:
- In the Task name field, specify a custom name for the task, if necessary (The default name is "Install iOS MDM Server").
- In the Devices to which the task will be assigned group of settings, choose Specify device addresses manually or import addresses from a list. You can specify DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.
- At the Task scope step:
- Click Add devices.
- In the window that opens, in the drop-down list, choose the Select networked devices detected by Administration Server option.
- Select devices or a device selection.
- Click Add.
After you add the devices, they are displayed in the table.
- At the Installation packages step, specify the following settings:
- In the Select installation package field, select the configured iOS MDM Server installation package.
- In the Select Network Agent field, select the installed Network Agent.
- In the Force installation package download group of settings, select the Using Network Agent check box to distribute the files that are required for iOS MDM Server installation via Network Agent.
- In the Maximum number of concurrent downloads field, specify the maximum allowed number of devices to which Administration Server can simultaneously transmit the files.
- In the Maximum number of installation attempts field, specify the maximum number of times the installer will be allowed to run.
- Specify the additional settings:
- Click the Do not re-install application if it is already installed check box. The application will not be re-installed if it has already been installed on the device.
- Click the Verify operating system type before downloading check box. Before transmitting the files to devices, Kaspersky Security Center checks if the installation utility settings are applicable to the operating system of the device. If the settings are not applicable, Kaspersky Security Center does not transmit the files and does not attempt to install the application. For example, to install some application to devices of an administration group that includes devices running various operating systems, you can assign the installation task to the administration group, and then enable this option to skip devices that run an operating system other than the required one.
- At the next step of the wizard, you will be prompted to select the action that will be performed if the installation process prompts to restart the operating system. Select the Do not restart the device option or skip this step, as it does not apply to the Linux operating system.
- At the Select accounts to access devices step, choose the No account required (Network Agent installed) option. If this option is selected, you do not have to specify the account under which the application installer will be run. The task will run under the account under which the Administration Server service is running. If Network Agent has not been installed on devices, this option is unavailable.
- At the Finish task creation step, click the Finish button to create the task and close the wizard.
iOS MDM Server is installed using a remote installation task.
Local installation of iOS MDM Server on a device via an installation package
Kaspersky Security Center Web Console lets you install iOS MDM Server on a local device using an installation package, that is, without interactively inputting the installation settings.
Before installing iOS MDM Server on a device, make sure the Kaspersky Mobile Devices Protection and Management and iOS MDM Server settings plug-ins are installed.
To install and configure iOS MDM Server on a local device manually:
- Install iOS MDM Server:
- Read the End User License Agreement. Use the command below only if you understand and accept the terms of the End User License Agreement.
- Depending on your operating system, run one of the following commands to launch the installation file:
- For Debian:
apt install /<path>/kliosmdm_<version_number>_amd64.deb
- For Red Hat Enterprise Linux:
yum install /<path>/kliosmdm_<version_number>.x86_64.rpm -y
iOS MDM Server is installed. The installer offers to start the setup procedure by executing the postinstall.pl script.
- Configure iOS MDM Server using one of the following methods:
- Configuration with the postinstall settings specified by the interactive step-by-step wizard:
- Run the following command:
/opt/kaspersky/iosmdm/lib/bin/setup/postinstall.pl
- Configuration with the key arguments specified as postinstall settings:
- Run the following command:
opt/kaspersky/bin/postinstall.pl -- <params>
where <params> is one of the settings specified in the iOS MDM Server installation settings table below.
The names and possible values for the settings that can be configured when installing iOS MDM Server are listed in the table. You can specify these settings in any convenient order.
iOS MDM Server installation settings

| Setting name | Setting description | Values |
|---|---|---|
| EULA_ACCEPTED | Acceptance of the terms of the End User License Agreement. This setting is mandatory. | |
| DONT_USE_ANSWER_FILE | Whether or not to use a TXT answer file with iOS MDM Server installation settings. The file is included in the installation package or stored on the Administration Server. You do not have to specify an additional path to the file. This setting is mandatory. | |
| CONNECTORPORT | Local port for connecting the iOS MDM service to Network Agent. The default port number is 9799. This setting is optional. | Numerical value - 9799 |
| LOCALSERVERPORT | Local port for connecting Network Agent to the iOS MDM service. The default port number is 9899. This setting is optional. | Numerical value - 9899 |
| EXTERNALSERVERPORT | Port for connecting a device to iOS MDM Server. The default port number is 443. This setting is optional. | Numerical value - 443 |
| EXTERNAL_SERVER_URL | External address of the device on which iOS MDM Server is to be installed. This address will be used for connecting managed mobile devices to the iOS MDM service. The device must be available for connection through iOS MDM. The address must not include the URL scheme and number of the port because these values will be added automatically. This setting is optional. | Device FQDN - example.fqdn.com |
| Example: | | |
To install and configure iOS MDM Server in silent mode automatically using an answer file:
An answer file is a text file that contains a custom set of installation settings (variables and their corresponding values).
- Create an answer file (in TXT format) in the directory where the installation will be performed: /tmp/answers.txt.
- Specify the required values in the answer file:
- EULA_ACCEPTED=1
Acceptance of the terms of the End User License Agreement.
- KLIOSMDM_AUTOINSTALL=1
Using a TXT answer file with iOS MDM Server installation settings.
- EXTERNALSERVERPORT=443
Port for connecting a device to iOS MDM Server.
- CONNECTORPORT=9799
Local port for connecting the iOS MDM service to Network Agent.
- LOCALSERVERPORT=9899
Local port for connecting Network Agent to the iOS MDM service.
- EXTERNAL_SERVER_URL=example.fqdn.com
External address of the device on which iOS MDM Server is to be installed.
- Set the value of the KLAUTOANSWERS environment variable by entering the full name of the answer file (including the path), for example:
export KLAUTOANSWERS=/tmp/answers.txt
- Launch the iOS MDM Server installation.
iOS MDM Server is installed and configured in silent mode automatically using an answer file.
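The following POSIX shell script is an added example, not part of the Kaspersky documentation or installer: it writes an answer file with the settings listed above, restricts its permissions, and checks the file before KLAUTOANSWERS is exported (the required keys are present, the port values are numeric and in range, and EXTERNAL_SERVER_URL is a bare FQDN without scheme or port, as the settings table requires). The key names come from this page; the function names and the host name mdm.example.com are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Kaspersky's code): builds and validates a KLAUTOANSWERS
# answer file for a silent iOS MDM Server installation.
# Assumes the installer honours exactly the keys documented on this page.

# write_answer_file FILE FQDN [EXTERNAL_PORT] [CONNECTOR_PORT] [LOCAL_PORT]
# Creates FILE readable only by the current user (umask 077) and fills it with
# the documented keys, using the page's default port numbers when not given.
write_answer_file() {
    file="$1"; fqdn="$2"
    [ -n "$file" ] && [ -n "$fqdn" ] || return 1
    ext_port="${3:-443}"; conn_port="${4:-9799}"; local_port="${5:-9899}"
    (umask 077; : > "$file") || return 1
    {
        echo "EULA_ACCEPTED=1"
        echo "KLIOSMDM_AUTOINSTALL=1"
        echo "EXTERNALSERVERPORT=$ext_port"
        echo "CONNECTORPORT=$conn_port"
        echo "LOCALSERVERPORT=$local_port"
        echo "EXTERNAL_SERVER_URL=$fqdn"
    } > "$file"
}

# check_answer_file FILE
# Returns 0 when the mandatory keys are present, every port that is set is a
# number in 1..65535, and EXTERNAL_SERVER_URL (if set) carries no scheme, port
# or path, because the installer adds scheme and port itself.
check_answer_file() {
    file="$1"
    grep -qx 'EULA_ACCEPTED=1' "$file" \
        || { echo "EULA_ACCEPTED=1 is missing" >&2; return 1; }
    grep -qx 'KLIOSMDM_AUTOINSTALL=1' "$file" \
        || { echo "KLIOSMDM_AUTOINSTALL=1 is missing" >&2; return 1; }
    for key in EXTERNALSERVERPORT CONNECTORPORT LOCALSERVERPORT; do
        val=$(sed -n "s/^$key=//p" "$file")
        if [ -n "$val" ]; then            # optional keys: installer default applies when absent
            case "$val" in
                *[!0-9]*) echo "$key is not numeric: $val" >&2; return 1 ;;
            esac
            if [ "$val" -lt 1 ] || [ "$val" -gt 65535 ]; then
                echo "$key is out of range: $val" >&2; return 1
            fi
        fi
    done
    url=$(sed -n 's/^EXTERNAL_SERVER_URL=//p' "$file")
    case "$url" in
        *://*|*:*|*/*) echo "EXTERNAL_SERVER_URL must be a bare FQDN: $url" >&2; return 1 ;;
    esac
    return 0
}

# Usage (the package installation itself is not run by this script):
#   write_answer_file /tmp/answers.txt mdm.example.com
#   check_answer_file /tmp/answers.txt && export KLAUTOANSWERS=/tmp/answers.txt
#   apt install /<path>/kliosmdm_<version_number>_amd64.deb
```

The answer file is created with mode 600 because the installer reads it from a path named in an environment variable, and a world-writable or world-readable copy in /tmp would let another local user alter the external address or ports before the installer runs.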
Updating iOS MDM Server using a remote installation task or locally
Kaspersky Security Center Web Console lets you update iOS MDM Server using a remote installation task or locally on a device.
Please note that you will not be able to specify the iOS MDM Server settings during the update. The settings are configured in the iOS MDM Server installation package properties.
To update iOS MDM Server using a remote installation task:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers.
- Click Update.
The New task wizard starts. Proceed through the wizard using the Next button.
- In the New task settings window that opens:
- In the Task name field, specify a custom name for the task, if necessary (the default name is Update iOS MDM Server).
- In the Devices to which the task will be assigned group of settings, the device on which iOS MDM Server is installed will be displayed.
- At the Installation packages step, specify the following settings:
- In the Select installation package field, select the configured iOS MDM Server installation package.
- In the Force installation package download group of settings, select the Using Network Agent check box to distribute the files that are required to update iOS MDM Server via Network Agent.
- In the Maximum number of concurrent downloads field, specify the maximum allowed number of client devices to which Administration Server can simultaneously transmit the files.
- In the Maximum number of installation attempts field, specify the maximum number of times the installer will be allowed to run.
- Specify the additional settings:
- Click the Do not re-install application if it is already installed check box. The application will not be re-installed if it has already been installed on this device.
- Click the Verify operating system type before downloading check box. Before transmitting the files to devices, Kaspersky Security Center checks if the installation utility settings are applicable to the operating system of the device. If the settings are not applicable, Kaspersky Security Center does not transmit the files and does not attempt to install the application. For example, to install some application on devices of an administration group that includes devices running various operating systems, you can assign the installation task to the administration group, and then enable this option to skip devices that run an operating system other than the required one.
- At the next step of the wizard, you will be asked to select the action that will be performed if the application installation prompts you to restart the operating system. Select the Do not restart the device option or skip this step, as it does not apply to the Linux operating system.
- At the Select accounts to access devices step, choose the No account required (Network Agent installed) option. If this option is selected, you do not have to specify the account under which the application installer will be run. The task will run under the account under which the Administration Server service is running. If Network Agent has not been installed on devices, this option is unavailable.
- At the Finish task creation step, click the Finish button to create the task and close the wizard.
iOS MDM Server is updated using the remote installation task.
To update iOS MDM Server locally, follow the steps described for Local installation of iOS MDM Server on a device via installation package using the newer version of the installation package.
Deleting iOS MDM Server using a remote uninstallation task
Kaspersky Security Center Web Console lets you delete iOS MDM Server remotely using a remote uninstallation task.
Before deleting iOS MDM Server, make sure the iOS MDM Server installation package has been created and added to the Administration Server repository (Operations > Repositories > Installation packages).
To delete iOS MDM Server:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers.
- Select the iOS MDM Server that you want to uninstall, and then click Delete.
The New task wizard starts. Follow the wizard steps as described in the Kaspersky Security Center Help.
Viewing the list of installed iOS MDM Servers and configuring their settings
Kaspersky Security Center Web Console lets you view the list of installed iOS MDM Servers and access their settings.
To view the installed iOS MDM Servers:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers.
- In the list of installed iOS MDM Servers that opens:
- To install iOS MDM Server, click Install.
- To update iOS MDM Server, click Update.
- To delete iOS MDM Server, click Delete.
- To view or configure the iOS MDM Server settings, do one of the following:
- Select the check box next to the iOS MDM Server whose settings you want to view or configure, and then click Modify settings.
The Application settings tab of the iOS MDM Server settings window opens.
- Click the name of the iOS MDM Server whose settings you want to view or configure.
In the iOS MDM Server settings window that opens, navigate to the Application settings tab.
To view or configure the iOS MDM Server settings:
- Navigate to the Application settings tab of the iOS MDM Server settings window using the instructions above.
- In the General section, you can view the general iOS MDM Server properties.
- Name. The iOS MDM Server custom name.
- Version. The version of the installed iOS MDM Server.
- Modified. The date and time of the latest iOS MDM Server update or modification.
- Host name. The name of the device on which iOS MDM Server is installed.
- Host path. The path to iOS MDM Server on the device on which it is installed.
You cannot modify the settings in this section.
- In the APNs proxy server section, you can specify the following settings for Apple Push Notification Service (APNs):
- Address. APNs proxy server address.
- Port. APNs proxy server port.
- User name. APNs proxy user name.
- Password. APNs proxy password.
If you intend to access APNs from the iOS MDM service through a proxy server, the Use proxy server to connect to APNs option must be enabled.
For detailed information on APNs proxy server, refer to the Configuring access to Apple Push Notification service section.
- In the Certificates section, you can manage the certificates required for the operation of iOS MDM Server.
- Apple Push Notification service (APNs) certificate. The APNs certificate is signed by Apple and lets you use Apple Push Notification. Through Apple Push Notification, an iOS MDM Server can manage iOS devices. For detailed information on the APNs certificate, refer to the Receiving or renewing an APNs certificate section.
- iOS MDM Server certificate. The iOS MDM Server certificate is used to establish the connection and verify trust between iOS devices and iOS MDM Server.
- iOS MDM Server reserve certificate. The iOS MDM Server reserve certificate ensures seamless switching of iOS devices after the main iOS MDM Server certificate expires. For detailed information on the iOS MDM Server reserve certificate, refer to the Configuring a reserve iOS MDM Server certificate section.
- iOS MDM Server root certificate. The iOS MDM Server root certificate is used to issue client certificates to authenticate on iOS MDM Server.
- In the Connection settings section, you can view and configure the settings for mobile device connection to iOS MDM Server.
- In the Synchronization block of settings, you can enable or disable the synchronization of managed devices with iOS MDM Server and specify the Synchronization period (min).
- In the Local access point block of settings, you can specify the Network Agent connection port (a port for connecting iOS devices to Network Agent) and iOS MDM local connection port (a local port for connecting Network Agent to the iOS MDM service). For detailed information on these values, refer to the Configuring an iOS MDM Server installation package section.
- In the External access point block of settings, you can specify the iOS MDM external connection port (external port for connecting mobile devices to the iOS MDM service).
- In the iOS MDM installation profile block of settings, you can configure the installation profile properties. You can specify Profile name (a mandatory field), Company, and Profile description.
Please note that the settings in this section are applied to newly connected iOS MDM devices or to previously connected iOS MDM devices when their mobile certificates are renewed.
- In the Configuration profiles section, you can view and manage configuration profiles, which are used to centrally define the settings of managed iOS devices and restrict the features of these devices. For detailed information on managing configuration profiles, refer to the Adding a configuration profile, Installing a configuration profile on a device, and Removing a configuration profile from a device sections.
Configuring an iOS MDM Server certificate
The iOS MDM Server certificate is used to establish a connection and verify trust between the iOS MDM device and iOS MDM Server.
The iOS MDM Server certificate is issued by Kaspersky Security Center automatically upon the initial deployment of iOS MDM Server and installed on a device where iOS MDM Server is deployed. If you want to use a certificate issued by your certification authority, you need to specify a custom certificate file that will be used as an iOS MDM Server certificate.
If you specify a custom iOS MDM Server certificate, the Issue button for the iOS MDM Server reserve certificate will become unavailable. You need to specify the reserve certificate manually by clicking Install.
To specify a custom iOS MDM Server certificate:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
- In the iOS MDM Server settings window, select Application settings.
- Select the Certificates tab.
- In the iOS MDM Server certificate block of settings, click Install.
- In the File Explorer window that opens, specify a certificate file in PEM, PFX, or P12 format, and then click Open.
Make sure the certificate you install complies with the following security requirements:
- Common Name (CN) is specified;
- a correct Subject Alternative Name (SAN) of DNS is specified and matches the iOS MDM Server connection address;
- a correct certificate publisher is specified;
- a correct certificate expiration date is specified;
- the certificate chain is complete;
- Extended Key Usage (EKU) is XKU_SSL_SERVER (1.3.6.1.5.5.7.3.1 serverAuth);
- the root certificate is the same as the root certificate of the current certificate;
- the RSA key size in the certificate chain is at least 2048 bits;
- the RSA key size of the root certificate is at least 4096 bits;
- the hash algorithm in the certificate chain is from the SHA-2 family.
- In the Installing certificate window that opens, enter the certificate password, and then click Install.
- Click Save.
Your custom certificate is specified as the iOS MDM Server certificate. The certificate details are displayed in the iOS MDM Server certificate block of settings.
Configuring a reserve iOS MDM Server certificate
The iOS MDM Server functionality lets you issue a reserve certificate. This certificate is intended for use in device management profiles to ensure seamless switching of managed iOS devices after the iOS MDM Server certificate expires.
If your iOS MDM Server uses a default certificate issued by Kaspersky, you can issue a reserve certificate (or specify your own custom certificate as a reserve one) before the iOS MDM Server certificate expires. By default, the reserve certificate is automatically issued 60 days before the iOS MDM Server certificate expires. The reserve iOS MDM Server certificate becomes the main certificate immediately after the iOS MDM Server certificate expires. The public key is distributed to all managed devices through configuration profiles, so you do not have to transmit it manually.
Please note that the reserve iOS MDM Server certificate is not issued automatically if you use an iOS MDM Server custom certificate. If you use a custom certificate, we recommend that you specify a reserve certificate when installing iOS MDM Server or no later than 30 days before the expiration of the existing iOS MDM Server certificate.
If the certificate expires and no reserve has been specified, the connection between iOS MDM Server and iOS MDM devices will be lost. In this case, to reconnect devices, you must specify a new certificate and reinstall device management profiles on each of the managed devices.
To issue a reserve iOS MDM Server certificate or specify a custom reserve certificate:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
- In the iOS MDM Server settings window, select Application settings.
- Select the Certificates tab.
- In the iOS MDM Server reserve certificate block of settings, do one of the following:
- If you plan to continue using a self-signed certificate (the one issued by Kaspersky):
- Click Issue.
If you have a custom iOS MDM Server certificate specified, the Issue button for the iOS MDM Server reserve certificate will be unavailable. You need to specify the reserve certificate manually by clicking Install.
- In the Apply iOS MDM Server reserve certificate window that opens, select one of the two options for the date when the reserve certificate should be applied:
- If you want to apply the reserve certificate when the current certificate expires, select the After the current certificate expires option.
- If you want to apply the reserve certificate before the current certificate expires, select the After specified period (days) option. In the entry field next to this option, specify the duration of the period after which the reserve certificate must replace the current certificate.
The validity period of the reserve certificate that you specify cannot exceed the validity period of the current iOS MDM Server certificate.
- Click OK.
The self-signed reserve iOS MDM Server certificate is issued and specified as the reserve iOS MDM Server certificate.
Please note that when you specify the date when the reserve certificate should be applied, the certificate will be issued before you save the changes in the Certificates section. If you want to issue a new reserve certificate, open the iOS MDM Server settings again, remove the previously issued reserve certificate by clicking Delete, and issue a new reserve certificate by following the instructions above.
- If you plan to use a custom certificate issued by your certification authority:
- Click Install.
- In the File Explorer window that opens, specify a certificate file in PEM, PFX, or P12 format, and then click Open.
Make sure the certificate you install complies with the following security requirements:
- a correct Subject Alternative Name (SAN) of DNS is specified and matches the iOS MDM Server connection address;
- a correct certificate publisher is specified;
- a correct certificate expiration date is specified;
- the certificate chain is complete;
- Extended Key Usage (EKU) is XKU_SSL_SERVER (1.3.6.1.5.5.7.3.1 serverAuth);
- the root certificate is the same as the root certificate of the current certificate;
- the RSA key size in the certificate chain is at least 2048 bits;
- the RSA key size of the root certificate is at least 4096 bits;
- the hash algorithm in the certificate chain is from the SHA-2 family.
- In the Installing certificate window that opens, enter the certificate password, and then click Install.
- Click Save.
Your custom certificate is specified as the reserve iOS MDM Server certificate.
You have a specified reserve iOS MDM Server certificate. The reserve certificate details are displayed in the iOS MDM Server reserve certificate block of settings.
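The requirement lists for a custom iOS MDM Server certificate and for a custom reserve certificate above are identical, so one check serves both. The script below is an added example that uses the openssl command-line tool and is not part of Kaspersky's product or documentation: it verifies a PEM server certificate for a CN, a SAN DNS entry equal to the connection address, the serverAuth EKU, an unexpired validity period, an RSA key of at least 2048 bits on the leaf and 4096 bits on the root, SHA-2 signatures, and a chain that verifies up to the root. It assumes LEAF and ROOT are single PEM certificates, HOST is the iOS MDM Server connection address, and an optional INTERMEDIATES file holds any intermediate CA certificates; the function names and mdm.example.com are assumptions made for the example. The "same root as the current certificate" requirement needs the currently installed certificate and is not covered.

```shell
#!/bin/sh
# Added example (not Kaspersky's tooling): checks a server certificate against
# the requirements listed on this page using the openssl CLI.
# Assumptions: LEAF and ROOT are PEM files holding one certificate each, HOST is
# the iOS MDM Server connection address, INTERMEDIATES (optional) is a PEM bundle.
# RSA-PSS signatures are not handled: the check expects shaNNNWithRSAEncryption.

# key_bits FILE: prints the public key size in bits of the first certificate in FILE.
# Matches both "RSA Public-Key: (N bit)" (OpenSSL 1.1) and "Public-Key: (N bit)" (3.x).
key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# sha2_signed FILE: succeeds if the certificate signature uses a SHA-2 digest.
sha2_signed() {
    openssl x509 -in "$1" -noout -text \
        | grep -Eq 'Signature Algorithm: sha(224|256|384|512)'
}

# check_mdm_server_cert LEAF ROOT HOST [INTERMEDIATES]
# Prints one "FAIL: ..." line per unmet requirement; returns 0 only if all are met.
check_mdm_server_cert() {
    leaf="$1"; root="$2"; host="$3"; inter="$4"; rc=0
    text=$(openssl x509 -in "$leaf" -noout -text) || return 1
    host_re=$(printf '%s' "$host" | sed 's/\./\\./g')   # literal dots in the regex

    # Common Name (CN) must be present in the Subject.
    printf '%s\n' "$text" | grep -Eq '^ *Subject:.*CN *= *[^,]' \
        || { echo "FAIL: no Common Name (CN)"; rc=1; }
    # SAN must carry a DNS entry equal to the connection address; CN alone is not enough.
    printf '%s\n' "$text" | grep -Eq "(^|[ ,])DNS:$host_re(,|\$)" \
        || { echo "FAIL: SAN has no DNS entry matching $host"; rc=1; }
    # EKU must include serverAuth (1.3.6.1.5.5.7.3.1).
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: EKU lacks serverAuth"; rc=1; }
    # Expiration date must still be in the future.
    openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; rc=1; }
    # RSA key sizes: leaf at least 2048 bits, root at least 4096 bits.
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' \
        || { echo "FAIL: leaf key is not RSA"; rc=1; }
    [ "$(key_bits "$leaf")" -ge 2048 ] 2>/dev/null \
        || { echo "FAIL: leaf RSA key shorter than 2048 bits"; rc=1; }
    [ "$(key_bits "$root")" -ge 4096 ] 2>/dev/null \
        || { echo "FAIL: root RSA key shorter than 4096 bits"; rc=1; }
    # Hash algorithm across the chain must be from the SHA-2 family.
    sha2_signed "$leaf" && sha2_signed "$root" \
        || { echo "FAIL: a certificate in the chain is not SHA-2 signed"; rc=1; }
    # The chain must be complete and verify up to the root.
    if [ -n "$inter" ]; then
        openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
    fi || { echo "FAIL: chain does not verify up to the root"; rc=1; }
    return $rc
}

# Usage:
#   check_mdm_server_cert server.pem root.pem mdm.example.com intermediates.pem && echo OK
```

Run the check on the certificate file before clicking Install: a certificate that fails the SAN or EKU test is accepted by the file dialog but will not be trusted by iOS devices, and a root shorter than 4096 bits cannot be fixed later without replacing the whole chain.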
Receiving or renewing an APNs certificate
To ensure proper functioning of the iOS MDM service and timely responses of mobile devices to the administrator's commands, you need to specify an Apple Push Notification service certificate (APNs certificate) in the iOS MDM Server settings.
If you already have an APNs certificate, please consider renewing it instead of receiving a new one. When you replace the existing APNs certificate with a newly created one, Administration Server can no longer manage the previously connected iOS MDM devices.
To issue or renew an APNs certificate:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
- In the iOS MDM Server settings window, select Application settings.
- Select the Certificates tab.
- In the Apple Push Notification service (APNs) certificate block of settings, click Issue or renew.
The APNs certificate wizard opens. Click Start and then proceed through the wizard using the Back and Next buttons.
When the Certificate Signing Request (CSR) is created at the first step of the wizard, its private key is stored in the RAM of your device. Accordingly, all the steps of the wizard must be completed without interruption within a single session.
Step 1. Create a Certificate Signing Request (CSR)
To create a CSR:
- Specify the required information for generating a request file: Common Name (CN), Organization Name (O), Organization Unit Name (OU), City (L), Region (S), Country (C).
- Click Save.
After you save the changes, a CSR file will be generated, and the private key of the certificate will be saved in the device memory.
Step 2. Sign the CSR file
At this step, send the CSR file that you received in the previous step of the wizard to Kaspersky for signing:
- Click Go to Kaspersky CompanyAccount.
- Send the created CSR file to Kaspersky to be signed.
Please note that you will be able to sign the CSR file only after you upload a key that lets you use the Mobile Device Management solution.
- After your request is successfully processed, you will receive a CSR file signed by Kaspersky.
- Save the received file.
Step 3. Receive the APNs certificate public key
At this step, do one of the following if you want to issue a new certificate or renew an existing one:
To issue a new certificate:
- Click Go to Apple portal.
- Log in to the Apple portal with a corporate Apple ID.
We recommend that you avoid using a personal Apple ID. Create a dedicated Apple ID to make it your corporate ID. After you have created an Apple ID, link it with the organization's mailbox, not a mailbox of an employee.
- Upload a signed CSR file.
The file will be used to generate the public key of the APNs certificate.
- After your CSR is processed by Apple, you will receive the public key of the APNs certificate.
Save the received file.
To renew a certificate:
- Click Go to Apple portal.
- Log in to the Apple portal with a corporate Apple ID.
We recommend that you avoid using a personal Apple ID. Create a dedicated Apple ID to make it your corporate ID. After you have created an Apple ID, link it with the organization's mailbox, not a mailbox of an employee.
- Specify the certificate you want to renew.
- Upload a signed CSR file.
The file will be used to generate the public key of the APNs certificate.
- After your CSR is processed by Apple, you will receive the public key of the APNs certificate.
Save the received file.
Step 4. Specify the APNs certificate public key
At this step, upload the public key file received from Apple in the previous step of the wizard:
- Click Select.
- In the File Explorer window that opens, specify a certificate file in PEM, PFX, or P12 format, and then click Open.
Step 5. Specify the APNs certificate private key password
At this step, enter the certificate name and private key password:
- In the Certificate name field, specify a custom name for the certificate.
- In the Private key password field, specify the private key password for the certificate.
This password will be used to install the APNs certificate on iOS MDM Server.
- In the Confirm password field, enter the password again.
Step 6. Complete the CSR
At this step, the APNs certificate is generated and ready to be installed on iOS MDM Server.
- To complete the CSR, click Download APNs certificate to save the created certificate.
- Click Done to exit the wizard.
The private and public keys of the certificate are combined, and the APNs certificate is saved in PEM format.
Now you can install the generated APNs certificate on iOS MDM Server.
Installing an APNs certificate on iOS MDM Server
After the APNs certificate is received, you can install it on iOS MDM Server.
To install the APNs certificate on iOS MDM Server:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
- In the iOS MDM Server settings window, select Application settings.
- Select the Certificates tab.
- In the Apple Push Notification service (APNs) certificate block of settings:
- Click Install.
- In the File Explorer window that opens, specify a certificate file in PEM format, and then click Open.
Make sure the certificate you install complies with the following security requirements:
- Common Name (CN) is specified;
- a correct APNs topic is specified;
- a correct certificate publisher is specified;
- a correct certificate expiration date is specified.
- In the Installing certificate window that opens, enter the private key password specified when receiving the APNs certificate, and then click Install.
The APNs certificate will be installed on iOS MDM Server. The certificate details will be displayed in the Apple Push Notification service (APNs) certificate block of settings.
Configuring access to Apple Push Notification service
To ensure proper functioning of the iOS MDM service and timely responses from mobile devices to the administrator's commands, you need to specify an Apple Push Notification Service certificate (APNs certificate) in the iOS MDM Server settings.
When interacting with Apple Push Notification service (APNs), the iOS MDM service connects to the external address api.push.apple.com through port 2197 (outbound). Therefore, the iOS MDM service requires access to port TCP 2197 for the range of addresses 17.0.0.0/8. From the iOS device, this interaction requires access to port TCP 5223 for the range of addresses 17.0.0.0/8.
If you intend to access APNs from the iOS MDM service through a proxy server, you must enable the use of a proxy server for connecting to APNs.
To enable the use of a proxy server to connect to APNs:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
- In the iOS MDM Server settings window, select Application settings.
- Select the APNs proxy server tab.
- In the window that opens, enable the Use proxy server to connect to APNs toggle switch.
- Configure the following settings:
- In the Address field, specify the APNs proxy server address.
- In the Port field, specify the APNs proxy server port.
- In the User name field, specify the APNs proxy user name.
- In the Password field, specify the APNs proxy password.
- Click Save.
The proxy server is now used to connect to APNs.
iOS MDM Server events
Kaspersky Security Center Web Console lets you view the events related to iOS MDM Server. The events have different severity levels: Information, Warning, Critical, Functional failure.
For each event that can be generated by iOS MDM Server, you can specify notification settings and storage settings on the Event configuration tab of the iOS MDM Server settings. If you want to configure notification settings for all events at once, configure general notification settings in the Administration Server properties. For detailed information on notifications, refer to the Kaspersky Security Center Help.
To view iOS MDM Server events:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose events you want to view.
- In the iOS MDM Server settings window, select Application settings.
- Select the Events tab.
The iOS MDM Server events are displayed.
For detailed information on viewing events in Kaspersky Security Center Web Console, refer to the Kaspersky Security Center Help.
The table below shows the events of iOS MDM Server that have the Information severity level.
iOS MDM Server information events

| Event type display name | Event type | Default storage term |
|---|---|---|
| General information about mobile device requested | DEVICEINFORMATION_COMMAND_SUCCESSFUL | 30 days |
| Security information requested | SECURITYINFO_COMMAND_SUCCESSFUL | 30 days |
| New mobile device connected | NEW_DEVICE_CONNECTED | 30 days |
| List of profiles requested | PROFILELIST_COMMAND_SUCCESSFUL | 30 days |
| Profile installed | INSTALLPROFILE_COMMAND_SUCCESSFUL | 30 days |
| Profile deleted | REMOVEPROFILE_COMMAND_SUCCESSFUL | 30 days |
| List of provisioning profiles requested | PROVISIONINGPROFILELIST_COMMAND_SUCCESSFUL | 30 days |
| Provisioning profile installed | INSTALLPROVISIONINGPROFILE_COMMAND_SUCCESSFUL | 30 days |
| Provisioning profile deleted | REMOVEPROVISIONINGPROFILE_COMMAND_SUCCESSFUL | 30 days |
| List of installed certificates requested | CERTIFICATELIST_COMMAND_SUCCESSFUL | 30 days |
| List of installed apps requested | INSTALLEDAPPLICATIONLIST_COMMAND_SUCCESSFUL | 30 days |
| List of managed apps requested | MANAGEDAPPLICATIONLIST_COMMAND_SUCCESSFUL | 30 days |
| App installation requested | INSTALLAPPLICATION_COMMAND_SUCCESSFUL | 30 days |
| App configuration applied | APPCONFIG_APPLIED_SUCCESSFUL | 30 days |
| Managed app deleted | REMOVEAPPLICATION_COMMAND_SUCCESSFUL | 30 days |
| App redemption code set | APPLYREDEMPTIONCODE_COMMAND_SUCCESSFUL | 30 days |
| Mobile device locked | DEVICELOCK_COMMAND_SUCCESSFUL | 30 days |
| Password reset | CLEARPASSCODE_COMMAND_SUCCESSFULL | 30 days |
| Data from mobile device wiped | ERASEDEVICE_COMMAND_SUCCESSFUL | 30 days |
| Operating system update scheduled | SCHEDULEOSUPDATE_COMMAND_SUCCESSFULL | 30 days |
| Roaming settings applied | SETROAMINGSETTINGS_COMMAND_SUCCESSFUL | 30 days |
| Bluetooth settings applied | SETBLUETOOTHSETTINGS_COMMAND_SUCCESSFUL | 30 days |
| Lost Mode enabled | ENABLE_LOST_MODE_COMMAND_SUCCESSFUL | 30 days |
| Sound played in Lost Mode | PLAY_LOST_MODE_SOUND_COMMAND_SUCCESSFUL | 30 days |
| Mobile device location received | GET_DEVICE_LOCATION_COMMAND_SUCCESSFUL | 30 days |
| Lost Mode disabled | DISABLE_LOST_MODE_COMMAND_SUCCESFUL | 30 days |
| Activation lock bypass code received | GET_ACTIVATION_LOCK_BYPASS_CODE_COMMAND_SUCCESSFUL | 30 days |
| Compliance Control check started | COMPLIANCE_CONTROL_CHEKING_RULES_STARTED | 30 days |
| Compliance Control check completed | COMPLIANCE_CONTROL_CHEKING_RULES_COMPLETED | 30 days |
| Compliance Control response started | COMPLIANCE_CONTROL_ACTION_STARTED | 30 days |
| Compliance Control response completed | COMPLIANCE_CONTROL_ACTION_COMPLETED | 30 days |
The table below shows the events of iOS MDM Server that have the Warning severity level.
iOS MDM Server warning events
Event type display name | Event type | Default storage term |
---|---|---|
Attempt to connect locked mobile device detected | INACTICE_DEVICE_TRY_CONNECTED | 30 days |
Device management profile deleted | MDM_PROFILE_WAS_REMOVED | 30 days |
Attempt to reuse user certificate detected | CLIENT_CERT_ALREADY_IN_USE | 30 days |
Non-compliance with Compliance Control criterion detected | COMPLIANCE_CONTROL_CONDITIONS_MATCH_DETECTED | 30 days |
Failed to perform Compliance Control response | COMPLIANCE_CONTROL_ACTION_FAILED | 30 days |
Inactive mobile device detected | FOUND_INACTIVE_DEVICE | 30 days |
Redemption code is required | NEED_REDEMPTION_CODE | 30 days |
Device management profile deleted from mobile device | UMDM_PROFILE_WAS_REMOVED | 30 days |
The table below shows the events of iOS MDM Server that have the Functional failure severity level.
iOS MDM Server functional failure events
Event type display name | Event type | Default storage term |
---|---|---|
Failed to request general information about mobile device | DEVICEINFORMATION_COMMAND_FAILED | 30 days |
Failed to request security information | SECURITYINFO_COMMAND_FAILED | 30 days |
Failed to request list of profiles | PROFILELIST_COMMAND_FAILED | 30 days |
Failed to install profile | INSTALLPROFILE_COMMAND_FAILED | 30 days |
Failed to delete profile | REMOVEPROFILE_COMMAND_FAILED | 30 days |
Failed to request list of provisioning profiles | PROVISIONINGPROFILELIST_COMMAND_FAILED | 30 days |
Failed to install provisioning profile | INSTALLPROVISIONINGPROFILE_COMMAND_FAILED | 30 days |
Failed to delete provisioning profile | REMOVEPROVISIONINGPROFILE_COMMAND_FAILED | 30 days |
Failed to request list of installed certificates | CERTIFICATELIST_COMMAND_FAILED | 30 days |
Failed to request list of installed apps | INSTALLEDAPPLICATIONLIST_COMMAND_FAILED | 30 days |
Failed to request list of managed apps | MANAGEDAPPLICATIONLIST_COMMAND_FAILED | 30 days |
Failed to request app installation | INSTALLAPPLICATION_COMMAND_FAILED | 30 days |
Failed to apply app configuration | APPCONFIG_APPLIED_FAILED | 30 days |
Failed to delete managed app | REMOVEAPPLICATION_COMMAND_FAILED | 30 days |
Failed to set app redemption code | APPLYREDEMPTIONCODE_COMMAND_FAILED | 30 days |
Failed to lock mobile device | DEVICELOCK_COMMAND_FAILED | 30 days |
Failed to reset password | CLEARPASSCODE_COMMAND_FAILED | 30 days |
Failed to wipe data from mobile device | ERASEDEVICE_COMMAND_FAILED | 30 days |
Failed to schedule operating system update | SCHEDULEOSUPDATE_COMMAND_FAILED | 30 days |
Failed to apply roaming settings | SETROAMINGSETTINGS_COMMAND_FAILED | 30 days |
Failed to apply Bluetooth settings | SETBLUETOOTHSETTINGS_COMMAND_FAILED | 30 days |
Failed to enable Lost Mode | ENABLE_LOST_MODE_COMMAND_FAILED | 30 days |
Failed to play sound in Lost Mode | PLAY_LOST_MODE_SOUND_COMMAND_FAILED | 30 days |
Failed to receive mobile device location | GET_DEVICE_LOCATION_COMMAND_FAILED | 30 days |
Failed to disable Lost Mode | DISABLE_LOST_MODE_COMMAND_FAILED | 30 days |
Failed to receive activation lock bypass code | GET_ACTIVATION_LOCK_BYPASS_CODE_COMMAND_FAILED | 30 days |
Error in app operation | PRODUCT_FAILURE | 30 days |
Command result contains incorrect data | MALFORMED_COMMAND | 30 days |
Failed to send message | SEND_PUSH_NOTIFICATION_FAILED | 30 days |
Failed to send command (Compliance Control) | SEND_COMMAND_FAILED | 30 days |
Failed to find device | DEVICE_NOT_FOUND | 30 days |
Obtaining iOS MDM Server diagnostic data
When creating a request to Kaspersky Technical Support, you may be asked to create and attach a trace file. Trace files are used by Technical Support for diagnostic purposes. They record every step of application command execution, which makes it possible to identify the step at which an error occurs.
We recommend that you obtain the traces of iOS MDM Server together with the traces of Network Agent, as they contain the iOS MDM Server connector details.
There are several tracing levels for iOS MDM Server:
- 0 - CRITICAL
- 1 - ERROR
- 2 - MESSAGE
- 3 - DEBUG
Ask a support engineer which tracing level to set. If the Technical Support engineer has not specified the trace level, we recommend obtaining level 2 traces.
To enable the iOS MDM Server tracing and create trace files:
- Open the iOS MDM Server settings file /var/opt/kaspersky/iosmdm/settings.ini.
- Specify the values required to enable tracing. We recommend that you specify the following default values:
- LogCommEnabled=1
Enabling or disabling the tracing of the iOS MDM Server and connector communication library.
- LogSettingsEnabled=1
Enabling or disabling the tracing of the iOS MDM Server and connector settings library.
- LogCommVerboseLevel=2
The tracing level of the iOS MDM Server and connector communication library.
- LogSettingsVerboseLevel=2
The tracing level of the iOS MDM Server and connector settings library.
- LogVerboseLevel=2
The tracing level of iOS MDM Server.
- LogFolder=/var/opt/kaspersky/iosmdm
The directory for writing trace files.
- Restart the iOS MDM Server and Network Agent services by running the following commands:
systemctl restart klnagent
systemctl restart kliosmdm
The iOS MDM Server tracing is enabled. Trace files are created in the directory that you specified as the LogFolder value: klcon_comm.log, klcon_settings.log, klsrv.log, klsrv_comm.log, klsrv_settings.log.
To disable the iOS MDM Server tracing:
- Open the iOS MDM Server settings file /var/opt/kaspersky/iosmdm/settings.ini.
- Modify the file by deleting the lines that were added to enable tracing:
- LogCommEnabled=1
- LogSettingsEnabled=1
- LogCommVerboseLevel=2
- LogSettingsVerboseLevel=2
- LogVerboseLevel=2
- LogFolder=/var/opt/kaspersky/iosmdm
- Restart the iOS MDM Server and Network Agent services by running the following commands:
systemctl restart klnagent
systemctl restart kliosmdm
The iOS MDM Server tracing is disabled.
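As an added example (not from the Kaspersky documentation), the following POSIX shell functions apply the enable and disable procedures above to settings.ini and leave the file free of duplicate keys. The file path, key names, recommended values, tracing levels and service names are the ones the page gives; the function names and the assumption that the keys are appended at the end of the file (the page shows no INI section for them) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky documentation.
# Toggles iOS MDM Server tracing by editing settings.ini the way the page
# describes: add the six Log* keys to enable, delete them to disable, then
# restart klnagent and kliosmdm. Function names are this example's own.

# Default path from the page; override with IOSMDM_SETTINGS for testing.
IOSMDM_SETTINGS="${IOSMDM_SETTINGS:-/var/opt/kaspersky/iosmdm/settings.ini}"

# The keys the page tells you to add (and later delete).
TRACE_KEYS="LogCommEnabled LogSettingsEnabled LogCommVerboseLevel LogSettingsVerboseLevel LogVerboseLevel LogFolder"

# Delete every tracing key from the file, leaving all other lines untouched.
# Safe to call when the keys are absent (the "disable" procedure).
iosmdm_trace_disable() {
    file="${1:-$IOSMDM_SETTINGS}"
    pattern=$(printf '%s|' $TRACE_KEYS)   # "LogCommEnabled|LogSettingsEnabled|...|"
    pattern="${pattern%|}"                 # drop the trailing "|"
    # grep -v exits 1 when nothing is left to print; that is not an error here.
    grep -Ev "^[[:space:]]*(${pattern})[[:space:]]*=" "$file" > "$file.tmp" || true
    mv "$file.tmp" "$file"
}

# Append the tracing keys with one verbose level for all three libraries.
# Level 0-3 as listed on the page (0 CRITICAL, 1 ERROR, 2 MESSAGE, 3 DEBUG);
# 2 is the recommended default. Existing tracing keys are removed first so the
# file never ends up with duplicate entries. Assumes the keys belong at the end
# of the file, as the page gives no INI section for them.
iosmdm_trace_enable() {
    file="${1:-$IOSMDM_SETTINGS}"
    level="${2:-2}"
    folder="${3:-/var/opt/kaspersky/iosmdm}"
    case "$level" in
        0|1|2|3) ;;
        *) echo "iosmdm_trace_enable: tracing level must be 0-3, got '$level'" >&2; return 1 ;;
    esac
    iosmdm_trace_disable "$file"
    # Make sure the file ends with a newline so the first key is not glued
    # onto the last existing line.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    {
        printf 'LogCommEnabled=1\n'
        printf 'LogSettingsEnabled=1\n'
        printf 'LogCommVerboseLevel=%s\n' "$level"
        printf 'LogSettingsVerboseLevel=%s\n' "$level"
        printf 'LogVerboseLevel=%s\n' "$level"
        printf 'LogFolder=%s\n' "$folder"
    } >> "$file"
}

# Print the configured iOS MDM Server tracing level, or "off" if no
# LogVerboseLevel key is present (the state after iosmdm_trace_disable).
iosmdm_trace_status() {
    file="${1:-$IOSMDM_SETTINGS}"
    level=$(sed -n 's/^[[:space:]]*LogVerboseLevel[[:space:]]*=[[:space:]]*//p' "$file" | tail -n 1)
    if [ -z "$level" ]; then
        echo off
    else
        echo "$level"
    fi
}

# Restart the services in the order the page gives so the new settings apply.
# Needs root; kept separate from the edit functions so the file change can be
# reviewed before the services are bounced.
iosmdm_restart_services() {
    systemctl restart klnagent
    systemctl restart kliosmdm
}
```

Typical use on the server: `iosmdm_trace_enable "" 2 && iosmdm_restart_services` to enable level 2 tracing, and `iosmdm_trace_disable && iosmdm_restart_services` to turn it off again.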
Deploying an Android device management system
Kaspersky Secure Mobility Management lets you manage mobile devices running Android. This section describes the deployment of an Android device management system.
About Android device operating modes
The device operating mode depends on the owner of mobile device (personal or corporate) and corporate security requirements. You can choose the operating mode that is most suitable for your company and use several modes at the same time.
The following device operating modes are available for Android devices:
- Personal device
- Device with corporate container
- Corporate device
Personal device
Personal device is the device operating mode for personal Android devices. This operating mode lets you protect and perform basic management of devices.
Device with corporate container
Device with corporate container is the device operating mode for personal Android devices with an Android Work Profile, which provides an isolated corporate environment on a device.
This operating mode lets you manage apps and user accounts in a safe environment on a device without restricting the use of personal data by the user. When a Work Profile is created on the user's mobile device, the following corporate apps are automatically installed in the container (if applicable): Google Play Market, Google Chrome, Downloads, Kaspersky Endpoint Security for Android, and others. Corporate apps installed in the Work Profile and their notifications are marked with a blue briefcase icon. Apps installed in the work profile appear in the common list of apps.
Corporate device
Corporate device is the device operating mode for company-owned Android devices. This operating mode lets you have full control over the entire device and configure an extended set of security settings and features:
- Restrictions on Android features
- Management of Google Chrome settings
- Silent installation of required apps and removal of blocked apps in App Control
- Kiosk mode
- Management of Exchange ActiveSync
- NDES and SCEP integration
Using Firebase Cloud Messaging
To ensure timely delivery of commands to Android devices, Kaspersky Security Center uses the mechanism of push notifications. Push notifications are exchanged between Android devices and Administration Server through Firebase Cloud Messaging (hereinafter referred to as FCM). In Kaspersky Security Center Web Console, you can specify the Firebase Cloud Messaging settings to connect Android devices to the service.
To retrieve the settings of Firebase Cloud Messaging, you must have a Google account.
To enable the use of FCM:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
- Open the 3-dot menu and select Forced Android device synchronization.
- In the Firebase project number field, specify the FCM Sender ID.
- In the Private key field, select the private key file.
At the next synchronization with Administration Server, Android devices will be connected to Firebase Cloud Messaging.
When you switch to a different Firebase project, you need to wait 10 minutes for FCM to resume.
FCM service runs in the following address ranges:
- From the Android device's side, access is required to ports 443 (HTTPS), 5228 (HTTPS), 5229 (HTTPS), and 5230 (HTTPS) of the following addresses:
- google.com
- fcm.googleapis.com
- android.apis.google.com
- All of the IP addresses listed in Google's ASN of 15169
- From the Administration Server side, access is required to port 443 (HTTPS) of the following addresses:
- fcm.googleapis.com
- All of the IP addresses listed in Google's ASN of 15169
If the proxy server settings have been specified in the Administration Server properties in Web Console, they will be used for interaction with FCM.
Configuring FCM: getting the Sender ID and private key file
To configure FCM:
- Register on the Google portal.
- Go to the Firebase console.
- Do one of the following:
- To create a new project, click Create a project and follow the instructions on the screen.
- Open an existing project.
- Click the gear icon and choose Project settings.
The Project settings window opens.
- Select the Cloud Messaging tab.
- Retrieve the relevant Sender ID from the Sender ID field in the Firebase Cloud Messaging API (V1) section.
- Select the Service accounts tab and click Generate new private key.
- In the window that opens, click Generate key to generate and download a private key file.
Firebase Cloud Messaging is now configured.
Deploying Kaspersky Endpoint Security for Android
This section contains a general overview of Kaspersky Endpoint Security for Android and the methods of installing, updating, and removing the app.
For detailed information on Kaspersky Endpoint Security for Android, refer to the Using the Kaspersky Endpoint Security for Android app section.
About the Kaspersky Endpoint Security for Android app
The Kaspersky Endpoint Security for Android app ensures the protection of mobile devices against web threats, viruses, and other programs that pose threats.
The Kaspersky Endpoint Security for Android includes the following features:
- Anti-Malware. This component detects and neutralizes threats on the device by using the anti-malware databases and the Kaspersky Security Network cloud service. Anti-Malware includes the following components:
- Protection. It detects threats in open files, scans new apps, and prevents device infection in real time.
- Scan. It is started on demand for the entire file system, only for installed apps, or only for a selected file or folder.
- Update. It lets you download new anti-malware databases for the app.
- Anti-Theft. This component protects the information on the device against unauthorized access in case the device is lost or stolen. This component lets you send the following commands to the device:
- Locate device. Get the coordinates of the device's location.
- Sound alarm. Make the device sound a loud alarm.
- Wipe corporate data. Erase corporate data to protect sensitive company information.
- Web Protection and Web Control. Web Protection blocks malicious websites designed to spread malicious code. Web Protection also blocks fake (phishing) websites designed to steal the user's confidential data (for example, passwords for online banking or e-money systems) and access the user's financial info. Web Protection uses the Kaspersky Security Network cloud service to scan websites before they open. After scanning, Web Protection allows trustworthy websites to load and blocks malicious websites. Web Control allows website filtering by categories defined in the Kaspersky Security Network cloud service. This lets the administrator restrict user access to certain categories of web pages (for example, Gambling, lotteries, sweepstakes or Internet communication).
- App Control. This component lets you install recommended and required apps to an Android device as well as remove blocked apps that violate corporate security requirements.
- Compliance Control. This component lets you check managed devices for compliance with corporate security requirements and impose restrictions on certain functions of non-compliant devices.
You can configure the components of the Kaspersky Endpoint Security for Android app in Kaspersky Security Center Web Console by defining the corresponding policy settings.
On personal devices and devices with a corporate container running Android 15, users can create their own private space. Kaspersky Endpoint Security for Android cannot scan apps, photos, and other files stored in a private space. Web Protection, Web Control, and App Control do not work for apps installed in a private space. Installation of Kaspersky Endpoint Security for Android in a private space is not supported.
Installing Kaspersky Endpoint Security for Android
There are several methods to deploy the Kaspersky Endpoint Security for Android app. You can use the most suitable installation scenario for your company or combine several installation scenarios.
The installation methods include the following:
- Installation via Kaspersky Security Center using one of the installation sources:
- Kaspersky website (for corporate device operating mode only)
- Installation package (for all operating modes)
- Manual installation
Creating the Kaspersky Endpoint Security for Android installation package
The Kaspersky Endpoint Security for Android app can be deployed using the installation package.
You can use this installation method if mobile devices in your company have no access to the internet.
For this installation method, you need to create a Kaspersky Endpoint Security for Android installation package before connecting Android devices to Kaspersky Security Center. The installation package will be downloaded from Kaspersky Security Center and updated via Kaspersky Security Center using policy settings.
The Kaspersky Endpoint Security for Android installation package is an archive that contains the files required for installing the Kaspersky Endpoint Security for Android app:
installer.ini
Configuration file that contains Administration Server connection settings.
KES10_<version>.apk
Android package file of the Kaspersky Endpoint Security for Android app.
kesa.kpd
Application description file.
eula/
Folder with End User License Agreements in different languages in TXT format.
kpd.loc/
INI files specifying paths to End User License Agreements.
To create the Kaspersky Endpoint Security for Android installation package:
- In the main window of Kaspersky Security Center Web Console, select Operations > Repositories > Installation packages.
- In the list of installation packages that opens, click Add. The New package wizard starts. Follow the instructions of the wizard as described in the Kaspersky Security Center Help to create an installation package from a file or create a stand-alone installation package.
To configure the Kaspersky Endpoint Security for Android installation package:
- In the main window of Kaspersky Security Center Web Console, select Operations > Repositories > Installation packages.
- In the list of installation packages that opens, click the Kaspersky Endpoint Security for Android installation package you want to configure.
- In the installation package properties window, select the Settings tab.
- In the Connection to the Administration Server group of settings, configure the following values:
- Server address. Specify the address of the server to which the Android devices will connect.
- SSL port for devices synchronization. Specify the number of the port opened on the Administration Server for connecting mobile devices. Port 13292 is used by default.
- For stand-alone installation packages, in the Subgroup name field of the Subgroup in Unassigned devices group of settings, specify the name of the group to which Android devices will be added after the first synchronization with the Administration Server. KES10 is used by default.
- In the Actions during installation on device group of settings, click the Prompt user for email address check box if you want Kaspersky Endpoint Security for Android to ask users to provide their corporate email address when the app is started for the first time.
User email address is used to form the name of the mobile device when it is added to the administration group.
- Click Save.
The Kaspersky Endpoint Security for Android installation package is configured.
Manual installation of Kaspersky Endpoint Security for Android
You can manually install Kaspersky Endpoint Security for Android from the Kaspersky website, HUAWEI AppGallery, Samsung Galaxy Store, RuStore, or Xiaomi GetApps.
Installing the app
To install the app from an app store, follow the standard installation procedure for the Android platform.
To install Kaspersky Endpoint Security for Android from the Kaspersky website:
- Go to the Kaspersky website.
- Find Kaspersky Security for Mobile on the website.
- Tap Show Downloads.
- Select a version of the app and tap Download.
- Open the downloaded APK file and follow the instructions on the screen.
You may need to allow your browser to install apps from sources other than Google Play in the Apps → Special app access → Install unknown apps section in device settings. The location of these settings may differ on devices from different vendors.
The app will be installed on the device.
Configuring the app
After installing Kaspersky Endpoint Security for Android, you must manually configure the app. The configuration procedure depends on whether the administrator sent you a server address or a link for downloading the app.
To configure Kaspersky Endpoint Security for Android using a link for downloading the app:
- Open Kaspersky Endpoint Security for Android.
- Read the End User License Agreement. If you accept the End User License agreement, select the corresponding check box and tap Continue.
- Tap Continue and grant the app the required permissions.
- In the Server field, specify the link that you received from the administrator.
- Tap Continue.
Kaspersky Endpoint Security for Android is configured.
To configure Kaspersky Endpoint Security for Android using a server address:
- Open Kaspersky Endpoint Security for Android.
- Read the End User License Agreement. If you accept the End User License agreement, select the corresponding check box and tap Continue.
- Tap Continue and grant the app the required permissions.
- In the Server field, specify the Administration Server address provided by the administrator.
- Tap Continue.
- Tap Enable to enable the app as the device administrator.
- Tap Allow and grant the app the required permissions.
Kaspersky Endpoint Security for Android is configured.
Internet access must be enabled on the mobile device for synchronization with the Administration Server.
Installing Kaspersky Endpoint Security for Android on corporate devices in a closed network
When deploying Kaspersky Endpoint Security for Android in corporate device operating mode via QR code on devices with pre-installed Google Mobile Services (GMS), their Wi-Fi connectivity to certain Google endpoints is checked. If a Wi-Fi network has no access to the internet, the connectivity check fails and the deployment finishes with an error.
To avoid the connectivity check, you can deploy the Kaspersky Endpoint Security for Android app on corporate devices in a closed network by using a Proxy Auto-Configuration (PAC) file.
To use a PAC file to deploy the Kaspersky Endpoint Security for Android app:
- Create a PAC file (for example, proxy.pac) with the following contents:
  function FindProxyForURL(url, host) {
      return "DIRECT";
  }
- Publish the created PAC file on a resource that will be available in the closed network (for example, on an IIS Web server).
Save a link to the PAC file (for example, https://intranet.mycompany.com/files/proxy.pac).
- Make sure the APK file of the Kaspersky Endpoint Security for Android app being deployed is available within the closed network. To do this, use one of the methods below:
- Download the app installation package from the Kaspersky Security Center server. If the server is accessible, the installation packages will be available there.
- Download the APK installation file from the Kaspersky website and upload it to the closed network.
Choose the general version of the app as the source.
- Send the app installation link and QR code to the user by following the instructions of Mobile device connection wizard.
On the Operating systems step of the wizard, in the Installation settings section, you will be asked to specify the network for downloading the Kaspersky Endpoint Security for Android app. At this step, configure the use of the previously created PAC file for network connection by linking it to the Wi-Fi network settings on a device. To do this, use one of the methods below:
- In the Installation network settings section, choose Prompt the user to select a Wi-Fi network on device. While deploying the app, the user will need to specify the link to the PAC file (step 2) in the network settings when choosing a Wi-Fi network on the device. After the connection is established, the user will be able to continue the device setup and activate the app by following the instructions of the app's Initial Configuration Wizard.
- In the Installation network settings section, choose Only use the specified Wi-Fi network (Android 9 or later), click the Select network button, and then insert the link to the previously created PAC file (step 2) in the PAC file URL field.
If the APK installation file has been downloaded from the Kaspersky website (step 3), you need to replace the link in the QR code with the address of the closed network link.
When deploying the app via an installation package downloaded from Kaspersky Security Center, after the device is reset to factory settings and the QR code is scanned, a Blocked by Play Protect message may appear on the device. The issue is caused by the installation package's signing certificate being different from the one specified in Google Play. The user should continue the installation by choosing Install anyway. If OK is selected, the installation process will be interrupted and the device will be reset to factory settings.
The Kaspersky Endpoint Security for Android app is installed on a device in corporate device operating mode in a closed network.
Permissions for Kaspersky Endpoint Security for Android
To use all of its features, Kaspersky Endpoint Security for Android prompts the user for the required permissions. Kaspersky Endpoint Security for Android prompts for the mandatory permissions while the Setup Wizard is running, as well as after installation and before individual features are used for the first time. It is impossible to install Kaspersky Endpoint Security for Android without granting the mandatory permissions.
On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts in the device settings. If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted.
On devices running Android 11 or later or Android 6-10 with Google Play services, you must disable the Remove permissions if app isn't used system setting. Otherwise, after the app is not used for a few months, the system automatically resets the permissions that the user granted to the app.
Permissions requested by Kaspersky Endpoint Security for Android
Permission | App function |
---|---|
Phone (read phone status and identity) | Identify the device using its IMEI (for Android 5–9; for Android 10 or later in the corporate device operating mode; for Android 10–11 in the device with corporate container operating mode); Compliance Control – check whether the device SIM card has been replaced or removed |
Storage (mandatory) | Anti-Malware |
Access to manage all files (for Android 11 or later) | Anti-Malware |
Nearby devices (for Android 12 or later) | Restrict use of Bluetooth (on some Xiaomi and HUAWEI devices running Android 12, Kaspersky Endpoint Security for Android does not prompt the user for the Nearby Bluetooth devices permission; this is caused by the specific features of MIUI firmware on Xiaomi and EMUI firmware on HUAWEI, and despite the absence of the request for this permission, all features related to using Bluetooth work correctly on these devices) |
Ignore battery optimization (for Android 12 or later) | App Control; Web Protection; Anti-Theft |
Notifications (for Android 13) | Notify the user about security issues and app events |
Allow running in the background (for Android 12 or later) | Ensure continuous operation of the app. If the permission is not granted, the app may be unloaded from memory and unable to restart. |
Device administrator (mandatory) | Anti-Theft – lock the device (only for Android 5–6); Anti-Theft – take a mugshot with frontal camera; Anti-Theft – sound an alarm; Anti-Theft – full reset; Password protection; App removal protection; Install security certificate; App Control; Manage Knox (only for Samsung devices); Configure Wi-Fi; Configure Exchange ActiveSync; Restrict use of the camera, Bluetooth, and Wi-Fi |
Camera | Anti-Theft – take a mugshot with frontal camera (on devices running Android 11 or later, the user must grant the "While using the app" permission when prompted) |
Location | Anti-Theft – locate device (on devices running Android 10 or later, the user must grant the "All the time" permission when prompted); Commands – Get location history |
Accessibility | Anti-Theft – lock the device (only for Android 7 or later); Web Protection; App Control; App removal protection (only for Android 7 or later); Display of warnings of Kaspersky Endpoint Security for Android (only for Android 10 or later); Restrict use of the camera (only for Android 11 or later) |
Display pop-up window (for some Xiaomi devices) | Web Protection |
Display pop-up windows while running in the background (for some Xiaomi devices) | Web Protection |
Run in the background (for Xiaomi devices with MIUI firmware on Android 11 or earlier) | App Control; Web Protection; Anti-Theft |
Starting and stopping Kaspersky Endpoint Security for Android
Kaspersky Endpoint Security for Android launches when the operating system starts up and protects the mobile device during the entire session. The user can stop the app by disabling all Kaspersky Endpoint Security for Android components. You can use policies to configure user permissions to manage app components.
On certain devices (for example, HUAWEI, Meizu, and Xiaomi), you must manually add Kaspersky Endpoint Security for Android to the list of apps that are started when the operating system starts (Security → Permissions → Autorun). If the app is not added to the list, Kaspersky Endpoint Security for Android stops performing all of its functions after the mobile device is restarted.
You must also disable Battery Saver mode for Kaspersky Endpoint Security for Android. This is necessary for the app to run in the background, for example, when running a scheduled malware scan or synchronizing the device with Kaspersky Security Center. This issue is due to the specific features of the embedded software of these devices.
Activating Kaspersky Endpoint Security for Android
In Kaspersky Security Center, the license can cover various groups of features. To ensure that the Kaspersky Endpoint Security for Android app is fully functional, the Kaspersky Security Center license purchased by the organization must support the Mobile Device Management functionality.
For detailed information about licensing options, refer to the About the license section.
Activating the Kaspersky Endpoint Security for Android app on a mobile device is performed by providing valid license information to the app. License information is delivered to the device together with the policy settings as soon as the device is synchronized with Kaspersky Security Center.
If activation of the mobile app is not completed within 30 days from the time of installation on the mobile device, the app is automatically switched to limited functionality mode. In this mode, most of the app components are not operational. When switched to limited functionality mode, the app stops performing automatic synchronization with Kaspersky Security Center. Accordingly, if the app is not activated within 30 days after the installation, the user must synchronize the device with Kaspersky Security Center manually.
If Kaspersky Security Center is not deployed in your organization or is not accessible to mobile devices, users can activate the mobile app on their devices manually.
To activate the mobile app:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Click the License button.
- In the window that opens, use the drop-down list to select the required license key from the key storage of the Administration Server.
The details of the license key are displayed in the fields below.
You can replace the existing activation key on the mobile device if it is different from the one selected in the drop-down list above. To do so, select the Replace with selected key if the key on devices is different check box.
- Click Save to save the changes you have made.
The app is activated after the next device synchronization with Kaspersky Security Center.
Updating Kaspersky Endpoint Security for Android
Kaspersky Endpoint Security for Android can be updated in the following ways:
- Using the Kaspersky website. The mobile device user downloads the new version of the app from the Kaspersky website and installs it on the device.
- Using HUAWEI AppGallery, Samsung Galaxy Store, RuStore, or Xiaomi GetApps. The mobile device user downloads the new version of the app from an app store and installs it on the device following the standard update procedure for the Android platform.
To update the app using the Samsung Galaxy Store, the device user must have a Samsung account.
- Using Kaspersky Security Center. You can remotely update the version of the app on the device using Kaspersky Security Center.
You can select the app update method that is most suitable for your organization. You can use only one update method.
Updating the app from the Kaspersky website
To update the app from the Kaspersky website:
- Go to the Kaspersky website.
- Find Kaspersky Security for Mobile on the website.
- Tap Show Downloads.
- Select a version of the app and tap Download.
- Open the downloaded APK file and follow the instructions on the screen.
Kaspersky Endpoint Security for Android is updated.
After downloading the app, Kaspersky Endpoint Security for Android checks the Terms and Conditions of the End User License Agreement (EULA). If the terms of the EULA have been updated, the app sends a request to the Kaspersky Security Center. If the administrator accepts the EULA in Web Console, Kaspersky Endpoint Security for Android skips the acceptance step during installation of the app.
Updating the app through Kaspersky Security Center
Kaspersky Endpoint Security for Android can be updated using Kaspersky Security Center after a group policy is applied. In the group policy settings, you can select the standalone installation package of the version of Kaspersky Endpoint Security for Android that meets the corporate security requirements.
You can update through Kaspersky Security Center if Kaspersky Endpoint Security for Android was installed using an installation package in Kaspersky Security Center or using a standalone installation package. If the app was installed from Google Play, you cannot update the app through Kaspersky Security Center.
To update Kaspersky Endpoint Security for Android using a standalone installation package, installation of apps from unknown sources must be allowed on the user's mobile device. For details about installing apps without Google Play, please refer to the Android Help.
To update the version of the app:
- Add a new Kaspersky Endpoint Security for Android installation package.
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select Android and go to the KES for Android settings section.
- On the App update card, click Settings.
The App update window opens.
- Enable the settings using the App update toggle switch.
- Click Select.
The Select installation package window opens.
- In the list of Kaspersky Endpoint Security for Android standalone installation packages, select the package whose version meets the corporate security requirements.
Kaspersky Endpoint Security for Android cannot be downgraded to an older version of the application.
- Click Select.
- Click OK.
- Click Save to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. The mobile device user is prompted to install the new version of the app. After the user confirms installation, the new app version is installed on the mobile device.
Updates functionality (including providing anti-malware signature updates and codebase updates), as well as KSN functionality may not be available in the software in the U.S.
Removing Kaspersky Endpoint Security for Android
Kaspersky Endpoint Security for Android can be removed in the following ways:
- App removal by the user
The user removes Kaspersky Endpoint Security for Android manually using the app interface. In order for users to be able to remove the app, the app removal should be allowed in the Configure access to app settings card of the KES for Android settings section in the policy settings.
- App removal by the administrator (corporate devices only)
The administrator removes the app remotely using the Kaspersky Security Center Web Console. The app can be removed from an individual device or from several devices at once.
Permitting users to remove Kaspersky Endpoint Security for Android
To protect the app from removal on devices running Android 7 or later, Kaspersky Endpoint Security for Android must be set as an Accessibility feature. When the Initial Configuration Wizard is running, Kaspersky Endpoint Security for Android prompts the user to grant the application all required permissions. The user can skip these steps or disable these permissions in the device settings at a later time. If this is the case, the app is not protected from removal.
To allow removal of the app in a group policy:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select Android and go to the KES for Android settings section.
- On the Configure access to app settings card, click Settings.
The Configure access to app settings window opens.
- Select the Allow removing the app from device check box.
- Click OK.
- Click Save to save the changes you have made.
As a result, users will be allowed to remove the app from mobile devices after synchronization with the Administration Server. The app removal button becomes available in the Kaspersky Endpoint Security for Android settings.
To remove the app from a device:
- In the main window of Kaspersky Endpoint Security for Android, select Settings → App settings → Additional → Remove app.
On corporate devices, Kaspersky Endpoint Security for Android can be removed only by the administrator.
- Confirm removal of Kaspersky Endpoint Security for Android.
Kaspersky Endpoint Security for Android will be removed from the device.
Removal of Kaspersky Endpoint Security for Android by the user
On corporate devices, Kaspersky Endpoint Security for Android can be removed only by the administrator.
To independently remove Kaspersky Endpoint Security for Android from a mobile device, the user must do the following:
- In the main window of Kaspersky Endpoint Security for Android, select Settings → App settings → Additional → Remove app.
If the Remove app button is missing, this means that the administrator enabled protection against removal of Kaspersky Endpoint Security for Android or the device operates in corporate device mode.
- Confirm the removal of Kaspersky Endpoint Security for Android.
Kaspersky Endpoint Security for Android will be removed from the device.
Remote removal of Kaspersky Endpoint Security for Android on corporate devices
You can remove the Kaspersky Endpoint Security for Android app from corporate devices remotely by sending a Reset to factory settings command.
Executing the Reset to factory settings command wipes all data from the device and rolls back device settings to their factory values. This app removal method is recommended by Android Enterprise to guarantee that data is removed from a corporate device.
To remove the app:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
- In the list of devices that opens, select a device that you want to send a command to.
You can select multiple devices.
- Click Send command.
- In the Send command window that opens, in the Command field, select the Reset to factory settings command.
- Click Send.
You can view and cancel commands in the Command history.
The command is sent to the devices you selected. Kaspersky Endpoint Security for Android is removed from these devices.
- In the list of devices, select the device, and then click Delete.
The device is removed from the list of managed devices in Kaspersky Security Center Web Console.
If the device is not removed from Kaspersky Security Center Web Console, there can be problems with further installation of Kaspersky apps on this device.
Managing mobile devices in Kaspersky Security Center Web Console
To perform centralized configuration of mobile devices, you must configure policies. A policy is a set of security settings for managing mobile devices of specified operating systems and device operating modes within an administration group and for managing the mobile apps installed on devices.
This section describes how to create administration groups, configure policies for mobile devices, and connect mobile devices to Kaspersky Security Center in order to subsequently manage them.
Creating administration groups
To apply a policy to a group of devices, you are advised to create a separate group for these devices prior to installing mobile management apps.
An administration group is a logical set of managed devices combined on the basis of a specific trait for the purpose of managing the grouped devices as a single unit within Kaspersky Security Center.
All managed devices within an administration group are configured to do the following:
- Use the same settings, which you can specify in policies.
- Use a common operating mode for all applications through the creation of group tasks with specified settings. Examples of group tasks include creating and installing a common installation package, updating the application databases and modules, scanning the device on demand, and enabling real-time protection.
A managed device can belong to only one administration group.
You can create hierarchies that have any degree of nesting for Administration Servers and groups. A single hierarchy level can include secondary and virtual Administration Servers, groups, and managed devices. You can also move devices from one group to another.
Immediately after Kaspersky Security Center is installed, the hierarchy of administration groups contains only one administration group called Managed devices. When creating a hierarchy of administration groups, you can add devices to the Managed devices group, and add nested groups.
To create an administration group:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Hierarchy of groups.
- In the administration group structure, select the administration group that the new administration group will belong to.
- Click Add.
- In the Name of the new administration group window that opens, enter a name for the group, and then click Add.
A new administration group with the specified name appears in the hierarchy of administration groups.
To automatically create a structure of administration groups:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Hierarchy of groups.
- Click Import.
The New administration group structure wizard starts. Follow the instructions of the wizard.
After creating an administration group, we recommend configuring the option to automatically assign devices on which you want to install apps to this group. Then configure the settings that are common to all devices using a specific policy.
Configuring policies
This section describes how to manage policies in Kaspersky Security Center Web Console.
Creating a policy
Kaspersky Security Center Web Console lets you create policies to configure the security settings of a group of Android, iOS, and Aurora mobile devices. The values of security settings configured in policies are saved on the Administration Server, distributed to mobile devices during synchronization, and saved to devices as current settings.
You can create policies using the Mobile policy wizard.
To create a policy:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
- In the list of policies that opens, click Current path to select the administration group for which you want to create a policy.
By default, the new policy is applied to the Managed devices group.
- Click Add to start the Mobile policy wizard.
- In the Select application window, select the Kaspersky Mobile Devices Protection and Management option, and then click Next.
The Mobile policy wizard starts. Click Start, and then proceed through the wizard using the Back and Next buttons.
Step 1. License
At this step, choose a license.
The license you choose determines the security settings that you can configure in a policy. By default, the license that supports the Kaspersky Secure Mobility Management functionality is pre-selected. You can choose a different license manually.
Step 2. Operating systems and device operating modes
At this step, choose the operating systems the policy will apply to and specify the device operating modes.
- Android
- Personal device (basic protection and management of a personal Android device).
- Device with corporate container (isolated corporate environment on an Android device).
- Corporate device (an extended set of settings for managing a corporate Android device).
For detailed information, refer to the About Android device operating modes section.
- iOS
- Basic protection (protection against web threats and jailbreak detection on iOS devices).
- Basic control (basic management of a personal iOS device).
- Supervised (an extended set of settings for managing an iOS device).
For detailed information, refer to the About iOS device operating modes section.
To connect and manage iOS devices in basic control and supervised operating modes, you must have an iOS MDM Server installed in the selected administration group. For detailed information on installing iOS MDM Server, refer to the Deploying iOS MDM Server section.
- Aurora
- Protection (protection of Aurora devices against threats).
To connect Aurora devices, you need to have Kaspersky Endpoint Security for Aurora pre-installed on the devices that will connect.
In the New policy window:
- In the Name field, type the name of the new policy. If you specify the name of an existing policy, it will have (1) added at the end automatically.
- In the Policy status block of settings, select the status of the policy:
- Active. The wizard saves the created policy on the Administration Server. At the next synchronization of mobile devices with the Administration Server, the policy will be used on devices as an active policy.
- Inactive. The wizard saves the created policy on the Administration Server as a backup policy. This policy can be activated in the future after a specific event. If necessary, an inactive policy can be switched to an active state.
Several policies can be created for one application in the group, but only one of them can be active. When a new active policy is created, the previous active policy automatically becomes inactive.
- On the General tab of the Settings inheritance block of settings, select the inheritance options:
- Inherit settings from parent policy
If you enable this option in a child policy and an administrator locks some settings in the parent policy, then you cannot change these settings in the child policy.
If you disable this option in a child policy, then you can change all the settings in the child policy, even if some settings are locked in the parent policy.
- Force inheritance of settings in child policies
If you enable this option in a parent policy, this enables the Inherit settings from parent policy option for each child policy. In this case, you cannot disable this option for any child policy. All the settings that are locked in the parent policy are forcibly inherited in the child groups and you cannot change these settings in the child groups.
By default, the Inherit settings from parent policy option is enabled and the Force inheritance of settings in child policies option is disabled.
Inheritance of policy settings works only if either identical device operating modes are selected for the parent and child policy or device operating modes selected for the child policy provide more security settings. For example, a child policy for Android devices with a corporate container can inherit settings from a parent policy for personal devices but cannot inherit settings from a parent policy for corporate devices.
If you create a child policy that is incompatible with the parent policy, you must delete it and create a new child policy to manage devices.
- Click Save.
The new policy for mobile devices is created.
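The inheritance rules above (locked settings, forced inheritance, and the operating-mode compatibility requirement) are easy to get wrong when planning a group hierarchy. The following model, written for this page and not part of Kaspersky Security Center, computes the settings that actually reach a child group; it assumes that a child policy which does not set a value keeps the parent's value, and takes the Android mode ordering (personal, then corporate container, then corporate) from the documentation's own example.

```python
# Added illustration of the policy inheritance rules; a model written for this
# page, not Kaspersky Security Center code.  Assumptions: a child policy that
# does not set a value keeps the parent's value, and the Android mode ordering
# personal < corporate container < corporate follows the documentation example.
from dataclasses import dataclass, field

# Android device operating modes ranked by how many security settings they expose.
ANDROID_MODE_RANK = {"personal": 0, "corporate_container": 1, "corporate": 2}


@dataclass
class Policy:
    name: str
    mode: str                                  # key of ANDROID_MODE_RANK
    settings: dict                             # setting name -> value
    locked: set = field(default_factory=set)   # settings the admin locked here
    inherit_from_parent: bool = True           # "Inherit settings from parent policy"
    force_inheritance: bool = False            # "Force inheritance of settings in child policies"


def is_compatible(parent: Policy, child: Policy) -> bool:
    """A child may inherit only when its mode offers at least the parent's settings."""
    return ANDROID_MODE_RANK[child.mode] >= ANDROID_MODE_RANK[parent.mode]


def inheritance_enabled(parent: Policy, child: Policy) -> bool:
    """Forced inheritance in the parent overrides the child's own toggle."""
    return True if parent.force_inheritance else child.inherit_from_parent


def rejected_overrides(parent: Policy, child: Policy) -> set:
    """Settings the child tries to change but cannot, because they are locked upstream."""
    if not inheritance_enabled(parent, child):
        return set()
    return {name for name in child.settings if name in parent.locked}


def resolve(parent: Policy, child: Policy) -> dict:
    """Compute the settings that actually reach devices in the child group."""
    if not is_compatible(parent, child):
        raise ValueError(
            f"{child.name!r} ({child.mode}) cannot inherit from "
            f"{parent.name!r} ({parent.mode}); recreate the child policy")
    effective = dict(parent.settings)          # start from the inherited values
    blocked = rejected_overrides(parent, child)
    for name, value in child.settings.items():
        if name not in blocked:                # locked upstream: child's value ignored
            effective[name] = value
    return effective


if __name__ == "__main__":
    # Constructed sample policies (not from any real deployment).
    root = Policy("Managed devices", "personal",
                  {"web_protection": True, "password_min_len": 6, "camera": True},
                  locked={"web_protection"})
    sales = Policy("Sales", "corporate_container",
                   {"web_protection": False, "password_min_len": 8})
    print(resolve(root, sales))        # web_protection stays True (locked in parent)
    sales.inherit_from_parent = False
    print(resolve(root, sales))        # inheritance off: the child may override it
    root.force_inheritance = True
    print(resolve(root, sales))        # forced inheritance: the lock applies again
```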
Modifying a policy
Kaspersky Security Center Web Console lets you modify policies.
To modify a policy:
- Open the policy properties window by doing one of the following:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of policies that opens, click the name of the policy that you want to modify.
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices. Click the mobile device that falls under the policy that you want to modify, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties window, navigate to the Application settings tab, and then define the policy settings.
You can also configure general settings, settings inheritance, event logging and notifications, and policy profiles, and also view the revision history. For more information, please refer to the Kaspersky Security Center Help.
- Click Save to save the changes you have made to the policy and exit the policy properties window.
The policy is modified. Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Copying a policy
Kaspersky Security Center Web Console lets you create a copy of a policy.
To create a copy of a policy:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
- In the list of policies that opens, select the check box next to the name of the policy you want to copy, and then click Copy.
- In the tree of administration groups that opens, select the target group where you want the policy to be created.
You can create a new administration group by selecting an existing group, and then clicking Add child group.
- Click Copy.
- Click OK to confirm the operation.
A copy of the policy will be created in the target group under the same name. The status of each copied or moved policy in the target group will be Inactive. You can change the status to Active at any time.
If a policy with a name identical to that of the newly created or moved policy already exists in the target group, the (<next sequence number>) suffix is added to the name of the newly created or moved policy, for example: (1).
Moving a policy to another administration group
Kaspersky Security Center Web Console lets you move a policy to another administration group.
To move a policy to another administration group:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
- In the list of policies that opens, select the check box next to the name of the policy that you want to move to another administration group, and then click Move.
- In the tree of administration groups that opens, select the target group to which you want to move the policy.
You can create a new administration group by selecting an existing group, and then clicking Add child group.
- Click Move.
- Click OK to confirm the operation.
The result depends on the policy inheritance properties:
- If the policy is not inherited in the source group, it will be moved to the target group.
- If the policy is inherited in the source group, it will not be moved. Instead, a copy of the policy will be created in the target group.
The status of each copied or moved policy in the target group will be Inactive. You can change the status to Active at any time.
If a policy with a name identical to that of the newly created or moved policy already exists in the target group, the (<next sequence number>) suffix is added to the name of the newly created or moved policy, for example: (1).
Viewing the list of policies
Kaspersky Security Center Web Console lets you view the list of created policies, their statuses, and properties.
To view the list of policies:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
The list of policies opens with brief information about the policies. On this page, you can create, modify, copy, move, and delete policies.
Viewing the policy distribution results
Kaspersky Security Center Web Console lets you view the distribution chart of a policy and the information about all devices that fall under that policy.
To view the results of distributing a policy:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
- In the list of policies that opens, select the check box next to the name of the policy whose distribution results you want to view, and then click Distribution.
The policy distribution results page opens. This page contains the policy summary, a policy distribution chart, and a table with information about all devices that fall under that policy. You can open the policy properties window by clicking the Configure policy button.
Managing revisions to policies
Kaspersky Security Center Web Console lets you view modifications made to a policy over a certain period, as well as save information about these modifications in a file.
To view a policy revision:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
- In the list of policies that opens, click the policy whose revision you want to view, and then go to the Revision history section.
- In the list of policy revisions, click the number of the revision that you want to view.
If the size of the revision is more than 10 MB, you will not be able to view it using Kaspersky Security Center Web Console. You will be prompted to save the selected revision to a JSON file.
If the size of the revision does not exceed 10 MB, a report in HTML format with the settings of the selected policy revision is displayed. The report is displayed in a pop-up window, so make sure pop-ups are allowed in your browser.
To save a policy revision to a JSON file, in the list of policy revisions, select the revision that you want to save, and then click Save to file.
The revision is saved to a JSON file.
For detailed information on managing revisions to policies, refer to the Kaspersky Security Center Help.
Restricting permissions to configure policies
Kaspersky Security Center administrators can configure the access permissions of Web Console users for different functions of the Kaspersky Secure Mobility Management solution depending on the job duties of users.
In the Web Console interface, you can configure access rights on the Security and User roles tabs of the Administration Server properties window. The User roles tab lets you add standard user roles with a predefined set of rights. The Security section lets you configure rights for one user or a group of users or assign roles to one user or a group of users. User rights for each application are configured according to functional scopes.
For each functional area, the administrator can assign the following permissions:
- Allow editing. The Web Console user is allowed to change the policy settings in the properties window.
- Block editing. The Web Console user is prohibited from changing the policy settings in the properties window. Policy tabs belonging to the functional scope for which this right has been assigned are not displayed in the interface.
Configuring role-based access control
Kaspersky Security Center Web Console provides facilities for role-based access to the features of Kaspersky Secure Mobility Management.
You can configure access rights to application features for Kaspersky Secure Mobility Management in one of the following ways:
- By configuring the rights for each user or group of users individually.
- By creating standard user roles with a predefined set of rights and assigning those roles to users depending on their scope of duties.
Application of user roles is intended to simplify and shorten routine procedures of configuring users' access rights to application features. Access rights within a role are configured in accordance with the standard tasks and the users' scope of duties.
User roles can be assigned names that correspond to their respective purposes. You can create an unlimited number of roles in the application. You can use the predefined user roles with an already configured set of rights, or create new roles and configure the required rights yourself.
For detailed information on configuring user access in Kaspersky Security Center, refer to the Kaspersky Security Center Help.
Some of the predefined user roles are not authorized to work with mobile devices. The predefined user roles which are available for the Kaspersky Secure Mobility Management features are listed in the table below.
Predefined user roles for Kaspersky Secure Mobility Management
Role | Read | Write | License key management: create policies and modify license key settings | Vulnerability and patch management: view unaccepted EULAs and accept EULAs
---|---|---|---|---
Kaspersky Endpoint Security Administrator | + | + | - | -
Kaspersky Endpoint Security Operator | + | - | - | -
Main Administrator | + | + | - | -
Main Operator | + | - | - | -
Mobile Device Management Administrator | + | + | + | +
Mobile Device Management Operator | + | - | - | -
For detailed information on predefined user roles, refer to the Kaspersky Security Center Help.
Access rights to Kaspersky Secure Mobility Management features
Functional area | Right
---|---
Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > App configuration | Please note, to configure the Web Protection and Web Control settings, the administrator must have the Read and Write rights for both the Protection and Security controls functional areas.
Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Security controls |
Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Corporate container |
Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Device configuration |
Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Configuration of Kaspersky device management apps |
Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Protection |
Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Restrictions |
Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Samsung Knox settings |
Mobile Device Management access rights
Right | User action: right required to perform the action
---|---
Mobile Device Management > General > Read |
Mobile Device Management > General > Write |
Mobile Device Management > General > Connect new devices |
Mobile Device Management > General > Manage certificates | The Write right must also be granted.
Mobile Device Management > General > Send only information commands to mobile devices |
Mobile Device Management > General > Send commands to mobile devices |
Configuring policy profiles
Sometimes it may be necessary to create and centrally modify several instances of a single policy for an administration group. These instances might differ by only one or two settings.
To help you avoid creating several instances of a single policy, Kaspersky Security Center Web Console lets you create policy profiles. Policy profiles are necessary if you want devices within a single administration group to run under different policy settings.
A policy profile is a named subset of policy settings. This subset is distributed on target devices together with the policy, supplementing it under a specific condition called the profile activation condition. Profiles only contain settings that differ from the "basic" policy, which is active on the managed device. Activation of a profile modifies the settings of the "basic" policy that were initially active on the device. The modified settings take values that have been specified in the profile.
You can modify the specific conditions that must affect activation of the policy profile that you are creating. For mobile devices, you can modify the following conditions:
- Rules for specific device owner
Profile activation on the device according to its owner.
- Device owner
- Device owner is included in an internal security group
- Rules for role assignment
Profile activation on the device depending on the owner's role.
- Activate policy profile by specific role of device owner
- Rules for tag usage
Profile activation on the device depending on the tags assigned to the device.
- Tag list
- Apply to devices without the specified tags
- Rules for Active Directory usage
Policy profile activation on the device based on the device allocation in an Active Directory organizational unit or the membership of that device (or the device owner) in an Active Directory security group. The configuration scope depends on the currently used policy.
- Device owner's membership in an Active Directory security group
- Device membership in Active Directory security group
- Device allocation in Active Directory organizational unit
For detailed information on configuring activation rules, creating, deleting, or copying policy profiles, refer to the Kaspersky Security Center Help.
If you copy a policy profile to an incompatible policy (a policy in which the operating systems and device operating modes of this profile are not configured), such a profile will not work properly.
Deleting a policy
Kaspersky Security Center Web Console lets you delete policies.
You can delete only policies that are not inherited in the current administration group. If a policy is inherited, you can only delete it in the higher-level group for which it was created.
To delete a policy:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
- In the list of policies that opens, select the check box next to the name of the policy that you want to delete, and then click Delete.
- In the window that opens, click OK to confirm the operation.
The policy is deleted. Before the new policy is applied, mobile devices belonging to the administration group continue to work according to the settings specified in the policy that has been deleted.
Connecting mobile devices to Kaspersky Security Center Web Console
To manage mobile devices and the mobile management apps installed on them, you must connect these devices to Kaspersky Security Center.
Before connecting, make sure the license that supports the Mobile Management solution is configured in the License keys section of the Administration Server properties.
To connect a mobile device to Kaspersky Security Center:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
- In the list of mobile devices that opens, click Add.
The Mobile device connection wizard starts. Click Start, and then proceed through the wizard using the Back and Next buttons.
Welcome
On the welcome screen, you can read a summary of the Mobile device connection wizard steps.
Step 1. Policy
At this step, choose a policy for devices that will connect. Devices operate according to the security settings specified in the policy.
- Use an existing policy
For this option, specify the administration group of the policy you want to choose. The policy name, operating systems and operating modes of the devices managed by this policy will be displayed.
If necessary, click Go to policy to view the properties of the policy you have selected.
- Create a new policy
For this option, click the Create policy button that appears. You will be redirected to the Mobile policy wizard. After a policy with the required properties is created, you can return to the Mobile device connection wizard.
Step 2. Operating systems
At this step, choose the operating systems of the devices that will connect. The policy settings determine the available operating systems: Android, iOS, or Aurora.
- Android
After you select this operating system, the Kaspersky Endpoint Security for Android Installation settings will be displayed. To modify them, click Edit settings.
- Choose the Installation source for Kaspersky Endpoint Security for Android:
- Kaspersky website
This installation source works for all operating modes.
- Installation package
This installation source works for all operating modes.
- To choose an installation package, click Select installation package, and then select the installation package from the list that opens.
- If there are no available installation packages, you will be prompted to create one. Click Create installation package, and then follow the steps of the New package wizard as described in the Kaspersky Security Center Help to create an installation package from a file or create a stand-alone installation package. After the installation package is created, you can return to the Mobile device connection wizard.
Automatic app updates through the store are not available with this installation method. You can update the app manually in the App update section of the policy settings.
The latest installation package uploaded to Kaspersky Security Center is used to install the app on devices. For corporate devices, make sure the Allow using HTTP to download the app on corporate devices check box is selected to ensure Kaspersky Endpoint Security for Android is downloaded. Otherwise, the app is downloaded over HTTPS only, which succeeds only if the Kaspersky Security Center Web Server certificate was issued by a trusted certificate authority.
For more information on the installation methods, refer to the Installing Kaspersky Endpoint Security for Android section.
- Choose Installation network for Kaspersky Endpoint Security for Android (corporate devices only):
- Prompt the user to select a Wi-Fi network on device
If you choose this option, the user will be prompted to connect to any available Wi-Fi network for downloading the app.
- Only use the specified Wi-Fi network (Android 9 or later)
To choose an installation network, click Select network.
In the window that opens, specify the following settings:
- Service set identifier (SSID)
- Hidden network
- Network protection
- Password
- Use proxy server
- Proxy server address
- Proxy server port
- PAC file URL
- Do not use proxy server for the following addresses
Do not enter the password of a confidential Wi-Fi network that must not be publicly accessible: the password is sent to the user unencrypted in a QR code along with the other device configuration data.
- Try to use mobile network (Android 8 or later)
If you choose this option, the device will try to use mobile data to download the app. If the device does not have a SIM card or the mobile network is not available, the user will be prompted to select any available Wi-Fi network.
- Click the Enable all system apps check box (corporate devices only) if you want system apps to remain active on the device. If necessary, they can be disabled later in the App Control section.
- iOS
To connect and manage iOS devices in basic control and supervised operating modes, you must have an iOS MDM Server installed in the selected administration group. For detailed information on installing iOS MDM Server, refer to the Deploying iOS MDM Server section.
The Kaspersky Security for iOS app will be installed on personal iOS devices in the basic protection operating mode.
A device management profile will be installed on the devices operating in basic control and supervised operating modes.
On devices running iOS 12.1 or later, you must manually confirm the installation of a device management profile on a mobile device. You must also grant the permission for remote management of the device.
- Aurora
To connect Aurora devices, you need to have Kaspersky Endpoint Security for Aurora pre-installed on the devices that will connect.
Step 3. Accept agreements
At this step, choose who must accept the End User License Agreement (EULA) and Privacy Policy.
- Administrator
The agreements are accepted by the administrator in the next step of the wizard. In this case, the app skips the acceptance step during the app installation.
- Users
The agreements are accepted on mobile devices by users.
This step only applies to Android and iOS operating systems. If you are connecting Aurora devices, the agreements are only accepted by users on their mobile devices.
Please note that the administrator can accept a given version of the EULA only after users have accepted that version on their devices for the first time. After the connection and first synchronization of those devices with Kaspersky Security Center, the administrator will be able to accept this version of the EULA when subsequent devices are connected.
The list of accepted agreements is available in the End User License Agreements section of the Administration Server properties.
Step 4. End User License Agreement and Privacy Policy
At this step, if Administrator is selected as the recipient of the agreements in the previous step of the wizard, you will be prompted to read the Privacy Policy, the EULA, and all the documents associated with it. You must accept the terms and conditions of the EULA and Privacy Policy before installation of the mobile device management apps.
Step 5. Users
At this step, choose one or more users of the devices that will connect. These users will receive the details for installing the app to connect their devices to Kaspersky Security Center. If a user is not in the list, you can add a new user account without exiting the wizard.
Due to technical limitations, you cannot select and send the connection details to more than 75 users within a single session of Mobile device connection wizard. We recommend that you divide the devices that will connect into groups of less than 75 devices and connect these groups sequentially within separate wizard sessions.
- To choose an existing user, select check boxes next to the corresponding user names.
- To add a new user, click Add user.
- Specify user credentials in the Credentials block of settings.
- User name
- Password
The password must meet the following complexity requirements:
- It must contain between 8 and 16 characters.
- It must contain the characters from at least three of these groups: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;).
- If necessary, specify the optional details in the Optional information group of settings.
- Full user name
- Description
- Email address
- Phone number
- Click OK to save the changes.
The new user will be added and displayed in the list of users.
- To modify user details, click Edit user.
The fields you can modify depend on the user subtype - internal or domain.
Step 6. Send connection details
At this step, choose how to send the QR codes and links for installing the mobile management apps or device management profiles. You can choose one of the following options:
- Send a message to users' email addresses
Choose this option to send the connection details by email to the selected users. To install the app or a device management profile, the user needs to scan the QR code using the camera of the mobile device or open the link to the installation package.
These email addresses must be specified in the user account settings in Kaspersky Security Center.
If you want to send the connection details to an email address that is not specified in the user account settings in Kaspersky Security Center, select the Send a copy of the message to an alternate email address check box, and then specify the required email address.
- Show QR codes and links after completing the wizard
Choose this option to scan the QR code with the camera of the mobile device or follow the link in the wizard.
Step 7. Confirm
At this step, check the mobile device connection details specified in the earlier steps, and then click Finish to confirm the operation.
Finish
On the Finish screen:
- If you chose the Send a message to users' email addresses option, the specified users will receive the emails with QR codes and links for connecting mobile devices to the Administration Server.
- If you chose the Show QR codes and links after completing the wizard option, the connection details will be available on the Finish screen. You can view the displayed details or click Download list to receive a file with summarized information.
Click Close to exit the wizard.
As soon as users install the mobile management apps, their devices are connected to the Administration Server and displayed on the Devices tab of Kaspersky Security Center Web Console.
You can now configure the settings for devices and mobile management apps using policies. You will also be able to send commands to mobile devices for data protection in case devices are lost or stolen.
Direct connection of Android devices to Kaspersky Security Center
Android devices can connect directly to port 13292 of the Administration Server.
Depending on the method used for authentication, two connection options are possible.
Connecting devices with a user certificate
When connecting a device with a user certificate, the device is associated with the user account to which the corresponding certificate has been assigned through the Administration Server tools.
In this case, two-way SSL authentication (mutual authentication) will be used. Both the Administration Server and the device will be authenticated with certificates.
Connecting devices without a user certificate
When connecting a device without a user certificate, the device is not associated with any user account on Administration Server. However, as soon as the device receives a certificate, the device is associated with the user to whom the corresponding certificate has been assigned through the Administration Server tools.
When connecting that device to the Administration Server, one-way SSL authentication is applied, which means that only Administration Server is authenticated with a certificate. After the device retrieves the user certificate, the type of authentication changes to two-way SSL authentication (mutual authentication).
Moving unassigned mobile devices to administration groups
When the mobile devices are connected to Kaspersky Security Center, they are displayed on the Discovery & deployment > Unassigned devices page of Kaspersky Security Center Web Console. To manage newly connected devices, you can create a rule that automatically assigns them to administration groups or you can move them to an administration group manually.
To move an unassigned mobile device to an administration group:
- In the main window of Kaspersky Security Center Web Console, select Discovery & deployment > Unassigned devices.
- Select the device that you want to move to an administration group, and then click Move to group.
- In the tree of administration groups that opens, select the target group to which you want to move the device.
You can create a new administration group by selecting an existing group, and then clicking Add child group.
- Click Move.
The device is moved to the specified administration group and the corresponding policy is applied to it.
Actions on mobile devices to connect to Administration Server
Depending on the mode in which your device will operate, you may have to perform additional actions to protect your device and connect it to the Administration Server.
Install a mobile certificate
If you received a certificate password, you must use it to install the mobile certificate on your device.
To install the mobile certificate:
- Remember or write down the password you received from your administrator by email.
- Do one of the following:
- On an Android device, enter the certificate password when prompted by Kaspersky Endpoint Security for Android.
- On an iOS device, enter the certificate password during installation of the device management profile.
The mobile certificate will be installed on your device.
Pre-configure corporate Android devices
To connect a corporate Android device to the Administration Server, you must pre-configure the device depending on the operating system version and availability of a QR code scanner.
Configuring synchronization settings
To manage mobile devices and receive reports or statistics from mobile devices of users, you must configure the synchronization settings. Synchronization is performed using the HTTPS protocol. Mobile device synchronization with the Administration Server may be performed in the following ways:
- By schedule. You can configure the synchronization schedule in the policy settings. Modifications to policy settings, commands and tasks will be performed when the device synchronizes with Kaspersky Security Center according to the schedule, i.e. with a delay. By default, mobile devices are synchronized with Kaspersky Security Center automatically every 6 hours.
Due to the limitations imposed by Android Doze mode, when you select a short synchronization period, devices may synchronize with the Administration Server less frequently than expected.
Using short synchronization periods decreases device battery life.
- Forced. Synchronization is performed using FCM (Firebase Cloud Messaging) push notifications. Forced synchronization is primarily intended for timely delivery of commands to a mobile device. This may be useful when a mobile device is in battery-saver mode, because in this case the app may perform tasks later than specified. If you want to use forced synchronization, make sure that the FCM settings are configured in Kaspersky Security Center.
To configure synchronization settings for Android devices:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select Android and go to the KES for Android settings section.
- On the Scheduled synchronization card, click Settings.
The Scheduled synchronization window opens.
- Enable synchronization using the Scheduled synchronization toggle switch.
- In the Synchronization period drop-down list, select the period of time between synchronizations of devices with Kaspersky Security Center.
- To disable synchronization of devices with Kaspersky Security Center while roaming, select the Do not synchronize while roaming check box.
The device user can manually perform synchronization in the app settings (Settings → App settings → Synchronization → Synchronize).
- Click OK.
- Click Save to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. You can manually synchronize the mobile device using a special command.
To configure synchronization settings for iOS devices operating in basic protection mode:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select iOS and go to the KS for iOS settings section.
- On the Scheduled synchronization card, click Settings.
The Scheduled synchronization window opens.
- Enable synchronization using the Scheduled synchronization toggle switch.
- In the Synchronization period drop-down list, select the period of time between synchronizations of devices with Kaspersky Security Center. The default value is 6 hours.
- Click OK.
- Click Save to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. You can manually synchronize the mobile device using a special command.
Managing certificates of mobile devices
Kaspersky Security Center Web Console lets you issue, renew, or delete mobile, mail, or VPN certificates of mobile devices.
This section contains information about how to manage mobile device certificates and configure their issuance rules.
Configuring certificate issuance rules
Kaspersky Security Center Web Console lets you configure how the certificates for mobile devices are issued, renewed, and protected.
To configure certificate issuance rules:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the list of certificates that opens, click Issuance rules.
- In the PKI settings section:
- In the Integration with PKI block of settings, enable the Integrate issuance of certificates with Microsoft Certification Authority (CA) via PKI toggle switch to issue certificates automatically following integration.
Click Select device, and then specify a device with Network Agent installed that will connect to Microsoft CA.
For detailed information on PKI, refer to the Integration with Public Key Infrastructure section.
- In the Domain account for transmitting requests to issue certificates block of settings, specify the PKI account name (the name of the user account to be used for PKI integration, in the userPrincipalName@DNSDomainName format) and Password (the domain password for the account).
- Click Save to apply the changes.
- In the Mobile certificates section, you can do the following:
- In the Validity block of settings, in the Certificate validity period (days) field, specify the certificate lifetime in days. The default lifetime of a certificate is 365 days. When this period expires, the mobile device will not be able to connect to the Administration Server.
- In the Renewal block of settings, in the Renew certificate before it expires in (days) field, specify the number of days remaining until the current certificate's expiration when Administration Server should issue a new certificate. For example, if the value of the field is 4, Administration Server issues a new certificate four days before the current certificate expires. The default value is 30.
Select the Renew certificate automatically check box to renew certificates automatically. If this option is disabled, certificates must be renewed manually as they expire. This check box is selected by default.
- In the Password protection block of settings, select the Prompt for password during certificate installation check box to prompt the user for a password when the certificate is installed on a mobile device. The password is used only once during the installation of the certificate on the mobile device. The password will be automatically generated by Administration Server and sent to the user by email. You can specify the password length in the Password length field.
Password protection is only available for mobile certificates.
- Click Save to apply the changes.
- In the Mail certificates and VPN certificates sections, if PKI integration is configured:
- In the Renewal block of settings, in the Renew certificate before it expires in (days) field, specify the number of days remaining until the current certificate's expiration when Administration Server should issue a new certificate. For example, if the value of the field is 4, Administration Server issues a new certificate four days before the current certificate expires.
Select the Renew certificate automatically check box to renew certificates automatically. If this option is disabled, certificates must be renewed manually as they expire. This check box is selected by default.
- In the PKI settings block of settings, specify the Certificate template name in PKI (the certificate template that will be used to issue certificates to domain users).
The Network Agent for Windows service installed on a device which connects to CA is run under the specified user account. This service is responsible for issuing users' domain certificates. The service is run when the list of certificate templates is loaded by clicking the Refresh list button or when a certificate is generated.
When connecting a non-domain user's mobile device (running either Android or iOS) to Kaspersky Security Center, the attempt to issue a certificate may fail.
- In the Automatic issuance of mail certificate on device connection and Automatic issuance of VPN certificate on device connection blocks of settings, select the Issue for devices managed by Kaspersky Endpoint Security for Android or Issue for iOS MDM devices check boxes to enable automatic issuance of a mail or VPN certificate when devices connect to Kaspersky Security Center.
If you selected the Issue for iOS MDM devices check box, choose the certificate alias from the drop-down list. The certificate alias is a name that identifies the certificate. You can configure the subsequent use of the selected alias for the certificate issuance in the following policy sections:
- For mail certificates: in the properties of the Email account for iOS MDM devices and in the properties of the Exchange ActiveSync account for iOS MDM devices.
- For VPN certificates: in the properties of the VPN network for iOS MDM devices and in the properties of the Wi-Fi network for iOS MDM devices.
You can also change the alias for individual or multiple mail and VPN certificates by clicking Modify alias in the list of certificates (Assets (Devices) → Mobile → Certificates).
- Click Save to apply the changes.
The specified settings will be used by Kaspersky Security Center to issue, renew, and protect the certificates of mobile devices.
Issuing mobile device certificates
You can issue mobile, mail, or VPN certificates for mobile devices.
To issue a certificate:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the list of certificates that opens, click Add.
The Certificate issuance wizard starts. Click Start, and then proceed through the wizard using the Back and Next buttons.
Welcome
On the welcome screen, you can read a summary of the Certificate issuance wizard steps.
Please note that the numbering and set of steps may vary depending on the certificate type, operating system, and the issuance settings defined in the Issuance rules section.
Step 1. Certificate type
At this step, choose the certificate to be issued.
- Mail certificate (to configure corporate email on devices).
- VPN certificate (to configure access to private networks and corporate web resources on devices).
- Mobile certificate (to identify mobile devices on the Administration Server).
Step 2. Operating system
At this step, choose the operating system of the devices for which the certificate will be issued.
- Android
- iOS
Step 3. Connection method
This step is displayed only if you selected Mail certificate or VPN certificate as the certificate type and Android as the operating system of the devices for which the certificate will be issued.
At this step, choose the method for connecting devices to Administration Server.
- Connect using mobile certificate authentication
Select this option if you want the mobile certificate to be used for user identification upon connecting to Administration Server.
- Connect without mobile certificate authentication
Select this option if you want to install a certificate on a device using no certificate authentication.
Step 4. Users
At this step, choose one or more users that will receive the details for installing certificates. If a user is not in the list, you can add a new user account without exiting the wizard.
- To choose an existing user, select check boxes next to the corresponding user names.
- To add a new user, click Add user.
- Specify user credentials in the Credentials block of settings.
- User name
- Password
The password must meet the following complexity requirements:
- It must contain between 8 and 16 characters.
- It must contain the characters from at least three of these groups: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;).
- If necessary, specify the optional details in the Optional information group of settings.
- Full user name
- Description
- Email address
- Phone number
- Click OK to save the changes.
The new user will be added and displayed in the list of users.
- To modify user details, click Edit user.
The fields you can modify depend on the user subtype - internal or domain.
Step 5. Certificate alias and source
At this step, choose the certificate alias and source for importing the certificate.
- Certificate alias
A certificate alias is a name that identifies the certificate. You can use the selected alias later to configure policy settings: Email account for iOS MDM devices; Exchange ActiveSync account for iOS MDM devices; VPN network for iOS MDM devices; Wi-Fi network for iOS MDM devices.
This option is available only if you selected Mail certificate or VPN certificate as the certificate type.
- Integrate issuance with Microsoft CA via PKI
For this option, specify one of the available templates imported from Microsoft CA in the PKI template field.
This option is available only if the integration with PKI is enabled in the Issuance rules.
- Upload file
For this option, specify the Certificate format:
- For the PKCS #12 format, in the Certificate file field, click Select, and then specify a P12 or PFX file.
- For the X.509 format, in the Private key file field, click Select, and then specify a PRK or PEM file.
In the Certificate file field, click Select, and then specify a CER, CRT, or CERT file.
After you specify the files, you can also enter the Certificate password.
Step 6. Authentication method
This step is displayed only if you selected Mobile certificate as the certificate type, or if you selected Mail certificate or VPN certificate for Android devices and specified the Connect without mobile certificate authentication option as the connection method.
At this step, choose the user authentication method for receiving the certificate.
- Domain or internal user credentials. Users will access the certificate using the domain or internal user credentials. On mobile devices, users will have to specify the login in one of the following formats:
userPrincipalName@DNSDomainName
sAMAccountName
sAMADomain\sAMAccountName
- Password. Users will access the certificate using a password sent by email or displayed after completing the wizard.
In the Certificate use on device block of settings, click the Allow using one certificate multiple times on the same device (only for devices with Kaspersky Endpoint Security for Android installed) check box if you want to allow using one certificate multiple times on the same device.
This option is available only if Android is chosen as the operating system of the devices for which the certificate will be issued.
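The three login formats listed in this step (and the userPrincipalName@DNSDomainName form that the Issuance rules require for the PKI account) can be validated before they are handed to users or entered into the console. This parser is an added example, not part of Kaspersky Security Center; the names Login, parse_login, is_well_formed and require_upn are assumptions, and the sample logins are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Login:
    """A login split into its parts. form is 'upn', 'domain_sam' or 'sam'."""
    form: str
    account: str
    # DNS domain for a UPN, NetBIOS-style domain for domain\account, None when unqualified.
    domain: Optional[str]


def parse_login(raw: str) -> Login:
    """Parse one of the documented formats:
    userPrincipalName@DNSDomainName, sAMAccountName, or sAMADomain\\sAMAccountName.
    Raises ValueError for input that matches none of them or mixes them."""
    value = raw.strip()
    if not value or any(ch.isspace() for ch in value):
        raise ValueError("login must be a single non-empty token")

    has_at, has_backslash = "@" in value, "\\" in value
    if has_at and has_backslash:
        raise ValueError("login mixes the UPN and domain\\account forms")

    if has_at:
        if value.count("@") != 1:
            raise ValueError("a UPN contains exactly one '@'")
        account, _, domain = value.partition("@")
        if not account or not domain:
            raise ValueError("both the account and the DNS domain of a UPN must be non-empty")
        # DNS names are case-insensitive; normalise the suffix for comparisons.
        return Login("upn", account, domain.lower())

    if has_backslash:
        if value.count("\\") != 1:
            raise ValueError("domain\\account contains exactly one backslash")
        domain, _, account = value.partition("\\")
        if not domain or not account:
            raise ValueError("both the domain and the account must be non-empty")
        # NetBIOS domain names are conventionally shown in upper case.
        return Login("domain_sam", account, domain.upper())

    # Bare sAMAccountName: the Administration Server resolves the domain itself.
    return Login("sam", value, None)


def is_well_formed(raw: str) -> bool:
    try:
        parse_login(raw)
    except ValueError:
        return False
    return True


def require_upn(account_name: str) -> bool:
    """True only for the userPrincipalName@DNSDomainName form, which the Issuance rules
    require for the domain account used to transmit certificate requests."""
    return is_well_formed(account_name) and parse_login(account_name).form == "upn"


if __name__ == "__main__":
    # Constructed sample logins.
    samples = ("j.smith@corp.example.com", "CORP\\j.smith", "j.smith",
               "CORP\\j.smith@corp.example.com")
    for sample in samples:
        print(sample, "->", parse_login(sample) if is_well_formed(sample) else "rejected")
```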
Step 7. Send certificate details
At this step, choose how to send the certificate installation details. You can choose one of the following options:
- Send a message to users' email addresses
Choose this option to send the certificate installation details by email to the selected users. These email addresses must be specified in the user account settings in Kaspersky Security Center.
If you want to send the certificate installation details to an email address that is not specified in the user account settings in Kaspersky Security Center, select the Send a copy of the message to an alternate email address check box, and then specify the required email address.
- Show the details after completing the wizard
Choose this option to display the certificate installation details at the final step of the Certificate issuance wizard.
Step 8. Confirm
At this step, check the certificate issuance details specified in the earlier steps, and then click Confirm and issue certificate to confirm the operation.
Finish
On the Finish screen:
- If you chose the Send a message to users' email addresses option, the specified users will receive the emails with certificate installation details.
- If you chose the Show the details after completing the wizard option, certificate installation details are displayed on the Finish screen. You can view the displayed details or click Download list to receive a file with summarized information.
Click Close to exit the wizard.
After completing the Certificate issuance wizard, certificates are created and added to the list of user certificates. You can delete or renew certificates, as well as view their properties.
Renewing mobile device certificates
If one of the certificates is about to expire, you can renew it using Kaspersky Security Center Web Console.
By following the steps below, you can renew a mobile certificate or a mail or VPN certificate issued via PKI.
To renew a certificate:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the list of certificates that opens, select the certificate you want to renew, and then click Renew.
The status of the certificate changes to Certificate renewed.
Deleting mobile device certificates
You can delete the certificates of mobile devices using Kaspersky Security Center Web Console.
Please note that if you delete a mobile certificate, the device can no longer synchronize with Administration Server and cannot be managed by means of Kaspersky Security Center.
When you delete a certificate, it is only removed from Kaspersky Security Center Web Console and is no longer renewed, but it remains on the device. To delete a certificate from iOS MDM devices, corporate devices, or devices with a corporate container, you must execute the Wipe corporate data command. On personal Android devices, users must delete the certificate manually.
When you delete the mobile certificate of an iOS MDM device, the device is not removed from Kaspersky Security Center Web Console, but it loses the ability to synchronize with iOS MDM Server and is assigned the "Inactive" status. In this case, you have to delete this device from the list of managed devices in Kaspersky Security Center Web Console, and then reconnect it using the Mobile device connection wizard.
To delete a certificate from Kaspersky Security Center Web Console:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the list of certificates that opens, select the certificate you want to delete, and then click Delete.
The certificate is deleted and removed from the list of certificates.
Integration with Public Key Infrastructure
You can integrate the issuance of certificates with Microsoft Certification Authority (CA) via Public Key Infrastructure (PKI). Integration with PKI is primarily intended for simplifying the issuance of domain user certificates by Administration Server. Following integration, certificates are issued automatically.
You can perform the PKI integration with specified settings and assign PKI to act as the source of certificates for specific types of certificates. The PKI integration settings specified in the Issuance rules let you set the individual default template for all types of certificates.
The specifics of using PKI integration to issue certificates:
- The PKI integration is disabled by default. You can enable it using the Integrate issuance of certificates with Microsoft Certification Authority (CA) via PKI toggle switch. For detailed information on enabling PKI and configuring its settings, refer to the Configuring certificate issuance rules section.
- The certificate issuance is carried out using Network Agent for Windows, which enables the integration between Administration Server and Microsoft CA. Since there can be multiple devices with Network Agent installed, you specify the device that will connect to Microsoft CA in the Issuance rules. This device must have an Enrollment Agent (EA) certificate installed in the certificate store of the account under which the integration with PKI is performed. The certificate is issued by the administrator of the domain's CA.
- The account under which integration with PKI is performed must be a domain user and must have the Log on as a service right.
- Kaspersky Security Center can only work with one PKI (Microsoft CA) integration at a time.
For detailed information on configuring integration with PKI to issue certificates, refer to the Configuring certificate issuance rules section.
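The two prerequisites above (an Enrollment Agent certificate in the integration account's personal store, and the Log on as a service right) can be checked before enabling the integration. The script below is an added example, not Kaspersky's own code; run it in a session of the integration account on the Network Agent device. The account name is a placeholder, and the Certificate Request Agent EKU OID (1.3.6.1.4.1.311.20.2.1) is the one Microsoft assigns to Enrollment Agent certificates.

```powershell
# Added pre-flight check for the PKI integration prerequisites (example, not product code).
$IntegrationAccount = 'CORP\ksc-pki'   # placeholder: domain account used for the PKI integration

# 1. Enrollment Agent certificate: must be in the account's personal store, unexpired,
#    with a private key, and carry the Certificate Request Agent EKU.
$eaOid = '1.3.6.1.4.1.311.20.2.1'
$eaCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $eaOid
    }
if ($eaCerts) {
    'Enrollment Agent certificate(s) found:'
    $eaCerts | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
} else {
    Write-Warning 'No valid Enrollment Agent certificate with a private key in Cert:\CurrentUser\My.'
}

# 2. 'Log on as a service' right (SeServiceLogonRight). secedit needs an elevated prompt
#    and lists direct grants as *SID entries; a grant inherited via group membership is
#    not visible here, so a warning means "verify in Local Security Policy", not "missing".
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$grant = Get-Content $inf | Where-Object { $_ -like 'SeServiceLogonRight*' }
Remove-Item $inf -ErrorAction SilentlyContinue

$sid = (New-Object System.Security.Principal.NTAccount($IntegrationAccount)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value
if ($grant -and ($grant -split '[=,]' | ForEach-Object { $_.Trim() }) -contains "*$sid") {
    "$IntegrationAccount holds the 'Log on as a service' right."
} else {
    Write-Warning "$IntegrationAccount is not directly granted 'Log on as a service' (SeServiceLogonRight)."
}
```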
Viewing the list of mobile device certificates
Kaspersky Security Center Web Console lets you view the created mobile device certificates and their properties.
To view the list of all certificates and their properties:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the window that opens, you can view the list of all created certificates and their properties displayed in the table.
To view the properties of an individual certificate:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the list of certificates that opens, select the certificate whose properties you want to view.
- In the Certificate details window, view the certificate properties:
- User name
- Status
- Type
- Protocol
- Source
- Expiration date
- Issue date
- Latest status update
- Alias
- Automatic renewal disabled
- Thumbprint
To view the certificates installed on an iOS MDM device:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
- In the list of mobile devices that opens, choose the device whose certificates you want to view.
- In the device properties window that opens, choose the Certificates section.
The list of certificates installed on the device is displayed, with the following properties:
- Certificate name
- User certificate
- Certificate thumbprint