Contents
- Deploying iOS MDM Server
- Configuring an iOS MDM Server installation package
- Installing iOS MDM Server using a remote installation task
- Local installation of iOS MDM Server on a device via an installation package
- Updating iOS MDM Server using a remote installation task or locally
- Deleting iOS MDM Server using a remote uninstallation task
Deploying iOS MDM Server
iOS MDM Server is a component of Kaspersky Secure Mobility Management which allows iOS MDM devices to connect to Kaspersky Security Center and facilitates management of these devices through Apple Push Notifications (APNs) by installing dedicated device management profiles on them.
iOS MDM Server receives inbound connections from mobile devices through its TLS port (by default, port 443), which is managed by Kaspersky Security Center using Network Agent. Network Agent is installed locally on a device with an iOS MDM Server deployed.
The number of copies of iOS MDM Server to be installed can be selected either based on available hardware or on the total number of mobile devices covered.
Please keep in mind that the recommended maximum number of mobile devices to be managed through iOS MDM Server is 50,000. In order to reduce the load, the entire pool of devices can be distributed among several servers that have iOS MDM Server installed.
Configuring an iOS MDM Server installation package
Before you install iOS MDM Server, you need to configure the iOS MDM Server installation package properties.
The iOS MDM Server installation package is an archive that contains the files required for the installation of the iOS MDM Server depending on the package manager and architecture: kliosmdm-<architecture>-<version>-<package manager>_<language>.tar.gz
To configure an iOS MDM Server installation package:
- In the main window of Kaspersky Security Center Web Console, select Operations > Repositories > Installation packages.
- In the window that opens, click the iOS MDM Server installation package you want to configure.
The installation package properties window opens.
- In the Settings tab, specify the iOS MDM Server properties.
- In the Connection settings group of settings, configure the following properties:
It is recommended to use the default values.
- iOS MDM external connection port. In this field, specify an external port for connecting mobile devices to the iOS MDM service.
External port 5223 is used by mobile devices for communication with the APNs server. Make sure that port 5223 is open in the Firewall for connecting with the address range 17.0.0.0/8.
Port 443 is used for connecting to iOS MDM Server by default. If port 443 is already in use by another service or application, it can be replaced with, for example, port 9443.
Port 2197 is used by iOS MDM Server to send notifications to the APNs server. APNs servers run in load-balancing mode. Mobile devices do not always connect to the same IP addresses to receive notifications. The 17.0.0.0/8 address range is reserved for Apple, and it is therefore recommended to specify this entire range as an allowed range in Firewall settings.
- Network Agent connection port. In this field, specify a port for connecting the iOS MDM service to Network Agent. The default port number is 9799.
- iOS MDM local connection port. In this field, specify a local port for connecting Network Agent to the iOS MDM service. The default port number is 9899.
- In the iOS MDM Server address group of settings, specify the address of the workstation on which iOS MDM Server is to be installed. This address will be used for connecting managed mobile devices to the iOS MDM service. The workstation must be available for connection of iOS MDM devices.
Choose one of the following options:
- Use FQDN device name. The fully qualified domain name (FQDN) of the device will be used.
- Use specified address. Specify the specific address of the device manually.
Do not add the URL scheme and the port number in the address string. These values will be added automatically.
- Click Save.
The iOS MDM Server installation package properties are configured. Now you can install iOS MDM Server with the specified settings.
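One way to audit the resulting port layout once iOS MDM Server is running, as an added example that is not part of the Kaspersky documentation: it reads `ss -Hltn` output and reports whether the two local ports are reachable on non-loopback addresses and whether the external port has a listener. Treating 9799 and 9899 as loopback-only is an assumption (Network Agent and the iOS MDM service run on the same host), and the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example, not Kaspersky code. Port numbers are the defaults from this
# page; treating 9799 and 9899 as loopback-only is an assumption based on
# Network Agent and the iOS MDM service running on the same host.

# Reads `ss -Hltn` output on stdin. Usage: audit_listeners EXTERNAL LOCAL...
# Prints one finding per line and returns non-zero if there is any.
audit_listeners() {
    awk -v ext="$1" -v locals="$(shift; echo "$*")" '
        BEGIN { n = split(locals, l, " "); for (i = 1; i <= n; i++) is_local[l[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4; port = $4
            sub(/.*:/, "", port)          # text after the last colon
            sub(/:[^:]*$/, "", addr)      # everything before it
            if (port == ext) seen_ext = 1
            if ((port in is_local) && addr !~ /^(127\.|\[::1\])/) {
                print "EXPOSED " port " listens on " addr; bad = 1
            }
        }
        END {
            if (!seen_ext) { print "MISSING no listener on external port " ext; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample in `ss -Hltn` layout: 9899 is bound to every interface.
sample_listeners() {
    printf '%s\n' \
        'LISTEN 0 128 0.0.0.0:443    0.0.0.0:*' \
        'LISTEN 0 128 127.0.0.1:9799 0.0.0.0:*' \
        'LISTEN 0 128 *:9899         *:*'
}

# On a live server: ss -Hltn | audit_listeners 443 9799 9899
sample_listeners | audit_listeners 443 9799 9899 || true
```

An EXPOSED finding means the port should be restricted by the host firewall; it does not by itself show that the service accepts remote requests.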
Installing iOS MDM Server using a remote installation task
Kaspersky Security Center Web Console lets you install iOS MDM Server remotely using a remote installation task. This task is created and assigned to up to 1000 devices through a corresponding wizard. The wizard will help install iOS MDM Server in an administration group, on devices with specific IP addresses, or on a selection of managed devices.
Please note that you will not be able to specify the iOS MDM Server settings during the installation. The settings are configured in the iOS MDM Server installation package properties.
Before installing iOS MDM Server on a device, make sure the Kaspersky Mobile Devices Protection and Management and iOS MDM Server settings plug-ins are installed.
To install iOS MDM Server using a remote installation task:
- Install Network Agent on a workstation on which iOS MDM Server will be deployed.
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers.
- Click Install.
The New task wizard starts. Proceed through the wizard using the Next button.
- In the New task settings window that opens:
- In the Task name field, specify a custom name for the task, if necessary (The default name is "Install iOS MDM Server").
- In the Devices to which the task will be assigned group of settings, choose Specify device addresses manually or import addresses from a list. You can specify DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.
- At the Task scope step:
- Click Add devices.
- In the window that opens, in the drop-down list, choose the Select networked devices detected by Administration Server option.
- Select devices or a device selection.
- Click Add.
After you add the devices, they are displayed in the table.
- At the Installation packages step, specify the following settings:
- In the Select installation package field, select the configured iOS MDM Server installation package.
- In the Select Network Agent field, select the installed Network Agent.
- In the Force installation package download group of settings, select the Using Network Agent check box to distribute the files that are required for iOS MDM Server installation via Network Agent.
- In the Maximum number of concurrent downloads field, specify the maximum allowed number of devices to which Administration Server can simultaneously transmit the files.
- In the Maximum number of installation attempts field, specify the maximum number of times the installer will be allowed to run.
- Specify the additional settings:
- Click the Do not re-install application if it is already installed check box. The application will not be re-installed if it has already been installed on the device.
- Click the Verify operating system type before downloading check box. Before transmitting the files to devices, Kaspersky Security Center checks if the installation utility settings are applicable to the operating system of the device. If the settings are not applicable, Kaspersky Security Center does not transmit the files and does not attempt to install the application. For example, to install some application to devices of an administration group that includes devices running various operating systems, you can assign the installation task to the administration group, and then enable this option to skip devices that run an operating system other than the required one.
- At the next step of the wizard, you will be prompted to select the action that will be performed if the installation process prompts you to restart the operating system. Select the Do not restart the device option or skip this step, as it does not apply to the Linux operating system.
- At the Select accounts to access devices step, choose the No account required (Network Agent installed) option. If this option is selected, you do not have to specify the account under which the application installer will be run. The task will run under the account under which the Administration Server service is running. If Network Agent has not been installed on devices, this option is unavailable.
- At the Finish task creation step, click the Finish button to create the task and close the wizard.
iOS MDM Server is installed using a remote installation task.
Local installation of iOS MDM Server on a device via an installation package
Kaspersky Security Center Web Console lets you install iOS MDM Server on a local device using an installation package, that is, without interactively inputting the installation settings.
Before installing iOS MDM Server on a device, make sure the Kaspersky Mobile Devices Protection and Management and iOS MDM Server settings plug-ins are installed.
To install and configure iOS MDM Server on a local device manually:
- Install iOS MDM Server:
- Read the End User License Agreement. Use the command below only if you understand and accept the terms of the End User License Agreement.
- Depending on your operating system, run one of the following commands to launch the installation file:
- For Debian:
apt install /<path>/kliosmdm_<version_number>_amd64.deb
- For Red Hat Enterprise Linux:
yum install /<path>/kliosmdm_<version_number>.x86_64.rpm -y
iOS MDM Server is installed. The installer offers to start the setup procedure by executing the postinstall.pl script.
- Configure iOS MDM Server using one of the methods:
- Configuration with the postinstall settings specified by the interactive step-by-step wizard:
- Run the following command:
/opt/kaspersky/iosmdm/lib/bin/setup/postinstall.pl
- Configuration with the key arguments specified as postinstall settings:
- Run the following command:
opt/kaspersky/bin/postinstall.pl -- <params>
where <params> is one of the settings specified in the iOS MDM Server installation settings table below.
The names and possible values for the settings that can be configured when installing iOS MDM Server are listed in the table. You can specify these settings in any convenient order.
iOS MDM Server installation settings
Setting name | Setting description | Values |
---|---|---|
EULA_ACCEPTED | Acceptance of the terms of the End User License Agreement. This setting is mandatory. | |
DONT_USE_ANSWER_FILE | Whether or not to use a TXT answer file with iOS MDM Server installation settings. The file is included in the installation package or stored on the Administration Server. You do not have to specify an additional path to the file. This setting is mandatory. | |
CONNECTORPORT | Local port for connecting the iOS MDM service to Network Agent. The default port number is 9799. This setting is optional. | Numerical value - 9799 |
LOCALSERVERPORT | Local port for connecting Network Agent to the iOS MDM service. The default port number is 9899. This setting is optional. | Numerical value - 9899 |
EXTERNALSERVERPORT | Port for connecting a device to iOS MDM Server. The default port number is 443. This setting is optional. | Numerical value - 443 |
EXTERNAL_SERVER_URL | External address of the device on which iOS MDM Server is to be installed. This address will be used for connecting managed mobile devices to the iOS MDM service. The device must be available for connection through iOS MDM. The address must not include the URL scheme and number of the port because these values will be added automatically. This setting is optional. | Device FQDN - example.fqdn.com |
Example:
To install and configure iOS MDM Server in silent mode automatically using an answer file:
An answer file is a text file that contains a custom set of installation settings (variables and their corresponding values).
- Create an answer file (in TXT format) in the directory where the installation will be performed: /tmp/answers.txt.
- Specify the required values in the answer file:
- EULA_ACCEPTED=1
Acceptance of the terms of the End User License Agreement.
- KLIOSMDM_AUTOINSTALL=1
Using a TXT answer file with iOS MDM Server installation settings.
- EXTERNALSERVERPORT=443
Port for connecting a device to iOS MDM Server.
- CONNECTORPORT=9799
Local port for connecting the iOS MDM service to Network Agent.
- LOCALSERVERPORT=9899
Local port for connecting Network Agent to the iOS MDM service.
- EXTERNAL_SERVER_URL=example.fqdn.com
External address of the device on which iOS MDM Server is to be installed.
- Set the value of the KLAUTOANSWERS environment variable by entering the full name of the answer file (including the path), for example:
export KLAUTOANSWERS=/tmp/answers.txt
- Launch the iOS MDM Server installation.
iOS MDM Server is installed and configured in silent mode automatically using an answer file.
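A pre-flight check for the answer file described above, as an added example that is not part of the Kaspersky documentation: the package installer runs with root privileges and a fixed name such as /tmp/answers.txt sits in a world-writable directory, so the check rejects a file other local users could have planted or edited, then validates the port values and the EXTERNAL_SERVER_URL rule from the settings table. The function names and validation rules are assumptions, including treating KLIOSMDM_AUTOINSTALL=1 as required and accepting only a host name or IPv4 address.

```shell
#!/bin/sh
# Added example, not Kaspersky code. Setting names and defaults come from this
# page; the function names and validation rules are assumptions.

# Returns 0 only if the answer file is fit to hand to the root-run installer.
validate_answers() (
    file=$1 errors=0 eula= auto= ports=
    fail() { echo "answers: $*" >&2; errors=$((errors + 1)); }

    # A fixed name in world-writable /tmp can be pre-created or symlinked by
    # another local user, so require a regular file that only we can modify.
    if [ ! -f "$file" ] || [ -L "$file" ] || [ ! -O "$file" ]; then
        fail "$file must be a regular file owned by the current user"; exit 1
    fi
    [ -z "$(find "$file" \( -perm -020 -o -perm -002 \) -print)" ] ||
        fail "$file is group- or world-writable"

    while IFS='=' read -r key value || [ -n "$key" ]; do
        case $key in
            '') ;;                                   # blank line
            EULA_ACCEPTED)        eula=$value ;;
            KLIOSMDM_AUTOINSTALL) auto=$value ;;
            EXTERNALSERVERPORT|CONNECTORPORT|LOCALSERVERPORT)
                case $value in
                    ''|*[!0-9]*|??????*) fail "$key=$value is not a port number" ;;
                    *)  { [ "$value" -ge 1 ] && [ "$value" -le 65535 ]; } ||
                            fail "$key=$value is out of range"
                        case " $ports " in
                            *" $value "*) fail "port $value is assigned twice" ;;
                        esac
                        ports="$ports $value" ;;
                esac ;;
            EXTERNAL_SERVER_URL)   # page: no URL scheme and no port number
                case $value in
                    ''|*:*|*/*) fail "EXTERNAL_SERVER_URL must be a bare host name" ;;
                esac ;;
            *) fail "unknown setting: $key" ;;
        esac
    done < "$file"

    [ "$eula" = 1 ] || fail "EULA_ACCEPTED=1 is mandatory"
    [ "$auto" = 1 ] || fail "KLIOSMDM_AUTOINSTALL=1 is missing (assumed required)"
    [ "$errors" -eq 0 ]
)

# Writes the page's sample values (constructed input) with mode 0600.
write_sample_answers() (
    umask 077
    printf '%s\n' EULA_ACCEPTED=1 KLIOSMDM_AUTOINSTALL=1 EXTERNALSERVERPORT=443 \
        CONNECTORPORT=9799 LOCALSERVERPORT=9899 \
        EXTERNAL_SERVER_URL=example.fqdn.com > "$1"
)

# Usage: sh this-script /path/to/answers.txt, then export KLAUTOANSWERS on success.
[ $# -eq 0 ] || validate_answers "$1"
```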
Updating iOS MDM Server using a remote installation task or locally
Kaspersky Security Center Web Console lets you update iOS MDM Server using a remote installation task or locally on a device.
Please note that you will not be able to specify the iOS MDM Server settings during the update. The settings are configured in the iOS MDM Server installation package properties.
To update iOS MDM Server using a remote installation task:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers.
- Click Update.
The New task wizard starts. Proceed through the wizard using the Next button.
- In the New task settings window that opens:
- In the Task name field, specify a custom name for the task, if necessary (The default name is Update iOS MDM Server).
- In the Devices to which the task will be assigned group of settings, the device on which iOS MDM Server is installed will be displayed.
- At the Installation packages step, specify the following settings:
- In the Select installation package field, select the configured iOS MDM Server installation package.
- In the Force installation package download group of settings, select the Using Network Agent check box to distribute the files that are required to update iOS MDM Server via Network Agent.
- In the Maximum number of concurrent downloads field, specify the maximum allowed number of client devices to which Administration Server can simultaneously transmit the files.
- In the Maximum number of installation attempts field, specify the maximum number of times the installer will be allowed to run.
- Specify the additional settings:
- Click the Do not re-install application if it is already installed check box. The application will not be re-installed if it has already been installed on this device.
- Click the Verify operating system type before downloading check box. Before transmitting the files to devices, Kaspersky Security Center checks if the installation utility settings are applicable to the operating system of the device. If the settings are not applicable, Kaspersky Security Center does not transmit the files and does not attempt to install the application. For example, to install some application on devices of an administration group that includes devices running various operating systems, you can assign the installation task to the administration group, and then enable this option to skip devices that run an operating system other than the required one.
- At the next step of the wizard, you will be asked to select the action that will be performed if the application installation prompts you to restart the operating system. Select the Do not restart the device option or skip this step, as it does not apply to the Linux operating system.
- At the Select accounts to access devices step, choose the No account required (Network Agent installed) option. If this option is selected, you do not have to specify the account under which the application installer will be run. The task will run under the account under which the Administration Server service is running. If Network Agent has not been installed on devices, this option is unavailable.
- At the Finish task creation step, click the Finish button to create the task and close the wizard.
iOS MDM Server is updated using the remote installation task.
To update iOS MDM Server locally, follow the steps described for Local installation of iOS MDM Server on a device via installation package using the newer version of the installation package.
Deleting iOS MDM Server using a remote uninstallation task
Kaspersky Security Center Web Console lets you delete iOS MDM Server remotely using a remote uninstallation task.
Before deleting iOS MDM Server, make sure the iOS MDM Server installation package has been created and added to the Administration Server repository (Operations > Repositories > Installation packages).
To delete iOS MDM Server:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers.
- Select the iOS MDM Server that you want to uninstall, and then click Delete.
The New task wizard starts. Follow the wizard steps as described in the Kaspersky Security Center Help.