Contents
- Managing mobile devices in Kaspersky Security Center Web Console
- Creating administration groups
- Configuring policies
- Creating a policy
- Modifying a policy
- Copying a policy
- Moving a policy to another administration group
- Viewing the list of policies
- Viewing the policy distribution results
- Managing revisions to policies
- Restricting permissions to configure policies
- Configuring role-based access control
- Configuring policy profiles
- Deleting a policy
- Connecting mobile devices to Kaspersky Security Center Web Console
- Configuring synchronization settings
- Managing certificates of mobile devices
Managing mobile devices in Kaspersky Security Center Web Console
To perform centralized configuration of mobile devices, you must configure policies. A policy is a set of security settings for managing mobile devices of specified operating systems and device operating modes within an administration group and for managing the mobile apps installed on devices.
This section describes how to create administration groups, configure policies for mobile devices, and connect mobile devices to Kaspersky Security Center in order to subsequently manage them.
Creating administration groups
To apply a policy to a group of devices, you are advised to create a separate group for these devices prior to installing mobile management apps.
An administration group is a logical set of managed devices combined on the basis of a specific trait for the purpose of managing the grouped devices as a single unit within Kaspersky Security Center.
All managed devices within an administration group are configured to do the following:
- Use the same settings, which you can specify in policies.
- Use a common operating mode for all applications through the creation of group tasks with specified settings. Examples of group tasks include creating and installing a common installation package, updating the application databases and modules, scanning the device on demand, and enabling real-time protection.
A managed device can belong to only one administration group.
You can create hierarchies that have any degree of nesting for Administration Servers and groups. A single hierarchy level can include secondary and virtual Administration Servers, groups, and managed devices. You can also move devices from one group to another.
Immediately after Kaspersky Security Center is installed, the hierarchy of administration groups contains only one administration group called Managed devices. When creating a hierarchy of administration groups, you can add devices to the Managed devices group, and add nested groups.
To create an administration group:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Hierarchy of groups.
- In the administration group structure, select the administration group that the new administration group will belong to.
- Click Add.
- In the Name of the new administration group window that opens, enter a name for the group, and then click Add.
A new administration group with the specified name appears in the hierarchy of administration groups.
To automatically create a structure of administration groups:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Hierarchy of groups.
- Click Import.
The New administration group structure wizard starts. Follow the instructions of the wizard.
After creating an administration group, we recommend configuring the option to automatically assign devices on which you want to install apps to this group. Then configure the settings that are common to all devices using a specific policy.
Configuring policies
This section describes how to manage policies in Kaspersky Security Center Web Console.
Creating a policy
Kaspersky Security Center Web Console lets you create policies to configure the security settings of a group of Android, iOS, and Aurora mobile devices. The values of security settings configured in policies are saved on the Administration Server, distributed to mobile devices during synchronization, and saved to devices as current settings.
You can create policies using the Mobile policy wizard.
To create a policy:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
- In the list of policies that opens, click Current path to select the administration group for which you want to create a policy.
By default, the new policy is applied to the Managed devices group.
- Click Add to start the Mobile policy wizard.
- In the Select application window, select the Kaspersky Mobile Devices Protection and Management option, and then click Next.
The Mobile policy wizard starts. Click Start, and then proceed through the wizard using the Back and Next buttons.
Step 1. License
At this step, choose a license.
The license you choose determines the security settings that you can configure in a policy. By default, the license that supports the Kaspersky Secure Mobility Management functionality is pre-selected. You can choose a different license manually.
Step 2. Operating systems and device operating modes
At this step, choose the operating systems the policy will apply to and specify the device operating modes.
- Android
- Personal device (basic protection and management of a personal Android device).
- Device with corporate container (isolated corporate environment on an Android device).
- Corporate device (an extended set of settings for managing a corporate Android device).
For detailed information, refer to the About Android device operating modes section.
- iOS
- Basic protection (protection against web threats and jailbreak detection on iOS devices).
- Basic control (basic management of a personal iOS device).
- Supervised (an extended set of settings for managing an iOS device).
For detailed information, refer to the About iOS device operating modes section.
To connect and manage iOS devices in basic control and supervised operating modes, you must have an iOS MDM Server installed in the selected administration group. For detailed information on installing iOS MDM Server, refer to the Deploying iOS MDM Server section.
- Aurora
- Protection (protection of Aurora devices against threats).
To connect Aurora devices, you need to have Kaspersky Endpoint Security for Aurora pre-installed on the devices that will connect.
In the New policy window:
- In the Name field, type the name of the new policy. If you specify the name of an existing policy, it will have (1) added at the end automatically.
- In the Policy status block of settings, select the status of the policy:
- Active. The wizard saves the created policy on the Administration Server. At the next synchronization of mobile devices with the Administration Server, the policy will be used on devices as an active policy.
- Inactive. The wizard saves the created policy on the Administration Server as a backup policy. This policy can be activated in the future after a specific event. If necessary, an inactive policy can be switched to an active state.
Several policies can be created for one application in the group, but only one of them can be active. When a new active policy is created, the previous active policy automatically becomes inactive.
- On the General tab of the Settings inheritance block of settings, select the inheritance options:
- Inherit settings from parent policy
If you enable this option in a child policy and an administrator locks some settings in the parent policy, then you cannot change these settings in the child policy.
If you disable this option in a child policy, then you can change all the settings in the child policy, even if some settings are locked in the parent policy.
- Force inheritance of settings in child policies
If you enable this option in a parent policy, this enables the Inherit settings from parent policy option for each child policy. In this case, you cannot disable this option for any child policy. All the settings that are locked in the parent policy are forcibly inherited in the child groups and you cannot change these settings in the child groups.
By default, the Inherit settings from parent policy option is enabled and the Force inheritance of settings in child policies option is disabled.
Inheritance of policy settings works only if either identical device operating modes are selected for the parent and child policy or device operating modes selected for the child policy provide more security settings. For example, a child policy for Android devices with a corporate container can inherit settings from a parent policy for personal devices but cannot inherit settings from a parent policy for corporate devices.
If you create a child policy that is incompatible with the parent policy, you must delete it and create a new child policy to manage devices.
- Click Save.
The new policy for mobile devices is created.
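The inheritance compatibility rule described above, as an added example that is not Kaspersky's own code: it models a policy as a mapping of OS name to the selected device operating mode and checks, per OS, whether a child policy can inherit from its parent. It assumes the three Android modes are ranked by the breadth of settings they expose, in the order the page lists them (which reproduces the page's corporate-container example); for other OSes it applies only the "identical modes" clause, since the page does not rank their modes.

```python
# Added illustrative example, not Kaspersky's implementation of policy inheritance.
# Assumption: Android modes are ranked by how many settings they expose, in the
# order the page lists them. The page's own example follows from this ranking:
# a corporate-container child may inherit from a personal parent, but not from
# a corporate parent.
ANDROID_MODE_RANK = {"personal": 0, "corporate container": 1, "corporate": 2}


def inheritance_problems(parent: dict[str, str], child: dict[str, str]) -> list[str]:
    """Return the reasons why `child` cannot inherit settings from `parent`.

    Both arguments map an OS name (e.g. "Android") to the operating mode
    selected in that policy. An empty list means inheritance works for every
    OS covered by the parent policy.
    """
    problems = []
    for os_name, parent_mode in parent.items():
        child_mode = child.get(os_name)
        if child_mode is None:
            # Assumption: an OS the parent covers but the child does not
            # cannot inherit anything, so it is reported as incompatible.
            problems.append(f"{os_name}: parent policy covers this OS but child does not")
            continue
        if os_name == "Android":
            for mode in (parent_mode, child_mode):
                if mode not in ANDROID_MODE_RANK:
                    raise ValueError(f"unknown Android operating mode: {mode!r}")
            # Child may inherit only if its mode exposes at least as many settings.
            if ANDROID_MODE_RANK[child_mode] < ANDROID_MODE_RANK[parent_mode]:
                problems.append(
                    f"Android: child mode '{child_mode}' exposes fewer settings "
                    f"than parent mode '{parent_mode}'"
                )
        elif child_mode != parent_mode:
            # Only the "identical modes" clause is applied for iOS and Aurora here.
            problems.append(
                f"{os_name}: modes differ ('{parent_mode}' vs '{child_mode}'); "
                f"this example does not rank {os_name} modes, so it treats them as incompatible"
            )
    return problems


def can_inherit(parent: dict[str, str], child: dict[str, str]) -> bool:
    """True when the child policy can inherit settings from the parent policy."""
    return not inheritance_problems(parent, child)


if __name__ == "__main__":
    # Constructed sample policies.
    parent_policy = {"Android": "personal", "iOS": "supervised"}
    for child_policy in (
        {"Android": "corporate container", "iOS": "supervised"},
        {"Android": "personal"},
        {"Android": "corporate", "iOS": "basic control"},
    ):
        print(child_policy, "->", inheritance_problems(parent_policy, child_policy) or "compatible")
```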
Modifying a policy
Kaspersky Security Center Web Console lets you modify policies.
To modify a policy:
- Open the policy properties window by doing one of the following:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of policies that opens, click the name of the policy that you want to modify.
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices. Click the mobile device that falls under the policy that you want to modify, and then select the policy on the Active policies and policy profiles tab.
- In the policy properties window, navigate to the Application settings tab, and then define the policy settings.
You can also configure general settings, settings inheritance, event logging and notifications, and policy profiles, and also view the revision history. For more information, please refer to the Kaspersky Security Center Help.
- Click Save to save the changes you have made to the policy and exit the policy properties window.
The policy is modified. Mobile device settings are configured after the next device synchronization with Kaspersky Security Center.
Copying a policy
Kaspersky Security Center Web Console lets you create a copy of a policy.
To create a copy of a policy:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
- In the list of policies that opens, select the check box next to the name of the policy you want to copy, and then click Copy.
- In the tree of administration groups that opens, select the target group where you want the policy to be created.
You can create a new administration group by selecting an existing group, and then clicking Add child group.
- Click Copy.
- Click OK to confirm the operation.
A copy of the policy will be created in the target group under the same name. The status of each copied or moved policy in the target group will be Inactive. You can change the status to Active at any time.
If a policy with a name identical to that of the newly created or moved policy already exists in the target group, the (<next sequence number>) suffix is added to the name of the newly created or moved policy, for example: (1).
Moving a policy to another administration group
Kaspersky Security Center Web Console lets you move a policy to another administration group.
To move a policy to another administration group:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
- In the list of policies that opens, select the check box next to the name of the policy that you want to move to another administration group, and then click Move.
- In the tree of administration groups that opens, select the target group to which you want to move the policy.
You can create a new administration group by selecting an existing group, and then clicking Add child group.
- Click Move.
- Click OK to confirm the operation.
The result depends on the policy inheritance properties:
- If the policy is not inherited in the source group, it will be moved to the target group.
- If the policy is inherited in the source group, it will not be moved. Instead, a copy of the policy will be created in the target group.
The status of each copied or moved policy in the target group will be Inactive. You can change the status to Active at any time.
If a policy with a name identical to that of the newly created or moved policy already exists in the target group, the (<next sequence number>) suffix is added to the name of the newly created or moved policy, for example: (1).
Viewing the list of policies
Kaspersky Security Center Web Console lets you view the list of created policies, their statuses, and properties.
To view the list of policies:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
- The list of policies opens with brief information about the policies. On this page, you can create, modify, copy, move, and delete policies.
Viewing the policy distribution results
Kaspersky Security Center Web Console lets you view the distribution chart of a policy and the information about all devices that fall under that policy.
To view the results of distributing a policy:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
- In the list of policies that opens, select the check box next to the name of the policy whose distribution results you want to view, and then click Distribution.
The policy distribution results page opens. This page contains the policy summary, a policy distribution chart, and a table with information about all devices that fall under that policy. You can open the policy properties window by clicking the Configure policy button.
Managing revisions to policies
Kaspersky Security Center Web Console lets you view modifications made to a policy over a certain period, as well as save information about these modifications in a file.
To view a policy revision:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
- In the list of policies that opens, click the policy whose revision you want to view, and then go to the Revision history section.
- In the list of policy revisions, click the number of the revision that you want to view.
If the size of the revision is more than 10 MB, you will not be able to view it using Kaspersky Security Center Web Console. You will be prompted to save the selected revision to a JSON file.
If the size of the revision does not exceed 10 MB, a report in HTML format with the settings of the selected policy revision is displayed. The report is displayed in a pop-up window, so make sure pop-ups are allowed in your browser.
To save a policy revision to a JSON file, in the list of policy revisions, select the revision that you want to save, and then click Save to file.
The revision is saved to a JSON file.
For detailed information on managing revisions to policies, refer to the Kaspersky Security Center Help.
Restricting permissions to configure policies
Kaspersky Security Center administrators can configure the access permissions of Web Console users for different functions of the Kaspersky Secure Mobility Management solution depending on the job duties of users.
In the Web Console interface, you can configure access rights on the Security and User roles tabs of the Administration Server properties window. The User roles tab lets you add standard user roles with a predefined set of rights. The Security section lets you configure rights for one user or a group of users or assign roles to one user or a group of users. User rights for each application are configured according to functional scopes.
For each functional area, the administrator can assign the following permissions:
- Allow editing. The Web Console user is allowed to change the policy settings in the properties window.
- Block editing. The Web Console user is prohibited from changing the policy settings in the properties window. Policy tabs belonging to the functional scope for which this right has been assigned are not displayed in the interface.
Configuring role-based access control
Kaspersky Security Center Web Console provides facilities for role-based access to the features of Kaspersky Secure Mobility Management.
You can configure access rights to application features for Kaspersky Secure Mobility Management in one of the following ways:
- By configuring the rights for each user or group of users individually.
- By creating standard user roles with a predefined set of rights and assigning those roles to users depending on their scope of duties.
Application of user roles is intended to simplify and shorten routine procedures of configuring users' access rights to application features. Access rights within a role are configured in accordance with the standard tasks and the users' scope of duties.
User roles can be assigned names that correspond to their respective purposes. You can create an unlimited number of roles in the application. You can use the predefined user roles with an already configured set of rights, or create new roles and configure the required rights yourself.
For detailed information on configuring user access in Kaspersky Security Center, refer to the Kaspersky Security Center Help.
Some of the predefined user roles are not authorized to work with mobile devices. The predefined user roles which are available for the Kaspersky Secure Mobility Management features are listed in the table below.
Predefined user roles for Kaspersky Secure Mobility Management

| Role | Read | Write | License key management: create policies and modify license key settings | Vulnerability and patch management: view unaccepted EULAs and accept EULAs |
|---|---|---|---|---|
| Kaspersky Endpoint Security Administrator | + | + | - | - |
| Kaspersky Endpoint Security Operator | + | - | - | - |
| Main Administrator | + | + | - | - |
| Main Operator | + | - | - | - |
| Mobile Device Management Administrator | + | + | + | + |
| Mobile Device Management Operator | + | - | - | - |
For detailed information on predefined user roles, refer to the Kaspersky Security Center Help.
Access rights to Kaspersky Secure Mobility Management features

| Functional area | Right |
|---|---|
| Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > App configuration | |
| Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Security controls | |
| Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Corporate container | |
| Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Device configuration | |
| Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Configuration of Kaspersky device management apps | |
| Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Protection | |
| Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Restrictions | |
| Kaspersky Mobile Devices Protection and Management > Kaspersky Security Center Web Console > Samsung Knox settings | |

Please note that to configure the Web Protection and Web Control settings, the administrator must have the Read and Write rights for both the Protection and Security controls functional areas.
Mobile Device Management access rights

| Right | User action: right required to perform the action |
|---|---|
| Mobile Device Management > General > Read | |
| Mobile Device Management > General > Write | |
| Mobile Device Management > General > Connect new devices | |
| Mobile Device Management > General > Manage certificates | The Write right must also be granted. |
| Mobile Device Management > General > Send only information commands to mobile devices | |
| Mobile Device Management > General > Send commands to mobile devices | |
Configuring policy profiles
Sometimes it may be necessary to create and centrally modify several instances of a single policy for an administration group. These instances might differ by only one or two settings.
To help you avoid creating several instances of a single policy, Kaspersky Security Center Web Console lets you create policy profiles. Policy profiles are necessary if you want devices within a single administration group to run under different policy settings.
A policy profile is a named subset of policy settings. This subset is distributed on target devices together with the policy, supplementing it under a specific condition called the profile activation condition. Profiles only contain settings that differ from the "basic" policy, which is active on the managed device. Activation of a profile modifies the settings of the "basic" policy that were initially active on the device. The modified settings take values that have been specified in the profile.
You can modify the specific conditions that must affect activation of the policy profile that you are creating. For mobile devices, you can modify the following conditions:
- Rules for specific device owner
Profile activation on the device according to its owner.
- Device owner
- Device owner is included in an internal security group
- Rules for role assignment
Profile activation on the device depending on the owner's role.
- Activate policy profile by specific role of device owner
- Rules for tag usage
Profile activation on the device depending on the tags assigned to the device.
- Tag list
- Apply to devices without the specified tags
- Rules for Active Directory usage
Policy profile activation on the device based on the device allocation in an Active Directory organizational unit or the membership of that device (or the device owner) in an Active Directory security group. The configuration scope depends on the currently used policy.
- Device owner's membership in an Active Directory security group
- Device membership in Active Directory security group
- Device allocation in Active Directory organizational unit
For detailed information on configuring activation rules, creating, deleting, or copying policy profiles, refer to the Kaspersky Security Center Help.
If you copy a policy profile to an incompatible policy (a policy in which the operating systems and device operating modes of this profile are not configured), such profile will not work properly.
Deleting a policy
Kaspersky Security Center Web Console lets you delete policies.
You can delete only policies that are not inherited in the current administration group. If a policy is inherited, you can only delete it in the higher-level group for which it was created.
To delete a policy:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles.
- In the list of policies that opens, select the check box next to the name of the policy that you want to delete, and then click Delete.
- In the window that opens, click OK to confirm the operation.
The policy is deleted. Before the new policy is applied, mobile devices belonging to the administration group continue to work according to the settings specified in the policy that has been deleted.
Connecting mobile devices to Kaspersky Security Center Web Console
To manage mobile devices and the mobile management apps installed on them, you must connect these devices to Kaspersky Security Center.
Before connecting, make sure the license that supports the Mobile Management solution is configured in the License keys section of the Administration Server properties.
To connect a mobile device to Kaspersky Security Center:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
- In the list of mobile devices that opens, click Add.
The Mobile device connection wizard starts. Click Start, and then proceed through the wizard using the Back and Next buttons.
Welcome
On the welcome screen, you can read a summary of the Mobile device connection wizard steps.
Step 1. Policy
At this step, choose a policy for devices that will connect. Devices operate according to the security settings specified in the policy.
- Use an existing policy
For this option, specify the administration group of the policy you want to choose. The policy name, operating systems and operating modes of the devices managed by this policy will be displayed.
If necessary, click Go to policy to view the properties of the policy you have selected.
- Create a new policy
For this option, click the Create policy button that appears. You will be redirected to the Mobile policy wizard. After a policy with the required properties is created, you can return to the Mobile device connection wizard.
Step 2. Operating systems
At this step, choose the operating systems of the devices that will connect. The policy settings determine the available operating systems: Android, iOS, or Aurora.
- Android
After you select this operating system, the Kaspersky Endpoint Security for Android Installation settings will be displayed. To modify them, click Edit settings.
- Choose the Installation source for Kaspersky Endpoint Security for Android:
- Kaspersky website
This installation source works for all operating modes.
- Installation package
This installation source works for all operating modes.
- To choose an installation package, click Select installation package, and then select the installation package from the list that opens.
- If there are no available installation packages, you will be offered to create one. Click Create installation package, and then follow the steps of the New package wizard as described in the Kaspersky Security Center Help to create an installation package from a file or create a stand-alone installation package. After the installation package is created, you can return to the Mobile device connection wizard.
Automatic app updates through the store are not available with this installation method. You can update the app manually in the App update section of the policy settings.
The latest installation package uploaded to Kaspersky Security Center is used to install the app on devices.
For corporate devices, make sure the Allow using HTTP to download the app on corporate devices check box is selected to ensure Kaspersky Endpoint Security for Android is downloaded. Otherwise, the app will be downloaded via HTTPS only if the Kaspersky Security Center Web Server certificate was issued by a trusted certificate authority.
For more information on the installation methods, refer to the Installing Kaspersky Endpoint Security for Android section.
- Choose Installation network for Kaspersky Endpoint Security for Android (corporate devices only):
- Prompt the user to select a Wi-Fi network on device
If you choose this option, the user will be prompted to connect to any available Wi-Fi network for downloading the app.
- Only use the specified Wi-Fi network (Android 9 or later)
To choose an installation network, click Select network.
In the window that opens, specify the following settings:
- Service set identifier (SSID)
- Hidden network
- Network protection
- Password
- Use proxy server
- Proxy server address
- Proxy server port
- PAC file URL
- Do not use proxy server for the following addresses
Do not use a password for a confidential Wi-Fi network that must not be publicly accessible. The unencrypted password is sent to the user in a QR code along with other device configuration data.
- Try to use mobile network (Android 8 or later)
If you choose this option, the device will try to use mobile data to download the app. If the device does not have a SIM card or the mobile network is not available, the user will be prompted to select any available Wi-Fi network.
- Click the Enable all system apps check box (corporate devices only) if you want system apps to remain active on the device. If necessary, they can be disabled later in the App Control section.
- iOS
To connect and manage iOS devices in basic control and supervised operating modes, you must have an iOS MDM Server installed in the selected administration group. For detailed information on installing iOS MDM Server, refer to the Deploying iOS MDM Server section.
The Kaspersky Security for iOS app will be installed on personal iOS devices in the basic protection operating mode.
A device management profile will be installed on the devices operating in basic control and supervised operating modes.
On devices running iOS 12.1 or later, you must manually confirm the installation of a device management profile on a mobile device. You must also grant the permission for remote management of the device.
- Aurora
To connect Aurora devices, you need to have Kaspersky Endpoint Security for Aurora pre-installed on the devices that will connect.
Step 3. Accept agreements
At this step, choose who must accept the End User License Agreement (EULA) and Privacy Policy.
- Administrator
The agreements are accepted by the administrator in the next step of the wizard. In this case, the app skips the acceptance step during the app installation.
- Users
The agreements are accepted on mobile devices by users.
This step only applies to Android and iOS operating systems. If you are connecting Aurora devices, the agreements are only accepted by users on their mobile devices.
Please note that the administrator will be offered to accept the EULA only after the same version of the EULA is accepted by users on devices for the first time. After the connection and first synchronization of devices with Kaspersky Security Center, the administrator will be able to accept this version of EULA upon subsequent connection of devices.
The list of accepted agreements is available in the End User License Agreements section of the Administration Server properties.
Step 4. End User License Agreement and Privacy Policy
At this step, if Administrator is selected as the recipient of the agreements in the previous step of the wizard, you will be offered to read the Privacy Policy, EULA, and all the documents associated with it. You must accept the terms and conditions of the EULA and Privacy Policy before installation of the mobile device management apps.
Step 5. Users
At this step, choose one or more users of the devices that will connect. These users will receive the details for installing the app to connect their devices to Kaspersky Security Center. If a user is not in the list, you can add a new user account without exiting the wizard.
Due to technical limitations, you cannot select and send the connection details to more than 75 users within a single session of Mobile device connection wizard. We recommend that you divide the devices that will connect into groups of less than 75 devices and connect these groups sequentially within separate wizard sessions.
- To choose an existing user, select check boxes next to the corresponding user names.
- To add a new user, click Add user.
- Specify user credentials in the Credentials block of settings.
- User name
- Password
The password must meet the following complexity requirements:
- It must contain between 8 and 16 characters.
- It must contain the characters from at least three of these groups: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;).
- If necessary, specify the optional details in the Optional information group of settings.
- Full user name
- Description
- Email address
- Phone number
- Click OK to save the changes.
The new user will be added and displayed in the list of users.
- To modify user details, click Edit user.
The fields you can modify depend on the user subtype - internal or domain.
Step 6. Send connection details
At this step, choose how to send the QR codes and links for installing the mobile management apps or device management profiles. You can choose one of the following options:
- Send a message to users' email addresses
Choose this option to send the connection details by email to the selected users. To install the app or a device management profile, the user needs to scan the QR code using the camera of the mobile device or open the link to the installation package.
These email addresses must be specified in the user account settings in Kaspersky Security Center.
If you want to send the connection details to an email address that is not specified in the user account settings in Kaspersky Security Center, select the Send a copy of the message to an alternate email address check box, and then specify the required email address.
- Show QR codes and links after completing the wizard
Choose this option to scan the QR code with the camera of the mobile device or follow the link in the wizard.
Step 7. Confirm
At this step, check the mobile device connection details specified in the earlier steps, and then click Finish to confirm the operation.
Finish
On the Finish screen:
- If you chose the Send a message to users' email addresses option, the specified users will receive the emails with QR codes and links for connecting mobile devices to the Administration Server.
- If you chose the Show QR codes and links after completing the wizard option, the connection details will be available on the Finish screen. You can view the displayed details or click Download list to receive a file with summarized information.
Click Close to exit the wizard.
As soon as users install the mobile management apps, their devices are connected to the Administration Server and displayed on the Devices tab of Kaspersky Security Center Web Console.
You can now configure the settings for devices and mobile management apps using policies. You will also be able to send commands to mobile devices for data protection in case devices are lost or stolen.
Direct connection of Android devices to Kaspersky Security Center
Android devices can connect directly to port 13292 of the Administration Server.
Depending on the method used for authentication, two connection options are possible.
Connecting devices with a user certificate
When connecting a device with a user certificate, the device is associated with the user account to which the corresponding certificate has been assigned through the Administration Server tools.
In this case, two-way SSL authentication (mutual authentication) will be used. Both the Administration Server and the device will be authenticated with certificates.
Connecting devices without a user certificate
When connecting a device without a user certificate, the device is not associated with any user account on Administration Server. However, as soon as the device receives a certificate, it is associated with the user to whom the corresponding certificate has been assigned through the Administration Server tools.
When connecting such a device to the Administration Server, one-way SSL authentication is applied, which means that only Administration Server is authenticated with a certificate. After the device retrieves the user certificate, the type of authentication changes to two-way SSL authentication (mutual authentication).
Moving unassigned mobile devices to administration groups
When the mobile devices are connected to Kaspersky Security Center, they are displayed on the Discovery & deployment > Unassigned devices page of Kaspersky Security Center Web Console. To manage newly connected devices, you can create a rule that automatically assigns them to administration groups or you can move them to an administration group manually.
To move an unassigned mobile device to an administration group:
- In the main window of Kaspersky Security Center Web Console, select Discovery & deployment > Unassigned devices.
- Select the device that you want to move to an administration group, and then click Move to group.
- In the tree of administration groups that opens, select the target group to which you want to move the device.
You can create a new administration group by selecting an existing group, and then clicking Add child group.
- Click Move.
The device is moved to the specified administration group and the corresponding policy is applied to it.
Actions on mobile devices to connect to Administration Server
Depending on the mode in which your device will operate, you may have to perform additional actions to protect your device and connect it to the Administration Server.
Install a mobile certificate
If you received a certificate password, you must use it to install the mobile certificate on your device.
To install the mobile certificate:
- Remember or write down the password you received from your administrator by email.
- Do one of the following:
- On an Android device, enter the certificate password when prompted by Kaspersky Endpoint Security for Android.
- On an iOS device, enter the certificate password during installation of the device management profile.
The mobile certificate will be installed on your device.
Pre-configure corporate Android devices
To connect a corporate Android device to the Administration Server, you must pre-configure the device depending on the operating system version and availability of a QR code scanner.
Configuring synchronization settings
To manage mobile devices and receive reports or statistics from mobile devices of users, you must configure the synchronization settings. Synchronization is performed using the HTTPS protocol. Mobile device synchronization with the Administration Server may be performed in the following ways:
- By schedule. You can configure the synchronization schedule in the policy settings. Modifications to policy settings, commands and tasks will be performed when the device synchronizes with Kaspersky Security Center according to the schedule, i.e. with a delay. By default, mobile devices are synchronized with Kaspersky Security Center automatically every 6 hours.
Due to Doze limitations, when you select a short synchronization period, devices may synchronize with the Administration Server less frequently than expected.
Using short synchronization periods decreases device battery life.
- Forced. Synchronization is performed using FCM (Firebase Cloud Messaging) push notifications. Forced synchronization is primarily intended for timely delivery of commands to a mobile device. This may be useful when a mobile device is in battery-saver mode, because in this case the app may perform tasks later than specified. If you want to use forced synchronization, make sure that the FCM settings are configured in Kaspersky Security Center.
To configure synchronization settings for Android devices:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select Android and go to the KES for Android settings section.
- On the Scheduled synchronization card, click Settings.
The Scheduled synchronization window opens.
- Enable synchronization using the Scheduled synchronization toggle switch.
- In the Synchronization period drop-down list, select the period of time between synchronizations of devices with Kaspersky Security Center.
- To disable synchronization of devices with Kaspersky Security Center while roaming, select the Do not synchronize while roaming check box.
The device user can manually perform synchronization in the app settings (Settings → App settings → Synchronization → Synchronize).
- Click OK.
- Click Save to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. You can manually synchronize the mobile device using a special command.
To configure synchronization settings for iOS devices operating in basic protection mode:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
- In the policy properties window, select Application settings.
- Select iOS and go to the KS for iOS settings section.
- On the Scheduled synchronization card, click Settings.
The Scheduled synchronization window opens.
- Enable synchronization using the Scheduled synchronization toggle switch.
- In the Synchronization period drop-down list, select the period of time between synchronizations of devices with Kaspersky Security Center. The default value is 6 hours.
- Click OK.
- Click Save to save the changes you have made.
Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. You can manually synchronize the mobile device using a special command.
Managing certificates of mobile devices
Kaspersky Security Center Web Console lets you issue, renew, or delete mobile, mail, or VPN certificates of mobile devices.
This section contains information about how to manage mobile device certificates and configure their issuance rules.
Configuring certificate issuance rules
Kaspersky Security Center Web Console lets you configure how the certificates for mobile devices are issued, renewed, and protected.
To configure certificate issuance rules:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the list of certificates that opens, click Issuance rules.
- In the PKI settings section:
- In the Integration with PKI block of settings, enable the Integrate issuance of certificates with Microsoft Certification Authority (CA) via PKI toggle switch to issue certificates automatically following integration.
Click Select device, and then specify a device with Network Agent installed that will connect to Microsoft CA.
For detailed information on PKI, refer to the Integration with Public Key Infrastructure section.
- In the Domain account for transmitting requests to issue certificates block of settings, specify the PKI account name (the name of the user account to be used for PKI integration, in the userPrincipalName@DNSDomainName format) and Password (the domain password for the account).
- Click Save to apply the changes.
- In the Mobile certificates section, you can do the following:
- In the Validity block of settings, in the Certificate validity period (days) field, specify the certificate lifetime in days. The default lifetime of a certificate is 365 days. When this period expires, the mobile device will not be able to connect to the Administration Server.
- In the Renewal block of settings, in the Renew certificate before it expires in (days) field, specify the number of days remaining until the current certificate's expiration when Administration Server should issue a new certificate. For example, if the value of the field is 4, Administration Server issues a new certificate four days before the current certificate expires. The default value is 30.
Select the Renew certificate automatically check box to renew certificates automatically. If this option is disabled, certificates must be renewed manually as they expire. This check box is selected by default.
- In the Password protection block of settings, select the Prompt for password during certificate installation check box to prompt the user for a password when the certificate is installed on a mobile device. The password is used only once during the installation of the certificate on the mobile device. The password will be automatically generated by Administration Server and sent to the user by email. You can specify the password length in the Password length field.
Password protection is only available for mobile certificates.
- Click Save to apply the changes.
- In the Mail certificates and VPN certificates sections, if PKI integration is configured:
- In the Renewal block of settings, in the Renew certificate before it expires in (days) field, specify the number of days remaining until the current certificate's expiration when Administration Server should issue a new certificate. For example, if the value of the field is 4, Administration Server issues a new certificate four days before the current certificate expires.
Select the Renew certificate automatically check box to renew certificates automatically. If this option is disabled, certificates must be renewed manually as they expire. This check box is selected by default.
- In the PKI settings block of settings, specify the Certificate template name in PKI (the certificate template that will be used to issue certificates to domain users).
The Network Agent for Windows service installed on a device which connects to CA is run under the specified user account. This service is responsible for issuing users' domain certificates. The service is run when the list of certificate templates is loaded by clicking the Refresh list button or when a certificate is generated.
When connecting a non-domain user's mobile device (running either Android or iOS) to Kaspersky Security Center, the attempt to issue a certificate may fail.
- In the Automatic issuance of mail certificate on device connection and Automatic issuance of VPN certificate on device connection blocks of settings, select the Issue for devices managed by Kaspersky Endpoint Security for Android or Issue for iOS MDM devices check boxes to enable automatic issuance of a mail or VPN certificate when devices connect to Kaspersky Security Center.
If you selected the Issue for iOS MDM devices check box, choose the certificate alias from the drop-down list. The certificate alias is a name that identifies the certificate. You can configure the subsequent use of the selected alias for the certificate issuance in the following policy sections:
- For mail certificates: in the properties of the Email account for iOS MDM devices and in the properties of the Exchange ActiveSync account for iOS MDM devices.
- For VPN certificates: in the properties of the VPN network for iOS MDM devices and in the properties of the Wi-Fi network for iOS MDM devices.
You can also change the alias for individual or multiple mail and VPN certificates by clicking Modify alias in the list of certificates (Assets (Devices) → Mobile → Certificates).
- Click Save to apply the changes.
The specified settings will be used by Kaspersky Security Center to issue, renew, and protect the certificates of mobile devices.
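The validity and renewal rules above (a certificate lifetime in days, a "renew before it expires in" window, and the Renew certificate automatically check box) can be modelled as a small scheduling check. This is an added example, not Kaspersky code; the certificate records are constructed, and the assumption that a renewal window at least as long as the lifetime is a misconfiguration is mine:

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Defaults stated in the Mobile certificates issuance rules on this page.
DEFAULT_VALIDITY_DAYS = 365
DEFAULT_RENEW_BEFORE_DAYS = 30


@dataclass
class MobileCert:
    """Constructed record of an issued mobile certificate (not the product's data model)."""
    user: str
    issued: date
    validity_days: int = DEFAULT_VALIDITY_DAYS
    auto_renew: bool = True  # mirrors the Renew certificate automatically check box

    @property
    def expires(self) -> date:
        return self.issued + timedelta(days=self.validity_days)


def cert_status(cert: MobileCert, today: date,
                renew_before_days: int = DEFAULT_RENEW_BEFORE_DAYS) -> str:
    """Classify a certificate as 'valid', 'renew' (inside the renewal window) or 'expired'.

    With renew_before_days=4 the status becomes 'renew' exactly four days before
    expiry, matching the example given in the issuance rules.
    """
    # Assumption: a window as long as the whole lifetime would renew on every check.
    if not 0 < renew_before_days < cert.validity_days:
        raise ValueError("renew-before window must be shorter than the certificate lifetime")
    if today >= cert.expires:
        return "expired"  # device can no longer connect to the Administration Server
    if cert.expires - today <= timedelta(days=renew_before_days):
        return "renew"
    return "valid"


def renewal_report(certs, today: date,
                   renew_before_days: int = DEFAULT_RENEW_BEFORE_DAYS) -> dict:
    """Group certificates by the action they need on the given day.

    Certificates in the renewal window with automatic renewal disabled are listed
    under 'manual_renew', because the page states those must be renewed by hand.
    """
    report = {"valid": [], "auto_renew": [], "manual_renew": [], "expired": []}
    for cert in certs:
        status = cert_status(cert, today, renew_before_days)
        if status == "renew":
            report["auto_renew" if cert.auto_renew else "manual_renew"].append(cert.user)
        else:
            report[status].append(cert.user)
    return report


# Constructed sample data: four users with certificates issued on different dates.
SAMPLE_CERTS = [
    MobileCert("alice", date(2024, 1, 1)),                      # expires 2024-12-31
    MobileCert("bob", date(2024, 1, 1), auto_renew=False),      # same, manual renewal
    MobileCert("carol", date(2023, 6, 1)),                      # expired 2024-05-31
    MobileCert("dave", date(2024, 6, 1)),                       # expires 2025-06-01
]

if __name__ == "__main__":
    print(renewal_report(SAMPLE_CERTS, date(2024, 12, 1)))
```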
Issuing mobile device certificates
You can issue mobile, mail, or VPN certificates for mobile devices.
To issue a certificate:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the list of certificates that opens, click Add.
The Certificate issuance wizard starts. Click Start, and then proceed through the wizard using the Back and Next buttons.
Welcome
On the welcome screen, you can read a summary of the Certificate issuance wizard steps.
Please note that the numbering and set of steps may vary depending on the certificate type, operating system, and the issuance settings defined in the Issuance rules section.
Step 1. Certificate type
At this step, choose the certificate to be issued.
- Mail certificate (to configure corporate email on devices).
- VPN certificate (to configure access to private networks and corporate web resources on devices).
- Mobile certificate (to identify mobile devices on the Administration Server).
Step 2. Operating system
At this step, choose the operating system of the devices for which the certificate will be issued.
- Android
- iOS
Step 3. Connection method
This step is displayed only if you selected Mail certificate or VPN certificate as the certificate type and Android as the operating system of the devices for which the certificate will be issued.
At this step, choose the method for connecting devices to Administration Server.
- Connect using mobile certificate authentication
Select this option if you want the mobile certificate to be used for user identification upon connecting to Administration Server.
- Connect without mobile certificate authentication
Select this option if you want to install a certificate on a device using no certificate authentication.
Step 4. Users
At this step, choose one or more users that will receive the details for installing certificates. If a user is not in the list, you can add a new user account without exiting the wizard.
- To choose an existing user, select check boxes next to the corresponding user names.
- To add a new user, click Add user.
- Specify user credentials in the Credentials block of settings.
- User name
- Password
The password must meet the following complexity requirements:
- It must contain between 8 and 16 characters.
- It must contain the characters from at least three of these groups: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;).
- If necessary, specify the optional details in the Optional information group of settings.
- Full user name
- Description
- Email address
- Phone number
- Click OK to save the changes.
The new user will be added and displayed in the list of users.
- To modify user details, click Edit user.
The fields you can modify depend on the user subtype - internal or domain.
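The password complexity rule quoted in this step and in the Users step of the Mobile device connection wizard (8 to 16 characters, at least three of the four character groups, with the exact special-character set listed) is easy to get wrong when scripting account creation. The following checker is an added example, not Kaspersky code; it assumes that characters outside the four listed groups simply do not count towards any group:

```python
# Character groups exactly as listed in the complexity requirements on this page.
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
DIGITS = set("0123456789")
SPECIAL = set("@#$%^&*-_!+=[]{}|:',.?/\\`~\"();")

MIN_LEN, MAX_LEN = 8, 16
MIN_GROUPS = 3


def password_problems(password: str) -> list:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} is outside {MIN_LEN}-{MAX_LEN} characters")
    chars = set(password)
    # Assumption: characters outside the four groups (e.g. accented letters) are
    # neither rejected nor counted towards a group.
    groups_used = sum(1 for group in (UPPER, LOWER, DIGITS, SPECIAL) if chars & group)
    if groups_used < MIN_GROUPS:
        problems.append(f"uses {groups_used} character group(s); at least {MIN_GROUPS} required")
    return problems


def is_acceptable(password: str) -> bool:
    return not password_problems(password)


if __name__ == "__main__":
    # Constructed samples: the first three fail on length or group count, the last passes.
    for candidate in ("kaspersky2024", "Ksc!202", "Kaspersky-2024-Secure", "K$c!2024"):
        print(f"{candidate!r}: {password_problems(candidate) or 'OK'}")
```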
Step 5. Certificate alias and source
At this step, choose the certificate alias and source for importing the certificate.
- Certificate alias
A certificate alias is a name that identifies the certificate. You can use the selected alias later to configure policy settings: Email account for iOS MDM devices; Exchange ActiveSync account for iOS MDM devices; VPN network for iOS MDM devices; Wi-Fi network for iOS MDM devices.
This option is available only if you selected Mail certificate or VPN certificate as the certificate type.
- Integrate issuance with Microsoft CA via PKI
For this option, specify one of the available templates imported from Microsoft CA in the PKI template field.
This option is available only if the integration with PKI is enabled in the Issuance rules.
- Upload file
For this option, specify the Certificate format:
- For the PKCS #12 format, in the Certificate file field, click Select, and then specify a P12 or PFX file.
- For the X.509 format, in the Private key file field, click Select, and then specify a PRK or PEM file.
In the Certificate file field, click Select, and then specify a CER, CRT, or CERT file.
After you specify the files, you can also enter the Certificate password.
Step 6. Authentication method
This step is displayed only if you selected Mobile certificate as the certificate type, or if you selected Mail certificate or VPN certificate for Android devices and specified the Connect without mobile certificate authentication option as the connection method.
At this step, choose the user authentication method for receiving the certificate.
- Domain or internal user credentials. Users will access the certificate using the domain or internal user credentials. On mobile devices, users will have to specify the login in one of the following formats:
userPrincipalName@DNSDomainName
sAMAccountName
sAMADomain\sAMAccountName
- Password. Users will access the certificate using a password sent by email or displayed after completing the wizard.
In the Certificate use on device block of settings, click the Allow using one certificate multiple times on the same device (only for devices with Kaspersky Endpoint Security for Android installed) check box if you want to allow using one certificate multiple times on the same device.
This option is available only if Android is chosen as the operating system of the devices for which the certificate will be issued.
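Users may enter their login in any of the three formats listed for the Domain or internal user credentials option, so anything that logs or compares those logins must treat them as equivalent. The normaliser below is an added example, not Kaspersky code; the NetBIOS-to-DNS domain mapping and the default domain are constructed, and it assumes the UPN suffix equals the DNS domain name:

```python
from typing import Dict, Optional, Tuple


def parse_login(login: str) -> Tuple[Optional[str], str]:
    """Split a login into (domain, account) for the three formats the page lists:
    userPrincipalName@DNSDomainName, sAMAccountName, and sAMADomain\\sAMAccountName.
    The domain is None for a bare sAMAccountName."""
    login = login.strip()
    if not login:
        raise ValueError("empty login")
    if "\\" in login:
        domain, _, account = login.partition("\\")
        if not domain or not account or "\\" in account or "@" in account:
            raise ValueError(f"malformed DOMAIN\\account login: {login!r}")
        return domain.upper(), account      # NetBIOS domain names are case-insensitive
    if "@" in login:
        account, _, dns_domain = login.rpartition("@")
        if not account or not dns_domain:
            raise ValueError(f"malformed UPN login: {login!r}")
        return dns_domain.lower(), account  # DNS names are case-insensitive
    if any(ch.isspace() for ch in login):
        raise ValueError(f"sAMAccountName must not contain whitespace: {login!r}")
    return None, login


def normalize_login(login: str, netbios_to_dns: Dict[str, str], default_domain: str) -> str:
    """Rewrite any accepted format to a canonical account@dns-domain string.

    Assumption: a bare sAMAccountName belongs to default_domain, and each NetBIOS
    domain in netbios_to_dns maps to exactly one DNS domain.
    """
    domain, account = parse_login(login)
    if domain is None:
        dns_domain = default_domain.lower()
    elif domain in netbios_to_dns:
        dns_domain = netbios_to_dns[domain].lower()
    else:
        dns_domain = domain  # already a DNS domain from the UPN form
    return f"{account}@{dns_domain}"


# Constructed mapping for a hypothetical forest with one domain.
NETBIOS_TO_DNS = {"CORP": "corp.example.com"}
DEFAULT_DOMAIN = "corp.example.com"

if __name__ == "__main__":
    for sample in ("jdoe@corp.example.com", "jdoe", "corp\\jdoe"):
        print(sample, "->", normalize_login(sample, NETBIOS_TO_DNS, DEFAULT_DOMAIN))
```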
Step 7. Send certificate details
At this step, choose how to send the certificate installation details. You can choose one of the following options:
- Send a message to users' email addresses
Choose this option to send the certificate installation details by email to the selected users. These email addresses must be specified in the user account settings in Kaspersky Security Center.
If you want to send the certificate installation details to an email address that is not specified in the user account settings in Kaspersky Security Center, select the Send a copy of the message to an alternate email address check box, and then specify the required email address.
- Show the details after completing the wizard
Choose this option to display the certificate installation details at the final step of the Certificate issuance wizard.
Step 8. Confirm
At this step, check the certificate issuance details specified in the earlier steps, and then click Confirm and issue certificate to confirm the operation.
Finish
On the Finish screen:
- If you chose the Send a message to users' email addresses option, the specified users will receive the emails with certificate installation details.
- If you chose the Show the details after completing the wizard option, certificate installation details are displayed on the Finish screen. You can view the displayed details or click Download list to receive a file with summarized information.
Click Close to exit the wizard.
After completing the Certificate issuance wizard, certificates are created and added to the list of user certificates. You can delete or renew certificates, as well as view their properties.
Renewing mobile device certificates
If one of the certificates is about to expire, you can renew it using Kaspersky Security Center Web Console.
By following the steps below, you can renew a mobile certificate or a mail or VPN certificate issued via PKI.
To renew a certificate:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the list of certificates that opens, select the certificate you want to renew, and then click Renew.
The status of the certificate changes to Certificate renewed.
Deleting mobile device certificates
You can delete the certificates of mobile devices using Kaspersky Security Center Web Console.
Please note that if you delete a mobile certificate, the device can no longer synchronize with Administration Server and cannot be managed by means of Kaspersky Security Center.
When you delete a certificate, it is only removed from Kaspersky Security Center Web Console and is no longer renewed, but remains on the device. To delete a certificate from iOS MDM devices, corporate devices, or devices with corporate container, you must execute the Wipe corporate data command. On personal Android devices, users should delete the certificate manually.
When you delete a mobile certificate of the iOS MDM device, the device is not removed from Kaspersky Security Center Web Console, but it loses the ability to synchronize with iOS MDM Server and the "Inactive" status is assigned to it. In this case, you have to delete this device from the list of managed devices in Kaspersky Security Center Web Console, and then reconnect it using Mobile device connection wizard.
To delete a certificate from Kaspersky Security Center Web Console:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the list of certificates that opens, select the certificate you want to delete, and then click Delete.
The certificate is deleted and removed from the list of certificates.
Integration with Public Key Infrastructure
You can integrate the issuance of certificates with Microsoft Certification Authority (CA) via Public Key Infrastructure (PKI). Integration with PKI is primarily intended for simplifying the issuance of domain user certificates by Administration Server. Following integration, certificates are issued automatically.
You can perform the PKI integration with specified settings and assign PKI to act as the source of certificates for specific types of certificates. The PKI integration settings specified in the Issuance rules let you set the individual default template for all types of certificates.
The specifics of using PKI integration to issue certificates:
- The PKI integration is disabled by default. You can enable it using the Integrate issuance of certificates with Microsoft Certification Authority (CA) via PKI toggle switch. For detailed information on enabling PKI and configuring its settings, refer to the Configuring certificate issuance rules section.
- The certificate issuance is carried out using Network Agent for Windows, which enables the integration between Administration Server and Microsoft CA. Since there can be multiple devices with Network Agent installed, you specify the device that will connect to Microsoft CA in the Issuance rules. This device must have an Enrollment Agent (EA) certificate installed in the certificate store of the account under which the integration with PKI is performed. That certificate is issued by the administrator of the domain's CA.
- The account under which integration with PKI is performed must be a domain user and have the right to Log On As Service.
- Kaspersky Security Center can only work with one PKI (Microsoft CA) integration at a time.
For detailed information on configuring integration with PKI to issue certificates, refer to the Configuring certificate issuance rules section.
Viewing the list of mobile device certificates
Kaspersky Security Center Web Console lets you view the created mobile device certificates and their properties.
To view the list of all certificates and their properties:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the window that opens, you can view the list of all created certificates and their properties displayed in the table.
To view the properties of an individual certificate:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the list of certificates that opens, select the certificate whose properties you want to view.
- In the Certificate details window, view the certificate properties:
- User name
- Status
- Type
- Protocol
- Source
- Expiration date
- Issue date
- Latest status update
- Alias
- Automatic renewal disabled
- Thumbprint
To view the certificates installed on an iOS MDM device:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Devices.
- In the list of mobile devices that opens, choose the device whose certificates you want to view.
- In the device properties window that opens, choose the Certificates section.
The list of certificates installed on the device and their properties are displayed.
- Certificate name
- User certificate
- Certificate thumbprint