Deploying a mobile device management solution in Kaspersky Security Center Web Console

To connect and manage mobile devices using Kaspersky Security Center Web Console, you must deploy a mobile device management solution. This section describes the recommended actions when getting started with Kaspersky Secure Mobility Management.

Deploying Kaspersky Security Center Linux and Kaspersky Security Center Web Console

Select a Linux device that you intend to use as the administrator's workstation, ensure that the device meets the software and hardware requirements, and then install Kaspersky Security Center and Kaspersky Security Center Web Console on the device.

For instructions on installing Kaspersky Security Center Linux, refer to the Kaspersky Security Center Help.

For instructions on installing Kaspersky Security Center Web Console, refer to the Kaspersky Security Center Help.

Deploying mobile management plug-ins

To use the Kaspersky Secure Mobility Management solution and connect mobile devices, you must add and install the following mobile management plug-ins:

• Kaspersky Mobile Devices Protection and Management
  • on_prem_ksm_policies_<version>.zip

    Archive that contains the files required for the installation of the Kaspersky Mobile Devices Protection and Management plug-in:

    • plugin.zip

      Archive that contains the Kaspersky Mobile Devices Protection and Management plug-in.

    • signature.txt

      File that contains the signature for the Kaspersky Mobile Devices Protection and Management plug-in.

• iOS MDM Server settings
  • on_prem_iosmdm_<version>.zip

    Archive that contains the files required for the installation of the iOS MDM Server settings plug-in:

    • plugin.zip

      Archive that contains the iOS MDM Server settings plug-in.

    • signature.txt

      File that contains the signature for the iOS MDM Server settings plug-in.

To install a management plug-in:

1. In the main window of Kaspersky Security Center Web Console, select Settings > Web plug-ins.
2. In the window that opens, click Add.

   The list of available plug-ins is displayed.

3. In the list of available plug-ins, select the plug-in you want to install by clicking on its name.

   A plug-in description page is displayed.

4. On the plug-in description page, click Install plug-in.
5. When the installation is complete, click OK.

The management plug-in is downloaded with the default configuration and displayed in the list of management plug-ins.

You can add plug-ins and update downloaded plug-ins from a file. You can download management plug-ins and web management plug-ins from the Kaspersky Customer Service webpage.

To load or update a plug-in from a file:

1. In the main window of Kaspersky Security Center Web Console, select Settings > Web plug-ins.
2. In the window that opens:
   • Click Add from file to load a plug-in from a file.
   • Click Update from file to load an update of a plug-in from a file.
3. Specify the file and signature of the file.
4. Load the specified files.

The management plug-in is loaded from the file and displayed in the list of management plug-ins.

Updates functionality (including providing anti-malware signature updates and codebase updates), as well as KSN functionality may not be available in the software in the U.S.

Configuring Administration Server settings for connecting mobile devices

Before connecting mobile devices to Kaspersky Security Center Web Console, you must define the connection settings in the Administration Server properties.

To configure Administration Server settings for connecting mobile devices:

1. In the main window of Kaspersky Security Center Web Console, click the settings icon () next to the name of the Administration Server.
2. In the Administration Server properties window that opens, configure the Administration Server port that will be used by mobile devices:
   1. In the General tab, select the Additional ports section.
   2. Enable the Open port for mobile devices toggle button.

      If this option is enabled, the port for mobile devices will be open on the Administration Server.

   3. In the Port for mobile device synchronization field, specify the port through which mobile devices will connect to the Administration Server.

      Port 13292 is used by default.

      If the Open port for mobile devices toggle button is off or an incorrect connection port is specified, mobile devices will not be able to connect to the Administration Server.

3. If necessary, edit the certificate that will be used by mobile devices to connect to the Administration Server.

   By default, Administration Server uses the certificate created after the port for mobile devices is opened. You can reissue or replace the certificate issued through the Administration Server with another certificate.

   To edit the certificate:

   1. In the General tab, select the Certificates section.
   2. Define the required settings.

      For more details on working with certificates in Kaspersky Security Center Linux, refer to the Kaspersky Security Center Help.

4. Click Save to save the changes you have made and exit the Administration Server properties window.

The mobile device connection settings are configured.

Scenario: Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Web Console

This scenario describes how to configure a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server.

Requirements

For a connection gateway to work correctly with mobile devices, the following requirements must be met:

• Port 13292 must be open on the host with the connection gateway.
• Port 13000 must be open between the connection gateway and Kaspersky Security Center. It does not need to be open outside the DMZ.
• The host must have a static address accessible from the internet.

Stages

The configuration proceeds in the following steps:

1. Installing Network Agent in the connection gateway role on a host

   First, you need to install Network Agent on the selected host device acting in the gateway connection role.

   For information about generating a Network Agent installation package, refer to the Kaspersky Security Center Help.

   You can install Network Agent in interactive mode by specifying installation parameters step by step. Alternatively, you can use an answer file—a text file that contains a custom set of installation parameters: variables and their respective values. Using this answer file allows you to run an installation in silent mode, that is, without user participation. For information on installing Network Agent in silent mode, refer to the Kaspersky Security Center Help.

2. Configuring the connection gateway on Kaspersky Security Center Administration Server

   Once you have installed Network Agent in the connection gateway role, you must connect it to Administration Server. Administration Server does not yet list the device with the connection gateway among the managed devices because the connection gateway has not tried to connect to Administration Server.

   You must create a new group under the Managed Devices group and add the device acting as a connection gateway to the group that you have created. For information on manually adding devices to groups in Kaspersky Security Center Web Console, refer to the Kaspersky Security Center Help.

   After that, assign the device as a distribution point and configure the distribution point to act as a connection gateway in the Connection gateway section of the distribution point properties. Then enable the Open port for mobile devices (SSL authentication of the Administration Server only) and Open port for mobile devices (two-way SSL authentication) options and specify ports and DNS domain names of the distribution point to connect mobile devices.

Results

The connection gateway will be configured. You will be able to add new mobile devices by specifying the connection gateway address.

Adding installation packages to Administration Server repository

For further deployment of mobile management systems, you need to add the following installation packages to the Administration Server repository:

• Network Agent Linux installation package (for later installation of Network Agent on a workstation).
• iOS MDM Server installation package (for later installation of iOS MDM Server to connect and manage iOS devices).
• Kaspersky Endpoint Security for Android installation package (for later installation of Kaspersky Endpoint Security for Android on devices).

For instructions on adding installation packages to the Administration Server repository, refer to the Kaspersky Security Center Help.

Adding a license key to the Administration Server repository

To connect mobile devices to Kaspersky Security Center Web Console and manage them, you must add a license key that supports the Mobile Device Management solution to the Administration Server repository.

The license under which the solution is used determines a scope of basic or advanced settings you can configure. With a license that does not provide the extended Kaspersky Secure Mobility Management functionality, only basic device protection settings are available in the Kaspersky Mobile Devices Protection and Management plug-in. For detailed information on licenses, refer to the About the license section.

To add a license key to the Administration Server repository:

• In the main window of Kaspersky Security Center Web Console, click the settings icon () next to the name of the Administration Server.

  In the Administration Server properties window that opens:

  1. In the General tab, select the License keys section.
  2. In the Current license block of settings, click Select and specify the KEY file you want to add.

     The license you choose must support the Mobile Management solution.

  3. Click Save.

The license key is added to the Administration Server repository.

To view the list of the license keys added to the Administration Server repository:

In the main window of Kaspersky Security Center Web Console, select Operations > Kaspersky licenses.

The displayed list contains the key files and activation codes added to the Administration Server repository.

To view the detailed information about a license key:

1. In the main window of Kaspersky Security Center Web Console, select Operations > Kaspersky licenses.
2. Click the name of the required license key.

   In the license key properties window that opens, on the General tab, you can view the detailed information about the selected license key.

Installing Network Agent Linux

Network Agent Linux is a Kaspersky Security Center component that enables interaction between the Administration Server and Kaspersky applications that are installed on a workstation or server.

To deploy an iOS device management system, you must install Network Agent on a workstation on which iOS MDM Server will later be deployed. After Network Agent is installed, you will be able to configure and install iOS MDM Server on it to subsequently connect and manage iOS devices.

For the instructions on installing Network Agent Linux, refer to the Kaspersky Security Center Help.

Configuring Kaspersky Security Center Linux Web Server settings

Kaspersky Security Center Linux Web Server (Web Server) is a component of Kaspersky Security Center Linux installed together with the Administration Server. Web Server is designed for network transmission of stand-alone installation packages, device management profiles, and files from a shared folder.

Installation packages that have been created are published on Web Server automatically and then removed after the first download. The administrator can send a new link to the user in any convenient way, such as by email.

For detailed information, refer to the Kaspersky Security Center Help.

To connect mobile devices, make sure the Web Server FQDN is specified correctly in the Administration Server properties:

1. In the main window of Kaspersky Security Center Web Console, click the settings icon () next to the name of the Administration Server.
2. In the Administration Server properties window that opens, on the General tab, select the Web Server section.
3. In the Web Server FQDN field, check if the specified FQDN (a fully qualified domain name) is publicly resolvable by DNS servers.