Deploying Kaspersky applications

This section describes Kaspersky applications deployment on client devices in your organization by means of OSMP Console.

Scenario: Kaspersky applications deployment

This scenario explains how to deploy Kaspersky applications through OSMP Console. You can use the Protection deployment wizard, or you can complete all necessary steps manually.

Stages

Kaspersky applications deployment proceeds in stages:

1. Downloading and creating installation packages

   Download the package manually.

   If you cannot install Kaspersky applications by means of Open Single Management Platform on some devices, for example, on remote employees' devices, you can create stand-alone installation packages for applications. If you use stand-alone packages to install Kaspersky applications, you do not have to create and run a remote installation task, nor create and configure tasks for Kaspersky Endpoint Security for Windows.

   Alternatively, you can download the distribution packages for Network Agent and security applications from the Kaspersky website. If the remote installation of the applications is not possible for some reason, you can use the downloaded distribution packages to install the applications locally.

2. Creating, configuring, and running the remote installation task

   This step is part of the Protection deployment wizard. If you choose not to run the Protection deployment wizard, you must create this task manually and configure it manually.

   You also can manually create several remote installation tasks for different administration groups or different device selections. You can deploy different versions of one application in these tasks.

   Make sure that all the devices on your network are discovered; then run the remote installation task (or tasks).

   If you want to install Network Agent on devices with the SUSE Linux Enterprise Server 15 operating system, install the insserv-compat package first to configure Network Agent.

3. Creating and configuring tasks

   The Update task of Kaspersky Endpoint Security must be configured.

   Create this task manually and configure it manually. Make sure that the schedule for the task meets your requirements. (By default, the scheduled start for the task is set to Manually, but you might want to choose another option.)

4. Creating policies

   Create the policy for Kaspersky Endpoint Security manually. You can use the default settings of the policy; you can also modify the default settings of the policy according to your needs at any time.

5. Verifying the results

   Make sure that deployment was completed successfully: you have policies and tasks for each application, and these applications are installed on the managed devices.

Results

Completion of the scenario yields the following:

• All required policies and tasks for the selected applications are created.
• The schedules of tasks are configured according to your needs.
• The selected applications are deployed, or scheduled to be deployed, on the selected client devices.

Protection deployment wizard

To install Kaspersky applications, you can use the Protection deployment wizard. The Protection deployment wizard enables remote installation of applications either through specially created installation packages or directly from a distribution package.

The Protection deployment wizard performs the following actions:

• Downloads an installation package for application installation (if it was not created earlier). The installation package is located at Discovery & deployment → Deployment & assignment → Installation packages. You can use this installation package for the application installation in the future.
• Creates and runs a remote installation task for specific devices or for an administration group. The newly created remote installation task is stored in the Tasks section. You can later start this task manually. The task type is Install application remotely.

If you want to install Network Agent on devices with the SUSE Linux Enterprise Server 15 operating system, install the insserv-compat package first to configure Network Agent.

Step 1. Starting Protection deployment wizard

You can start the Protection deployment wizard manually at any time.

To start the Protection deployment wizard manually,

In the main menu, go to Discovery & deployment → Deployment & assignment → Protection deployment wizard.

The Protection deployment wizard starts. Proceed through the wizard by using the Next button.

Step 2. Selecting the installation package

Select the installation package of the application that you want to install.

If the installation package of the required application is not listed, click the Add button and then select the application from the list.

Step 3. Selecting a method for distribution of key file or activation code

Expand all | Collapse all

Select a method for the distribution of the key file or the activation code:

• Do not add license key to installation package

  The key is automatically distributed to all devices with which it is compatible:

  • If automatic distribution has been enabled in the key properties.
  • If the Add key task has been created.
• Add license key to installation package

  The key is distributed to devices together with the installation package.

  We do not recommend that you distribute the key using this method because the shared Read access rights are enabled to the repository of installation packages.

If the installation package already includes a key file or an activation code, this window is displayed, but it only contains the license key information.

Step 4. Selecting Network Agent version

If you selected the installation package of an application other than Network Agent, you also have to install Network Agent, which connects the application with Kaspersky Security Center Administration Server.

Select the latest version of Network Agent.

Step 5. Selecting devices

Expand all | Collapse all

Specify a list of devices on which the application will be installed:

• Install on managed devices

  If this option is selected, the remote installation task is created for a group of devices.

• Select devices for installation

  The task is assigned to devices included in a device selection. You can specify one of the existing selections.

  For example, you may want to use this option to run a task on devices with a specific operating system version.

Step 6. Specifying the remote installation task settings

Expand all | Collapse all

On the Remote installation task settings page, specify the settings for remote installation of the application.

In the Force installation package download settings group, specify how files that are required for the application installation are distributed to client devices:

• Using Network Agent

  If this option is enabled, installation packages are delivered to client devices by Network Agent installed on those client devices.

  If this option is disabled, installation packages are delivered using the operating system tools of client devices.

  We recommend that you enable this option if the task has been assigned to devices with Network Agents installed.

  By default, this option is enabled.

• Using operating system resources through distribution points

  If this option is enabled, installation packages are transmitted to client devices using operating system tools through distribution points. You can select this option if there is at least one distribution point on the network.

  If the Using Network Agent option is enabled, the files are delivered using operating system tools only if Network Agent tools are unavailable.

  By default, this option is enabled for remote installation tasks that have been created on a virtual Administration Server.

  The only way to install an application for Windows (including Network Agent for Windows) on a device that does not have Network Agent installed is by using a Windows-based distribution point. Therefore, when you install a Windows application:

  • Select this option.
  • Ensure that a distribution point is assigned for the target client devices.
  • Ensure the distribution point is Windows-based.
• Using operating system resources through Administration Server

  If this option is enabled, files are transmitted to client devices by using operating system tools of client devices through the Administration Server. You can enable this option if no Network Agent is installed on the client device, but the client device is in the same network as the Administration Server.

  By default, this option is enabled.

Define the additional setting:

• Do not re-install application if it is already installed

  If this option is enabled, the selected application will not be re-installed if it has already been installed on this client device.

  If this option is disabled, the application will be installed anyway.

  By default, this option is enabled.

• Assign package installation in Active Directory group policies
  

  If this option is enabled, an installation package is installed by using the Active Directory group policies.

  This option is available if the Network Agent installation package is selected.

  By default, this option is disabled.

Step 7. Removing incompatible applications before installation

This step is only present if the application that you deploy is known to be incompatible with some other applications.

Select the option if you want Open Single Management Platform to automatically remove applications that are incompatible with the application you deploy.

The list of incompatible applications is also displayed.

If you do not select this option, the application will only be installed on devices that have no incompatible applications.

Step 8. Moving devices to Managed devices

Expand all | Collapse all

Specify whether devices must be moved to an administration group after Network Agent installation.

• Do not move devices

  The devices remain in the groups in which they are currently located. The devices that have not been placed in any group remain unassigned.

• Move unassigned devices to group

  The devices are moved to the administration group that you select.

The Do not move devices option is selected by default. For security reasons, you might want to move the devices manually.

Step 9. Selecting accounts to access devices

Expand all | Collapse all

If necessary, add the accounts that will be used to start the remote installation task:

• No account required (Network Agent installed)

  If this option is selected, you do not have to specify the account under which the application installer will be run. The task will run under the account under which the Administration Server service is running.

  If Network Agent has not been installed on client devices, this option is not available.

• Account required (Network Agent is not used)

  Select this option if Network Agent is not installed on the devices for which you assign the remote installation task. In this case, you can specify a user account or an SSH certificate to install the application.

  • Local Account. If this option is selected, specify the user account under which the application installer will be run. Click the Add button, select Local Account, and then specify the user account credentials.

    You can specify multiple user accounts if, for example, none of them have all the required rights on all devices for which you assign the task. In this case, all added accounts are used for running the task, in consecutive order, top-down.

  • SSH certificate. If you want to install an application on a Linux-based client device, you can specify an SSH certificate instead of a user account. Click the Add button, select SSH certificate, and then specify the private and public keys of the certificate.

    To generate a private key, you can use the ssh-keygen utility. Note that Open Single Management Platform supports the PEM format of private keys, but the ssh-keygen utility generates SSH keys in the OPENSSH format by default. The OPENSSH format is not supported by Open Single Management Platform. To create a private key in the supported PEM format, add the -m PEM option in the ssh-keygen command. For example:

    ssh-keygen -m PEM -t rsa -b 4096 -C "<user email>"

Step 10. Starting installation

This page is the final step of the wizard. At this step, the Remote installation task has been successfully created and configured.

By default, the Run the task after the wizard finishes option is not selected. If you select this option, the Remote installation task will start immediately after you complete the wizard. If you do not select this option, the Remote installation task will not start. You can later start this task manually.

Click OK to complete the final step of the Protection deployment wizard.

Adding management plug-ins for Kaspersky applications

For remote administration of Kaspersky applications by using OSMP Console, you must install management web plug-ins. Management web plug-in installation is possible after you deploy Kaspersky Next XDR Expert.

To install a management web plug-in for a Kaspersky application:

1. Move the management web plug-in archive to the administrator host on which the KDT utility is located.
2. If necessary, on the administrator host, export the current version of the configuration file.

   You do not need to export the configuration file if the installation parameters are not added or modified.

3. Run the following command to install the plug-in:

   ./kdt apply -k <path_to_plugin_archive> -i <path_to_configuration_file>

   In the command, specify the path to the plug-in archive and the path to the current configuration file. You do not need to specify the path to the configuration file in the command if the installation parameters are not added or modified.

The management web plug-in is installed. Reload OSMP Console to display the added plug-in.

You can view the list of components related to OSMP (including management web plug-ins) by using KDT. Also, you can view OSMP Console version and the list of installed management web plug-ins. To do this, in the main menu of OSMP Console, go to your account settings, and then select About.

Removing management web plug-ins

You can remove the management web plug-ins of Kaspersky applications that provide additional functionality for Kaspersky Next XDR Expert. The Kaspersky Next XDR Expert services plug-ins are used for the correct function of Kaspersky Next XDR Expert and cannot be removed (for example, the plug-in of Incident Response Platform).

To remove a management web plug-in:

1. If needed, run the following command to obtain the name of the plug-in that you want to remove:

   ./kdt status

   The list of components is displayed.

2. On the administrator host, run the following command. Specify the name of the plug-in that you want to remove:

   ./kdt remove --cnab <plug-in_name>

The specified management web plug-in is removed by KDT.

Viewing the list of components integrated in Open Single Management Platform

You can view the list of components integrated in OSMP (including management web plug-ins) by using KDT.

To view the list of components,

On the administrator host on which KDT is located, run the following command:

./kdt state

The list of components integrated in OSMP (including management web plug-ins) is displayed in the command line window.

Viewing names, parameters, and custom actions of Kaspersky Next XDR Expert components

KDT allows you to view the list of the Kaspersky Next XDR Expert components that are contained in the transport archive, as well as the list of installed components. Also, you can view the parameter list and the custom action list of a Kaspersky Next XDR Expert component. If custom actions are available for the component, you can also view the description and parameters of the specified custom action by using KDT.

Custom action is an action that allows you to perform additional operations specific to the Kaspersky Next XDR Expert component (except installation, update, deletion). For example, recovering Administration Server data and increasing the amount of disk space used for Administration Server and its logs are performed by using custom actions.
A custom action is run by using KDT as follows:
./kdt invoke <component_name> --action <custom_action> --param <custom_action_parameter>

To view the list of Kaspersky Next XDR Expert components included in the transport archive,

On the administrator host where the KDT utility is located, run the following command. In the command, specify the path to the transport archive and its name:

./kdt describe -k <transport_archive_name_with_path>

To view the list of Kaspersky Next XDR Expert components,

On the administrator host where the KDT utility is located, run the following command:

./kdt describe

The lists of Kaspersky Next XDR Expert components are displayed.

To view the parameter list and the custom action list of the Kaspersky Next XDR Expert component,

On the administrator host where the KDT utility is located, run the following command and specify the name of the Kaspersky Next XDR Expert component:

./kdt describe <component_name>

The lists of the parameters and custom actions available for the specified component are displayed.

To view the description and the parameter list of the custom action,

On the administrator host where the KDT utility is located, run the following command and specify the Kaspersky Next XDR Expert component name and its command:

./kdt describe <component_name> <custom_action>

The description and the parameter list of the specified component custom action are displayed.

Downloading and creating installation packages for Kaspersky applications

You can create installation packages for Kaspersky applications from Kaspersky web servers if your Administration Server has access to the internet.

To download and create installation package for Kaspersky application:

1. Do one of the following:
   • In the main menu, go to Discovery & deployment → Deployment & assignment → Installation packages.
   • In the main menu, go to Operations → Repositories → Installation packages.

   You can also view notifications about new packages for Kaspersky applications in the list of onscreen notifications. If there are notifications about a new package, you can click the link next to the notification and proceed to the list of available installation packages.

   A list of installation packages available on Administration Server is displayed.

2. Click Add.

   The New package wizard starts. Proceed through the wizard by using the Next button.

3. Select Create an installation package for a Kaspersky application.

   A list of available installation packages on Kaspersky web servers appears. The list contains installation packages only for those applications that are compatible with the current version of Open Single Management Platform.

4. Click the name of an installation package, for example, Kaspersky Endpoint Security for Linux.

   A window opens with information about the installation package.

   You can download and use an installation package which includes cryptographic tools that implement strong encryption, if it complies with applicable laws and regulations. To download the installation package of Kaspersky Endpoint Security for Windows valid for the needs of your organization, consult the legislation of the country where the client devices of your organization are located.

5. Read the information and click the Download and create installation package button.

   If a distribution package can not be converted to an installation package, the Download distribution package button instead of the Download and create installation package is displayed.

   The downloading of the installation package to Administration Server starts. You can close the wizard's window or proceed to the next step of the instruction. If you close the wizard's window, the download process will continue in background mode.

   If you want to track an installation package download process:

   1. In the main menu, go to Operations → Repositories → Installation packages → In progress ().
   2. Track the operation progress in the Download progress column and the Download status column of the table.

   When the process is complete, the installation package is added to the list on the Downloaded tab. If the download process stops and the download status switches to Accept EULA, then click the installation package name, and then proceed to the next step of the instruction.

   If the size of data contained in the selected distribution package exceeds the current limit, an error message is displayed. You can change the limit value and then proceed with the installation package creation.

6. For some Kaspersky applications, during the download process the Show EULA button is displayed. If it is displayed, do the following:
   1. Click the Show EULA button to read the End User License Agreement (EULA).
   2. Read the EULA that is displayed on the screen, and click Accept.

      The downloading continues after you accept the EULA. If you click Decline, the download is stopped.

7. When the downloading is complete, click the Close button.

The installation package is displayed in the list of installation packages.

Creating installation packages from a file

You can use custom installation packages to do the following:

• To install any application (such as a text editor) on a client device, for example, by means of a task.
• To create a stand-alone installation package.

A custom installation package is a folder with a set of files. The source to create a custom installation package is an archive file. The archive file contains a file or files that must be included in the custom installation package.

While creating a custom installation package, you can specify command-line parameters, for example, to install the application in silent mode.

To create a custom installation package:

1. Do one of the following:
   • In the main menu, go to Discovery & deployment → Deployment & assignment → Installation packages.
   • In the main menu, go to Operations → Repositories → Installation packages.

   A list of installation packages available on the Administration Server is displayed.

2. Click Add.

   The New package wizard starts. Proceed through the wizard by using the Next button.

3. Select Create an installation package from a file.
4. Specify the package name and click the Browse button.
5. In the window that opens, choose an archive file located on the available disks.

   You can upload a ZIP, CAB, TAR, or TAR.GZ archive file. It is not possible to create an installation package from an SFX (self-extracting archive) file.

   File upload to the Administration Server starts.

6. If you specified a file of a Kaspersky application, you may be prompted to read and accept the End User License Agreement (EULA) for the application. To continue, you must accept the EULA. Select the Accept the terms and conditions of this End User License Agreement option only if you have fully read, understand and accept the terms of the EULA.

   Additionally, you may be prompted to read and accept the Privacy Policy. To continue, you must accept the Privacy Policy. Select the I accept the Privacy Policy option only if you understand and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy.

7. Select a file (from the list of files that are extracted from the chosen archive file) and specify the command-line parameters of an executable file.

   You can specify command-line parameters to install the application from the installation package in a silent mode. Specifying command-line parameters is optional.

   The process to create the installation package is started.

   The wizard informs you when the process is finished.

   If the installation package is not created, an appropriate message is displayed.

8. Click the Finish button to close the wizard.

The installation package appears in the list of installation packages.

In the list of installation packages available on Administration Server, by clicking the link with the name of a custom installation package, you can:

• View the following properties of an installation package:
  • Name. Custom installation package name.
  • Source. Application vendor name.
  • Application. Application name packed into the custom installation package.
  • Version. Application version.
  • Language. Language of the application packed into the custom installation package.
  • Size (MB). Size of the installation package.
  • Operating system. Type of the operating system for which the installation package is intended.
  • Created. Installation package creation date.
  • Modified. Installation package modification date.
  • Type. Type of the installation package.
• Change the command-line parameters.

Creating stand-alone installation packages

You and device users in your organization can use stand-alone installation packages to install applications on devices manually.

A stand-alone installation package is an executable file that you can store on the Web Server or in the shared folder, send by email, or transfer to a client device by another method. On the client device, the user can run the received file locally to install an application without involving Open Single Management Platform. You can create stand-alone installation packages for Kaspersky applications and for third-party applications. To create a stand-alone installation package for a third-party application you must create a custom installation package.

Be sure that stand-alone installation package is not available for third persons.

To create a stand-alone installation package:

1. Do one of the following:
   • In the main menu, go to Discovery & deployment → Deployment & assignment → Installation packages.
   • In the main menu, go to Operations → Repositories → Installation packages.

   A list of installation packages available on Administration Server is displayed.

2. In the list of installation packages, select an installation package and, above the list, click the Deploy button.
3. Select the Using a stand-alone package option.

   The Stand-alone installation package creation wizard starts. Proceed through the wizard by using the Next button.

4. Make sure that the Install Network Agent together with this application option is enabled if you want to install Network Agent together with the selected application.

   By default, this option is enabled. It is recommended to enable this option if you are not sure whether Network Agent is installed on the device. If Network Agent is already installed on the device, after the stand-alone installation package with Network Agent installed Network Agent will be updated to the newer version.

   If you disable this option, Network Agent will not be installed on the device and the device will be unmanaged.

   If a stand-alone installation package for the selected application already exists on Administration Server, the wizard informs you about this fact. In this case, you must select one of the following actions:

   • Create stand-alone installation package. Select this option, for example, if you want to create a stand-alone installation package for a new application version and also want to retain a stand-alone installation package that you created for a previous application version. The new stand-alone installation package is placed in another folder.
   • Use existing stand-alone installation package. Select this option if you want to use an existing stand-alone installation package. The process of package creation will not be started.
   • Rebuild existing stand-alone installation package. Select this option if you want to create a stand-alone installation package for the same application again. The stand-alone installation package is placed in the same folder.
5. On the Move to list of managed devices step, the Do not move devices option is selected by default. If you do not want to move the client device to any administration group after Network Agent installation, do not change choice of option.

   If you want to move client device after Network Agent installation, select the Move unassigned devices to this group option and specify an administration group to which you want to move the client device. By default, the device is moved to the Managed devices group.

6. When the process of the stand-alone installation package creation is finished, click the FINISH button.

   The Stand-alone Installation Package Creation Wizard closes.

The stand-alone installation package is created and placed on the Web Server. You can view the list of stand-alone packages by clicking the View the list of stand-alone packages button above the list of installation packages.

Changing the limit on the size of custom installation package data

The total size of data unpacked during creation of a custom installation package is limited. The default limit is 1 GB.

If you attempt to upload an archive file that contains data exceeding the current limit, an error message is displayed. You might have to increase this limit value when creating installation packages from large distribution packages.

To change the limit value for the custom installation package size,

On the administrator host where the KDT utility is located, run the following command:

./kdt invoke ksc --action klscflag --param klscflag_param=" -fset -pv klserver -n MaxArchivePkgSize -t d -v <number of bytes>"

Where <number of bytes> is a number of bytes in hexadecimal or decimal format.

For example, if the required limit is 2 GB, you can specify the decimal value 2147483648 or the hexadecimal value 0x80000000. In this case, for a local installation of Administration Server, you can use the following command:

./kdt invoke ksc --action klscflag --param klscflag_param=" -fset -pv klserver -n MaxArchivePkgSize -t d -v 2147483648"

The limit on the size of custom installation package data is changed.

Installing Network Agent for Linux in silent mode (with an answer file)

You can install Network Agent on Linux devices by using an answer file—a text file that contains a custom set of installation parameters: variables and their respective values. Using this answer file allows you to run an installation in silent mode, that is, without user participation.

To perform installation of Network Agent for Linux in silent mode:

1. If you want to install Network Agent on devices with the SUSE Linux Enterprise Server 15 operating system, install the insserv-compat package first to configure Network Agent.

   If you want to install Network Agent on devices that use the operating system RED OS 7.3.4 or later or MSVSPHERE 9.2 or later, install the libxcrypt-compat package for the correct function of Network Agent.

2. Read the End User License Agreement. Follow the steps below only if you understand and accept the terms of the End User License Agreement.
3. Set the value of the KLAUTOANSWERS environment variable by entering the full name of the answer file (including the path), for example, as follows:

   export KLAUTOANSWERS=/tmp/nagent_install/answers.txt

4. Create the answer file (in TXT format) in the directory that you have specified in the environment variable. Add to the answer file a list of variables in the VARIABLE_NAME=variable_value format, each variable on a separate line.

   For correct usage of the answer file, you must include in it a minimum set of the three required variables:

   • KLNAGENT_SERVER
   • KLNAGENT_AUTOINSTALL
   • EULA_ACCEPTED

   You can also add any optional variables to use more specific parameters of your remote installation. The following table lists all of the variables that can be included in the answer file:

   Variables of the answer file used as parameters of Network Agent for Linux installation in silent mode

   Variables of the answer file used as parameters of Network Agent for Linux installation in silent mode

   Variable name	Required	Description	Possible values
   KLNAGENT_SERVER	Yes	Contains the Administration Server name presented as fully qualified domain name (FQDN) or IP address.	DNS name or IP address.
   KLNAGENT_AUTOINSTALL	Yes	Defines whether silent installation mode is enabled.	1—Silent mode is enabled; the user is not prompted for any actions during installation. Other—Silent mode is disabled; the user may be prompted for actions during installation.
   EULA_ACCEPTED	Yes	Defines whether the user accepts the End User License Agreement (EULA) of Network Agent; when missing, can be interpreted as non-acceptance of the EULA.	1—I confirm that I have fully read, understand, and accept the terms and conditions of this End User License Agreement. Other or not specified—I do not accept the terms of the License Agreement (installation is not performed).
   KLNAGENT_PROXY_USE	No	Defines whether connection with the Administration Server will use proxy settings. The default value is 0.	1—Proxy settings are used. Other—Proxy settings are not used.
   KLNAGENT_PROXY_ADDR	No	Defines the address of the proxy server used for connection with the Administration Server.	DNS name or IP address.
   KLNAGENT_PROXY_LOGIN	No	Defines the user name used for login to the proxy server.	Any existing user name.
   KLNAGENT_PROXY_PASSWORD	No	Defines the user password used for login to the proxy server.	Any set of alphanumeric characters allowed by the password format in the operating system.
   KLNAGENT_VM_VDI	No	Defines whether Network Agent is installed on an image for creation of dynamic virtual machines.	1—Network Agent is installed on an image, which is subsequently used for creation of dynamic virtual machines. Other—No image is used during installation.
   KLNAGENT_VM_OPTIMIZE	No	Defines whether the Network Agent settings are optimal for hypervisor.	1—The default local settings of Network Agent are modified so that they allow optimized usage on hypervisor.
   KLNAGENT_TAGS	No	Lists the tags assigned to the Network Agent instance.	One or multiple tag names separated with semicolon.
   KLNAGENT_UDP_PORT	No	Defines the UDP port used by Network Agent. The default value is 15000.	Any existing port number.
   KLNAGENT_PORT	No	Defines the non-TLS port used by Network Agent. The default value is 14000.	Any existing port number.
   KLNAGENT_SSLPORT	No	Defines the TLS port used by Network Agent. The default value is 13000.	Any existing port number.
   KLNAGENT_USESSL	No	Defines whether Transport Layer Security (TLS) is used for connection.	1 (default)—TLS is used. Other—TLS is not used.
   KLNAGENT_GW_MODE	No	Defines whether connection gateway is used.	1 (default)—The current settings are not modified (at the first call, no connection gateway is specified). 2—No connection gateway is used. 3—Connection gateway is used. 4—The Network Agent instance is used as connection gateway in demilitarized zone (DMZ).
   KLNAGENT_GW_ADDRESS	No	Defines the address of the connection gateway. The value is applicable only if KLNAGENT_GW_MODE=3.	DNS name or IP address.
   KLNAGENT_DEVICEOWNER_REGISTRATION_START	No	Allows to run the user registration as a device owner utility after Network Agent installation. If turned off, then the registration as a device owner is not available to a user.	1—The user registration as a device owner utility will run after Network Agent installation. Other—Turned off.
   PTCH_ALLOW_APPLY_NONAPROVED_PATCHES	No	Defines whether to install the downloaded updates automatically for Network Agent with the Undefined status.	true (default)—Updates are installed automatically. false—Updates are not installed automatically.

5. Install Network Agent:
   • To install Network Agent from an RPM package to a 32-bit operating system, execute the following command:
     # rpm -i klnagent-<build number>.i386.rpm
   • To install Network Agent from an RPM package to a 64-bit operating system, execute the following command:
     # rpm -i klnagent64-<build number>.x86_64.rpm
   • To install Network Agent from an RPM package on a 64-bit operating system for the Arm architecture, execute the following command:
     # rpm -i klnagent64-<build number>.aarch64.rpm
   • To install Network Agent from a DEB package to a 32-bit operating system, execute the following command:
     # apt-get install ./klnagent_<build number>_i386.deb
   • To install Network Agent from a DEB package to a 64-bit operating system, execute the following command:
     # apt-get install ./klnagent64_<build number>_amd64.deb
   • To install Network Agent from a DEB package on a 64-bit operating system for the Arm architecture, execute the following command:
     # apt-get install ./klnagent64_<build number>_arm64.deb

Installation of Network Agent for Linux starts in silent mode; the user is not prompted for any actions during the process.

Preparing a device running Astra Linux in the closed software environment mode for installation of Network Agent

Prior to the installation of Network Agent on a device running Astra Linux in the closed software environment mode, you must perform two preparation procedures—the one in the instructions below and general preparation steps for any Linux device.

Before you begin:

• Make sure that the device on which you want to install Network Agent for Linux is running one of the supported Linux distributions.
• Download the necessary Network Agent installation file from the Kaspersky website.

Run the commands provided in this instruction under an account with root privileges.

To prepare a device running Astra Linux in the closed software environment mode for installation of Network Agent:

1. Open the /etc/digsig/digsig_initramfs.conf file, and then specify the following setting:

   DIGSIG_ELF_MODE=1

2. In the command line, run the following command to install the compatibility package:

   apt install astra-digsig-oldkeys

3. Create a directory for the application key:

   mkdir -p /etc/digsig/keys/legacy/kaspersky/

4. Place the application key /opt/kaspersky/ksc64/share/kaspersky_astra_pub_key.gpg in the directory created in the previous step:

   cp kaspersky_astra_pub_key.gpg /etc/digsig/keys/legacy/kaspersky/

   If the Open Single Management Platform distribution kit does not include the kaspersky_astra_pub_key.gpg application key, you can download it by clicking the link: https://media.kaspersky.com/utilities/CorporateUtilities/kaspersky_astra_pub_key.gpg.

5. Update the RAM disks:

   update-initramfs -u -k all

   Reboot the system.

6. Perform the preparation steps common for any Linux device.

The device is prepared. You can now proceed to the installation of Network Agent.

Viewing the list of stand-alone installation packages

You can view the list of stand-alone installation packages and properties of each stand-alone installation package.

To view the list of stand-alone installation packages for all installation packages:

Above the list, click the View the list of stand-alone packages button.

In the list of stand-alone installation packages, their properties are displayed as follows:

• Package name. Stand-alone installation package name that is automatically formed as the application name included in the package and the application version.
• Application name. Application name included in the stand-alone installation package.
• Application version.
• Network Agent installation package name. The property is displayed only if Network Agent is included in the stand-alone installation package.
• Network Agent version. The property is displayed only if Network Agent is included in the stand-alone installation package.
• Size. File size in MB.
• Group. Name of the group to which the client device is moved after Network Agent installation.
• Created. Date and time of the stand-alone installation package creation.
• Modified. Date and time of the stand-alone installation package modification.
• Path. Full path to the folder where the stand-alone installation package is located.
• Web address. Web address of the stand-alone installation package location.
• File hash. The property is used to certify that the stand-alone installation package was not changed by third-party persons and a user has the same file you have created and transferred to the user.

To view the list of stand-alone installation packages for specific installation package:

Select the installation package in the list and, above the list, click the View the list of stand-alone packages button.

In the list of stand-alone installation packages, you can do the following:

• Publish a stand-alone installation package on the Web Server by clicking the Publish button. Published stand-alone installation package is available for downloading for users whom you sent the link to the stand-alone installation package.
• Cancel publication of a stand-alone installation package on the Web Server by clicking the Unpublish button. Unpublished stand-alone installation package is available for downloading only for you and other administrators.
• Download a stand-alone installation package to your device by clicking the Download button.
• Send email with the link to a stand-alone installation package by clicking the Send by email button.
• Remove a stand-alone installation package by clicking the Remove button.

Distributing installation packages to secondary Administration Servers

Open Single Management Platform allows you to create installation packages for Kaspersky applications and for third-party applications, as well as distribute installation packages to client devices and install applications from the packages. To optimize the load on the primary Administration Server, you can distribute installation packages to secondary Administration Servers. After that, the secondary Servers transmit the packages to client devices, and then you can perform the remote installation of the applications on your client devices.

To distribute installation packages to secondary Administration Servers:

1. Make sure that the secondary Administration Servers are connected to the primary Administration Server.
2. In the main menu, go to Assets (Devices) → Tasks.

   The list of tasks is displayed.

3. Click the Add button.

   The New task wizard starts. Follow the steps of the wizard.

4. On the New task settings page, from the Application drop-down list, select Kaspersky Security Center. Then, from the Task type drop-down list, select Distribute installation package, and then specify the task name.
5. On the Task scope page, select the devices to which the task is assigned in one of the following ways:
   • If you want to create a task for all secondary Administration Servers in a specific administration group, select this group, and then create a group task for it.
   • If you want to create a task for specific secondary Administration Servers, select these Servers, and then create a task for them.
6. On the Distributed installation packages page, select the installation packages that are to be copied to the secondary Administration Servers.
7. Specify an account to run the Distribute installation package task under this account. You can use your account and keep the Default account option enabled. Alternatively, you can specify that the task should be run under another account that has the necessary access rights. To do this, select the Specify account option, and then enter the credentials of that account.
8. On the Finish task creation page, you can enable the Open task details when creation is complete option to open the task properties window, and then modify the default task settings. Otherwise, you can configure the task settings later, at any time.
9. Click the Finish button.

   The task created for distributing installation packages to the secondary Administration Servers is displayed in the task list.

10. You can run the task manually or wait for it to launch according to the schedule that you specified in the task settings.

After the task is completed, the selected installation packages are copied to the specified secondary Administration Servers.

Preparing a Linux device and installing Network Agent on a Linux device remotely

Expand all | Collapse all

Network Agent installation is comprised of two steps:

• A Linux device preparation
• Network Agent remote installation

If you want to install Network Agent on devices that use the operating system RED OS 7.3.4 or later or MSVSPHERE 9.2 or later, install the libxcrypt-compat package for the correct function of Network Agent.

A Linux device preparation

To prepare a device running Linux for remote installation of Network Agent:

1. Make sure that the following software is installed on the target Linux device:
   • Sudo (for Ubuntu 10.04, Sudo version is 1.7.2p1 or later)
   • Perl language interpreter version 5.10 or later
2. Test the device configuration:
   1. Check whether you can connect to the device through an SSH client (such as PuTTY).

      If you cannot connect to the device, open the /etc/ssh/sshd_config file and make sure that the following settings have the respective values listed below:

      PasswordAuthentication no

      ChallengeResponseAuthentication yes

      Do not modify the /etc/ssh/sshd_config file if you can connect to the device with no issues; otherwise, you may encounter SSH authentication failure when running a remote installation task.

      Save the file (if necessary) and restart the SSH service by using the sudo service ssh restart command.

   2. Disable the sudo password for the user account under which the device is to be connected.
   3. Use the visudo command in sudo to open the sudoers configuration file.

      In the file you have opened, add the following line to the end of the file: <username> ALL = (ALL) NOPASSWD: ALL. In this case, <username> is the user account which is to be used for the device connection using SSH. If you are using the Astra Linux operating system, in the /etc/sudoers file, add the last line with the following text: %astra-admin ALL=(ALL:ALL) NOPASSWD: ALL

   4. Save the sudoers file and then close it.
   5. Connect to the device again through SSH and make sure that the Sudo service does not prompt you to enter a password; you can do this using the sudo whoami command.
3. If you want to install Network Agent on devices running operating system with the systemd initialization system, open the /etc/systemd/logind.conf file, and then do one of the following:
   • Specify no as a value for the KillUserProcesses setting: KillUserProcesses=no.
   • For the KillExcludeUsers setting, type the user name of the account under which the remote installation is to be performed, for example, KillExcludeUsers=root.

   Astra Linux target device

   If the target device is running Astra Linux, add export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin string in the /home/<username>/.bashrc file, where <username> is the user account which is to be used for the device connection using SSH.

   OSnova target device

   If the target device is running OSnova, do the following:

   1. Open the /usr/lib/systemd/logind.conf/10-enable-kill-user-processes.conf file, and then comment out the #KillUserProcess=yes line.
   2. Open the /usr/lib/NESS/pam-user-session file, and then comment out the #loginctl terminate-session "$XDG_SESSION_ID" line.

   To apply the changed setting, restart the Linux device or execute the following command:

   $ sudo systemctl restart systemd-logind.service

4. If you want to install Network Agent on devices with the SUSE Linux Enterprise Server 15 operating system, install the insserv-compat package first to configure Network Agent.
5. If you want to install Network Agent on devices that have the Astra Linux operating system running in the closed software environment mode, perform additional steps to prepare Astra Linux devices.
6. If you want to install Network Agent on devices running Ubuntu Server or Ubuntu Desktop version 10.04, perform additional steps to prepare these devices.

Network Agent remote installation

To install Network Agent on Linux devices remotely:

1. Download and create an installation package:
   1. Before installing the package on the device, make sure that it already has all the dependencies (programs and libraries) installed for this package.

      You can view the dependencies for each package on your own, using utilities that are specific for the Linux distribution on which the package is to be installed. For more details about utilities, refer to your operating system documentation.

   2. Download the Network Agent installation package by using the application interface or from the Kaspersky website.
   3. To create a remote installation package, use the following files:
      • klnagent.kpd
      • akinstall.sh
      • .deb or .rpm package of Network Agent
2. Create a remote installation task with the following settings:
   • On the Settings page of the New task wizard, select the Using operating system resources through Administration Server check box. Clear all other check boxes.
   • On the Selecting an account to run the task page specify the settings of the user account that is used for device connection through SSH.
3. Run the remote installation task. Use the option for the su command to preserve the environment: -m, -p, --preserve-environment.

Installing applications using a remote installation task

Open Single Management Platform allows you to install applications on devices remotely, using remote installation tasks. Those tasks are created and assigned to devices through a dedicated wizard. To assign a task more quickly and easily, you can specify devices (up to 1000 devices) in the wizard window in one of the following ways:

• Assign task to an administration group. In this case, the task is assigned to devices included in an administration group created earlier.
• Specify device addresses manually or import addresses from a list. You can specify DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.
• Assign task to a device selection. In this case, the task is assigned to devices included in a selection created earlier. You can specify the default selection or a custom one that you created. You can only select up to 1000 devices.

For correct remote installation on a device with no Network Agent installed, the following ports must be opened: a) TCP 139 and 445; b) UDP 137 and 138. By default, these ports are opened on all devices included in the domain. They are opened automatically by the remote installation preparation utility.

Installing an application remotely

Expand all | Collapse all

This section contains information on how to remotely install an application on devices in an administration group, devices with specific addresses, or a selection of devices.

To install an application on specific devices:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Click Add.

   The New task wizard starts.

3. In the Task type field, select Install application remotely.
4. Select one of the following options:
   • Assign task to an administration group

     The task is assigned to devices included in an administration group. You can specify one of the existing groups or create a new one.

     For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.

     If a task is assigned to an administration group, the Security tab is not displayed in the task properties window because group tasks are subject to the security settings of the groups to which they apply.

   • Specify device addresses manually or import addresses from a list

     You can specify DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.

     You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.

   • Assign task to a device selection

     The task is assigned to devices included in a device selection. You can specify one of the existing selections.

     For example, you may want to use this option to run a task on devices with a specific operating system version.

   The Install application remotely task is created for the specified devices. If you selected the Assign task to an administration group option, the task is a group one.

5. At the Task scope step, specify an administration group, devices with specific addresses, or a device selection.

   The available settings depend on the option selected at the previous step.

6. At the Installation packages step, specify the following settings:
   • In the Select installation package field, select the installation package of an application that you want to install.
   • In the Force installation package download settings group, specify how files that are required for the application installation are distributed to client devices:
     • Using Network Agent

       If this option is enabled, installation packages are delivered to client devices by Network Agent installed on those client devices.

       If this option is disabled, installation packages are delivered using the operating system tools of client devices.

       We recommend that you enable this option if the task has been assigned to devices with Network Agents installed.

       By default, this option is enabled.

     • Using operating system resources through distribution points

       If this option is enabled, installation packages are transmitted to client devices using operating system tools through distribution points. You can select this option if there is at least one distribution point on the network.

       If the Using Network Agent option is enabled, the files are delivered using operating system tools only if Network Agent tools are unavailable.

       By default, this option is enabled for remote installation tasks that have been created on a virtual Administration Server.

       The only way to install an application for Windows (including Network Agent for Windows) on a device that does not have Network Agent installed is by using a Windows-based distribution point. Therefore, when you install a Windows application:

       • Select this option.
       • Ensure that a distribution point is assigned for the target client devices.
       • Ensure the distribution point is Windows-based.
     • Using operating system resources through Administration Server

       If this option is enabled, files are transmitted to client devices by using operating system tools of client devices through the Administration Server. You can enable this option if no Network Agent is installed on the client device, but the client device is in the same network as the Administration Server.

       By default, this option is enabled.

   • In the Maximum number of concurrent downloads field, specify the maximum allowed number of client devices to which Administration Server can simultaneously transmit the files.
   • In the Maximum number of installation attempts field, specify the maximum allowed number of installer runs.

     If the number of attempts specified in the parameter is exceeded, Open Single Management Platform does not start the installer on the device anymore. To restart the Install application remotely task, increase the value of the Maximum number of installation attempts parameter and start the task. Alternatively, you can create a new Install application remotely task.

   • If you migrate from one Kaspersky application to another and your current application is password-protected, enter the password in the Password to uninstall the current Kaspersky application field. Note that during the migration, your current Kaspersky application will be uninstalled.

     The Password to uninstall the current Kaspersky application field is only available if you have selected the Using Network Agent option in the Force installation package download settings group.

     You can use the uninstall password only for the Kaspersky Security for Windows Server to Kaspersky Endpoint Security for Windows migration scenario when installing Kaspersky Endpoint Security for Windows by using the Install application remotely task. Using the uninstall password when installing other components may cause installation errors.

     To complete the migration scenario successfully, make sure that the following prerequisites are met:

     • You are using Kaspersky Security Center Network Agent 14.2 for Windows or later.
     • You are installing the application on devices running Windows.
   • Define the additional setting:
     • Do not re-install application if it is already installed

       If this option is enabled, the selected application will not be re-installed if it has already been installed on this client device.

       If this option is disabled, the application will be installed anyway.

       By default, this option is enabled.

     • Verify operating system type before downloading

       Before transmitting the files to client devices, Open Single Management Platform checks if the Installation utility settings are applicable to the operating system of the client device. If the settings are not applicable, Open Single Management Platform does not transmit the files and does not attempt to install the application. For example, to install some application to devices of an administration group that includes devices running various operating systems, you can assign the installation task to the administration group, and then enable this option to skip devices that run an operating system other than the required one.

     • Assign package installation in Active Directory group policies

       If this option is enabled, an installation package is installed by using the Active Directory group policies.

       This option is available if the Network Agent installation package is selected.

       By default, this option is disabled.

     • Prompt users to close running applications

       Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

       If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

       If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

       By default, this option is disabled.

   • Select on which devices you want to install the application:
     • Install on all devices

       The application will be installed even on devices managed by other Administration Servers.

       This option is selected by default. You do not have to change this setting if you have only one Administration Server in your network.

     • Install only on devices managed through this Administration Server

       The application will be installed only on devices managed by this Administration Server. Select this option if you have more than one Administration Server in your network and want to avoid conflicts between them.

   • Specify whether devices must be moved to an administration group after installation:
     • Do not move devices

       The devices remain in the groups in which they are currently located. The devices that have not been placed in any group remain unassigned.

     • Move unassigned devices to the selected group (only a single group can be selected)

       The devices are moved to the administration group that you select.

     Note that the Do not move devices option is selected by default. For security reasons, you might want to move the devices manually.

7. At the this step of the wizard, specify whether the devices must be restarted during installation of applications:
   • Do not restart the device

     If this option is selected, the device will not be restarted after the security application installation.

   • Restart the device

     If this option is selected, the device will be restarted after the security application installation.

8. If necessary, at the Select accounts to access devices step, add the accounts that will be used to start the Install application remotely task:
   • No account required (Network Agent installed)

     If this option is selected, you do not have to specify the account under which the application installer will be run. The task will run under the account under which the Administration Server service is running.

     If Network Agent has not been installed on client devices, this option is not available.

   • Account required (Network Agent is not used)

     Select this option if Network Agent is not installed on the devices for which you assign the remote installation task. In this case, you can specify a user account or an SSH certificate to install the application.

     • Local Account. If this option is selected, specify the user account under which the application installer will be run. Click the Add button, select Local Account, and then specify the user account credentials.

       You can specify multiple user accounts if, for example, none of them have all the required rights on all devices for which you assign the task. In this case, all added accounts are used for running the task, in consecutive order, top-down.

     • SSH certificate. If you want to install an application on a Linux-based client device, you can specify an SSH certificate instead of a user account. Click the Add button, select SSH certificate, and then specify the private and public keys of the certificate.

       To generate a private key, you can use the ssh-keygen utility. Note that Open Single Management Platform supports the PEM format of private keys, but the ssh-keygen utility generates SSH keys in the OPENSSH format by default. The OPENSSH format is not supported by Open Single Management Platform. To create a private key in the supported PEM format, add the -m PEM option in the ssh-keygen command. For example:

       ssh-keygen -m PEM -t rsa -b 4096 -C "<user email>"

9. At the Finish task creation step, click the Finish button to create the task and close the wizard.

   If you enabled the Open task details when creation is complete option, the task settings window opens. In this window, you can check the task parameters, modify them, or configure a task start schedule, if necessary.

10. In the task list, select the task you created, and then click Start.

    Alternatively, wait for the task to launch according to the schedule that you specified in the task settings.

When the remote installation task is completed, the selected application is installed on the specified devices.

Installing applications on secondary Administration Servers

To install an application on secondary Administration Servers:

1. Establish a connection with the Administration Server that controls the relevant secondary Administration Servers.
2. Make sure that the installation package corresponding to the application being installed is available on each of the selected secondary Administration Servers. If you cannot find the installation package on any of the secondary Servers, distribute it. For this purpose, create a task with the Distribute installation package task type.
3. Create a task for a remote application installation on secondary Administration Servers. Select the Install application on secondary Administration Server remotely task type.

   The New task wizard creates a task for remote installation of the application selected in the wizard on specific secondary Administration Servers.

4. Run the task manually or wait for it to launch according to the schedule that you specified in the task settings.

When the remote installation task is complete, the selected application is installed on the secondary Administration Servers.

Specifying settings for remote installation on Unix devices

Expand all | Collapse all

When you install an application on a Unix device by using a remote installation task, you can specify Unix-specific settings for the task. These settings are available in the task properties after the task is created.

To specify Unix-specific settings for a remote installation task:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Click the name of the remote installation task for which you want to specify the Unix-specific settings.

   The task properties window opens.

3. Go to Application settings → Unix-specific settings.
4. Specify the following settings:
   • Set a password for the root account (only for deployment through SSH)

     If the sudo command cannot be used on the target device without specifying the password, select this option, and then specify the password for the root account. Kaspersky Next XDR Expert transmits the password in an encrypted form to the target device, decrypts the password, and then starts the installation procedure on behalf of the root account with the specified password.

     Kaspersky Next XDR Expert does not use the account or the specified password to create an SSH connection.

   • Specify the path to a temporary folder with Execute permissions on the target device (only for deployment through SSH)

     If the /tmp directory on the target device does not have the execute permission, select this option, and then specify the path to the directory with the execute permission. Kaspersky Next XDR Expert uses the specified directory as a temporary directory to access via SSH. The application places the installation package in the directory and runs the installation procedure.

5. Click the Save button.

The specified task settings are saved.

Starting and stopping Kaspersky applications

You can use the Start or stop application task for starting and stopping Kaspersky applications on managed devices.

To create the Start or stop application task:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Click Add.

   The New task wizard starts. Proceed through the wizard by using the Next button.

3. In the Application drop-down list, select the application for which you want to create the task.
4. In the Task type list, select the Application activation task.
5. In the Task name field, specify the name of the new task.

   The task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

6. Select the devices to which the task will be assigned.
7. In the Applications window, do the following:
   • Select the check boxes next to the names of applications for which you want to create the task.
   • Select the Start application or the Stop application option.
8. If you want to modify the default task settings, enable the Open task details when creation is complete option at the Finish task creation step. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
9. Click the Finish button.

   The task is created and displayed in the list of tasks.

10. Click the name of the created task to open the task properties window.
11. In the task properties window, specify the general task settings according to your needs, and then save the settings.

The task is created and configured.

If you want to run the task, select it in the task list, and then click the Start button.

Replacing third-party security applications

Installation of Kaspersky security applications through Open Single Management Platform may require removal of third-party software that is incompatible with the application being installed. Open Single Management Platform provides several ways of removing the third-party applications.

Removing incompatible applications when configuring remote installation of an application

You can enable the Uninstall incompatible applications automatically option when you configure remote installation of a security application in the Protection deployment wizard. When this option is enabled, Open Single Management Platform removes incompatible applications before installing a security application on a managed device.

Removing incompatible applications through a dedicated task

To remove incompatible applications, use the Uninstall application remotely task. This task should be run on devices before the security application installation task. For example, in the installation task you can select On completing another task as the schedule type where the other task is Uninstall application remotely.

This method of uninstallation is useful when the security application installer cannot properly remove an incompatible application.

Removing applications or software updates remotely

Expand all | Collapse all

You can remove applications or software updates on managed devices that run Linux remotely only by using Network Agent.

To remove applications or software updates remotely from selected devices:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Click Add.

   The New task wizard starts. Proceed through the wizard by using the Next button.

3. In the Application drop-down list, select Open Single Management Platform.
4. In the Task type list, select the Uninstall application remotely task type.
5. In the Task name field, specify the name of the new task.

   A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

6. Select the devices to which the task will be assigned.

   Go to the next step of the wizard.

7. Select what kind of software you want to remove, and then select specific applications, updates, or patches that you want to remove:
   • Uninstall managed application

     A list of Kaspersky applications is displayed. Select the application that you want to remove.

     Ensure that the Use uninstallation password policy setting is disabled for the managed application.

   • Uninstall incompatible application

     A list of applications incompatible with Kaspersky security applications or Open Single Management Platform is displayed. Select the check boxes next to the applications that you want to remove.

   • Uninstall application from applications registry

     By default, Network Agents send the Administration Server information about the applications installed on the managed devices. The list of installed applications is stored in the applications registry.

     To select an application from the applications registry:

     1. Click the Application to uninstall field, and then select the application that you want to remove.

        If you select Kaspersky Security Center Network Agent, when you run the task, the status Completed successfully shows that the process of removing started. If Kaspersky Security Center Network Agent is removed, the status does not change. If the task fails, the status changes to Failed.

     2. Specify the uninstallation options:
        • Uninstallation mode

          Select how you want to remove the application:

          • Define uninstallation command automatically

            If the application has an uninstallation command defined by the application vendor, Open Single Management Platform uses this command. We recommend that you select this option.

          • Specify uninstallation command

            Select this option if you want to specify your own command for the application uninstallation.

            We recommend that you first try to remove the application by using the Define uninstallation command automatically option. If the uninstallation through the automatically defined command fails, then use your own command.

            Type an installation command into the field, and then specify the following option:

            Use this command for uninstallation only if the default command was not autodetected

            Open Single Management Platform checks whether or not the selected application has an uninstallation command defined by the application vendor. If the command is found, Open Single Management Platform will use it instead of the command specified in the Command for application uninstallation field.

            We recommend that you enable this option.

        • Perform restart after successful application uninstallation

          If the application requires the operating system to be restarted on the managed device after successful uninstallation, the operating system is restarted automatically.

   • Uninstall the specified application update, patch, or third-party application

     A list of updates, patches, and third-party applications is displayed. Select the item that you want to remove.

     The displayed list is a general list of applications and updates, and it does not correspond to the applications and updates installed on the managed devices. Before selecting an item, we recommend that you ensure that the application or update is installed on the devices defined in the task scope. You can view the list of devices on which the application or update is installed, via the properties window.

     To view the list of devices:

     1. Click the name of the application or update.

        The properties window opens.

     2. Open the Devices section.

        You can also view the list of installed applications and updates in the device properties window.

8. Specify how client devices will download the Uninstallation utility:
   • Using Network Agent

     The files are delivered to client devices by Network Agent installed on those client devices.

     If this option is disabled, the files are delivered using the Linux operating system tools.

     We recommend that you enable this option if the task has been assigned to devices that have Network Agents installed.

   • Using operating system resources through Administration Server

     The option is obsolete. Use the Using Network Agent or Using operating system resources through distribution points option instead.

     The files are transmitted to client devices by using the Administration Server operating system tools. You can enable this option if no Network Agent is installed on the client device, but the client device is on the same network as the Administration Server.

   • Using operating system resources through distribution points

     The files are transmitted to client devices by using operating system tools through distribution points. You can enable this option if there is at least one distribution point on the network.

     If the Using Network Agent option is enabled, the files are delivered by using operating system tools only if Network Agent tools are unavailable.

   • Maximum number of concurrent downloads

     The maximum allowed number of client devices to which Administration Server can simultaneously transmit the files. The larger this number, the faster the application will be uninstalled, but the load on Administration Server is higher.

   • Maximum number of uninstallation attempts

     If, when running the Uninstall application remotely task, Open Single Management Platform fails to uninstall an application on a managed device within the number of installer runs specified by the parameter, Open Single Management Platform stops delivering the Uninstallation utility to this managed device and does not start the installer on the device anymore.

     The Maximum number of uninstallation attempts parameter allows you to save the resources of the managed device, as well as reduce traffic (uninstallation, MSI file run, and error messages).

     Recurring task start attempts may indicate a problem on the device and which prevents uninstallation. The administrator should resolve the problem within the specified number of uninstallation attempts and then restart the task (manually or by a schedule).

     If uninstallation is not achieved eventually, the problem is considered unresolvable and any further task starts are seen as costly in terms of unnecessary consumption of resources and traffic.

     When the task is created, the attempts counter is set to 0. Each run of the installer that returns an error on the device increments the counter reading.

     If the number of attempts specified in the parameter has been exceeded and the device is ready for application uninstallation, you can increase the value of the Maximum number of uninstallation attempts parameter and start the task to uninstall the application. Alternatively, you can create a new Uninstall application remotely task.

   • Verify operating system type before downloading

     Before transmitting the files to client devices, Open Single Management Platform checks if the Installation utility settings are applicable to the operating system of the client device. If the settings are not applicable, Open Single Management Platform does not transmit the files and does not attempt to install the application. For example, to install some application to devices of an administration group that includes devices running various operating systems, you can assign the installation task to the administration group, and then enable this option to skip devices that run an operating system other than the required one.

   Go to the next step of the wizard.

9. Specify the operating system restart settings:
   • Do not restart the device

     Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

   • Restart the device

     Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

   • Prompt user for action

     The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

     By default, this option is selected.

     • Repeat prompt every (min)
     • Restart after (min)
   • Force closure of applications in blocked sessions

     Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

     If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

     If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

     By default, this option is disabled.

   Go to the next step of the wizard.

10. If necessary, add the accounts that will be used to start the remote uninstallation task:
    • No account required (Network Agent installed)

      If this option is selected, you do not have to specify the account under which the application installer will be run. The task will run under the account under which the Administration Server service is running.

      If Network Agent has not been installed on client devices, this option is not available.

    • Account required (Network Agent is not used)

      Select this option if Network Agent is not installed on the devices for which you assign the Uninstall application remotely task. In this case, you can specify a user account or an SSH certificate to uninstall the application.

      • Local Account. If this option is selected, specify the user account under which the application installer will be run. Click the Add button, select Local Account, and then specify the user account credentials.

        You can specify multiple user accounts if, for example, none of them have all the required rights on all devices for which you assign the task. In this case, all added accounts are used for running the task, in consecutive order, top-down.

      • SSH certificate. If you want to uninstall an application from a Linux-based client device, you can specify an SSH certificate instead of a user account. Click the Add button, select SSH certificate, and then specify the private and public keys of the certificate.

        To generate a private key, you can use the ssh-keygen utility. Note that Open Single Management Platform supports the PEM format of private keys, but the ssh-keygen utility generates SSH keys in the OPENSSH format by default. The OPENSSH format is not supported by Open Single Management Platform. To create a private key in the supported PEM format, add the -m PEM option in the ssh-keygen command.

        For example:

        ssh-keygen -m PEM -t rsa -b 4096 -C "<user email>"

11. At the Finish task creation step of the wizard, enable the Open task details when creation is complete option to modify the default task settings.

    If you do not enable this option, the task will be created with the default settings. You can modify the default settings later.

12. Click the Finish button.

    The wizard creates the task. If you enabled the Open task details when creation is complete option, the task properties window automatically opens. In this window, you can specify the general task settings and, if required, change the settings specified during task creation.

    You can also open the task properties window by clicking the name of the created task in the list of tasks.

    The task is created, configured, and displayed in the list of tasks at Assets (Devices) → Tasks.

13. To run the task, select it in the task list, and then click the Start button.

    You can also set a task start schedule on the Schedule tab of the task properties window.

    For a detailed description of scheduled start settings, refer to the general task settings.

After the task is completed, the selected application is removed from the selected devices.

Remote uninstallation issues

Sometimes remote uninstallation of third-party applications may finish with the following warning: "Remote uninstallation has finished on this device with warnings: Application for removal is not installed." This issue occurs when the application to be uninstalled has already been uninstalled or was installed only for an individual user. Applications installed for an individual user (also referred to as per-user applications) become invisible and cannot be uninstalled remotely if the user is not logged in.

This behavior differs from applications intended for use by multiple users on the same device (also referred to as per-device applications). Per-device applications are visible and accessible to all users of the device.

Therefore, per-user applications must be uninstalled only when the user is logged in.

Source of information about installed applications

The Network Agent retrieves information about software installed on Windows devices from the following registry keys:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

  Contains information about applications installed for all users.

• HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

  Contains information about applications installed for all users.

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall

  Contains information about applications installed for the current user.

• HKEY_USER<...>\Software\Microsoft\Windows\CurrentVersion\Uninstall

  Contains information about applications installed for specific users.

Preparing a device running SUSE Linux Enterprise Server 15 for installation of Network Agent

To install Network Agent on a device with the SUSE Linux Enterprise Server 15 operating system:

Before the Network Agent installation, run the following command:

$ sudo zypper install insserv-compat

This enables you to install the insserv-compat package and configure Network Agent properly.

Run the rpm -q insserv-compat command to check whether the package is already installed.

If your network includes a lot of devices running SUSE Linux Enterprise Server 15, you can use the special software for configuring and managing the company infrastructure. By using this software, you can automatically install the insserv-compat package on all necessary devices at once. For example, you can use Puppet, Ansible, Chef, you can make your own script—use any method that is convenient for you.

If the device does not have the GPG signing keys for SUSE Linux Enterprise, you may encounter the following warning: Package header is not signed! Select the i option to ignore the warning.

After preparing the SUSE Linux Enterprise Server 15 device, deploy and install Network Agent.

Preparing a Windows device for remote installation

Remote installation of the application on the client device may return an error for the following reasons:

• The task has already been successfully performed on this device.

  In this case, the task does not have to be performed again.

• When a task was started, the device was shut down.

  In this case, turn on the device, and then restart the task.

• There is no connection between the Administration Server and the Network Agent installed on the client device.

  To determine the cause of the problem, use the utility designed for remote diagnostics of client devices (klactgui).

• If Network Agent is not installed on the device, the following issues may occur during remote installation:
  • Network errors
  • Misconfigured operating system
  • Incorrectly configured account rights in the remote installation task

  To avoid issues that may occur during installation of the application on a client device without Network Agent installed, you must force the installation of selected installation packages by using the remote installation task of Open Single Management Platform—provided that each device has a user account with local administrator rights.

Previously, the riprep utility was used to prepare a Windows device for remote installation. This is now considered an outdated method for configuring operating systems. The riprep utility is not recommended for use on operating systems newer than Windows XP and Windows Server 2003 R2.

Forced installation can also be applied if devices cannot be directly accessed by Administration Server. For example, if the devices are on isolated networks or on a local network, while Administration Server is in the DMZ. In such cases, a distribution point is required for deployment to such devices.

Using distribution points as local installation centers may also be useful when performing installation on devices in subnets communicating with Administration Server via a low-capacity channel while a broader channel is available between devices in the same subnet.

In case of initial deployment, Network Agent is not installed. Therefore, in the settings of the remote installation task, you cannot select distribution of files required for application installation by using Network Agent. You can only choose to distribute files by using operating system resources through Administration Server or distribution points.

You should specify an account that has access to the admin$ share in the settings of the remote installation task.

You can specify target devices either explicitly (with a list), by selecting the Open Single Management Platform administration group to which they belong, or by creating a selection of devices based upon a specific criterion. The installation start time is defined by the task schedule. If the Run missed tasks setting is enabled in the task properties, the task can be run either immediately after target devices are turned on or when they are moved to the target administration group.

Forced installation consists of delivering installation packages to target devices, subsequent copying of files to the admin$ resource on each of the target devices, and remote registration of supporting services on those devices. Delivery of installation packages to target devices is performed through the Open Single Management Platform feature that ensures network interaction. The following conditions must be met in this case:

• Target devices are accessible from the distribution point with the Windows operating system, from which remote installation to client devices is to be carried out and this distribution point is selected for the target devices.
• Name resolution for target devices functions properly on the network.
• The administrative shares (admin$) remain enabled on target devices.
• The following system services are running on target devices:
  • Server (LanmanServer)

    By default, this service is running.

  • DCOM Server Process Launcher (DcomLaunch)
  • RPC Endpoint Mapper (RpcEptMapper)
  • Remote Procedure Call (RpcSs)
• Port TCP 445 is open on target devices, to enable remote access through Windows tools.

  TCP 139, UDP 137, and UDP 138 are used by older protocols and are no longer necessary for current applications.

  Dynamic outbound access ports must be allowed on the firewall, for connections from distribution points to target devices.

• The Active Directory domain policy security settings are allowed to provide the operation of the NTLM protocol during the deployment of Network Agent.
• On target devices running Microsoft Windows XP, Simple File Sharing mode is disabled.
• On target devices, the access sharing and security model are set as Classic – local users authenticate as themselves. It can in no way be Guest only – local users authenticate as Guest.
• Target devices are members of the domain, or uniform accounts with administrator rights are created on target devices in advance.

To deploy Network Agent or other applications successfully to a device that is not joined to a Windows Server 2003 or later Active Directory domain, you must disable remote UAC on that device. Remote UAC is one of the reasons that prevent local administrative accounts from accessing admin$, which is necessary for forced deployment of Network Agent or other applications. Disabling remote UAC does not affect local UAC.

During installation on new devices that have not yet been allocated to any of the Open Single Management Platform administration groups, you can open the remote installation task properties and specify the administration group to which devices will be moved after Network Agent installation.

When creating a group task, keep in mind that each group task affects all devices in all nested groups within a selected group. Therefore, you must avoid duplicating installation tasks in subgroups.

A simplified way to create tasks for forced installation of applications is automatic installation. To do this, you must open the administration group properties, open the list of installation packages, and then select the ones that must be installed on devices in this group. As a result, the selected installation packages will be automatically installed on all devices in this group and all of its subgroups. The time interval over which the packages will be installed depends on the network throughput and the total number of networked devices.

You can use several distribution points to reduce the load during the delivery of installation packages to target devices. Note that this installation method places a significant load on devices acting as distribution points. If you use distribution points, you have to make sure that they are present in each of the isolated subnets hosting target devices.

The free disk space in the partition with the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit folder must exceed, by many times, the total size of the distribution packages of installed applications.