Kaspersky Security for Mobile Administrator's Guide
- Clifton Wells
- 10 years ago
Kaspersky Security for Mobile Administrator's Guide

APPLICATION VERSION: 10.0 SERVICE PACK 1
Dear User,

Thank you for choosing our product. We hope that you will find this documentation useful and that it will answer any questions that you may have.

Note: This document is the property of Kaspersky Lab ZAO (herein also referred to as Kaspersky Lab): all rights to this document are reserved by the copyright laws of the Russian Federation and by international treaties. Illegal reproduction or distribution of this document or parts hereof will result in civil, administrative, or criminal liability under applicable law.

Any type of reproduction or distribution of any materials, including translations, may be allowed only with written permission from Kaspersky Lab.

This document and related graphic images can be used for informational, non-commercial, or personal use exclusively.

This document may be amended without prior notice. You can find the latest version of this document at the Kaspersky Lab website.

Kaspersky Lab assumes no liability for the content, quality, relevance, or accuracy of any third-party materials used herein, or for any potential harm associated with the use of such materials.

Document revision date:

Kaspersky Lab ZAO. All Rights Reserved
CONTENTS

ABOUT THIS GUIDE
  In this document
  Document conventions
SOURCES OF INFORMATION ABOUT THE APPLICATION
  Sources of information for independent research
  Discussing Kaspersky Lab applications on the Forum
KASPERSKY SECURITY FOR MOBILE
  About Kaspersky Security for Mobile
  What's new
  Distribution kit
  Hardware and software requirements
APPLICATION ARCHITECTURE
  About the Administration Plug-in of Kaspersky Endpoint Security
  About Kaspersky Mobile Device Management plug-in
  About Kaspersky Endpoint Security mobile apps
COMMON DEPLOYMENT MODELS FOR THE INTEGRATED SOLUTION
  Kaspersky Endpoint Security management plug-in deployment model
  Kaspersky Mobile Device Management plug-in deployment model
  Models of Kaspersky Endpoint Security mobile app deployment on Android devices
  Model of deployment via SMS link
  Model of deployment via workstations
  Model of deployment via Google Play
  Models of Kaspersky Safe Browser mobile app deployment on iOS devices
  Model of deployment via the iOS MDM server
  Deployment via Apple Store
  Model of Kaspersky Safe Browser mobile app deployment on Windows Phone devices
PREPARING FOR INTEGRATED SOLUTION DEPLOYMENT
  Installing the Mobile devices support component
  Upgrading the version of the Administration Server component
  Configuring Administration Server settings for connection of mobile devices
  Displaying the Mobile devices folder in the Administration Console
  Configuring text message delivery
  Configuring delivery
  Creating an administration group
  Creating a rule for device automatic allocating to administration groups
  Creating an installation package
  Configuring installation package settings
  Creating a standalone installation package of Kaspersky Endpoint Security for Android
  Creating a general certificate
UPDATING THE PREVIOUS VERSION OF KASPERSKY SECURITY FOR MOBILE
INSTALLING THE INTEGRATED SOLUTION
  Installation of Administration Plug-in for Kaspersky Endpoint Security for Mobile
  Installing the plug-in for managing EAS and iOS MDM devices
  Installation of Kaspersky Endpoint Security for Android mobile app
  Installation via link
  Sending notifications to users
  Installing the mobile app on the device after receiving an notification
  Installation via text message link
  Sending text messages to users
  Installing the mobile app on the device after receiving the text message
  Installation using the workstation
  Creating a remote installation task
  Delivering the application distribution kit to device using the workstation
  Installing the mobile app on a device
  Installing the application from Google Play
  Installation of Kaspersky Safe Browser for iOS mobile app
  Installation via the iOS MDM server
  Getting the developer certificate
  Creating a provisioning profile
  Signing the app distribution kit
  Installing the mobile app on a device
  Installing the application from Apple Store
  Installation of Kaspersky Safe Browser for Windows Phone mobile app
PREPARING KASPERSKY ENDPOINT SECURITY MOBILE APPS FOR OPERATION ON DEVICES
  Installing a general certificate
  Configuring the settings of mobile device connection to Administration Server
  Mobile apps activation
  Creating a mail certificate
  Creating a certificate for VPN
GROUP POLICIES FOR MANAGING MOBILE DEVICES
  About a group policy
  About a group policy for managing KES devices
  About a group policy for managing EAS and iOS MDM devices
  Creating a group policy
  Step 1. Choose a group policy name
  Step 2. Choose an application for creating a group policy
  Step 3. Select the policy state
CONFIGURING A GROUP POLICY FOR MANAGING KES DEVICES
  Restricting configuration rights
  Configuring synchronization settings
  Configuring anti-virus protection components
  Configure device scan settings
  Configuring file system protection settings
  Configuring update settings
  Configuring unauthorized access protection
  Configuring Anti-Theft settings
  Configuring settings for sending commands to a mobile device
  Configuring the use of the one-time code for unlocking the device
  Configuring Web Protection settings
  Configuring device control
  Configuring the system password
  Configuring Wi-Fi, camera, and Bluetooth usage
  Configuring TouchDown settings
  Configuring Advanced Options
  Configuring Call & Text Filter settings
  Configuring Kaspersky Endpoint Security removal settings
  Configuring the connection to wireless networks
  Configuring App Control
  Configuring app startup settings
  Configuring third-party app installation settings
  Configuring the installed apps report
  Managing third-party mobile apps
  About containers
  Creating containers
  Signing apps in a container to be used on iOS devices
  Configuring group policy compliance control for mobile devices
  About Compliance control
  Creating compliance check rules
  Configuring application activation
  Configuring management of Samsung devices
  Configuring general settings for Samsung KNOX
  Configuring Firewall for Samsung KNOX
  Configuring a virtual private network for Samsung KNOX
  Configuring Microsoft Exchange settings for Samsung KNOX
CONFIGURING A GROUP POLICY FOR MANAGING EAS DEVICES
  Restricting configuration rights
  Configuring unlock password strength
  Configuring synchronization settings
  Configuring device feature restrictions
  Configuring app restrictions
CONFIGURING A GROUP POLICY FOR MANAGING IOS MDM DEVICES
  Restricting configuration rights
  Configuring unlock password strength
  Configuring iOS MDM device feature restrictions
  Setting a global HTTP proxy
  Configuring Single Sign-On
  Configuring access to websites
  Connection to a wireless network
  Configuring user data protection with EAP protocols
  Creating a list of trusted certificates
  Configuring the VPN connection
  Configuring an L2TP connection
  Configuring a PPTP connection
  Configuring an IPSec connection (Cisco)
  Configuring a connection with Cisco AnyConnect
  Configuring a Juniper SSL connection
  Configuring an F5 SSL connection
  Configuring a connection with SonicWALL Mobile Connect
  Configuring a connection with Aruba VIA
  Configuring a Custom SSL connection
  Connecting to AirPlay devices
  Connecting to an AirPrint printer
  Adding an account
  Adding an Exchange ActiveSync account
  Adding an LDAP account
  Adding a calendar account
  Adding a contacts account
  Configuring calendar subscription
  Adding web clips
  Adding fonts
  Adding security certificates
  Configuring the SCEP profile
  Configuring the access point (APN)
REMOVING A GROUP POLICY
REMOVING OF KASPERSKY ENDPOINT SECURITY MOBILE APPS FROM DEVICES
  Removing of Kaspersky Endpoint Security for Android mobile app
  Permitting users to remove the app
  Removing the application from a device
  Removing of Kaspersky Safe Browser for iOS mobile app
  Removing of Kaspersky Safe Browser for Windows Phone mobile app
INFORMATION EXCHANGE WITH KASPERSKY SECURITY NETWORK
CONTACTING THE TECHNICAL SUPPORT SERVICE
  About Technical Support
  Technical support by phone
  Technical Support via Kaspersky CompanyAccount
  Electronic Certificate Signing Request
ANNEX. RESTRICTIONS FOR IOS MDM DEVICES
GLOSSARY
KASPERSKY LAB ZAO
INFORMATION ABOUT THIRD-PARTY CODE
TRADEMARK NOTIFICATIONS
INDEX
ABOUT THIS GUIDE

The Administrator's Guide for Kaspersky Security for Mobile Integrated Solution is intended for professionals who install and administer Kaspersky Security for Mobile or provide technical support for companies that use Kaspersky Security for Mobile.

You can use this guide to:

- Prepare Kaspersky Security for Mobile for installation, install and activate the application.
- Configure and use Kaspersky Security for Mobile.

This Guide also lists sources of information about the application and ways to get technical support.

IN THIS SECTION

- In this document
- Document conventions

IN THIS DOCUMENT

This document comprises the following sections.

Sources of information on the application
This section describes sources of information about the application and lists websites that you can use to discuss the application.

Kaspersky Security for Mobile
This section describes the purpose, functionality, and composition of Kaspersky Security for Mobile integrated solution.

Application architecture
This section describes the Kaspersky Endpoint Security components and their interactions.

Basic integrated solution deployment models
This section covers the common deployment models for the Kaspersky Security for Mobile integrated solution.

Preparing to deploy the integrated solution
This section describes the preparatory steps to be taken before deploying Kaspersky Endpoint Security 10 mobile apps on user devices.

Updating the previous version of Kaspersky Security for Mobile
This section describes how to update the previous version of Kaspersky Security for Mobile.
Installing the integrated solution
This section describes the process of installing the components of the integrated solution Kaspersky Security for Mobile.

Preparing Kaspersky Endpoint Security mobile apps for operation on devices
This section describes how to configure Kaspersky Endpoint Security mobile apps on user devices and assign devices to administration groups.

Group policies for managing mobile devices
This section describes policies that the administrator can use for central management of mobile devices of users.

Configuring a group policy for managing KES devices
This section provides instructions on configuring a group policy for KES devices.

Configuring a group policy for managing EAS devices
This section provides instructions on configuring a group policy for EAS devices.

Configuring a group policy for managing iOS MDM devices
This section provides instructions on configuring a group policy for iOS MDM devices.

Removing a group policy
This section describes the actions to be performed in order to remove a group policy.

Removing of Kaspersky Endpoint Security mobile apps from devices
This section describes how to remove Kaspersky Endpoint Security 10 mobile apps from user devices.

Information exchange with Kaspersky Security Network
This section describes interaction of Kaspersky Endpoint Security with the Kaspersky Security Network cloud service.

Contacting the Technical Support service
This section provides information about how to obtain technical support and the requirements for receiving help from Technical Support.

App
This section describes restrictions on iOS MDM devices, which the administrator can configure in the group policy.

Glossary
This section contains a list of terms that are mentioned in the document and their definitions.

Kaspersky Lab ZAO
This section provides information about Kaspersky Lab ZAO.

Information about third-party code
This section provides information about the third-party code used in the application.

Trademark notifications
This section lists trademarks of third-party manufacturers that were used in the document.

Index
This section allows you to quickly find required information within the document.

DOCUMENT CONVENTIONS

This document uses the following conventions (see table below).

Table 1. Document conventions

SAMPLE TEXT: Note that...
DESCRIPTION OF DOCUMENT CONVENTION: Warnings are highlighted in red and enclosed in frames. Warnings show information about actions that may have unwanted consequences.

SAMPLE TEXT: We recommend that you use...
DESCRIPTION OF DOCUMENT CONVENTION: Notes are boxed. Notes provide additional and reference information.

SAMPLE TEXT: Example: ...
DESCRIPTION OF DOCUMENT CONVENTION: Examples are given on a yellow background under the heading "Example".

SAMPLE TEXT: Update means... The Databases are out of date event occurs.
DESCRIPTION OF DOCUMENT CONVENTION: The following elements are italicized in the text: new terms; names of application statuses and events.

SAMPLE TEXT: Press ENTER. Press ALT+F4.
DESCRIPTION OF DOCUMENT CONVENTION: The names of keyboard keys appear in bold and are capitalized. Names of keys that are connected by a + (plus) sign indicate the use of a key combination. Those keys must be pressed simultaneously.

SAMPLE TEXT: Click the Enable button.
DESCRIPTION OF DOCUMENT CONVENTION: Names of application interface elements, such as entry fields, menu items, and buttons, are in bold.

SAMPLE TEXT: To configure a task schedule:
DESCRIPTION OF DOCUMENT CONVENTION: Introductory phrases of instructions are italicized and are accompanied by the arrow sign.

SAMPLE TEXT: In the command line, type help. The following message appears: Specify the date in DD:MM:YY format.
DESCRIPTION OF DOCUMENT CONVENTION: The following types of text content are set off with a special font: text in the command line; text of messages that the application displays on the screen; data to be entered using the keyboard.

SAMPLE TEXT: <User name>
DESCRIPTION OF DOCUMENT CONVENTION: Variables are in angle brackets. It is required to replace each variable by the corresponding value, omitting angle brackets.

SOURCES OF INFORMATION ABOUT THE APPLICATION

This section lists the sources of information about the application. You can select the most suitable information source, depending on importance and urgency of the issue.

IN THIS SECTION

- Sources of information for independent research
- Discussing Kaspersky Lab applications on the Forum

SOURCES OF INFORMATION FOR INDEPENDENT RESEARCH

You can use the following sources to search for information about Kaspersky Endpoint Security on your own:

- Kaspersky Endpoint Security page on the Kaspersky Lab website
- Kaspersky Endpoint Security page on the Technical Support website (Knowledge Base)
- Online help
- Documentation

If you cannot find a solution for your issue on your own, we recommend contacting Kaspersky Lab Technical Support.

An Internet connection is required to use online information sources.

Kaspersky Endpoint Security page on the Kaspersky Lab website

On the Kaspersky Endpoint Security page you can find general information about the application, its features and operation parameters.

The Kaspersky Endpoint Security page contains a link to the eStore. There you can purchase or renew the application.

Kaspersky Endpoint Security page in the Knowledge Base

Knowledge Base is a section on the Technical Support website.

On the Kaspersky Endpoint Security page in the Knowledge Base you can find articles that contain useful information, recommendations and answers to frequently asked questions on the application purchasing, installation, and use.

Knowledge Base articles can answer questions relating not only to Kaspersky Endpoint Security but also to other Kaspersky Lab applications. Knowledge Base articles can also include Technical Support news.

Online help

The online help of the application comprises help files.

Context help provides information about Kaspersky Endpoint Security windows: a description of Kaspersky Endpoint Security settings is followed by links to descriptions of the tasks that use these settings.

Full help provides information on how to configure and use Kaspersky Endpoint Security.

Documentation

Application documentation consists of the files of application guides.

The administrator guide provides instructions on:

- Preparing Kaspersky Endpoint Security for installation, installing and activating the application
- Configuring and using Kaspersky Endpoint Security

DISCUSSING KASPERSKY LAB APPLICATIONS ON THE FORUM

If your question does not require an immediate answer, you can discuss it with the Kaspersky Lab experts and other users in our forum.

In this forum you can view existing topics, leave your comments, and create new discussion topics.

KASPERSKY SECURITY FOR MOBILE

This section describes the features, components, and distribution kit of the Kaspersky Security for Mobile integrated solution, and contains a list of hardware and software requirements for Kaspersky Security for Mobile.

IN THIS SECTION

- About Kaspersky Security for Mobile
- What's new
- Distribution kit
- Hardware and software requirements

ABOUT KASPERSKY SECURITY FOR MOBILE

Kaspersky Security for Mobile is an integrated solution for protecting and managing corporate mobile devices and also personal mobile devices used by company employees for corporate purposes (hereinafter "the app").

The Kaspersky Security for Mobile comprehensive solution includes the administration plug-in Kaspersky Endpoint Security 10 Service Pack 1 for Mobile (see page 17), the administration plug-in Kaspersky Mobile Device Management 10 Service Pack 1 (see page 17), and the mobile apps package Kaspersky Endpoint Security for various operating systems (see page 18).

The Administration Plug-ins are integrated into the Kaspersky Security Center remote administration system. The administrator can use a single Administration Console of Kaspersky Security Center to manage all mobile devices on the corporate network as well as client computers and virtual systems.

The Kaspersky Endpoint Security 10 for Mobile Service Pack 1 administration plug-in (hereafter called the "Kaspersky Endpoint Security administration plug-in") lets you connect mobile devices to the company's Administration Server and configure their security policies. After you connect mobile devices to the Administration Server, they become managed. The administrator can remotely monitor managed devices.

The Kaspersky Mobile Device Management 10 Service Pack 1 administration plug-in (hereinafter the "Kaspersky Mobile Device Administration plug-in") lets you specify configuration settings for iOS devices and devices connected to the corporate server via the Exchange ActiveSync protocol, without using iPhone Configuration Utility and the Exchange ActiveSync management profile.

Kaspersky Endpoint Security mobile apps support iOS, Android, and Windows Phone mobile device operating systems. Kaspersky Endpoint Security mobile apps let you keep corporate security of mobile devices and data stored on them up to date.

The components of the Kaspersky Security 10 for Mobile solution enable the administrator to:

- Remotely connect mobile devices of users to the corporate server
- Remote configuration of anti-virus protection of mobile devices.
- Remote configuration of mobile devices according to corporate security requirements.
- Prevention of leaks of corporate data stored on mobile devices when such devices get lost or stolen.
- Monitor compliance with corporate security requirements
- Monitoring of Internet usage on mobile devices.
- Remote installation of third-party mobile apps on user devices with the possibility of using a special mechanism for protecting corporate data (containers).
- Configure corporate email on mobile devices on the network, including at companies with a Microsoft Exchange server
- Configuring the settings of corporate network usage on mobile devices.
- Configuring usage of corporate calendars on mobile devices.
- Configuring synchronization of corporate contacts.
- Configure functional and hardware restrictions on mobile devices, and usage restrictions on mobile apps and media content.
- Configure administrator notifications about events on user devices via email and text messages

WHAT'S NEW

Kaspersky Security for Mobile offers the following new features:

- Support of general certificates on mobile devices for identifying users in Kaspersky Security Center and securing the data exchange with the Administration Server.
- Support of commands sent from Kaspersky Security Center to protect data against unauthorized access when the device gets lost or stolen.
- Support of corporate Self Service Portal that the user can use to:
  - Download the distribution package of Kaspersky Endpoint Security for Android
  - Download a provisioning profile for iOS devices
  - Manage the device using special commands.
- Support of a new system of rights for accessing the application features in the Administration Console of Kaspersky Security Center.
- Managing mobile devices via the Exchange ActiveSync protocol (hereinafter "EAS devices"). The administrator can configure the following settings of EAS devices in policy properties:
  - System password requirements;
  - Settings of device synchronization with the Microsoft Exchange server.
  - EAS device features restrictions.
  - EAS device applications restrictions.
- For devices with the Android operating system (hereinafter "Android devices"):
  - Restrictions on the operation of system applications.
  - Restriction of access to all websites except for those specified in the policy.
  - Support of the Android operating system, version 5.0.
  - Support of the Google Cloud Messaging service.
- Administration of Samsung devices that support KNOX 1 and KNOX 2. The administrator can configure the following settings of Samsung devices in policy properties:
  - Firewall operation settings
  - VPN settings (only for KNOX 1)
  - Access point (APN) settings
  - Microsoft Exchange mail server settings.
- For devices with the iOS operating system (hereinafter "iOS devices"):
  - Switching between corporate and user modes of Kaspersky Safe Browser.
  - Support of the iOS operating system, versions 7.0, 7.1, 8.0.
  - Specifying configuration settings of iOS devices.
  - Managing mobile devices via the iOS MDM protocol (hereinafter "iOS MDM devices").
- For devices with the Windows Phone operating system (hereinafter "Windows Phone devices"):
  - Switching between corporate and user modes of Kaspersky Safe Browser.
  - Support of the Locate command sent from Kaspersky Security Center.

DISTRIBUTION KIT

The Kaspersky Security for Mobile distribution kit includes the following components:

- The sc_package_en self-unpacking archive containing setup files of mobile apps for all supported systems:
- adb.exe, AdbWinApi.dll, AdbWinUsbApi.dll: a set of files needed to install Kaspersky Endpoint Security 10 for Android;
- installer.ini is the configuration file that contains the Administration Server connection settings
- KSM_10_5_11_xxx.apk: a setup file for Kaspersky Endpoint Security 10 for Android;
- kmlisten.exe is the tool for delivering the application installation package using the workstation.
- kmlisten.ini is the configuration file that contains the settings for the installation package delivery tool
- kmlisten.kpd is the application description file
- klcfginst_en.exe is the setup file of the Kaspersky Endpoint Security 10 for Mobile plug-in for administering the application via the Kaspersky Security Center remote administration system.
- klmdminst.exe is the setup file of the Kaspersky Mobile Device Management plug-in for managing the application via the Kaspersky Security Center remote administration system.
- KSM_10_5 11_xxx.apk: a setup file for Kaspersky Endpoint Security 10 for Android.
- KSM_10_3_xx_en.zip: a setup file for Kaspersky Endpoint Security 10 for iOS.
- sms_utility_ ru.apk: the Kaspersky SMS Broadcasting utility.
- SigningUtility.zip: an archive containing a utility for signing the mobile app distribution package and containers for iOS devices.
- Documentation:
  - Administrator's Guide for Kaspersky Security for Mobile Integrated Solution
  - Context Help for the Administration Plug-in of Kaspersky Endpoint Security 10 for Mobile
  - Context help of Kaspersky Mobile Device Management plug-in
  - Context help for Kaspersky Endpoint Security 10 for Android

HARDWARE AND SOFTWARE REQUIREMENTS

Kaspersky Endpoint Security has the following hardware and software requirements:

To deploy the comprehensive solution Kaspersky Security for Mobile, the administrator's computer must meet the hardware requirements of Kaspersky Security Center. For more details on the hardware requirements of Kaspersky Security Center, see the Kaspersky Security Center Administrator's Guide.

To support deployment of the Kaspersky Mobile Device Management plug-in, the administrator's computer must meet the following software requirements:

- Kaspersky Security Center 10 Service Pack 1;
- Exchange ActiveSync mobile device server component;
- iOS Mobile Device Management (MDM) server.

To support deployment of the Administration Plug-in of Kaspersky Endpoint Security, the administrator's computer must meet the following software requirements:

- Kaspersky Security Center

To deploy Kaspersky Endpoint Security mobile apps, the administrator's computer must meet the following software requirements:

- For deployment on Android devices:
  - Kaspersky Security Center 10.0
  - Kaspersky SMS Broadcasting utility.
- For deployment on iOS devices:
  - Kaspersky Security Center 10.0
  - iOS Mobile Device Management (MDM) server
  - Kaspersky SMS Broadcasting utility.
  - Key Chain Access utility.

To deploy Kaspersky Safe Browser for iOS mobile app via the iOS MDM server, you need a separate Apple ID on the Apple website and have to be a participant of the Apple Developer Program or the Apple Developer Enterprise Program. Participants of the Apple Developer Program can install Kaspersky Safe Browser on no more than 100 devices a year. Participation in the Apple Developer Enterprise Program lets you install Kaspersky Safe Browser on an unlimited number of devices on your corporate network.

To be able to sign the distribution kit of Kaspersky Safe Browser for iOS and third-party mobile apps in a container, the administrator needs a computer that meets the following requirements:

- Mac OS X or later, Mac OS X 10.7, OS X 10.8
- iPhone Configuration Utility 3.5 or later for Mac, or iPhone Configuration Utility or later for Windows

To deploy Kaspersky Endpoint Security mobile apps on devices managed via the Exchange ActiveSync protocol, the administrator's computer must meet the following software requirements:

- Kaspersky Security Center 10.0
- Exchange ActiveSync mobile device server component

Kaspersky Endpoint Security mobile apps can be installed on mobile devices of users running the following operating systems:

- Android 2.3, 3.0, 3.1, 3.2, 4.0, 4.1, 4.2, 4.3, 4.4, 5.0.
- Apple iOS 7.0, 7.1, 8.
- Windows Phone

APPLICATION ARCHITECTURE

This section describes the Kaspersky Endpoint Security components and their interactions.

IN THIS SECTION

- About the Administration Plug-in of Kaspersky Endpoint Security
- About Kaspersky Mobile Device Management plug-in
- About Kaspersky Endpoint Security mobile apps

ABOUT THE ADMINISTRATION PLUG-IN OF KASPERSKY ENDPOINT SECURITY

The Administration Plug-in of Kaspersky Endpoint Security provides the interface for managing mobile devices and mobile apps installed on them via Kaspersky Security Center.

The Administration Plug-in of Kaspersky Endpoint Security can be used to:

- Create group security policies for mobile devices
- Remotely configure the settings of Kaspersky Endpoint Security apps on user mobile devices
- Create installation packages and standalone installation packages of mobile apps in Kaspersky Security Center
- Receive reports and statistics on the operation of Kaspersky Endpoint Security mobile apps on user devices

For more details on using the Administration plugins of Kaspersky Security Center, see the Kaspersky Security Center Administrator's Guide.

ABOUT KASPERSKY MOBILE DEVICE MANAGEMENT PLUG-IN

The Kaspersky Mobile Device Management plug-in provides the interface for managing mobile devices via the Administration Console of Kaspersky Security Center.

The Kaspersky Mobile Device Management plug-in can be used to:

- Remotely configure configuration settings of devices connected to an Exchange ActiveSync mobile device server via Exchange ActiveSync protocol (hereinafter "EAS devices").
- Remotely configure configuration settings of devices connected to an iOS MDM server via iOS MDM protocol (hereinafter "iOS MDM devices").
- Receive reports and statistics on the operation of mobile devices of users.

For more details on using the Administration plugins of Kaspersky Security Center, see the Kaspersky Security Center Administrator's Guide.

ABOUT KASPERSKY ENDPOINT SECURITY MOBILE APPS

Kaspersky Security mobile apps can be installed on mobile devices running Android, iOS, Windows Phone operating systems.

Kaspersky Endpoint Security mobile apps protect mobile devices against viruses and other threats, unwanted calls and texts, and web threats. Kaspersky Endpoint Security mobile apps also make it possible to monitor the user's network activity and protect confidential information against unauthorized access. Different app components provide protection against various threats. This makes it possible to configure app settings flexibly depending on specific user needs.

Each mobile app included in the suite of Kaspersky Endpoint Security mobile apps is described below.

Kaspersky Endpoint Security for Android mobile app

This app is designed to protect Android devices. The app consists of the following components:

- Anti-Virus. It allows you to detect and neutralize threats on your device by using the Anti-Virus databases and the Kaspersky Security Network cloud service. Anti-Virus includes the following components:
  - Protection detects threats in open files, scans new applications, and prevents device infection in real time.
  - Scan is performed on demand for the entire file system, the random access memory, or a folder. Full Scan scans for the presence of malicious objects in the whole file system; Folder Scan scans a specific folder. Full Scan and Folder Scan detect threats in files that have been installed but not yet opened, as well as threats in files that are currently open. Memory Scan detects threats only in files that are currently open.
  - Update allows you to download new Anti-Virus databases for the application.
- Anti-Theft. This component protects information on the device against unauthorized access in case the device is lost or stolen.
  This component lets you lock or locate the device or wipe device data remotely via an SMS command or from Kaspersky Security Center.
- Call & Text Filter. This component blocks unwanted incoming calls and texts in accordance with the selected mode. Incoming calls and texts are filtered using lists of allowed and blocked contacts. The component can block or allow incoming calls and texts from blocked and allowed contacts. Depending on the mode selected, the component can also allow incoming calls and texts from all numbers on the device contact list or block incoming calls and texts from all numbers that contain letters.
- Web Protection. This component blocks malicious sites designed to spread malicious code. The component also blocks fake (phishing) websites designed to steal confidential data of the user (passwords to online banking or e-money systems) and access the user's financial info. The component scans websites before you open them using the Kaspersky Security Network cloud service. Depending on the scan results, Web Protection loads websites that are recognized as genuine, and blocks websites that are considered to be malicious. The component also supports website filtering by categories defined in Kaspersky Security Network. Thus, the administrator can restrict access to certain web pages, for example, the ones from the Gambling or Social networks categories.
- Containers. This component controls the activity of apps started on the user device. It lets you place a third-party app in a special shell. The shell makes it possible to control the activity of the app contained in it, thereby protecting personal and corporate data on the user device. This component also makes it possible to configure encryption of the data of the containerized app or configure user authorization at app launch. The component also controls transmission of data to other apps and restricts device access to the Internet.
You can specify containerized apps as recommended or required for installation on user devices. Device Management. This component lets you configure the obligatory prompt for password needed to unlock the mobile device and also specify the minimum password length. It also lets you prohibit the use of Wi-Fi networks, the camera or Bluetooth functionality on the device and configure the TouchDown profile. The component also lets you use Kaspersky Security Center to configure the settings of device connection to the wireless network. App Control. This allows you to modify the settings of application launch on the user mobile device via Kaspersky Security Center. You can specify the apps that are recommended or required for installation on the user device, and also create lists of allowed and blocked apps. The component blocks attempts to run the forbidden applications ( information on the attempts is available in the Kaspersky Security Center reports). This component also supports the use of containers a special shell for mobile apps, which makes it possible to control the activity of the containerized app. You can specify containerized apps as recommended or required for installation on user devices. 18
- Corporate security policy compliance monitor. This component detects violations of the corporate security policy on user mobile devices and imposes restrictions on devices if their settings are found to violate the policy.
- Quarantine. This component moves files detected during device scanning or during real-time protection to a dedicated isolated storage. Quarantine stores files as archives, so they cannot harm the device. The component lets you delete or restore files that were moved to Quarantine.
- Reports. This component lets you obtain information about the operation of Anti-Virus, Call & Text Filter, and Web Protection on the user's mobile device. The component groups reports chronologically. Reports can contain up to 200 entries. Once the number of report entries exceeds 200, the component overwrites older entries with new ones.
- Advanced. This component lets you configure advanced Kaspersky Endpoint Security settings: pop-up notifications with app events, sound notifications about app events, and the widget on the home screen of the device. This component lets you decrypt data that remains encrypted after encryption of containerized data was disabled, obtain certificates for accessing resources on the corporate network, and remove Kaspersky Endpoint Security from the mobile device. The component also lets you receive license information and general information about Kaspersky Endpoint Security.
- Manage Samsung device. It lets you use Kaspersky Security Center to configure the settings of the access point (APN), Firewall, and the settings of mobile device connection to the virtual private network (VPN) and the Exchange mail server. Settings can be configured on Samsung Android devices that support Samsung KNOX.

Kaspersky Safe Browser for iOS mobile app

The app is a safe web browser for iOS devices. This app provides safe access to the Internet from iOS devices connected to the corporate network. The app includes the following components:

- Web Protection. This component blocks malicious sites designed to spread malicious code. The component also blocks fake (phishing) websites designed to steal the user's confidential data (passwords to online banking or e-money systems) and access the user's financial info. The component scans websites before you open them using the Kaspersky Security Network cloud service. Depending on the scan results, Web Protection loads websites that are recognized as genuine, and blocks websites that are considered to be malicious. The component also supports website filtering by categories defined in Kaspersky Security Network. Thus, the administrator can restrict access to certain web pages, for example, those in the Gambling or Social networks categories.
- Containers. This component controls the activity of apps started on the user device. This component places a third-party app in a special shell that lets you control the activity of the containerized app and thus protect personal and corporate data on the user device. This component also makes it possible to configure encryption of the data of the containerized app or configure user authorization at app launch. The component also controls transmission of data to other apps and restricts device access to the Internet.

Kaspersky Safe Browser for Windows Phone mobile app

The app is a safe web browser for Windows Phone devices. This app provides safe access to the Internet from Windows Phone devices connected to the corporate network. The app includes the following components:

- Web Protection. This component blocks malicious sites designed to spread malicious code. The component also blocks fake (phishing) websites designed to steal the user's confidential data (passwords to online banking or e-money systems) and access the user's financial info. The component scans websites before you open them using the Kaspersky Security Network cloud service. Depending on the scan results, Web Protection loads websites that are recognized as genuine, and blocks websites that are considered to be malicious. The component also supports website filtering by categories defined in Kaspersky Security Network. Thus, the administrator can restrict access to certain web pages, for example, those in the Gambling or Social networks categories.
- Anti-Theft. This component protects information on the device against unauthorized access in case the device is lost or stolen. The component lets you locate a mobile device using an SMS command or via Kaspersky Security Center.

For more details on using Kaspersky Endpoint Security mobile apps with Kaspersky Security Center, see the Kaspersky Security Center Administrator's Guide.
COMMON DEPLOYMENT MODELS FOR THE INTEGRATED SOLUTION

This section covers the common deployment models for the integrated solution Kaspersky Security for Mobile:

- Deployment model for the Administration Plug-in of Kaspersky Endpoint Security (see page 20);
- Deployment model for the administration plug-in Kaspersky Mobile Device Management (see page 17);
- Deployment of Kaspersky Endpoint Security for Android mobile app (see page 21);
- Deployment model for the mobile app Kaspersky Safe Browser for iOS (see page 24);
- Deployment model for the mobile app Kaspersky Safe Browser for Windows Phone (see page 26).

KASPERSKY ENDPOINT SECURITY MANAGEMENT PLUG-IN DEPLOYMENT MODEL

This management plug-in deployment model consists of the following steps:

1. Preparing to install the Administration Plug-in of Kaspersky Endpoint Security for Mobile.
   a. Upgrading the version of the Administration Server component (see section "Upgrading the version of the Administration Server component" on page 28).
   b. Configuring the interface of the Administration Console of Kaspersky Security Center.
   c. Creating administration groups for mobile devices as part of managed computers in the system of Kaspersky Security Center. Devices with the Kaspersky Endpoint Security app installed are moved to these groups either manually or according to automatic transfer rules.
2. Installation of the Kaspersky Endpoint Security for Mobile plug-in (see section "Installation of the Management Plug-in for Kaspersky Endpoint Security for Mobile" on page 37).

KASPERSKY MOBILE DEVICE MANAGEMENT PLUG-IN DEPLOYMENT MODEL

This deployment model consists of the following steps:

1. Preparing to install the Kaspersky Mobile Device Management plug-in.
   a. Upgrading the version of the Administration Server component (see section "Upgrading the version of the Administration Server component" on page 28).
   b. Configuring the interface of the Administration Console of Kaspersky Security Center.
   c. Creating administration groups for mobile devices as part of managed computers in the system of Kaspersky Security Center. Devices with the Kaspersky Endpoint Security app installed are moved to these groups either manually or according to automatic transfer rules.
2. Installing the Kaspersky Mobile Device Management plug-in (see section "Installing the plug-in for managing EAS and iOS MDM devices" on page 37).
MODELS OF KASPERSKY ENDPOINT SECURITY MOBILE APP DEPLOYMENT ON ANDROID DEVICES

The Kaspersky Endpoint Security mobile app can be installed on Android devices in one of the following ways:

- By sending users email messages with a link to the mobile app distribution kit;
- By sending users text messages with a link to the mobile app distribution kit;
- Through workstations to which users connect mobile devices;
- Through Google Play, in which case the user downloads the installation package as a regular Android application.

IN THIS SECTION

- Model of deployment via SMS link
- Model of deployment via workstations
- Model of deployment via Google Play

MODEL OF DEPLOYMENT VIA SMS LINK

When Kaspersky Endpoint Security for Android is deployed via SMS link, users are provided with a specially configured distribution kit containing the settings of the connection to Administration Server. When they install the mobile app, users are not required to specify the connection settings manually.

Text (SMS) messages with a link to the standalone installation package can be sent only to end-user devices with a GSM module.

This deployment model consists of the following steps:

1. Preparing for installation of the mobile app:
   a. Installing the Mobile devices support component in Kaspersky Security Center. The certificate of Administration Server for mobile devices is created at this step.
   b. Upgrading the version of the Administration Server component.
   c. Configuring the interface of the Administration Console of Kaspersky Security Center.
   d. Configuring the mobile device connection settings. At this step, the mobile device connection settings are configured in the properties of Administration Server to ensure synchronization of mobile devices with Administration Server.
   e. Creating administration groups for mobile devices as part of managed computers in the system of Kaspersky Security Center. Devices with the Kaspersky Endpoint Security app installed are moved to these groups either manually or according to automatic transfer rules.
   f. Creating a rule for allocating mobile devices to a group automatically.
   g. Installing the Administration Plug-in of Kaspersky Endpoint Security on the administrator's workstation.
   h. Configuring the method of delivery of text messages to users.
   i. Creating the installation package for the Kaspersky Endpoint Security 10 for Mobile remote installation task.
   j. Configuring the settings of the installation package for the Kaspersky Endpoint Security 10 for Mobile remote installation task.
   k. Creating a standalone installation package of Kaspersky Security 10 for Mobile. The standalone installation package includes the settings of the connection to Administration Server. The standalone package is available in the shared folder on the web server of Kaspersky Security Center. When creating a text message, you have to select a path to the Kaspersky Security Center web server.
   l. Creating a general certificate for a user account (see page 35). At this step, a certificate is issued for a user account for the purpose of identifying the mobile device user.
2. Installing the mobile app on devices.
   a. Creating and sending a text message with the link to the standalone installation package to mobile device users.
   b. Downloading the standalone installation package to the mobile device. At this step, the user downloads the prepared distribution package of the app from the Kaspersky Security Center web server.
   c. Installing the app on the mobile device.
   d. Downloading a general certificate to the user's mobile device. At this step, the user downloads the certificate issued for the user to the mobile device.
3. Preparing the app to be used on the device:
   a. Creating a group policy for managing Kaspersky Endpoint Security settings.
   b. Activating the application on mobile devices of users.

MODEL OF DEPLOYMENT VIA WORKSTATIONS

Deployment of the Kaspersky Endpoint Security mobile app for Android via workstations is used when users connect their mobile devices to their workstations.

This deployment model consists of the following steps:

1. Preparing for installation of the mobile app:
   a. Installing the Mobile devices support component in Kaspersky Security Center. The certificate of Administration Server for mobile devices is created at this step.
   b. Upgrading the version of the Administration Server component.
   c. Configuring the interface of the Administration Console of Kaspersky Security Center.
   d. Configuring the mobile device connection settings. At this step, the mobile device connection settings are configured in the properties of Administration Server to ensure synchronization of mobile devices with Administration Server.
   e. Creating administration groups for mobile devices as part of managed computers in the system of Kaspersky Security Center. Devices with Kaspersky Endpoint Security app installed are moved to these groups either manually or according to automatic transfer rules.
   f. Creating a rule for allocating mobile devices to a group automatically.
   g. Installing the Administration Plug-in of Kaspersky Endpoint Security on the administrator's workstation.
   h. Creating the installation package for the Kaspersky Endpoint Security 10 for Mobile remote installation task.
   i. Configuring the settings of the installation package for the Kaspersky Endpoint Security 10 for Mobile remote installation task.
2. Installing the mobile app on devices.
   a. Creating a remote installation task for delivering the Kaspersky Endpoint Security for Android distribution package to users' workstations and installing the utility for uploading the distribution package to mobile devices.
   b. Uploading the app distribution package to the mobile device. At this step, the user copies the app distribution package to the mobile device by using the utility kmlisten.exe.
   c. Installing the app on the mobile device. At this step, the user installs the app on the mobile device.
3. Preparing the app to be used on the device:
   a. Creating a group policy for managing Kaspersky Endpoint Security settings.
   b. Activating the application on mobile devices of users.

MODEL OF DEPLOYMENT VIA GOOGLE PLAY

The app can be deployed via Google Play when it is more convenient for users to download the distribution kit of the mobile app from Google Play and install the app.

App deployment via Google Play does not require creating an app distribution kit with settings of the connection to Administration Server. The user manually specifies the settings of the connection to Administration Server at the first launch of the mobile app on the device.

This deployment model consists of the following steps:

1. Preparing for installation of the mobile app:
   a. Installing the Mobile devices support component in Kaspersky Security Center. The certificate of Administration Server for mobile devices is created at this step.
   b. Upgrading the version of the Administration Server component.
   c. Configuring the interface of the Administration Console of Kaspersky Security Center.
   d. Configuring the mobile device connection settings. At this step, the mobile device connection settings are configured in the properties of Administration Server to ensure synchronization of mobile devices with Administration Server.
   e. Creating administration groups for mobile devices as part of managed computers in the system of Kaspersky Security Center. Devices with Kaspersky Endpoint Security app installed are moved to these groups either manually or according to automatic transfer rules.
   f. Creating a rule for allocating mobile devices to a group automatically.
   g. Installing the Administration Plug-in of Kaspersky Endpoint Security on the administrator's workstation.
   h. Creating a general certificate for a user account (see page 35). At this step, a certificate is issued for a user account for the purpose of identifying the mobile device user.
2. Installing the mobile app on devices. At this step, the user installs the application and downloads the certificate to the mobile device.
3. Preparing the app to be used on the device:
   a. Creating a group policy for managing Kaspersky Endpoint Security settings.
   b. Activating the application on mobile devices of users.
   c. Performing initial configuration of the app. At this step, the user specifies the settings of the mobile device connection to Administration Server.
MODELS OF KASPERSKY SAFE BROWSER MOBILE APP DEPLOYMENT ON IOS DEVICES

The Kaspersky Safe Browser for iOS mobile app can be installed on devices either by the administrator, when iOS devices are connected to the iOS MDM server, or by the user, by downloading the mobile app from Apple Store.

IN THIS SECTION

- Model of deployment via the iOS MDM server
- Model of deployment via Apple Store

MODEL OF DEPLOYMENT VIA THE IOS MDM SERVER

To install the Kaspersky Endpoint Security mobile app on users' iOS mobile devices, the iOS MDM server must be deployed at Kaspersky Security Center. The iOS MDM server is included in the Kaspersky Security Administration Server installation packages if a license covering the Mobile device management functionality has been purchased.

Administration Server controls iOS mobile devices by means of the iOS MDM mobile device server. Centralized management of mobile app settings is performed using policies applied to groups of managed devices.

See the Kaspersky Security Center Deployment Guide for details on installing the iOS MDM server.

This deployment model consists of the following steps:

1. Preparing for installation of the mobile app:
   a. Installing the Mobile devices support component in Kaspersky Security Center. The certificate of Administration Server for mobile devices is created at this step.
   b. Upgrading the version of the Administration Server component.
   c. Configuring the interface of the Administration Console of Kaspersky Security Center.
   d. Configuring the mobile device connection settings. At this step, the mobile device connection settings are configured in the properties of Administration Server to ensure synchronization of mobile devices with Administration Server.
   e. Creating administration groups for mobile devices as part of managed computers in the system of Kaspersky Security Center. Devices with the Kaspersky Endpoint Security app installed are moved to these groups either manually or according to automatic transfer rules.
   f. Creating a rule for allocating mobile devices to a group automatically.
   g. Installing the Administration Plug-in of Kaspersky Endpoint Security on the administrator's workstation.
   h. Creating a general certificate for a user account (see page 35). At this step, a certificate is issued for a user account for the purpose of identifying the mobile device user.
2. Installing the mobile app on devices.
   a. Getting the Apple Push Notification Certificate (hereinafter the "APN certificate").
   b. Installing the APN certificate on the iOS MDM server.
   c. Creating an iOS MDM profile and delivering it to user devices.
   d. Getting a Developer Certificate.
   e. Creating a provisioning profile that allows installation of third-party apps on user devices.
   f. Signing the app distribution kit.
   g. Installing the mobile app on devices. At this step, the user installs the application on the mobile device and downloads the certificate issued for this user (see section "Installing the mobile app on the device" on page 46).
3. Preparing the app to be used on the device:
   a. Creating a group policy for managing Kaspersky Endpoint Security settings.
   b. Activating the application on mobile devices of users.
   c. Performing initial configuration of the mobile application on user devices. At this step, the user specifies the settings of the connection to the Administration Server.

DEPLOYMENT VIA APPLE STORE

The app can be deployed via Apple Store when it is more convenient for users to download the distribution kit of the mobile app from Apple Store and install the app.

App deployment via Apple Store does not require creating an app distribution kit with settings of the connection to Administration Server. The user manually specifies the settings of the connection to Administration Server at the first launch of the mobile app on the device.

This deployment model consists of the following steps:

1. Preparing for installation of the mobile app:
   a. Installing the Mobile devices support component in Kaspersky Security Center. The certificate of Administration Server for mobile devices is created at this step.
   b. Upgrading the version of the Administration Server component.
   c. Configuring the interface of the Administration Console of Kaspersky Security Center.
   d. Configuring the mobile device connection settings. At this step, the mobile device connection settings are configured in the properties of Administration Server to ensure synchronization of mobile devices with Administration Server.
   e. Creating administration groups for mobile devices as part of managed computers in the system of Kaspersky Security Center. Devices with Kaspersky Endpoint Security app installed are moved to these groups either manually or according to automatic transfer rules.
   f. Creating a rule for allocating mobile devices to a group automatically.
   g. Installing the Administration Plug-in of Kaspersky Endpoint Security on the administrator's workstation.
   h. Creating a general certificate for a user account (see page 35). At this step, a certificate is issued for a user account for the purpose of identifying the mobile device user.
2. Installing the mobile app on devices. At this step, the user installs the application on the mobile device and downloads the certificate issued for this user.
3. Preparing the app to be used on the device:
   a. Creating a group policy for managing Kaspersky Endpoint Security settings.
   b. Activating the application on mobile devices of users.
   c. Performing initial configuration of the application. At this step, the user specifies the settings of the mobile device connection to Administration Server.
MODEL OF KASPERSKY SAFE BROWSER MOBILE APP DEPLOYMENT ON WINDOWS PHONE DEVICES

To deploy Kaspersky Safe Browser for Windows Phone on a mobile device, the user has to download the mobile app distribution kit from the website of the Windows Phone Store and install the app on the device. There is no need to create an app distribution kit with the settings of device connection to Administration Server.

This deployment model consists of the following steps:

1. Preparing for installation of the mobile app:
   a. Installing the Mobile devices support component in Kaspersky Security Center. The certificate of Administration Server for mobile devices is created at this step.
   b. Upgrading the version of the Administration Server component.
   c. Configuring the interface of the Administration Console of Kaspersky Security Center.
   d. Configuring the mobile device connection settings. At this step, the mobile device connection settings are configured in the properties of Administration Server to ensure synchronization of mobile devices with Administration Server.
   e. Creating administration groups for mobile devices as part of managed computers in the system of Kaspersky Security Center. Devices with Kaspersky Endpoint Security app installed are moved to these groups either manually or according to automatic transfer rules.
   f. Creating a rule for allocating mobile devices to a group automatically.
   g. Installing the Administration Plug-in of Kaspersky Endpoint Security on the administrator's workstation.
2. Installing the mobile app on devices. At this step, the user installs the app on the mobile device.
3. Preparing the app to be used on the device:
   a. Creating a group policy for managing Kaspersky Endpoint Security settings.
   b. Activating the application on mobile devices of users.
   c. Performing initial configuration of the application. At this step, the user specifies the settings of the mobile device connection to Administration Server.
PREPARING FOR INTEGRATED SOLUTION DEPLOYMENT

Before starting to deploy the Kaspersky Security for Mobile integrated solution, make sure that the following conditions are met:

1. The following Kaspersky Security Center components are deployed on the corporate network: Administration Server and Administration Console. The iOS MDM server and the Exchange ActiveSync mobile device server have to be installed in order to manage iOS MDM devices and EAS devices (see the Kaspersky Security Center Deployment Guide).
2. The installed components of Kaspersky Security Center meet the system requirements for deploying the Kaspersky Security for Mobile integrated solution. If the Administration Server version does not meet the requirements, delete the old component version and install the version that is specified in the system requirements after backing up Administration Server data.
3. The Mobile devices support component for administering mobile devices via Kaspersky Security Center must be installed. The Mobile devices support component is installed during installation of Administration Server. If the Mobile devices support component has not been installed or the Administration Server version does not meet the requirements for installation of the Kaspersky Security for Mobile integrated solution, the administrator must delete the old component version and install the version that is specified in the system requirements after backing up Administration Server data.
4. EAS devices are connected to the Exchange ActiveSync mobile device server while iOS MDM devices are connected to the iOS MDM server (see the Kaspersky Security Center Administrator's Guide).

IN THIS SECTION

- Installing the Mobile devices support component
- Upgrading the version of the Administration Server component
- Configuring Administration Server settings for connection of mobile devices
- Displaying the Mobile devices folder in the Administration Console
- Configuring text message delivery
- Configuring email delivery
- Creating an administration group
- Creating a rule for device automatic allocating to administration groups
- Creating an installation package
- Configuring installation package settings
- Creating a standalone installation package of Kaspersky Endpoint Security for Android
- Creating a general certificate
INSTALLING THE MOBILE DEVICES SUPPORT COMPONENT

Mobile devices are managed via Kaspersky Security Center using the Mobile devices support component. The Mobile devices support component is installed during installation of the Administration Server (at the Component selection stage, select the Support of mobile devices check box).

When Support of Mobile Devices is installed, the Administration Server certificate for mobile devices is created. The certificate is used to authenticate mobile devices during data exchange with the Administration Server. The SSL (Secure Sockets Layer) protocol is used for data exchange. Connection between the Administration Server and mobile devices cannot be established without the certificate for mobile devices on the Administration Server.

The certificate for mobile devices is stored in the Cert subfolder, in the Kaspersky Security Center installation folder. When the mobile device is synchronized with the Administration Server for the first time, a copy of the certificate is delivered to the device and is stored locally.

UPGRADING THE VERSION OF THE ADMINISTRATION SERVER COMPONENT

If the Mobile devices support component was not installed during Administration Server installation or an outdated Kaspersky Security Center version that does not support interaction with the Kaspersky Security for Mobile application was installed, you need to upgrade Administration Server.

To upgrade Administration Server:

1. Back up the Administration Server data (see Kaspersky Security Center Administrator's Guide).
2. Launch the Setup Wizard for the Administration Server version corresponding to the software requirements of Kaspersky Security 10 for Mobile.
3. At the Selecting components step of the Installation Wizard, select the Support of Mobile Devices check box. You cannot administer mobile devices via Kaspersky Security Center if the Administration Server does not support mobile devices.
4. Restore the Administration Server data from the backup copy (see Kaspersky Security Center Administrator's Guide).

CONFIGURING ADMINISTRATION SERVER SETTINGS FOR CONNECTION OF MOBILE DEVICES

To ensure synchronization of mobile devices with the Administration Server, configure the connection settings for mobile devices in the Administration Server properties before installing Kaspersky Endpoint Security 10 for Mobile apps.

To configure connection settings for mobile devices in the Administration Server properties, follow the steps below:

1. In the console tree, select the Administration Server to which the mobile devices will be connected.
2. In the context menu of the Administration Server, select Properties. The Administration Server settings window opens.
3. Open the Settings section.
4. In the Administration Server connection settings section, select the Open port for mobile devices check box.
5. In the Port for mobile devices field, specify the port through which mobile devices will connect to the Administration Server. Port is used by default.

If the Open port for mobile devices check box is cleared or the wrong connection port is specified, mobile devices will not be able to connect to the Administration Server.

DISPLAYING THE MOBILE DEVICES FOLDER IN THE ADMINISTRATION CONSOLE

By displaying the Mobile devices folder in the Administration Console, you can view the list of mobile devices managed by the Administration Server and configure the mobile device management settings.

To enable the display of the Mobile devices folder in the Administration Console:

1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. In the context menu of the Administration Server folder, select View → Configuring interface.
3. In the Configuring interface window, select Display Mobile devices management.
4. Click OK.
5. Restart the Administration Console to apply the changes.

CONFIGURING TEXT MESSAGE DELIVERY

To deploy Kaspersky Endpoint Security mobile apps on user devices via a link sent in text messages, you have to select the method of text message delivery to users.

There are two ways to send mass text messages to users via Kaspersky Security Center:

- Via a mail gateway. The SMTP server and port number must be specified in the Kaspersky Security Center settings to be able to send text messages via the mail gateway. For more details on sending text messages to users via Kaspersky Security Center, see the Kaspersky Security Center Administrator's Guide.
- Via a selected Android mobile device that acts as the SMS sender. You can send messages with notifications about Kaspersky Security Center events through this device. To assign a mobile device as the sender of all text messages on behalf of Kaspersky Security Center, you need to install the special Kaspersky SMS Broadcasting utility on the device. The Kaspersky SMS Broadcasting utility is installed on mobile devices as a standard Android application. After being installed on the device, the Kaspersky SMS Broadcasting utility shows a prompt for the address and port of the Kaspersky Security Center Administration Server and synchronizes with the Administration Server. After synchronization, the device appears in the Administration Console, in the list of possible SMS sender devices in the SMS Senders section of the properties window of the Reports and Notifications folder.

We recommend using a mobile device with Kaspersky SMS Broadcasting as the SMS sender, for example, if you want to receive text message delivery reports.

For details on how to obtain the Kaspersky SMS Broadcasting utility and install it on the mobile device, see the section on configuring text message settings in the Kaspersky Security Center Deployment Guide.
To configure delivery of text messages:
1. In the console tree, select the Administration Server to which the mobile devices will be connected.
2. Select the Reports and Notifications folder in the console tree. In the context menu of the folder, select Properties.
3. In the Notification section, set the type of notification to SMS in the drop-down list.
4. Specify the preferred method of text message mailing:
   - To send text messages via a mail gateway, select the Send SMS via mail gateway option and specify the settings of the SMTP server.
   - To send text messages from a mobile device with the Kaspersky SMS Broadcasting utility installed, select the Send SMS via Kaspersky SMS Broadcasting utility option and specify the delivery settings: phone numbers of recipients, notification text.

For more details on using Kaspersky Security Center for sending text messages to users, see the Kaspersky Security Center Administrator's Guide.

CONFIGURING EMAIL DELIVERY

To be able to deploy Kaspersky Endpoint Security mobile apps on user devices via email, you have to configure email delivery from the Administration Server.

To configure delivery of email notifications:
1. In the console tree, select the Administration Server to which you intend to connect mobile devices.
2. Select the Reports and Notifications folder in the console tree. In the context menu of the folder, select Properties.
3. In the Notification section, select email as the notification method in the drop-down list.
4. In the SMTP server field, specify the server address. You can use the IP address or computer name on the Windows network (NetBIOS name) as the address.
5. In the SMTP server port field, specify the SMTP server communication port number. Port 25 is used by default.
6. To apply the changes, click the Apply button.
CREATING AN ADMINISTRATION GROUP

To perform centralized configuration of the Kaspersky Endpoint Security applications installed on the users' mobile devices, the group policies must be applied to the devices.

To apply the policy to a device group, you are advised to create a separate group for these devices in the Managed computers prior to installing Kaspersky Endpoint Security mobile apps on user devices. If Kaspersky Endpoint Security mobile apps are installed via user workstations, you are advised to create separate administration groups for workstations also. Then configure automatic assignment to this group of the devices on which you want to install Kaspersky Endpoint Security. Then configure settings that are common to all devices using a group policy.
To create an administration group, follow the steps below:
1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. In the console tree, select the Managed computers folder.
3. If you want to create a subgroup for the existing administration group, in the Managed computers folder, select a subfolder in which you want to create a subgroup.
4. Create the group using one of the following methods:
   - In the context menu of the Managed computers folder, or in the context menu of the subfolder, select Create → Group.
   - In the workspace of the Managed computers folder or in the subfolder, select the Groups tab and open the window by clicking the Create subgroup link.
5. In the Group name window, type the group name and click OK.

A new administration group folder with the specified name appears in the console tree.

If you use several workstations to install Kaspersky Endpoint Security on mobile devices, you are advised to create a group for them on the Administration Server and move the workstations to this group. You can then create a group task for this group in order to perform remote installation of the Kaspersky Endpoint Security app. In this way, you can install the app through all workstations belonging to the group at once.

For more detailed information on the use of administration groups, see the Kaspersky Security Center Administrator's Guide.

CREATING A RULE FOR DEVICE AUTOMATIC ALLOCATING TO ADMINISTRATION GROUPS

You can administer the settings of Kaspersky Endpoint Security apps installed on users' mobile devices centrally only if the devices belong to a previously created administration group in the Managed computers node, for which a group policy has been configured.
If the rule to allocate mobile devices detected on the network to groups automatically is not defined, during the first synchronization of the device with the Administration Server, the device is automatically sent to the KSM10 subfolder of the Domains folder that is included in the Unassigned devices folder. A group policy does not apply to this device.

The administrator can create a rule for automatic allocation of mobile devices from the Unassigned devices folder to the specified administration group in the Managed computers folder.

To create the rule for automatic allocation of mobile devices to an administration group, follow the steps below:
1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. In the console tree, select the Unassigned devices folder.
3. From the context menu of the Unassigned devices folder, select Properties. The Properties: Unassigned devices window appears.
4. In the Computer relocation section, click Add to start the process of creating the rule for automatic allocation of devices to administration groups. The New rule window appears.
5. In the General section, provide the following data:
   - Type the rule name.
   - Specify the administration group to which mobile devices should be allocated after a Kaspersky Endpoint Security mobile app has been installed on them. To do so, click Select to the right of the Group to move computers to field and select the group from the window that appears.
   - In the Rule application section, select Run once for each computer.
   - Select the Move only computers not added to administration groups check box to prevent allocating to the selected group the mobile devices that were allocated to other administration groups when applying the rule.
   - Select the Enable rule check box, so that the rule can be applied to newly detected devices.
   - In the Applications section, select one or several types of operating systems of the devices to be allocated to the specified group: Android, iOS, or Windows Phone.
6. Click OK.

Once it has been created, the rule appears in the list of device allocation rules in the Computer relocation section in the properties window of the Unassigned devices folder.

According to the rule, Kaspersky Security Center allocates all devices that meet the specified requirements from the Unassigned devices folder to the selected group.

The mobile devices which were earlier allocated to the Unassigned devices folder can also be allocated to the required administration group of the Managed computers folder manually.

For more detailed information on administration groups management and actions with undistributed devices, see the Kaspersky Security Center Administrator's Guide.
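The relocation rule options described above decide which devices ever receive a group policy. The following added example (not Kaspersky code and not part of the original guide) models those options in Python and lists the devices left in the default KSM10 location, where no group policy applies. The class names, the constructed device inventory, the group names and the reading of "Run once for each computer" as "never re-apply to a device already moved by this rule" are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Where the guide says a device lands when no relocation rule matches it.
DEFAULT_LOCATION = "Unassigned devices/Domains/KSM10"


@dataclass
class Device:
    name: str
    os: str                       # "Android", "iOS" or "Windows Phone"
    group: Optional[str] = None   # None = still under Unassigned devices

    @property
    def location(self) -> str:
        return self.group or DEFAULT_LOCATION


@dataclass
class RelocationRule:
    """Hypothetical model of the options in the New rule window."""
    name: str
    target_group: str             # "Group to move computers to"
    os_types: Set[str]            # operating systems ticked in "Applications"
    enabled: bool = True          # "Enable rule"
    only_unassigned: bool = True  # "Move only computers not added to administration groups"
    run_once: bool = True         # "Run once for each computer" (assumed semantics)
    already_applied: Set[str] = field(default_factory=set)

    def apply(self, device: Device) -> bool:
        """Move the device if the rule matches; return True when it was moved."""
        if not self.enabled or device.os not in self.os_types:
            return False
        if self.only_unassigned and device.group is not None:
            return False          # device already belongs to another group
        if self.run_once and device.name in self.already_applied:
            return False          # rule already fired once for this device
        self.already_applied.add(device.name)
        device.group = self.target_group
        return True


def first_synchronization(devices: List[Device],
                          rules: List[RelocationRule]) -> List[str]:
    """Apply rules in order (first match wins) and return the names of
    devices left in the default location, where no group policy applies."""
    unmanaged = []
    for device in devices:
        for rule in rules:
            if rule.apply(device):
                break
        if device.group is None:
            unmanaged.append(device.name)
    return unmanaged


def demo():
    # Constructed inventory; names and groups are illustrative only.
    rule = RelocationRule(name="KES Android devices",
                          target_group="Managed computers/Mobile devices",
                          os_types={"Android"})
    devices = [
        Device("alice-phone", "Android"),
        Device("finance-tablet", "iOS"),   # OS not selected in the rule
        Device("bob-phone", "Android", group="Managed computers/Sales"),
    ]
    unmanaged = first_synchronization(devices, [rule])
    return devices, unmanaged, rule


if __name__ == "__main__":
    devices, unmanaged, _ = demo()
    for d in devices:
        print(f"{d.name:15} {d.os:8} -> {d.location}")
    print("No group policy applies to:", unmanaged)
```

A device whose operating system is not selected in any enabled rule stays under Unassigned devices with no policy, so the list this returns is the one to review after the first synchronization.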
CREATING AN INSTALLATION PACKAGE

The installation package of Kaspersky Endpoint Security 10 for Mobile is a self-extracting archive, ak_package.exe, that contains the following files required to install mobile apps on devices:
- adb.exe, AdbWinApi.dll, AdbWinUsbApi.dll: a set of files needed to install Kaspersky Endpoint Security 10 for Android
- installer.ini: the configuration file that contains the Administration Server connection setting
- KSM_10_5_11_xxx_en.apk: a setup file for Kaspersky Endpoint Security 10 for Android
- kmlisten.exe: the tool for delivering the application installation package using the workstation
- kmlisten.ini: the configuration file that contains the settings for the installation package delivery tool
- kmlisten.kpd: the application description file

To create the Kaspersky Endpoint Security 10 for Mobile installation package, follow the steps below:
1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. In the console tree, in the Remote installation folder, select the Installation packages subfolder.
3. From the context menu in the Installation packages folder, select New → Installation package. The wizard that creates the installation package will be started. Follow the instructions of the Wizard.
4. In the Select installation package type window, click the Create installation package for a Kaspersky Lab application.
5. In the Selecting the distribution package for installation, click the Select button to open the folder where you stored the application distribution kit and select the ak_package.exe self-extracting archive. If you have already unpacked the archive, choose the application description file, kmlisten.kpd. In the entry field, the application name and the version number will appear.

After the wizard finishes, the created installation package will appear in the Installation packages folder workspace. The installation packages are stored in the Packages folder, in the public shared folder on the Administration Server.

Before using the created installation package to install Kaspersky Endpoint Security for Android, configure the installation package settings.

CONFIGURING INSTALLATION PACKAGE SETTINGS

You must configure the installation package settings for Kaspersky Endpoint Security 10 for Mobile, so that your mobile device uses the correct Administration Server connection setting.

To configure the installation package settings, follow the steps below:
1. In the console tree, select the Administration Server to which the mobile devices will be connected.
2. In the console tree, in the Remote installation folder, select the Installation packages subfolder.
3. From the context menu for the installation package of the Kaspersky Endpoint Security, select Properties.
4. On the Settings tab, specify the Administration Server connection settings for mobile devices and the name of the administration group to which the mobile devices will be added automatically after the first synchronization with the Administration Server.
Follow the steps below:
   - In the Connection to the Administration Server section, in the Server address field, type the name of the Administration Server for mobile devices in the format that was used for installing Mobile devices support during the Administration Server deployment. Depending on the Administration Server name format for the Mobile devices support component, specify the DNS name or the IP address of the Administration Server. In the SSL port number field, specify the number of the port open on the Administration Server for connecting mobile devices. Port is used by default.
   - In the Allocation of computers to groups section, in the Group name field, type the name of the group to which mobile devices will be added after the first synchronization with the Administration Server (KSM10 is used by default). The specified group will be automatically created in the Unassigned computers folder.
   - In the Actions during installation section, select the Request address check box, so that at the first launch the application asks the user to provide the corporate email address. The user's address is used to form the name of the mobile device when it is added to the administration group. The name of an Android mobile device is created according to this template: <user's address (mobile device model device ID)>.
5. To apply the specified settings, click Apply.
CREATING A STANDALONE INSTALLATION PACKAGE OF KASPERSKY ENDPOINT SECURITY FOR ANDROID

To create a standalone installation package, follow the steps below:
1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. In the console tree, in the Remote installation folder, select the Installation packages subfolder.
3. Choose the installation package of Kaspersky Endpoint Security 10 for Mobile.
4. In the context menu of the installation package, select Create a standalone installation package. The wizard that creates the standalone installation package will be started. Follow the instructions of the Wizard.
5. In the Select Network Agent installation package for joint deployment window of the Wizard, clear the Install Network Agent along with this application check box. The Standalone installation package creation result window of the Wizard displays the path to the shared folder containing the standalone installation package that has been created.
6. To open the shared folder, click the Open folder link in the Further actions section.
7. To distribute the path to the created standalone installation package among users via email, in the Further actions section click the link Send the link to the standalone installation package by email. This opens the message editor window, and the text in the window contains the path to the shared folder with the standalone installation package.
8. To post the link to the created standalone installation package on your corporate website, click the link Sample HTML code for posting link on website. This opens a tmp file containing HTML_RJL links.
9.
To publish the created standalone installation package on the web server of Kaspersky Security Center and view the entire list of standalone packages for the selected installation package, in the Standalone installation package wizard completed successfully window select the Open the stand-alone packages list check box.

After the wizard closes, the window List of standalone packages for the installation package <Installation package name> opens. This window contains the following information:
- A list of standalone installation packages
- The network path to the shared folder in the Path field
- The address of the standalone package on the web server of Kaspersky Security Center in the URL field

When sending email notifications, you can specify either the address in the URL field or the path in the Path field as a resource from which users can download the setup file of the app. When sending text message notifications to users, you have to specify the download link appearing in the URL field.

You are advised to copy the address of the created standalone package to the clipboard and then paste the link to the required installation package into the email or text message notification for users.
CREATING A GENERAL CERTIFICATE

You have to create a general certificate in Administration Console for the purpose of identifying the user of a mobile device.

When handling Android devices, you can create a general certificate only for devices running on Android version 4.0 or later.

To create a general certificate:
1. Select the Mobile Device Management node in the console tree of Kaspersky Security Center.
2. Select the Certificates folder in the Mobile Device Management node.
3. In the workspace of the Certificates folder, click the Add certificate button to start the Certificate Installation Wizard.
4. In the User selection window of the Wizard, specify the users for whom you want to create a general certificate.
5. In the Certificate type window of the Wizard, select the General certificate option.
6. In the Certificate source window of the Wizard, select the method by which the general certificate is created.
   - To create a general certificate using Administration Server tools automatically, select Specify certificate using Administration Server tools.
   - To assign a previously created certificate to a user, select the Specify certificate file option. Click the Specify button to open the Certificate window and specify the certificate file in it.
   If you do not want to specify the type of mobile device and the method of notifying the user about certificate creation, clear the Publish certificate check box.
7. In the Device type window of the Wizard, select the type of the user's mobile device for which you want to create the general certificate.
8. In the Installation packages window of the Wizard, select the standalone installation package of Kaspersky Endpoint Security for Android.
9.
In the Method of user notification window of the Wizard, configure the settings of mobile device user notification about certificate creation using an SMS or via email.
10. In the Certificate information window of the Wizard, click the Finish button to finish the Certificate Installation Wizard.

As a result, the Certificate Creation Wizard creates a general certificate that the user can install on the mobile device. To get the certificate, start synchronization of the mobile device with the Administration Server.
UPDATING THE PREVIOUS VERSION OF KASPERSKY SECURITY FOR MOBILE

If your organization has already deployed Kaspersky Security for Mobile of one of the previous versions, you can upgrade each component of the solution to a new version.

Upgrading management plug-ins

To upgrade the management plug-ins of Kaspersky Endpoint Security and Kaspersky Mobile Device Management, remove the previous version of the plug-in in Kaspersky Security Center.

The existing administration groups in the Managed computers folder and rules for the automatic allocation of devices from the Unassigned devices folder to these groups are saved. The existing group policies for mobile devices are also saved. New policy settings that implement the new features of the Kaspersky Security for Mobile integrated solution will be added to the existing policies and will have the default values.

Upgrading the mobile app

You can upgrade the Kaspersky Endpoint Security mobile app by installing the latest version of the app (for example, upgrade Kaspersky Endpoint Security 8 for Smartphone to Kaspersky Endpoint Security 10). At the first launch of Kaspersky Endpoint Security 10, you will be advised to delete any previous versions of the application. You are advised to delete any previous application versions.
INSTALLING THE INTEGRATED SOLUTION

This section describes the process of installing the components of the integrated solution Kaspersky Security for Mobile.

IN THIS SECTION
- Installation of Administration Plug-in for Kaspersky Endpoint Security for Mobile
- Installing the plug-in for managing EAS and iOS MDM devices
- Installation of Kaspersky Endpoint Security for Android mobile app
- Installation of Kaspersky Safe Browser for iOS mobile app
- Installation of Kaspersky Safe Browser for Windows Phone mobile app

INSTALLATION OF ADMINISTRATION PLUG-IN FOR KASPERSKY ENDPOINT SECURITY FOR MOBILE

To install the Kaspersky Endpoint Security management plug-in, copy klcfinst.exe, the plug-in installation file, from the application distribution kit and run it on the administrator's workstation. The installation is performed by the wizard, and you do not need to configure the settings.

You can check whether or not the plug-in for Kaspersky Endpoint Security 10 for Mobile is installed by viewing the list of the installed app administration plug-ins in the Advanced section in the Administration Server properties window.

INSTALLING THE PLUG-IN FOR MANAGING EAS AND IOS MDM DEVICES

To install the Kaspersky Mobile Device Management plug-in for managing EAS and iOS MDM devices, copy klmdminst.exe, the plug-in installation file, from the application distribution kit and run it on the administrator's workstation. The installation is performed by the wizard, and you do not need to configure the settings.

You can check whether or not the plug-in Kaspersky Mobile Device Management is installed by viewing the list of the installed app administration plug-ins in the Advanced section in the Administration Server properties window.

INSTALLATION OF KASPERSKY ENDPOINT SECURITY FOR ANDROID MOBILE APP

This section describes the options for installing Kaspersky Endpoint Security 10 for Android mobile app on Android devices.
IN THIS SECTION
- Installation via email link
- Installation via text message link
- Installation using the workstation
- Installing the application from Google Play

INSTALLATION VIA EMAIL LINK

To install Kaspersky Endpoint Security for Android on users' devices through an email link, you have to create an installation package and configure its settings. Then proceed to create a standalone installation package based on this installation package. The standalone installation package has to be distributed among mobile device users via email messages that contain either the package itself or a link to the Kaspersky Security Center web server, to a shared administrator folder, or to another resource where you have published the standalone installation package.

The user downloads the mobile app distribution kit to the mobile device. When the download is complete, the application installation wizard will be launched. Following the wizard's instructions, the user installs Kaspersky Endpoint Security 10 for Android on the mobile device.

IN THIS SECTION
- Sending email notifications to users
- Installing the mobile app on the device after receiving an email notification

SENDING EMAIL NOTIFICATIONS TO USERS

Before sending email notifications to users, make sure that delivery of email notifications is configured in the Administration Console of Kaspersky Security Center.

To send users an email containing the download link to the standalone installation package of Kaspersky Endpoint Security for Android:
1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. Select the User accounts folder in the console tree.
3. Select one or several users. You are advised to verify user accounts to make sure they contain email addresses.
4. Select Notify by email in the context menu of the user account. The message editor window opens.
5. Create a message with a link to the standalone installation package of Kaspersky Endpoint Security for Android:
   - Type the subject.
   - Type the message and add the link to the standalone installation package on the Kaspersky Security Center web server or specify the path to it in your public shared folder.
   - Check the boxes Send to main address and Send to an additional address if you need to use the primary and secondary email address of users, respectively.
   - If you need to create QR codes for the links, select the check box for Create graphic QR codes for the web address from the text and send in the message.
6. Click OK to start emailing.

INSTALLING THE MOBILE APP ON THE DEVICE AFTER RECEIVING AN EMAIL NOTIFICATION

After the user receives the email with the link to the standalone installation package from the administrator, the user downloads the mobile app distribution kit to the device using one of the available methods. After downloading the file, the user opens the installation file on the device. This automatically starts the mobile app Installation Wizard. The user follows the installation wizard's instructions.

If all settings of the device connection to the Administration Server were specified when the installation package was created, the user does not need to perform initial configuration of the mobile app. The user just has to install the general certificate on the mobile device (see the section "Installing the general certificate" on page 48) to identify the device in the Administration Console of Kaspersky Security Center.

By default, the Android operating system does not allow installing applications that are not purchased on Google Play. If app installation does not begin, the user needs to allow installation of apps from external sources in the Android device settings.

As a result, Kaspersky Endpoint Security for Android is installed on the user's mobile device. After a device with Kaspersky Endpoint Security installed (hereinafter the "KES device") connects to the Administration Server, it becomes a managed device and can be controlled remotely by the administrator.
INSTALLATION VIA TEXT MESSAGE LINK

To install the Kaspersky Endpoint Security for Android mobile app via a text message link, you have to create an installation package and configure its settings. Then proceed to create a standalone installation package based on this installation package. The standalone installation package has to be distributed among mobile device users via text messages that contain a link to the Kaspersky Security Center web server or to another resource where you have published the standalone installation package.

The user downloads the application distribution kit to the mobile device from the network source specified in the text message. When the download is complete, the application installation wizard will be launched. By following the wizard's instructions, the user installs Kaspersky Endpoint Security for Android on the mobile device.

IN THIS SECTION
- Sending text messages to users
- Installing the mobile app on the device after receiving the text message

SENDING TEXT MESSAGES TO USERS

Before sending text messages to users, make sure that delivery of text messages is configured in the Administration Console of Kaspersky Security Center.
To send SMS messages containing the download link to the standalone installation package of Kaspersky Endpoint Security for Android, follow the steps below:
1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. Select the User accounts folder in the console tree.
3. Select one or several users. You are advised to verify user accounts to make sure they contain phone numbers.
4. Select Notify by SMS from the context menu of the user account. The window to create an SMS message will appear.
5. Select the type of the user's phone number to which the message should be sent by selecting one or several check boxes: Use mobile number, Use additional phone number, or Use primary phone number.
6. Type the message and add the link to the standalone installation package stored on the web server.
7. To enable sending, click OK.

INSTALLING THE MOBILE APP ON THE DEVICE AFTER RECEIVING THE TEXT MESSAGE

After the user receives the SMS message with the link to the standalone package from the administrator, the user downloads the app distribution kit to the device using one of the available methods. After downloading the file, the user opens the installation file on the device. This automatically starts the mobile app Installation Wizard. The user follows the installation wizard's instructions.

If all settings of the device connection to the Administration Server were specified when the installation package was created, the user does not need to perform initial configuration of the mobile app. The user just has to install the general certificate on the mobile device (see the section "Installing the general certificate" on page 48) to identify the device in the Administration Console of Kaspersky Security Center.

By default, the Android operating system does not allow installing applications that are not purchased on Google Play.
If app installation does not begin, the user needs to allow installation of apps from external sources in the Android device settings.

As a result, Kaspersky Endpoint Security for Android is installed on the user's mobile device. After connecting the KES device to the Administration Server, the device becomes managed. The administrator can remotely monitor managed devices.

INSTALLATION USING THE WORKSTATION

To install Kaspersky Endpoint Security for Android via a workstation, you have to create an installation package and configure its settings. Then create and start the remote installation task for those workstations to which mobile devices of users are connected. To create this task, the administrator can use the remote installation wizard in the Administration Console of Kaspersky Security Center.
IN THIS SECTION
- Creating a remote installation task
- Delivering the application distribution kit to device using the workstation
- Installing the mobile app on a device

CREATING A REMOTE INSTALLATION TASK

To install the application remotely via Kaspersky Security Center, you must create a remote installation task. The created remote installation task will run according to the specified schedule.

For more detailed information on remote installation of applications, see the Kaspersky Security Center Deployment Guide.

To create a task of remote installation of the app for workstations:
1. In the console tree, open the Remote installation folder and click the Start Remote Installation Wizard link to launch the Remote Installation Wizard.
2. In the Select installation package for app installation window of the Wizard, specify the installation package for Kaspersky Endpoint Security 10 for Mobile.
3. If the workstations to which mobile devices of users are connected belong to the Unassigned computers group, in the Choosing computers for installation window click the Select computers for deployment button.
4. If you have created a separate administration group for workstations and you want to create a remote installation task for all workstations at once, in the Choosing computers for installation window click the Deploy to a group of managed computers button.
5. To create the remote installation task only for some of the workstations in the administration group, in the Choosing computers for installation window click the Select computers for deployment button.
6. To create the remote installation task only for active workstations belonging to various administration groups, in the Choosing computers for installation window click the Select computers for deployment button.
7. Follow the wizard's instructions.
When the task of remote installation on user workstations is completed, users receive an installation package with the distribution kit of Kaspersky Endpoint Security for Android. The kmlisten.exe utility for delivering the mobile app distribution kit to workstations is also installed and automatically started on workstations. The tool detects mobile device connection to the computer. When the user connects a device that meets the system requirements for installation of Kaspersky Endpoint Security mobile apps on the workstation, the utility shows the message prompting the user to install the application on the connected mobile device. If the user agrees to install the application, the tool downloads the application distribution to the mobile device. When the download is complete, the application installation wizard will be launched. Following the wizard's instructions, the user installs Kaspersky Endpoint Security for Android on the mobile device.

DELIVERING THE APPLICATION DISTRIBUTION KIT TO DEVICE USING THE WORKSTATION

The kmlisten.exe utility delivers the distribution kit of Kaspersky Endpoint Security for Android to the mobile device. This utility is installed on the workstation as a result of the remote installation task. When a device that meets software and hardware requirements is connected to the workstation, the utility prompts the user to install Kaspersky Endpoint Security 10 for Android on the device.
To copy the distribution kit of the Kaspersky Endpoint Security 10 for Android app from the workstation to the mobile device, you have to follow the steps below:
1. Connect the device to the workstation. If the device meets the mobile app installation system requirements, the kmlisten.exe tool window will open automatically.
2. In the list of detected devices, select the device to which you want to install the application.
3. Click the Install button. The tool copies the application distribution kit to the selected devices and will report the operation results.

Installation of Kaspersky Endpoint Security for Android starts automatically on the device after the distribution kit has been downloaded.

The kmlisten.exe utility prompts the user to install the app every time the device is connected to the computer.

To disable automatic startup of the kmlisten.exe utility every time the mobile device is connected to the computer, the user has to select the check box Disable automatic launch of Kaspersky Endpoint Security 10 for Mobile Installation Wizard in the KSM10 window of the utility.

INSTALLING THE MOBILE APP ON A DEVICE

After downloading the file, the user opens the installation file on the device. This automatically starts the mobile app Installation Wizard. The user follows the installation wizard's instructions.

If all settings of the device connection to the Administration Server were specified when the installation package was created, the user does not need to perform initial configuration of the mobile app. The user just has to install the general certificate on the mobile device (see the section "Installing the general certificate" on page 48) to identify the device in the Administration Console of Kaspersky Security Center.

By default, the Android operating system does not allow installing applications that are not purchased on Google Play.
If app installation does not begin, the user needs to allow installation of apps from external sources in the Android device settings.

INSTALLING THE APPLICATION FROM GOOGLE PLAY

The app is installed from Google Play in cases when users can easily download the app from there and install it themselves.

To install the mobile app Kaspersky Endpoint Security for Android, users need to log in to Google Play on their mobile devices, choose the app Kaspersky Endpoint Security and click the Install button. Users use their own Google accounts to install the application.

When launching the app on the mobile device for the first time after installing it, users should specify the settings for connecting to the Administration Server and install the general certificate (see the section "Installing the general certificate" on page 48).

As a result, Kaspersky Endpoint Security for Android is installed on the user's mobile device. After the next synchronization of the mobile device with Administration Server, the user's mobile device with Kaspersky Endpoint Security for Android (KES-device) installed is moved to the Unassigned devices folder in the group specified during installation of the application (the default group is KSM 10). You can move a mobile device to the group you created in the Managed computers folder either manually or using automatic allocation rules.

INSTALLATION OF KASPERSKY SAFE BROWSER FOR IOS MOBILE APP

This section describes the options for installing Kaspersky Safe Browser mobile app on iOS devices.
IN THIS SECTION
Installation via the iOS MDM server
Installing the application from Apple Store

INSTALLATION VIA THE IOS MDM SERVER

For installing the Kaspersky Safe Browser app for iOS, the administrator's workstation must have the iOS MDM mobile device server installed.

Installation of Kaspersky Safe Browser for iOS via the iOS MDM server consists of the following steps:

1. Receiving the Apple Push Notification certificate (APN certificate). The APN certificate is issued by the Apple Push Notification Service. The APN certificate enables the Administration Server to connect to the APNs service apters/applepushservice.html in order to send push notifications to iOS MDM mobile devices.
2. Creating an iOS MDM profile. An iOS MDM profile contains a set of options for connecting iOS MDM mobile devices to the Administration Server.
3. Getting an iOS Developer Certificate. The iOS Developer Certificate is issued by the iOS Development Center Service of Apple. The Developer Certificate makes it possible to sign Kaspersky Safe Browser for iOS to enable installation on mobile devices of users.
4. Creating a provisioning profile. A provisioning profile is a profile used to manage apps distributed outside App Store. A provisioning profile includes license information and is linked to a specific app.
5. Signing a distribution kit of Kaspersky Safe Browser for iOS.
6. Installing Kaspersky Safe Browser for iOS and downloading the general certificate on mobile devices of users.

IN THIS SECTION
Getting the developer certificate
Creating a provisioning profile
Signing the app distribution kit
Installing the mobile app on a device

GETTING THE DEVELOPER CERTIFICATE

To get an iOS Developer Certificate (hereinafter "the developer certificate") on the Apple Developer Portal, one must be a participant of the Apple Developer Program and have an Apple ID.
To get the developer certificate:

1. Go to the Apple Developer Portal and open the iOS Dev Center section.
2. Select the Member Center section.
3. Go to the Certificates, Identifiers & Profiles section.
4. Create a developer certificate of the iOS App Development format by following the instructions.
5. Save the developer certificate that you received in the folder with the Kaspersky Endpoint Security for iOS distribution kit or import it into Keychain Access if you are going to use the certificate hash.

The procedure for getting the developer certificate is described in more detail on the Apple Developer Portal.

CREATING A PROVISIONING PROFILE

To create a provisioning profile on the Apple Developer Portal website at you have to be a participant in the Apple Developer Program and have an Apple ID.

To create a provisioning profile:

1. Go to the Apple Developer Portal and open the iOS Dev Center section.
2. Select the Member Center section.
3. Go to the Certificates, Identifiers & Profiles section.
4. Depending on the type of account under which you are registered on the Apple Developer Portal, do one of the following:
   - If your account type is Developer, add a mobile device for which you want to create a provisioning profile. You can add provisioning profiles to no more than 100 mobile devices.
   - If your account type is Developer Enterprise, select the Distribution Profiles section. In this section you can create provisioning profiles for any number of devices.
5. Create a provisioning profile by following the instructions.
6. Save the received provisioning profile in the folder with the Kaspersky Endpoint Security for iOS mobile app distribution kit.

The procedure of creating the provisioning profile is described in more detail on the Apple Developer Portal.

SIGNING THE APP DISTRIBUTION KIT

The Kaspersky Safe Browser for iOS distribution kit is signed using the make_container utility.
This utility is included in the SigningUtility.zip archive that is part of the distribution kit of the Kaspersky Security for Mobile integrated solution.

A Mac OS computer is required to start the make_container utility. The make_container utility is a console application. To launch it, use the terminal by selecting the following: Applications > Utility > Terminal.

To sign the Kaspersky Safe Browser for iOS distribution kit:

1. Open the folder with the application distribution kit.
2. On a Mac OS computer, start the terminal by selecting the following: Applications > Utility > Terminal.
3. In the command line of the terminal, type the command cd to open the folder with the make_container utility.
4. In the terminal command line, enter the command that starts the make_container utility, with the following required keys:
   - -m: key for creating the manifest file. The following settings should be specified for this key:
       short name of the app to be recorded in the manifest file;
       long name of the app to be recorded in the manifest file;
       full path to an external server where the signed app distribution kit will be published, to be recorded in the manifest file;
       a link to the file of the small app icon (optional parameter);
       a link to the file of the large app icon (optional parameter).
   - -s --sign: keys for signing the app distribution kit. The following settings should be specified for this key:
       hash of your developer certificate;
       app ID;
       path to the file of the provisioning profile.
   - -o: designates the path to the file to be created and signed. The following settings should be specified for this key:
       path where the signed app distribution kit with the .ipa extension will be saved;
       path to the unsigned distribution kit of the app with the .app extension.
   Executing the entered command creates a signed distribution kit of the app with the .ipa extension, as well as a manifest file with the .plist extension, which contains a link to the app distribution kit for installation on mobile devices.
5. Save the created app distribution kit and manifest file on an external server at the path specified in the parameters of the make_container utility launch command.

Example:

    ./make_container -m 'KES' 'Kaspersky Endpoint Security' ' ' ' -s --sign 6ACE20618C570E56BB5F FF9ECEF3 com.kaspersky.kes-example ./example.mobileprovision -o ./kes-example.ipa ./kes.app

which specifies the following parameters:

   - ./make_container: launches the make_container utility.
   - 'KES': brief name of the application.
   - 'Kaspersky Endpoint Security': long name of the application.
   - ' link to an external server that will host the signed distribution kit of the application.
   - ' link to the file of the large icon of the application. This icon is displayed while the application is being downloaded to the user's device.
   - ' link to the file of the small icon of the application. This icon is displayed while the application is being downloaded to the user's device.
   - 6ACE20618C570E56BB5F FF9ECEF3: hash of the developer certificate that you use. The hash is displayed in the properties of the developer certificate imported into Keychain Access.
   - com.kaspersky.kes-example: application ID.
   - ./example.mobileprovision: path to the folder where the provisioning profile is saved.
   - ./kes-example.ipa: path to the destination folder for saving the signed distribution kit of the application.
   - ./kes.app: path to the folder where the unsigned application file is saved.

INSTALLING THE MOBILE APP ON A DEVICE

To install Kaspersky Safe Browser for iOS on a mobile device:

1. Select the Mobile devices folder in the console tree of Administration Server.
2. Select the Mobile device servers subfolder in the Mobile devices folder.
3. In the workspace of the folder, select the iOS MDM server.
4. In the context menu of the iOS MDM server, select Properties. A properties window of the iOS MDM server will then open.
5. In the <iOS MDM server> window, select the Managed applications section.
6. Click Add.
7. In the Add application window that opens, in the Application name field enter the name of the managed application.
8. In the Apple ID or link to application field, specify the link to the external server where the manifest file is published.
9. If you want Kaspersky Safe Browser to be removed from the mobile device after removal of the MDM profile, select the Remove applications after profile removal check box.
10. Select the iOS MDM servers subfolder in the Mobile devices folder.
11. Select one or several devices in the list.
12. Start the process of application installation on the device in one of the following ways:
   - In the device context menu, select Install application to device.
     In the Select application to install window, select Kaspersky Safe Browser in the list of managed applications.
   - Click the Install application to device link in the section with the selected devices. In the Select application to install window, select Kaspersky Safe Browser in the list of managed applications.

The mobile app is automatically downloaded to the user's mobile device. The app prompts the user for permission to install. If the user allows installation, the mobile app is installed on the device. The icon of the Browser app appears on the device, showing the application download progress.

After installing Kaspersky Safe Browser for iOS, the user has to perform initial configuration of the app on the device. The user must specify the Administration Server connection settings provided by the administrator via and the user's address. The user also has to install the general certificate (see the section "Installing the general certificate" on page 48) to identify the mobile device in the Administration Console of Kaspersky Security Center.
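Before the manifest link is entered in the Apple ID or link to application field, the published manifest can be checked against the values used at signing time. The following Python sketch is an added example, not part of the original guide or of Kaspersky's tooling; it assumes that make_container writes Apple's standard over-the-air manifest layout (items, assets, metadata), and the sample manifest, the host mdm.example.com and the function name check_manifest are constructed for illustration.

```python
import plistlib
from urllib.parse import urlparse
from xml.parsers.expat import ExpatError

# Constructed sample manifest (assumption: standard Apple OTA manifest layout).
# The icon URL deliberately uses plain HTTP so the check has something to report.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>https://mdm.example.com/apps/kes-example.ipa</string>
        </dict>
        <dict>
          <key>kind</key><string>display-image</string>
          <key>url</key><string>http://mdm.example.com/apps/icon57.png</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>com.kaspersky.kes-example</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>Kaspersky Endpoint Security</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def check_manifest(data, expected_app_id, allowed_host):
    """Return a list of problems found in an OTA manifest (empty list means OK)."""
    try:
        manifest = plistlib.loads(data)
    except (ValueError, ExpatError) as exc:
        return ["manifest is not a valid plist: %s" % exc]

    items = manifest.get("items") if isinstance(manifest, dict) else None
    if not isinstance(items, list) or not items:
        return ["manifest has no 'items' array"]

    problems = []
    for n, item in enumerate(items):
        if not isinstance(item, dict):
            problems.append("item %d: not a dictionary" % n)
            continue

        # The app ID in the manifest must be the one passed to -s --sign.
        metadata = item.get("metadata")
        if not isinstance(metadata, dict):
            metadata = {}
        app_id = metadata.get("bundle-identifier")
        if app_id != expected_app_id:
            problems.append("item %d: app ID %r, expected %r"
                            % (n, app_id, expected_app_id))

        assets = item.get("assets")
        if not isinstance(assets, list):
            assets = []
        packages = 0
        for asset in assets:
            if not isinstance(asset, dict):
                problems.append("item %d: asset is not a dictionary" % n)
                continue
            kind = asset.get("kind")
            raw_url = str(asset.get("url", ""))
            url = urlparse(raw_url)
            # Every asset should be fetched over TLS from the intended server.
            if url.scheme != "https":
                problems.append("item %d: %s URL is not HTTPS: %s"
                                % (n, kind, raw_url))
            if url.hostname != allowed_host:
                problems.append("item %d: %s URL points to unexpected host: %s"
                                % (n, kind, raw_url))
            if kind == "software-package":
                packages += 1
                if not url.path.lower().endswith(".ipa"):
                    problems.append("item %d: package is not an .ipa: %s"
                                    % (n, raw_url))
        if packages != 1:
            problems.append("item %d: expected exactly one software-package, "
                            "found %d" % (n, packages))
    return problems


if __name__ == "__main__":
    for line in check_manifest(SAMPLE_MANIFEST, "com.kaspersky.kes-example",
                               "mdm.example.com") or ["manifest OK"]:
        print(line)
```

Run against the real manifest file by reading it in binary mode and passing the bytes to check_manifest together with the app ID used for signing and the host name of the publishing server.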
At the next synchronization of the mobile device with Administration Server, the user's mobile device with Kaspersky Safe Browser for iOS installed (hereinafter the "KES device") is moved to the Unassigned devices folder in the group specified during installation of the application (the default group is KSM 10). You can move a mobile device to the group you created in the Managed computers folder either manually or using automatic allocation rules.

INSTALLING THE APPLICATION FROM APPLE STORE

The app is installed from the Apple Store in cases when users can easily download the app from there and install it themselves.

To install the mobile app Kaspersky Safe Browser for iOS, users need to log in to the Apple Store on their devices, select the Kaspersky Safe Browser app, and click the Install button. The user uses a personal Apple ID to install the app.

When launching the app on the mobile device for the first time after installing it, users should specify the settings for connecting to the Administration Server and install the general certificate (see the section "Installing the general certificate" on page 48).

As a result, Kaspersky Safe Browser for iOS is installed on the user's mobile device. After the next synchronization of the mobile device with Administration Server, the user's mobile device with Kaspersky Safe Browser for iOS installed (hereinafter the "KES device") is moved to the Unassigned devices folder in the group specified during installation of the application (the default group is KSM 10). You can move a mobile device to the group you created in the Managed computers folder either manually or using automatic allocation rules.

INSTALLATION OF KASPERSKY SAFE BROWSER FOR WINDOWS PHONE MOBILE APP

To install Kaspersky Safe Browser for Windows Phone, the user has to visit the website of the Windows Phone Store on his device, select the Kaspersky Safe Browser app, and install it.
When launching the app on the mobile device for the first time after installing it, users need to configure the settings for connecting to the Administration Server and install the general certificate (see section "Installing the general certificate" on page 48).

As a result, Kaspersky Safe Browser for Windows Phone is installed on the user's mobile device. After a device with Kaspersky Safe Browser installed (hereinafter the "KES device") connects to the Administration Server, it becomes a managed device and can be controlled remotely by the administrator.
PREPARING KASPERSKY ENDPOINT SECURITY MOBILE APPS FOR OPERATION ON DEVICES

This section describes how to configure Kaspersky Endpoint Security mobile apps on user devices and assign devices to administration groups.

IN THIS SECTION
Installing a general certificate
Configuring the settings of mobile device connection to Administration Server
Mobile apps activation
Creating a mail certificate
Creating a certificate for VPN

INSTALLING A GENERAL CERTIFICATE

The user needs to install a general certificate to enable user identification and secure the exchange of data with the Administration Server. To install the certificate, users must click the Get certificate button in the app settings and enter their domain details.

If the user has not installed a general certificate, synchronization with the Administration Server is not possible.

After the next synchronization of the mobile device with Administration Server, the user's mobile device with Kaspersky Endpoint Security installed is moved to the Unassigned devices folder in the group specified during installation of the application (the default group is KSM 10). You can move a mobile device to the group you created in the Managed computers folder either manually or using automatic allocation rules.

CONFIGURING THE SETTINGS OF MOBILE DEVICE CONNECTION TO ADMINISTRATION SERVER

Initial configuration of the mobile app's settings for connecting to the Administration Server can be skipped in the following situations:

   - The standalone installation file or the pre-configured installation file is downloaded to the Android device (e.g., if the deployment is performed via SMS messages or link).
   - The app has been installed on the mobile device after it was connected to the workstation.

In all other cases, at the first launch of the app the user has to specify the settings of the connection to Administration Server received from the administrator:

   - Server address.
     If the IP address is specified in the Administration Server settings, the user must provide this IP address. If the DNS name is specified in the Administration Server settings, the user must provide this name.
   - SSL port number. The user must specify the number of the port open on the Administration Server for connecting mobile devices. Port is used by default. The port number is provided in the Settings section of the Administration Server settings.
   - Group. The user has to specify the name of the administration group to which the user's device belongs.
   - address. The user has to specify his or her corporate address.

MOBILE APPS ACTIVATION

In Kaspersky Security Center, the license can cover various groups of features. For full functionality of the management plug-ins of Kaspersky Endpoint Security 10 and Kaspersky Mobile Device Management 10 and Kaspersky Endpoint Security applications on mobile devices, the license for Kaspersky Security Center purchased by the company has to cover mobile device management functionality. Mobile device management functionality is used to connect mobile devices to Administration Server and administer them using the Exchange ActiveSync and iOS MDM resources, and to administer mobile devices with Kaspersky Endpoint Security 10 mobile apps installed.

For detailed information about licensing of Kaspersky Security Center and licensing options, see the Kaspersky Security Center Administrator's Guide.

A specific feature of Kaspersky Endpoint Security 10 mobile apps activation is that the license data is delivered to the mobile device with the policy during synchronization of the device with Administration Server (see page ). After installation of the app on the mobile device, the device automatically attempts to synchronize with the Administration Server every three hours. After the policy is applied, the device is synchronized with the Administration Server with the frequency that you specified in the network settings for the created policy. By default, synchronization is performed once every six hours.

To activate the application on the mobile device you need to create a group policy for the group in which the device is included, and specify for this policy the key from the Administration Server storage that was added using an activation code or key file.
The next time the mobile device connects to the Administration Server, the license data is downloaded to the device with the policy. Kaspersky Endpoint Security 10 installed on the device is activated.

If the application activation is not completed within three days from the moment of the Kaspersky Endpoint Security 10 installation on the mobile device, the application is automatically switched to the limited operating mode. In this mode, most of the app components are disabled. When the app is switched to the limited operating mode, automatic synchronization with the Administration Server is disabled. Therefore, if for some reason the activation of the application has not been completed within three days after the installation, the user must synchronize the device with the Administration Server manually.

CREATING A MAIL CERTIFICATE

A mail certificate has to be created in order to connect a mail client to the server and download messages to the user's mobile device.

To create a mail certificate:

1. Select the Mobile Device Management node in the console tree of Kaspersky Security Center.
2. Select the Certificates folder in the Mobile Device Management node.
3. In the workspace of the Certificates folder, click the Add certificate button to start the Certificate Installation Wizard.
4. In the User selection window of the Wizard, specify the users for whom you want to create a mail certificate.
5. In the Certificate type window of the Wizard, select the Mail certificate option.
6. In the Certificate source window of the Wizard, select the method by which the certificate is created:
   - To create a mail certificate using Administration Server tools automatically, select Specify certificate using Administration Server tools.
   - To assign a previously created certificate to a user, select the Specify certificate file option. Click the Specify button to open the Certificate window and specify the certificate file in it.
   If you do not want to specify the type of mobile device and the method of notifying the user about certificate creation, clear the Publish certificate check box.
7. In the Device type window of the Wizard, select the type of the user's mobile device for which you want to create the mail certificate.
8. If in the Device type window you have selected a type of device that is managed via the iOS MDM protocol, specify the tag for the certificate you are creating in the drop-down list of the Certificate tag window.
9. If you have selected an Android device managed by Kaspersky Security for Mobile in the Device type window, in the User notification method window configure the settings of mobile device user notification about certificate creation via SMS or
10. In the Certificate information window, click the Finish button to finish the Certificate Installation Wizard.

As a result, the Certificate Creation Wizard creates a mail certificate that the user can install on the mobile device. To get the certificate, start synchronization of the mobile device with the Administration Server.

CREATING A CERTIFICATE FOR VPN

A certificate for VPN needs to be created in order to connect a user's mobile device to a virtual private network.

To create a certificate for VPN:

1. Select the Mobile Device Management node in the console tree of Kaspersky Security Center.
2. Select the Certificates folder in the Mobile Device Management node.
3. In the workspace of the Certificates folder, click the Add certificate button to start the Certificate Installation Wizard. The Certificate Installation Wizard starts.
4. In the User selection window of the Wizard, specify the users for whom you want to create a certificate for VPN.
5. In the Certificate type window of the Wizard, select the Certificate for VPN option.
6. In the Certificate source window of the Wizard, select the method by which the certificate for VPN is created:
   - To create a certificate for VPN using Administration Server tools automatically, select Specify certificate using Administration Server tools.
   - To assign a previously created certificate to a user, select the Specify certificate file option. Click the Specify button to open the Certificate window and specify the certificate file in it.
   If you do not want to specify the type of mobile device and the method of notifying the user about certificate creation, clear the Publish certificate check box.
7. In the Device type window of the Wizard, select the type of the user's mobile device for which you want to create the certificate for VPN.
8. If in the Device type window you have selected a type of device that is managed via the iOS MDM protocol, specify the tag for the certificate you are creating in the drop-down list of the Certificate tag window.
9. If you have selected an Android device managed by Kaspersky Security for Mobile in the Device type window, in the User notification method window configure the settings of mobile device user notification about certificate creation via SMS or
10. In the Certificate information window of the Wizard, click the Finish button to finish the Certificate Installation Wizard.

As a result, the Certificate Creation Wizard creates a certificate for VPN that the user can install on the mobile device. To get the certificate, start synchronization of the mobile device with the Administration Server.
GROUP POLICIES FOR MANAGING MOBILE DEVICES

This section describes group policies that the administrator can use to centrally manage mobile devices, as well as mobile apps installed on them. This section also describes the procedure for creating group policies for managing mobile devices.

You can create a group policy for the following applications:

   - Kaspersky Endpoint Security;
   - Kaspersky Mobile Device Management.

IN THIS SECTION
About a group policy
Creating a group policy

ABOUT A GROUP POLICY

A group policy is a package of settings for managing mobile devices that belong to an administration group and for managing mobile apps installed on the devices. You can create a group policy using the Policy Wizard for Kaspersky Endpoint Security and Kaspersky Mobile Device Management.

A group policy created for Kaspersky Endpoint Security is called a KES device management policy (see page 52). A group policy created for Kaspersky Mobile Device Management is called an EAS and iOS MDM device management policy (see page 53).

You can use a policy to configure administration settings both for a group of devices and individually for each device. For a group of devices, administration settings can be configured in the window of group policy properties. For an individual device, they can be configured in the window of local application settings. Individual management settings specified for one device may differ from the values of settings configured in the policy for a group to which this device belongs.

Each parameter represented in a policy has a "lock" attribute, which shows whether the setting can be modified in the policies of nested hierarchy levels (for nested groups and slave Administration Servers) and in local application settings.
The values of settings configured in the policy and in local application settings are saved on the Administration Server, distributed to mobile devices during synchronization, and saved to devices as current settings of Kaspersky Endpoint Security apps. If the user has specified other values of settings that have not been "locked", during the next synchronization of the device with the Administration Server the new values of settings are relayed to the Administration Server and saved in the local settings of the application instead of the values that had been previously specified by the administrator.

To keep the corporate security of KES devices up to date, you can monitor user devices for compliance with a group policy for managing KES devices.

For more details on managing policies and administration groups in the Administration Console of Kaspersky Security Center, see the Kaspersky Security Center Administrator's Guide.

IN THIS SECTION
About a group policy for managing KES devices
About a group policy for managing EAS and iOS MDM devices
ABOUT A GROUP POLICY FOR MANAGING KES DEVICES

The Kaspersky Endpoint Security management plug-in lets you create group policies for managing KES devices.

A group policy for managing EAS devices offers the administrator the following capabilities:

   - Configure anti-virus protection settings on mobile devices: device scan settings, device protection using cloud technologies, anti-virus database update settings (for Android devices only) (see page 57).
   - Configure settings of the Anti-Theft component (for Android devices only) (see page 60):
       remotely determine the coordinates of lost or stolen devices;
       remotely lock a user's mobile device when it gets lost or stolen;
       remotely wipe corporate data on the mobile device;
       remotely lock containers;
       remotely wipe all device data and revert it to factory settings.
   - Remotely configure automatic synchronization of devices with the Administration Server (see page 57).
   - Monitor visits to websites on mobile devices (for Android and iOS devices only) (see page 62).
   - Manage the device unlock password (for Android and iOS devices only) (see page 62).
   - Configure usage of containers: authorization, encryption of containerized data (only for Android and iOS devices) (see page 69).
   - Configure hardware functions of mobile devices: usage of the camera, usage of Bluetooth, usage of Wi-Fi (only for Android devices) (see page 63).
   - Manage the device system password (for Android devices only) (see page 63).
   - Configure the settings of corporate for use via the TouchDown client (for Android devices only) (see page 63).
   - Remotely remove Kaspersky Endpoint Security for Android from mobile devices (see page 65).
   - Configure the settings of wireless networks for use on mobile devices (for Android devices only) (see page 66).
   - Monitor the startup of mobile apps on devices depending on their category (only for Android devices) (see page 66).
   - Monitor installation of third-party mobile apps on devices (only for Android devices) (see page 66).
   - Monitor devices for compliance with the policy (only for Android devices) (see page 72).
   - Manage Samsung Android devices that support KNOX (see page 75):
       configure access points (APN) (for KNOX of any version);
       monitor network activity of devices (for KNOX 1, 2);
       configure the virtual private network (VPN) (for KNOX 1);
       configure synchronization with the Microsoft Exchange server (for KNOX 1, 2).
   - Remotely activate Kaspersky Endpoint Security mobile apps on devices (see page 74).
ABOUT A GROUP POLICY FOR MANAGING EAS AND IOS MDM DEVICES

The Kaspersky Mobile Device Management plug-in lets you create group policies for configuring the settings of EAS and iOS MDM devices without using the iPhone Configuration Utility and the Exchange ActiveSync management profile.

A group policy for managing EAS and iOS MDM devices offers the administrator the following capabilities:

When managing EAS devices:

   - Configure settings of the device unlock password (see page 80).
   - Configure storage of encrypted data on the device (see page 80).
   - Configure corporate synchronization settings (see page 81).
   - Configure hardware functions of mobile devices, such as usage of removable drives, camera, or Bluetooth (see page 81).
   - Configure restrictions on the usage of mobile apps on the device (see page 82).

When managing iOS MDM devices:

   - Configure password usage on the device (see page 84).
   - Configure restrictions on usage of hardware features of the device and restrictions on installation and removal of mobile apps (see page 84).
   - Configure restrictions on usage of pre-installed mobile apps, such as YouTube, iTunes Store, Safari (see page 84).
   - Configure restrictions on media content viewed (such as movies and TV shows) by region where the device is located (see page 84).
   - Configure settings of device connection to the Internet via the proxy server (Global HTTP proxy) (see page 85).
   - Configure the settings of the account that the user uses to access corporate apps and services (Single Sign On technology) (see page 86).
   - Monitor Internet usage (visits to websites) on mobile devices (see page 87).
   - Configure settings of wireless networks (Wi-Fi), access points (APN), and virtual private networks (VPN) that use different authentication mechanisms and network protocols (see pages 88, 109, and 91).
   - Configure settings of the connection to AirPlay devices for streaming photos, music, and videos (see page 98).
   - Configure settings of the connection to AirPrint printers for wireless printing of documents from the device (see page 99).
   - Configure settings of synchronization with the Microsoft Exchange server and user accounts for using corporate on devices (see pages 99 and 101).
   - Configure user accounts for synchronization with the LDAP directory service (see page 102).
   - Configure account data for connecting to CalDAV and CardDAV services, which give access to company calendars and contact lists (see pages 103 and 104).
   - Configure settings of the iOS interface on the user's device, such as fonts or icons for favorite websites (see pages 106 and 105).
   - Add new security certificates on devices (see page 107).
   - Configure settings of the SCEP server so that the device can automatically receive certificates from the Certification Center (see page 107).
   - Add custom settings for operation of mobile apps.

A special feature of the EAS and iOS MDM device management policy is that it is assigned to an administration group to which an iOS MDM server and an Exchange ActiveSync Mobile Device Server (hereafter "mobile device servers") belong. All settings specified in this policy are first distributed to mobile device servers, then to the mobile devices that they manage. If administration groups have a hierarchical structure, slave mobile device servers get the policy settings from the master mobile device servers and distribute them to mobile devices.

CREATING A GROUP POLICY

This section describes the procedure for creating group policies for devices that use the Kaspersky Endpoint Security mobile app and policies for EAS devices and iOS MDM devices.

Policies created for an administration group are shown in the work area of the group on the Policies tab. The icon indicating the policy status (active / inactive) appears before the policy name. Several policies for different applications can be created in one group. Only one policy for each application can be active. When a new active policy is created, the previous active policy becomes inactive.

You can modify a policy after it is created.

To create a policy for Kaspersky Endpoint Security 10 Service Pack 1 for Mobile and Kaspersky Mobile Device Management 10 Service Pack 1:

1. From the administration console tree, select an administration group for which you want to create a policy.
2. In the workspace of the group, select the Policies tab.
3. Click the Create policy link to start the Policy Wizard.
This starts the Policy Wizard. Follow the instructions of the Wizard. Use the Next button to navigate the windows of the wizard. To exit the wizard, click Cancel in the wizard window. Policy creation is aborted.

STEP 1. CHOOSE A GROUP POLICY NAME

At this step, type the name for the new policy in the Name field. If you specify the name of an existing policy, it will have (1) added at the end automatically.

Proceed to the next step of the Policy Wizard.

STEP 2. CHOOSE AN APPLICATION FOR CREATING A GROUP POLICY

At this step, select the application for which you want to create a group policy in the list of applications:
   Kaspersky Endpoint Security 10 Service Pack 1 for Mobile for devices using the Kaspersky Endpoint Security mobile app.
   Kaspersky Mobile Device Management 10 Service Pack 1 for EAS devices and iOS MDM devices.
A policy for mobile devices can be created if the Kaspersky Endpoint Security 10 for Mobile management plug-in and the Kaspersky Mobile Device Management 10 Service Pack 1 management plug-in are installed on the administrator's workstation (see section "Installing the plug-in for managing EAS and iOS MDM devices" on page 37). If the plug-ins are not installed, the name of the relevant application does not appear in the list of applications.

Proceed to the next step of the Policy Wizard.

STEP 3. SELECT THE POLICY STATE

At this step, the Wizard prompts you to select the status of the policy:
   Active policy. The Wizard saves the created policy on the Administration Server. At the next synchronization of the mobile device with the Administration Server, the policy will be used on the device as the active policy.
   Inactive policy. The Wizard saves the created policy on the Administration Server as a backup policy. This policy can be activated in the future after a specific event. If necessary, an inactive policy can be switched to active state.

Several policies can be created for one application in the group, but only one of them can be active. When a new active policy is created, the previous active policy automatically becomes inactive.

Exit the Wizard.
CONFIGURING A GROUP POLICY FOR MANAGING KES DEVICES

Using a policy for Kaspersky Endpoint Security, you can configure the settings for managing KES devices and Kaspersky Endpoint Security mobile apps installed on devices.

To configure a group policy for managing KES devices:
1. In the tree of the Administration Console of Kaspersky Security Center, select the administration group that includes KES devices for which you need to configure settings.
2. In the workspace of the group, select the Policies tab.
3. In the list of policies, select a policy for Kaspersky Endpoint Security 10 for Mobile Service Pack 1. If necessary, you can create a new group policy using the Policy Wizard.
4. Open the properties window of the policy by double-clicking.

The Properties <policy name> window appears. In this window you can configure the group policy settings.

RESTRICTING CONFIGURATION RIGHTS

Kaspersky Security Center administrators can configure the access rights of Administration Console users for different application functions, depending on the job duties of users.

In the Administration Console interface, access rights can be configured in the Administration Server properties window in the Security and User roles sections. The User roles section lets you add standard user roles with a predefined set of rights. The Security section lets you configure rights for one user or a group of users or assign roles to one user or a group of users. User rights for each application are configured according to functional scopes.

For Kaspersky Endpoint Security, you can also configure user rights according to functional scopes. Below is a table that lists the functional scopes of Kaspersky Endpoint Security, and policy tabs belonging to these functional scopes.

Table 2. Functional scopes of the application

FUNCTIONAL SCOPE            POLICY TAB
Protection                  Protection, Scan, Update
App Control                 App Control, Third-party apps
Compliance control          Compliance control
Containers                  Containers
Device settings             Device Control, Synchronization
Managing Samsung devices    General settings, KNOX 1 settings, KNOX 2 settings
System management           Advanced settings, device settings
Web Protection              Web Protection

For each functional area, the administrator can assign the following permissions:
   Permission to edit. The Administration Console user is allowed to change the policy settings in the properties window.
   Prohibition to edit. The Administration Console user is prohibited from changing the policy settings in the properties window. Policy tabs belonging to the functional scope for which this right has been assigned are not displayed in the interface.
For more details on managing user rights and roles in the Administration Console of Kaspersky Security Center, see the Kaspersky Security Center Administrator's Guide.

CONFIGURING SYNCHRONIZATION SETTINGS

To apply the group policy on mobile devices of users, configure the Administration Server connection settings.

The settings of the connection to the Administration Server can be configured on Android, Windows Phone and iOS devices.

By default, mobile devices are synchronized with the Administration Server automatically every 6 hours. Automatic synchronization is enabled when the device is roaming.

To configure the settings of mobile device synchronization with the Administration Server:
1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <Policy name> window, select the Synchronization section.
3. In the Connect to Administration Server section, configure the settings of device synchronization with the Administration Server:
   a. Select the frequency of synchronization in the Synchronize drop-down list.
   b. To block automatic synchronization with the Administration Server when the device is roaming, select the Do not synchronize in roaming check box.
      The option to block synchronization in roaming mode is unavailable for Android devices.
4. Click Apply to save the changes you have made.

As a result, once the policy is applied, the settings of synchronization with the Administration Server will be configured on the mobile device.

CONFIGURING ANTI-VIRUS PROTECTION COMPONENTS

You can configure settings of protection components only on Android devices.

This section describes how you can configure the settings of anti-virus protection components.
IN THIS SECTION
   Configure device scan settings
   Configuring file system protection settings
   Configuring Update settings

CONFIGURE DEVICE SCAN SETTINGS

Configure the user's mobile device scan settings to scan the device for viruses and other malware.

Device scan settings can be configured on Android devices only.
By default, the Kaspersky Endpoint Security app scans only executable files stored in device memory and on the memory card, including the contents of archives. On detecting an infected object, the application attempts to disinfect it. If disinfection fails, the application moves the object to Quarantine. The scheduled full scan is not performed.

To configure the mobile device scan settings:
1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <Policy name> window, select the Scan section.
3. Configure the device scan settings in the Device scan settings section:
   If you want the application to scan all files saved on the device and on the memory card, clear the Scan executable files only check box.
   If you want the app to skip archives, clear the Scan archives with unpacking check box.
   If you want the app to attempt disinfection of malicious objects, select the Disinfect files, if possible check box. If disinfection fails, the application performs the action that is specified in the Action if disinfection fails section for objects that cannot be disinfected. If the check box is cleared, on detecting a threat Kaspersky Endpoint Security performs the action selected in the Action on threat detection list.
4. The Scheduled scan section lets you configure the settings of the automatic launch of the full scan of the device file system. To do so, click the Schedule button and specify the frequency of the full scan in the Schedule window.
5. Click Apply to save the changes you have made.

As a result, once the policy is applied, the device scan settings will be configured on the mobile device.

CONFIGURING FILE SYSTEM PROTECTION SETTINGS

To protect the file system of a mobile device against infection in real time, configure the settings of the user's mobile device protection.
Device protection settings can be configured for Android devices only.

Protection is enabled by default. Additional features for Android devices include additional scanning of new apps using the Kaspersky Security Network cloud service as well as detection of adware and apps that can be exploited by intruders to harm the device or user data. On detecting an infected object, Kaspersky Endpoint Security attempts to disinfect it. If disinfection fails, the application moves the object to Quarantine.

To configure the settings of mobile device file system protection:
1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <Policy name> window, select the Protection section.
3. In the Protection section, configure the settings of mobile device file system protection:
   To enable real-time protection of the mobile device against threats, select the Enable Protection check box.
   To enable extended protection of the mobile device against threats, select the Extended protection mode check box.
   To enable additional scanning of new apps before their first launch on the user device with the help of the Kaspersky Security Network cloud service, select the Use Kaspersky Security Network for scanning check box.
   To block adware and apps that can be exploited by fraudsters to harm the device or user data, select the Adware, dialers, and other check box.
4. To enable the scanning of executable files, select the Scan executable files only check box in the Protection settings section. If the check box is cleared, Kaspersky Endpoint Security scans all types of files.
5. Choose one of the following options in the Action if disinfection fails list:
   Delete.
   Skip.
   Quarantine.
6. Click Apply to save the changes you have made.

As a result, once the policy is applied, the device file system protection settings will be configured on the user's mobile device.

CONFIGURING UPDATE SETTINGS

To keep the Kaspersky Endpoint Security mobile app up to date, configure the settings of database and app version updates.

Database update settings can be configured for Android devices only.

By default, application database updates are disabled when the device is roaming. Scheduled updates of application databases are not performed.

To configure the settings of app anti-virus database updates on the mobile device:
1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <Policy name> window, select the Update section.
3. If you want Kaspersky Endpoint Security to download database updates according to the update schedule when the device is roaming, select the Allow update in roaming check box in the Update in roaming section.
   Even if the check box is cleared, the user can manually start an anti-virus database update when the device is roaming.
   Anti-virus database updates are not available on Android devices in roaming mode.
4. In the Update source section, specify the update source from which Kaspersky Endpoint Security receives and installs anti-virus database updates:
   Kaspersky Lab's servers;
   Administration Server;
   Other source.
5. In the Scheduled update section, configure the settings of the anti-virus database update launch on the user's device:
   a. Press the Schedule button.
   b. Specify the update frequency and start time in the Schedule window that opens.
6. Click Apply to save the changes you have made.

As a result, once the policy is applied, the settings of database and app version updates will be configured on the mobile device.
CONFIGURING UNAUTHORIZED ACCESS PROTECTION

You can configure settings of unauthorized access protection only on Android devices.

This section describes how you can configure the unauthorized access protection settings on the device.

IN THIS SECTION
   Configuring Anti-Theft settings
   Configuring settings for sending commands to a mobile device
   Configuring the use of the one-time code for unlocking the device

CONFIGURING ANTI-THEFT SETTINGS

Configure Anti-Theft settings to protect data on the user's mobile device against unauthorized access when the mobile device gets lost or stolen.

Anti-Theft settings can be configured for Android devices only.

All Anti-Theft functions are enabled by default.

To configure Anti-Theft settings:
1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <Policy name> window, select the Anti-Theft section.
3. If you want the app to send a message with the coordinates of the device that has been lost or stolen to the specified address after receiving your command:
   a. Select the Enable Locate check box.
   b. In the field below, enter the address to which messages with the device coordinates will be sent.
4. If you want the app to send a message with the new phone number to the specified address or phone number after the device SIM card has been replaced:
   a. Select the Enable SIM Watch check box.
   b. In the Send message to address field, specify the message recipient's address.
   c. In the Send SMS to phone number field, specify the phone number of the message recipient.
5. If you want the app to lock the device that has been lost or stolen after receiving your command:
   a. Select the Enable Device Lock check box.
   b. To lock the mobile device when the SIM card is replaced, select the Lock when SIM card replaced check box.
   c. In the Text when locked field, enter the message to be displayed on the screen of the locked device.
6. If you want the app to wipe data on the device that has been lost or stolen after receiving your command:
   a. Select the Enable Data Wipe check box.
   b. To be able to delete personal and corporate data from the user's mobile device remotely, select the Wipe corporate data check box.
   c. To be able to delete all data from the user's mobile device remotely, select the Wipe all data check box.
7. Click Apply to save the changes you have made.

As a result, once the policy is applied, the unauthorized access protection settings will be configured on the user's mobile device.

CONFIGURING SETTINGS FOR SENDING COMMANDS TO A MOBILE DEVICE

Configure the settings of command transmission to the device to protect data on the user's mobile device against unauthorized access when the mobile device gets lost or stolen.

By default, transmission of commands to the mobile device is disabled.

To configure the settings of command transmission to a mobile device:
1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <Policy name> window, select the Anti-Theft section.
3. In the Send commands section, do the following:
   a. If you want the app to determine the coordinates of the device that has been lost or stolen after receiving your command, select the Locate check box.
      The Locate feature is available for Android devices and Windows Phone devices only.
   b. If you want the app to lock the device after receiving your command, select the Lock check box.
      The Lock feature is available for Android devices only.
      To unlock the mobile device, the user needs to enter a one-time unlock code.
   c. If you want the app to wipe device data after receiving your command, select the Data Wipe check box and select the type of data:
      If you want the app to wipe personal and corporate data from the device, select Corporate data.
      If you want the app to wipe all data from the device, select All data.
      Data Wipe is available for Android devices only.
4. Click Apply to save the changes you have made.

As a result, once the policy is applied, the settings of command transmission to the device that has been lost or stolen will be configured on the user's mobile device.
CONFIGURING THE USE OF THE ONE-TIME CODE FOR UNLOCKING THE DEVICE

To unlock a user's mobile device that has been locked by the app after the device has been lost or stolen, enter the unique one-time code. The one-time code is generated by the application and is unique to each mobile device.

To configure the use of the one-time code for unlocking the device:
1. Select the Mobile Device Management node in the console tree of Kaspersky Security Center.
2. Select the Mobile devices folder in the Mobile Device Management node.
3. Select a mobile device for which you want to get a one-time unlock code.
4. Right-click to open the context menu and select Properties.
   The Properties window opens: <device name>.
5. In the Properties window, select the Applications section.
6. Select Kaspersky Endpoint Security, and click the Properties button.
   The Settings of Kaspersky Endpoint Security 10 Service Pack 1 for Mobile window opens.
7. In the Settings of Kaspersky Endpoint Security 10 Service Pack 1 for Mobile window, select the Anti-Theft section.
8. A unique code for the selected device will be shown in the One-time code field of the Send commands section. The user must enter the code to unlock the mobile device.
9. Click the OK button to save the changes you have made.

CONFIGURING WEB PROTECTION SETTINGS

To protect personal data of the mobile device user on the Internet, configure the settings of the user's access to websites based on predefined lists of allowed and blocked websites.

Web Protection settings can be configured only for Android, Windows Phone, and iOS devices.

Web Protection is enabled by default: user access to websites in the Phishing and Malware categories is blocked.

To configure the settings of the device user's access to websites:
1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <Policy name> window, select the Web Protection section.
3. In the Mode section, select the preferred Web Protection mode:
   If you want the app to restrict user access to websites depending on their content:
      a. In the Mode section, select Websites of selected categories are blocked.
      b. Create a list of blocked categories by selecting check boxes opposite the categories of websites access to which will be blocked by the app.
      You can specify the full address of the website (for example, pictures.example.com), or use regular expressions (for example, *.example.com).
   If you want the app to allow user access only to websites specified by the administrator:
      a. In the Mode section, select Only listed websites are allowed.
      b. Create a list of websites by adding addresses of websites access to which will not be blocked by the app.
   If you want the app to block user access to all websites, in the Mode section select All websites blocked.
4. To lift content-based restrictions on user access to websites, clear the Enable Web Protection check box.
5. Click Apply to save the changes you have made.

As a result, once the policy is applied, the website access settings will be configured on the user's mobile device.

CONFIGURING DEVICE CONTROL

You can configure management only for Android devices.

This section describes how you can configure mobile device management settings.

IN THIS SECTION
   Configuring the system password
   Configuring Wi-Fi, camera, and Bluetooth usage
   Configuring TouchDown settings

CONFIGURING THE SYSTEM PASSWORD

To keep an Android device secure, configure usage of the system password for which the user is prompted when the device is turned on.

By default, Kaspersky Endpoint Security does not prompt the user to enter or set the system password when the mobile device is powered on. The password must contain at least four characters.

To configure system password usage:
1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <Policy name> window, select the Device Management section.
3. If you want the app to check if the system password has been set when the user's mobile device is powered on, select the Require to set device unlock password check box in the Security section.
   If the application detects that no system password has been set on the device, it prompts the user to set it.
   The password should be set taking into account the settings configured by the administrator.
4. Specify the minimum number of characters.
5. Click Apply to save the changes you have made.

As a result, once the policy is applied, the system password usage settings will be configured on the mobile device.
CONFIGURING WI-FI, CAMERA, AND BLUETOOTH USAGE

To keep an Android device secure, configure the Wi-Fi, camera, and Bluetooth usage settings.

By default, the user can use Wi-Fi, camera, and Bluetooth on the device without restrictions.

To configure the Wi-Fi, camera, and Bluetooth usage settings on the device:
1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <Policy name> window, select the Device Management section.
3. In the Restrictions section, configure usage of Wi-Fi, camera, and Bluetooth:
   To disable the Wi-Fi module on the user's mobile device, select the Disable Wi-Fi check box.
   To disable the camera on the user's mobile device, select the Disable camera check box.
   The camera can be disabled on Android devices with operating system versions higher than 4.0.
   To disable Bluetooth on the user's mobile device, select the Disable Bluetooth check box.
4. Click Apply to save the changes you have made.

As a result, once the policy is applied, the Wi-Fi, camera, and Bluetooth usage restriction settings will be configured on the mobile device.

CONFIGURING TOUCHDOWN SETTINGS

To ensure corporate security on the user's mobile device, configure the settings of the TouchDown client.

By default, settings of the TouchDown client are not configured.

To configure settings of the TouchDown client:
1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <Policy name> window, select the Device Management section.
3. In the TouchDown profile, configure the settings of the TouchDown client:
   Enter the IP address and DNS name of the server hosting the mail server in the Server address field.
   Enter the name of the Active Directory domain in which the user account is registered in the Domain field.
4. To install a certificate in the TouchDown client, select the Do not check server certificate check box.
   This certificate should be added to the user's device in the User accounts node of the Administration Console of Kaspersky Security Center in advance.
5. Click Apply to save the changes you have made.

As a result, once the policy is applied, the device TouchDown client settings will be configured on the mobile device.
CONFIGURING ADVANCED OPTIONS

You can configure additional group policy settings only for Android devices.

This section describes Advanced Options of Kaspersky Endpoint Security and how they can be configured.

IN THIS SECTION
   Configuring Call & Text Filter settings
   Configuring Kaspersky Endpoint Security removal settings

CONFIGURING CALL & TEXT FILTER SETTINGS

To block unwanted incoming calls and text messages on the user's mobile device, configure the settings of Call & Text Filter.

To configure the settings of Call & Text Filter:
1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <policy name> window, select the Advanced Options section.
3. Select the Allow Call & Text Filter check box.
4. Click Apply to save the changes you have made.

As a result, once the policy is applied, filtering of unwanted incoming calls and text messages will be allowed on the user's mobile device. The user can edit the Call & Text Filter settings via the app interface on the device or view the log of events that have occurred during the operation of the component.

CONFIGURING KASPERSKY ENDPOINT SECURITY REMOVAL SETTINGS

To remove Kaspersky Endpoint Security from the user's mobile device, configure the app removal settings.

To configure the application removal settings:
1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <policy name> window, select the Advanced Options section.
3. In the Application management section, configure the settings for removing the app from Android devices:
   To allow the user to remove the application from the mobile device manually, select the Allow removal of Kaspersky Endpoint Security for Android check box.
   By default, the user is unable to remove the app from the mobile device manually.
   To remove the application during the next synchronization with the Administration Server, select the Remove Kaspersky Endpoint Security for Android from device check box.
4. Click Apply to save the changes you have made.
As a result, once the policy is applied, the settings of application removal from the device will be configured on the user's mobile device.

CONFIGURING THE CONNECTION TO WIRELESS NETWORKS

To connect a user's mobile device to wireless networks, configure the mobile device settings.

You can configure wireless network connection settings only for Android devices.

To configure wireless network connection settings:
1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <Policy name> window, select the Device settings section.
3. In the Wireless networks section, click Add.
   The Wireless network window opens.
4. In the Wireless network window, configure the settings of the wireless network connection:
   a. In the SSID field, enter the name of the wireless network that includes the access point (SSID).
   b. In the Security type section, select the type of wireless network security (public or secure network protected with WEP or WPA / WPA2 PSK protocol).
   c. If you selected a secure wireless network at the previous step, specify the network access password in the Password field.
   d. In the Proxy server address and port field, enter the IP address or symbol name (web address) of the proxy server and port number.
   The wireless network that you have added appears in the Wireless networks list in the Device settings section.
   You can modify or delete wireless networks in the list of wireless networks using the Edit and Delete buttons at the top of the list.
5. Click Apply to save the changes you have made.

After the policy is applied on the user's mobile device, the user can connect to the wireless network that has been added, without specifying the network settings.

CONFIGURING APP CONTROL

This section describes how you can configure the App Control settings.
App control settings can be configured for Android devices only.
IN THIS SECTION
   Configuring app startup settings
   Configuring third-party app installation settings
   Configuring the installed apps report

CONFIGURING APP STARTUP SETTINGS

To keep the user's mobile device secure, configure the settings of app startup on the device.

To configure the settings of app startup on the mobile device:
1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <policy name> window, select the App Control section.
3. In the Mode section, select the mode of app startup on the user's mobile device:
   If you want the mobile device user to be able to start all apps except those specified in the List of categories and apps as blocked apps, select the Blocked apps mode.
   If you want the mobile device user to be able to start only apps specified in the List of categories and apps as allowed, recommended, or required apps, select the Allowed apps mode.
4. If you want Kaspersky Endpoint Security to generate a report on blocked apps installed on the user's mobile device without blocking them, select the Do not block blocked apps, report only check box.
   During the next synchronization of the mobile device with the Administration Server, Kaspersky Endpoint Security creates a report named A blocked app has been installed that you can view in the Kaspersky Endpoint Security Administration Console or in the local properties of the app.
5. If you want Kaspersky Endpoint Security to block the startup of system apps on the user's mobile device in Allowed apps mode, select the Block system applications check box.
6. Click Apply to save the changes you have made.

As a result, the app startup mode is configured on the user's mobile device after the policy is applied.
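The effect of the mode and check-box combinations in the procedure above can be checked against a device inventory before the policy is switched from reporting to blocking. The following Python model is an added example, not Kaspersky code: all names (AppControlPolicy, startup_decision, newly_blocked) and the inventory are constructed for illustration. It assumes that report-only applies to every app the selected mode would block, and that unlisted system apps start in Allowed apps mode unless Block system applications is selected.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    BLOCKED_APPS = "Blocked apps"
    ALLOWED_APPS = "Allowed apps"


class AppType(Enum):
    ALLOWED = "Allowed"
    BLOCKED = "Blocked"
    REQUIRED = "Required"
    RECOMMENDED = "Recommended"


class Decision(Enum):
    START = "app starts"
    BLOCK = "startup blocked"
    REPORT = "app starts, 'A blocked app has been installed' is reported"


# App types that may start in Allowed apps mode, as the guide lists them.
STARTABLE = {AppType.ALLOWED, AppType.RECOMMENDED, AppType.REQUIRED}


@dataclass(frozen=True)
class AppControlPolicy:
    """Hypothetical model of the App Control section of a policy."""
    mode: Mode
    app_list: dict                   # package -> AppType (List of categories and apps)
    report_only: bool = False        # "Do not block blocked apps, report only"
    block_system_apps: bool = False  # "Block system applications"


def startup_decision(policy, package, is_system_app=False):
    """Decide what the modeled policy does when one app is started."""
    listed = policy.app_list.get(package)
    if policy.mode is Mode.BLOCKED_APPS:
        # Everything starts except apps listed as Blocked.
        violates = listed is AppType.BLOCKED
    elif is_system_app and listed is None:
        # Assumption: unlisted system apps start unless the check box is set.
        violates = policy.block_system_apps
    else:
        # Allowed apps mode: only Allowed, Recommended or Required apps start.
        violates = listed not in STARTABLE
    if not violates:
        return Decision.START
    # Assumption: report-only covers every app the mode would block.
    return Decision.REPORT if policy.report_only else Decision.BLOCK


def dry_run(policy, inventory):
    """Map every installed app ({package: is_system_app}) to its decision."""
    return {pkg: startup_decision(policy, pkg, is_sys)
            for pkg, is_sys in inventory.items()}


def newly_blocked(current, proposed, inventory):
    """Apps that start under `current` but would be blocked under `proposed`."""
    before, after = dry_run(current, inventory), dry_run(proposed, inventory)
    return sorted(pkg for pkg in inventory
                  if before[pkg] is not Decision.BLOCK
                  and after[pkg] is Decision.BLOCK)


# Constructed sample data: package names and the list are illustrative only.
APP_LIST = {
    "com.example.mail": AppType.REQUIRED,
    "com.example.game": AppType.BLOCKED,
}
INVENTORY = {
    "com.example.mail": False,
    "com.example.game": False,
    "com.example.notes": False,   # installed by the user, not on the list
    "com.example.dialer": True,   # system app, not on the list
}
CURRENT_POLICY = AppControlPolicy(Mode.BLOCKED_APPS, APP_LIST, report_only=True)
PROPOSED_POLICY = AppControlPolicy(Mode.ALLOWED_APPS, APP_LIST,
                                   block_system_apps=True)

if __name__ == "__main__":
    for pkg, decision in dry_run(CURRENT_POLICY, INVENTORY).items():
        print(f"current   {pkg:22} {decision.value}")
    for pkg in newly_blocked(CURRENT_POLICY, PROPOSED_POLICY, INVENTORY):
        print(f"proposed  {pkg:22} would stop starting")
```

Running the comparison against an inventory taken from the installed apps report shows which apps users would lose before the stricter mode is applied.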
CONFIGURING THIRD-PARTY APP INSTALLATION SETTINGS

According to corporate security requirements, third-party mobile apps can be installed on user devices as allowed, recommended or required apps. You can download mobile app packages (see section "Mobile app package" on page 122) previously created in Kaspersky Security Center. In addition, to protect corporate data you can place a third-party app in a container (see section "About containers" on page 69) and download it to the user's mobile device (see section "Creating containers" on page 70).

To configure the settings of installation of a third-party mobile app on a user's device:
1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <policy name> window, select the App Control section.
3. Click the App button.
   The Mobile app window opens.
68 A D M I N I S T R A T O R ' S G U I D E 4. Specify a mobile app package in one of the following ways: Click the Select button located to the right of the Package name field, and in the Packages of mobile apps window that opens select the mobile app package. Specify the mobile app package settings manually: a. In the Package name field, enter the system name of the mobile app package. b. In the App name field, enter the name of the mobile app package that will be displayed on the user's mobile device in the list of categories and apps. c. In the Link to distribution kit field, enter the web address of the HTTP server in the format, where the mobile app package is located. You can specify the web address of the Kaspersky Security Center server or a different HTTP server. 5. In the App type list, select Allowed, Blocked, Required, or Recommended according to the corporate security requirements. 6. Click OK. The mobile app package that you have added appears in the list of categories and apps in the App Control section. You can modify or delete app packages on the list of categories and apps using the Edit and Delete buttons at the top of the list. 7. Click Apply to save the changes you have made. As a result, once the policy is applied, lists of allowed, blocked, required and recommended apps are sent to the user's mobile device. The user personally installs the app on the mobile device after selecting it from the list. When an attempt is made to install a blocked app, Kaspersky Endpoint Security can block the app or generate the report titled A blocked app has been installed (see section "Configuring app startup settings" on page 67). CONFIGURING THE INSTALLED APPS REPORT You can view information about apps installed on the user's mobile device using the report on installed apps. To configure creation of the report on apps installed on the user's mobile device: 1. 
Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <policy name> window, select the App Control section.
3. In the List of installed apps section, select the Request list of installed apps check box. During synchronization of the user's mobile device with the Administration Server, Kaspersky Endpoint Security generates the List of installed apps report. The report is generated with each change of the list of apps installed on the user's mobile device.
4. Click Apply to save the changes you have made.

As a result, once the policy is applied, creation of the report on installed apps will be enabled on the user's mobile device. The report that has been generated can be viewed in the Administration Console of Kaspersky Endpoint Security in the Reports and notifications node or in the local properties of the application (see the Kaspersky Security Center Administrator's Guide).
MANAGING THIRD-PARTY MOBILE APPS

This section describes the ways to install third-party mobile apps used for corporate purposes on mobile devices of users.

IN THIS SECTION
About containers

ABOUT CONTAINERS

You can use containers to monitor the activity of mobile applications launched on the user's device. A container is a special shell for mobile apps which makes it possible to control the activity of the containerized app, thereby protecting personal and corporate user data on the device. You can place only third-party apps into a container.

To place an application into a container, create a mobile app package in Administration Console (see section "Creating containers" on page 70). As a result, the containerized distribution kit of the app is automatically saved on the web server of the Kaspersky Security Center.

Containers are supported by Android and iOS devices only. To be able to use a containerized app on iOS devices, the container created must be signed. Containers are signed by the same certificate that is used to sign the Kaspersky Endpoint Security for iOS distribution kit.

Container operation settings on devices are determined by the policy applicable to that group of mobile devices. You can configure the following container settings via the policy properties:

- Possibility to automatically encrypt the data of a containerized app on the user's device.
- User authorization at the launch of a containerized app. You can configure the following types of authorization for user identification:
   - Domain login and password. The user enters the Active Directory login and password when launching a containerized app on the device.
   - The user password specified by the user at the first launch of the containerized app.
- Restriction of data storage by a containerized app on the user's device.
- Restriction of data transmission from a containerized app to other mobile apps.
- Restriction of Internet access by a containerized app.
- Monitoring of text messages sent by a containerized app on Android devices.
- Monitoring of calls made by a containerized app on Android devices.

You can install a containerized app on the user's device in one of the following ways:

- By sending the user an email with a link to the distribution kit of the containerized app.
- By specifying a containerized app as a required or allowed app in the App Control section of the policy properties window. After the mobile device is synchronized with the Administration Server, the app distribution kit in the container is automatically copied to the user device.
CREATING CONTAINERS

To create a container, follow the steps below:

1. In the console tree, in the Remote installation folder, select the Installation packages subfolder.
2. In the workspace of the Installation packages window, click the Manage mobile app packages link to open the Management of mobile app packages window.
3. In the Management of mobile app packages window, click the New button. The Mobile App Package Creation Wizard starts.
4. In the Specify installation package name window of the Wizard, enter the container name in the Name field.
5. In the Settings window of the Wizard, in the Select app field specify the file of the mobile app that you want to place into the container:
   - To create a container to be used on Android devices, select the app distribution kit with the .apk extension.
   - To create a container to be used on iOS devices, select the app file with the .ipa extension or the app distribution kit in an archive with the .zip extension (with the .app extension for Mac OS).
6. Select the Create container with the selected app check box.

The application adds the created container to the list of standalone packages in the Management of mobile app packages window. The Path field in this window shows the path in which the container is automatically stored on the Administration Server. The URL field in this window contains a link to the Kaspersky Security Center web server where the container is automatically published. If you want the container to be published on the Kaspersky Security Center web server, click the Cancel publication button.

To immediately send a link for downloading the containerized app to the user's mobile device via email, click the Send by button. To save the containerized app locally on your workstation or on the network, click the Save as button.

Using the container on Android devices does not require signing the containerized app.
Using the container on iOS devices requires signing the containerized app (see section "Signing apps in a container to be used on iOS devices" on page 70).

SIGNING APPS IN A CONTAINER TO BE USED ON IOS DEVICES

Containerized apps are signed using the make_container utility. This utility is included in the SigningUtility.zip archive that is part of the Kaspersky Endpoint Security distribution kit. A Mac OS computer is required to start the make_container utility.

The make_container utility is a console application. To launch it, use the terminal by selecting the following: Applications > Utility > Terminal.

Example of command usage for signing the Kaspersky Endpoint Security distribution kit:

Command text:

    ./make_container -s --sign d6d2b595a9e345fe4d8c bede2 ksm.cnt.com.atebits.tweetie2 ./developprof.mobileprovision -o ./output.ipa ./input.app

which specifies the following parameters:

- d6d2b595a9e345fe4d8c bede2 - hash of the developer certificate that you use. The hash is displayed in the properties of the developer certificate imported into Key Chain Access.
- ksm.cnt.com.atebits.tweetie2 - application ID.
- ./DevelopProf.mobileprovision - path to the folder where the provisioning profile is saved.
- ./output.ipa - path to the destination folder for saving the signed distribution kit of the application.
- ./input.app - path to the folder where the unsigned application file is saved.

To sign a containerized app, follow the steps below:

1. Create a container in Administration Console (see section "Creating containers" on page 70).
2. Open the folder with the distribution kit of the app that you want to sign.
3. On a Mac OS computer, start the terminal by selecting the following: Applications > Utility > Terminal.
4. In the command line of the terminal, type the command cd to open the folder with the make_container utility.
5. In the terminal command line, enter the command that starts the make_container utility, with the following required keys:
   - -s --sign - keys for signing the app distribution kit. The following settings should be specified for this key:
      - hash of the developer certificate from Key Chain Access;
      - Apple ID of the app from Kaspersky Security Center;
        It is not advisable to change the Apple ID of the signed app in the container. If you change the Apple ID, you will not be able to apply policies to the app on the mobile device.
      - path to the file of the provisioning profile.
   - -o - designates the path to the file to be created and signed. The following settings should be specified for this key:
      - path where the signed app distribution kit with the ipa extension will be saved;
      - path to the unsigned distribution kit of the app with the app / app.zip / ipa extension.
   After the command is executed, a signed distribution kit of the containerized app is created.
6. To create a manifest file together with the signed container, execute the aforementioned command with the -m key:
   - -m - key for creating the manifest file.
     The following settings should be specified for this key:
      - short name of the app to be recorded in the manifest file;
      - long name of the app to be recorded in the manifest file;
      - full path to an external server where the signed app distribution kit will be published, to be recorded in the manifest file;
      - a link to the file of the small app icon (optional parameter);
      - a link to the file of the large app icon (optional parameter).
CONFIGURING GROUP POLICY COMPLIANCE CONTROL FOR MOBILE DEVICES

This section describes how to use the Compliance control component of the app.

You can monitor mobile apps for compliance with the group policy using the Compliance control component. Compliance control checks mobile apps for compliance with the policy and, if necessary, changes the device operation settings with the use of the check rules. You can perform regular checks of users' mobile devices for compliance with a group policy. Check results are saved in reports.

You can monitor only Android devices for compliance with the group policy.

IN THIS SECTION
About Compliance control
Creating compliance check rules

ABOUT COMPLIANCE CONTROL

Compliance control of KES devices for compliance with a group policy is performed with the use of check rules. Check rules contain:

- Criteria of device compliance with a group policy. A certain parameter of the group policy acts as a criterion.
- Actions that the app takes on the device if the device does not satisfy the criteria of compliance with the group policy.

The time limit is the period of time after the device check during which the device user can personally fix any detected violations of the group policy on the device. Until the time limit expires, the app applies the action specified in the rule to the device.

You can create a mobile device check rule in the properties of a group policy using the Check Rule Wizard (see section "Creating a group policy" on page 54). The check rule that has been created can be enabled or disabled in the Compliance control section under Check rules (see section "Creating compliance check rules" on page 74). You can enable one or several check rules. Enabled check rules are applied every time mobile devices are synchronized with the Administration Server.

Device check criteria

A device check criterion is a certain parameter of the group policy.
You can specify check criteria at the first step of the Check Rule Wizard. User devices can be checked for compliance with a group policy against the following criteria:

- Real-time protection enabled. The application checks whether anti-virus protection is used on the device.
- Anti-Virus databases are up to date. The application checks whether the Anti-Virus databases of Kaspersky Endpoint Security for Android are up to date. By default, the threshold value beyond which Anti-Virus databases are considered outdated is 10 days.
- No blocked apps. The application checks the device for any blocked apps. You can create a list of blocked apps in the policy properties in the App Control section.
- No apps in blocked categories. The application checks the device for any installed apps from blocked categories. You can create a list of blocked categories in the policy properties in the App Control section.
- All required apps are installed. The application checks the mobile device to verify that all required apps are installed. You can create a list of required apps in the policy properties in the App Control section.
- Current version of the operating system is installed. The application checks the version of the operating system on the mobile device. In the Check Rule Wizard, you can specify a range of operating system versions allowed for use on the user device.
- Device is synchronized regularly. The application checks whether the device is regularly synchronized with the Administration Server. You can specify the maximum interval between synchronizations in the Check Rule Wizard.
- Operating system is not rooted. The application checks the integrity of the operating system on the mobile device.
- Device password meets corporate requirements. The application checks the number of characters in the user's system password. You can specify the minimum length of the user password in the policy properties on the Device management tab.

Actions and time limits

You can restrict usage of mobile devices that do not satisfy the check criteria and delete personal and corporate data from such devices. To this end, in the Check Rule Wizard create a list of actions to be performed on the devices and specify a time limit for each action. The time limit is the amount of time after the device check during which the device user can personally fix any violations of the requirements. If the user fails to fix the violations after this time, the application performs the actions specified by you in the check rule on the device.
You can specify the following actions:

- Block access to corporate (TouchDown). Kaspersky Endpoint Security for Android blocks the TouchDown client on the user's device; it also blocks access to the corporate email.
- Block startup of all applications. Kaspersky Endpoint Security for Android blocks the startup of all mobile apps on the user device.
- Lock. Kaspersky Endpoint Security for Android locks the user device.
- Wipe corporate data. Kaspersky Endpoint Security for Android removes the following corporate data from the user device:
   - Container data
   - Corporate Wi-Fi settings
   - Corporate access point (APN, VPN) settings
- Wipe all data. Kaspersky Endpoint Security for Android wipes all data from the user's device (such as memory card data, container data, certificates, and Wi-Fi access points).

If the same actions are specified in several check rules, the application performs each action only once. If different time limits are specified in several check rules for one and the same action, the application uses the shortest of the time limits.

If device settings are found to meet the criteria after another check of the device, the application removes the previously imposed restrictions.
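
The merging behaviour described above (each action performed once, the shortest time limit used, restrictions removed once the device complies again) can be modelled before building rules in the Check Rule Wizard. The following Python sketch is an added example, not Kaspersky code: the criterion and action names come from this guide, while the rule structure, the device-fact keys, the hour-based time limits and the sample data are assumptions made for illustration.

```python
"""Added example (not Kaspersky code): how several check rules combine."""
from dataclasses import dataclass
from typing import Callable

AV_DB_MAX_AGE_DAYS = 10  # default "outdated" threshold stated in the guide

# Criterion names are from the guide; each predicate returns True when the
# device complies. The device-fact keys are assumptions for this example.
CRITERIA: dict[str, Callable[[dict], bool]] = {
    "Real-time protection enabled": lambda d: d["realtime_protection"],
    "Anti-Virus databases are up to date":
        lambda d: d["av_db_age_days"] <= AV_DB_MAX_AGE_DAYS,
    "No blocked apps":
        lambda d: not set(d["installed_apps"]) & set(d["blocked_apps"]),
    "Operating system is not rooted": lambda d: not d["rooted"],
}


@dataclass
class CheckRule:
    criterion: str            # key into CRITERIA
    actions: dict[str, int]   # action name -> time limit in hours (assumed unit)
    enabled: bool = True      # mirrors the toggle switch in the Check rules list


def violated(rules: list[CheckRule], device: dict) -> list[CheckRule]:
    """Enabled rules whose criterion the device does not satisfy."""
    return [r for r in rules if r.enabled and not CRITERIA[r.criterion](device)]


def effective_actions(rules: list[CheckRule], device: dict) -> dict[str, int]:
    """Each action appears once, with the shortest time limit of any violated rule.

    An empty result means the device complies and restrictions are removed.
    """
    merged: dict[str, int] = {}
    for rule in violated(rules, device):
        for action, limit in rule.actions.items():
            merged[action] = min(limit, merged.get(action, limit))
    return merged


def due_actions(rules: list[CheckRule], device: dict, hours_since_check: int) -> list[str]:
    """Actions whose time limit has expired without the user fixing the violation."""
    plan = effective_actions(rules, device)
    return sorted(a for a, limit in plan.items() if hours_since_check >= limit)


# Constructed sample data (not taken from a real deployment).
RULES = [
    CheckRule("Operating system is not rooted",
              {"Lock": 0, "Wipe corporate data": 24}),
    CheckRule("Anti-Virus databases are up to date",
              {"Block startup of all applications": 48, "Wipe corporate data": 72}),
    CheckRule("No blocked apps", {"Lock": 12}),
    CheckRule("Real-time protection enabled", {"Wipe all data": 1}, enabled=False),
]
NONCOMPLIANT = {
    "realtime_protection": False,
    "av_db_age_days": 14,
    "installed_apps": ["com.example.mail", "com.example.game"],
    "blocked_apps": ["com.example.game"],
    "rooted": True,
}
REMEDIATED = {**NONCOMPLIANT, "av_db_age_days": 1,
              "installed_apps": ["com.example.mail"], "rooted": False}

if __name__ == "__main__":
    print("effective plan:", effective_actions(RULES, NONCOMPLIANT))
    print("due after 30 h:", due_actions(RULES, NONCOMPLIANT, 30))
    print("after remediation:", effective_actions(RULES, REMEDIATED))
```

Running such a model over a planned rule set shows which destructive action (for example, Wipe corporate data) would fire first when several rules overlap, because the shortest limit wins regardless of which rule it came from.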
CREATING COMPLIANCE CHECK RULES

To create a check rule for checking devices for compliance with a group policy of Kaspersky Endpoint Security for Mobile:

1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <policy name> window that opens, select the Compliance control section.
3. To receive notifications about detection of devices that do not comply with the policy, in the Notifications section select the Notify administrator check box. If a mobile device is found to violate a policy during mobile device synchronization with the Administration Server, Kaspersky Endpoint Security generates the report titled Violation detected: <name of the check criterion>. This report can be viewed in the Administration Console of Kaspersky Security Center or in the local properties of the app.
4. To notify a user that the settings of his mobile device and installed apps do not comply with the policy, in the Noncompliance notifications section select the Notify user check box. When the device is found to be in violation of the policy during device synchronization with the Administration Server, Kaspersky Endpoint Security notifies the user about this in the Status section of Corporate security.
5. In the Check rules section, compile a list of rules for checking the device for compliance with the policy. Follow the steps below:
   a. Click Add. The Check Rule Wizard starts.
   b. Follow the instructions of the Check Rule Wizard. When the wizard finishes, the new check rule for checking a device for compliance with the policy is displayed in the Check rules section in the list of check rules.
   You can modify or delete rules in the list of check rules using the Edit and Delete buttons at the top of the list.
6.
To temporarily disable a check rule that you have created, use the toggle switch opposite the selected rule.
7. Click Apply to save the changes you have made.

Kaspersky Endpoint Security checks mobile devices of users for compliance with the policy while synchronizing the devices with the Administration Server. When a policy violation is detected on the user's mobile device, the application applies the restrictions that you configured in the list of check rules.

CONFIGURING APPLICATION ACTIVATION

You can use the policy settings to configure activation of the app on the user's mobile device.

To configure the application activation settings:

1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <Policy name> window, select the Licensing section.
3. In the License section, open the Key drop-down list and select the required application activation key from the key storage of the Administration Server of Kaspersky Security Center. The details of the app for which the license has been purchased, the license expiry date, and license type are displayed in the field below.
4. To activate the app on the user's mobile device, block changes to settings.
5. Click Apply to save the changes you have made.

As a result, Kaspersky Endpoint Security is activated on the user's mobile device after the policy is applied.

CONFIGURING MANAGEMENT OF SAMSUNG DEVICES

This section describes how you can configure the settings for managing Samsung Android devices that support operation with Samsung KNOX. Settings can be configured in the properties of the group policy applied to Samsung mobile devices.

IN THIS SECTION
Configuring general settings for Samsung KNOX
Configuring Firewall for Samsung KNOX
Configuring a virtual private network for Samsung KNOX
Configuring Microsoft Exchange settings for Samsung KNOX

CONFIGURING GENERAL SETTINGS FOR SAMSUNG KNOX

To enable data transmission on the user's mobile device, configure the access point (APN) settings.

A SIM card must be inserted to be able to use an access point on the user's mobile device. Access point settings are provided by the mobile telephony operator. Incorrect access point settings may result in additional mobile telephony charges.

The access point (APN) settings can be configured on Samsung Android devices that support operation with Samsung KNOX of any version.

To configure the access point (APN) settings for the user's mobile device:

1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2.
In the Properties <Policy name> window, select the Manage Samsung devices section.
3. In the Access point (APN) section, click the Configure button. The Access point (APN) settings window opens.
4. On the General settings tab, specify the following access point settings:
   a. In the Access point type drop-down list, select the type of access point.
   b. In the Access point name field, specify the name of the access point.
   c. In the Server address field, specify the network name of the mobile carrier's server through which data transmission services are accessed.
   d. In the MCC field, enter the mobile country code (MCC).
   e. In the MNC field, enter the mobile network code (MNC).
   f. If you have selected MMS or Internet and MMS as the type of access point, specify the following additional MMS settings:
      - In the MMS server field, specify the full domain name of the mobile carrier's server used for MMS exchange.
      - In the MMS proxy server field, specify the network name or IP address of the proxy server and the port number of the mobile carrier's server used for MMS exchange.
5. On the Advanced tab, configure the Advanced Options of the access point (APN):
   a. In the Authorization type drop-down list, select the type of mobile device user's authorization on the mobile carrier's server for network access.
   b. In the Proxy server address field, specify the network name or IP address and port number of the mobile carrier's proxy server for network access.
   c. In the User name field, enter the user name for authorization on the mobile network.
   d. In the Password field, enter the password for user authorization on the mobile network.
6. Click Apply to save the changes you have made.

As a result, once the policy is applied, general access point (APN) settings will be configured on the user's mobile device.

CONFIGURING FIREWALL FOR SAMSUNG KNOX

Configure Firewall settings to monitor network connections on the user's mobile device.

Firewall settings can be configured on Samsung Android devices that support operation with Samsung KNOX of any version.

To configure the Firewall mode on the mobile device:

1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2.
In the Properties <Policy name> window, select the Manage Samsung device section:
   - If the mobile device supports Samsung KNOX ver. 1, select the KNOX 1 settings section.
   - If the mobile device supports Samsung KNOX ver. 2, select the KNOX 2 settings section.
3. In the Firewall window, click Settings. The Firewall mode window opens.
4. Select the Firewall mode:
   - To allow all inbound and outbound connections on the mobile device, move the slider down to Allow all.
   - If you want the app to block all network activity except that of apps on the list of exclusions, move the slider up to Block all but exceptions.
5. If you have set the Firewall mode to Block all but exceptions, create a list of exclusions:
   a. Click Add. The Exclusion window opens.
   In the App name field, enter the name of a mobile app.
   In the Package name field, enter the system name of the mobile app package.
   You can modify or delete apps on the list of exclusions using the Edit and Delete buttons at the top of the list.
6. Click Apply to save the changes you have made.

As a result, once the policy is applied, the inbound and outbound network connection settings will be configured on the mobile device.

CONFIGURING A VIRTUAL PRIVATE NETWORK FOR SAMSUNG KNOX 1

For a safe connection of the user's mobile device to a virtual private network, configure the settings of the device connection to the VPN.

To configure the VPN connection on a user's mobile device:

1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <Policy name> window, select the Manage Samsung devices section.
3. Select the KNOX 1 settings section.
4. In the Virtual Private Network (VPN) section, click the Configure button. The Virtual private network (VPN) settings window opens.
5. In the Network type drop-down list, select the type of VPN connection.
6. In the Name field, enter the name of the VPN tunnel.
7. In the Server address field, enter the network name or IP address of the VPN server.
8. In the DNS search domain(s) list, enter the DNS search domain to be automatically added to the DNS server name. You can specify several DNS search domains, separating them with blank spaces.
9. In the DNS server(s) field, enter the full domain name or IP address of the DNS server. You can specify several DNS servers, separating them with blank spaces.
10.
In the Routing field, enter the range of network IP addresses with which data is exchanged via the VPN connection. If the range of IP addresses is not specified in the Routing field, all Internet traffic will pass through the VPN connection.
11. You can additionally configure the following settings for networks of IPSEC_XAUTH_PSK and L2TP_IPSEC_PSK types:
   a. In the IPSec shared key field, enter the password for the preset IPSec security key.
   b. In the IPSec ID field, enter the name of the mobile device user.
12. For an L2TP_IPSEC_PSK network, you can additionally specify the password for the L2TP key in the L2TP key field.
13. For a PPTP network, you can select the Use encryption key so that the app will use the MPPE method of data encryption to secure data transmission when the mobile device connects to the VPN server.
14. Click Apply to save the changes you have made.

As a result, once the policy is applied, the VPN settings for Samsung KNOX 1 will be configured on the user's mobile device.

The following requirements should be considered when using a virtual private network:

- The application that uses the VPN connection must be allowed in Firewall settings (see section "Configuring Firewall for Samsung KNOX" on page 76).
- Virtual private network settings configured in the policy cannot be applied to system applications. The VPN connection for system applications has to be configured manually.
- Some applications that use the VPN connection need to have additional settings configured at first startup. To configure settings, the VPN connection has to be allowed in application settings.

CONFIGURING MICROSOFT EXCHANGE SETTINGS FOR SAMSUNG KNOX

To ensure corporate security on the user's mobile device, configure the settings of the Microsoft Exchange mail server.

Settings of the Microsoft Exchange mail server can be configured on Samsung Android devices that support operation with Samsung KNOX of any version.

1. Open the settings window of the Kaspersky Endpoint Security mobile app management policy (see section "Configuring a group policy for managing KES devices" on page 56).
2. In the Properties <Policy name> window, select the Manage Samsung devices section.
   - If the mobile device supports Samsung KNOX ver. 1, select the KNOX 1 settings section.
   - If the mobile device supports Samsung KNOX ver. 2, select the KNOX 2 settings section.
3. In the Exchange mail server section, click the Configure button.
   The Exchange mail server settings window opens.
4. In the Server address field, enter the IP address or DNS name of the server hosting the mail server.
5. In the Exchange Active Sync domain field, enter the name of the mobile device user's domain on the corporate network.
6. In the Synchronization interval drop-down list, select the desired interval of mobile device synchronization with the Microsoft Exchange server.
7. To use the SSL (Secure Sockets Layer) data transport protocol, select the Use encryption (SSL) check box.
8. To use digital certificates to protect transmission of messages between the mobile device and the Microsoft Exchange server, select the Verify server certificate check box.
9. Click Apply to save the changes you have made.

As a result, once the policy is applied, the Microsoft Exchange mail server settings will be configured on the user's mobile device.
CONFIGURING A GROUP POLICY FOR MANAGING EAS DEVICES

A management policy makes it possible to configure the operation settings of an EAS device: password strength, synchronization with the Microsoft Exchange server, mobile device feature restrictions, app activity restrictions. You can use policies to centrally set identical values of operation settings for mobile devices included in the administration group.

To open the properties window of the EAS device management policy for configuring settings:

1. In the tree of the Administration Console of Kaspersky Security Center, select the administration group for which you want to configure the settings of EAS device operation.
2. In the workspace of the group, select the Policies tab.
3. In the list of policies, select the EAS device management policy. If needed, you can create a new group policy using the Policy Wizard (see section "Group policies for managing mobile devices" on page 51).
4. Open the properties window of the policy by double-clicking. The Properties <policy name> window appears. In this window you can configure the group policy settings.

RESTRICTING CONFIGURATION RIGHTS

Kaspersky Security Center administrators can configure the access rights of Administration Console users for different application functions, depending on the job duties of users.

In the Administration Console interface, you can configure access rights in the Administration Server properties window on the Security and User roles tabs. The User roles tab lets you add standard user roles with a predefined set of rights. The Security section lets you configure rights for one user or a group of users or assign roles to one user or a group of users. User rights for each application are configured according to functional scopes.

For Kaspersky Mobile Device Management, you can also configure user rights according to functional scopes.
Below is a table that lists the functional scopes for managing EAS devices, and policy tabs belonging to these functional scopes.

Table 3. Rights to access application functions

FUNCTIONAL SCOPE            | POLICY TAB
Exchange ActiveSync policy  | General, Password, Synchronization, Features restrictions, Applications restrictions

For each functional area, the administrator can assign the following permissions:

- Permission to edit. The Administration Console user is allowed to change the policy settings in the properties window.
- Prohibition to edit. The Administration Console user is prohibited from changing the policy settings in the properties window. Policy tabs belonging to the functional scope for which this right has been assigned are not displayed in the interface.

For more details on managing user rights and roles in the Administration Console of Kaspersky Security Center, see the Kaspersky Security Center Administrator's Guide.
CONFIGURING UNLOCK PASSWORD STRENGTH

Set a strong unlock password to protect EAS device data. By default, when a mobile device is powered on, Kaspersky Mobile Device Management does not prompt the user to enter or set an unlock password.

To configure the strength settings for an EAS device unlock password:

1. Open the settings window of the EAS devices management policy (see section "Configuring a group policy for managing EAS devices" on page 79).
2. In the Properties <Policy name> window, select the Password section.
3. In the Password settings section, select the Prompt for password check box.
4. Configure unlock password strength settings:
   - If you want to require the user to use both letters and numbers in the password, select the Prompt for alphanumeric value check box. In the Minimum number of character sets field, specify the strength level of the alphanumeric password. Available values: from 1 to 4. The value "1" corresponds to the lowest strength level.
   - To allow the user to use the password recovery function, select the Enable password recovery check box.
   - If you want files to be encrypted in the memory of an EAS device, select the Require encryption on the device check box.
   - If you want files to be encrypted on the memory card of an EAS device, select the Require encryption on the memory card check box.
   - To allow the user to use a simple password that consists of numbers only, select the Allow simple password check box.
   - To limit the number of attempts to enter the password for accessing the device, select the Maximum number of entering attempts check box. In the field on the right of the check box, specify the number of password entry attempts that the user can make to unlock the EAS device. If the user has failed to enter the correct password after the specified number of attempts in a row, Kaspersky Mobile Device Management wipes all device data.
   - To specify the minimum length of the user password, select the Minimum password length check box. Specify the minimum number of password characters in the field on the right of the check box. Available values: 4 to 16 characters.
   - If you want Kaspersky Mobile Device Management to prompt the user to enter the password after the device has been idle for some time, select the Idle time until new attempt of password entering (min) check box. In the field on the right of the check box, specify the idle time in minutes after which the app will prompt the user to enter the password.
   - To limit the password validity period, select the Password validity period (days) check box. In the field to the right of the check box, specify the password validity period. When this period elapses, the application prompts the user to change the password.
   - In the Password history field you can specify the number of the latest old passwords that cannot be reused.
5. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, Kaspersky Mobile Device Management checks if a password is set on the user's mobile device. If the unlock password has not been set on the device, the user is prompted to set it. The password should be set taking into account the policy settings. If the device unlock password is set but does not conform to the policy, the user is prompted to change the password.
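The password settings above interact, so the following added example (not Kaspersky code) models the Password tab in Python: it range-checks a policy against the limits stated in this section, lists the settings that were left permissive, and reports why a candidate password would not conform. The field names and the grouping of characters into four sets (lowercase, uppercase, digits, symbols) are assumptions.

```python
"""Model of the EAS unlock-password settings described above (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class EasPasswordPolicy:
    # Field names are hypothetical; each maps to one control on the Password tab.
    prompt_for_password: bool = False      # "Prompt for password"
    alphanumeric_required: bool = False    # "Prompt for alphanumeric value"
    min_character_sets: int = 1            # "Minimum number of character sets", 1 to 4
    allow_simple_password: bool = False    # "Allow simple password" (numbers only)
    min_length: Optional[int] = None       # "Minimum password length", 4 to 16
    max_attempts: Optional[int] = None     # "Maximum number of entering attempts"


def validate_policy(policy: EasPasswordPolicy) -> List[str]:
    """Return range errors for values this section limits to a fixed interval."""
    errors = []
    if not 1 <= policy.min_character_sets <= 4:
        errors.append("min_character_sets must be from 1 to 4")
    if policy.min_length is not None and not 4 <= policy.min_length <= 16:
        errors.append("min_length must be from 4 to 16")
    # Sanity check only; the guide does not state a range for this field.
    if policy.max_attempts is not None and policy.max_attempts < 1:
        errors.append("max_attempts must be at least 1")
    return errors


def audit_policy(policy: EasPasswordPolicy) -> List[str]:
    """List the settings that were left at their permissive value."""
    if not policy.prompt_for_password:
        return ["no unlock password is requested (the default)"]
    findings = []
    if policy.allow_simple_password:
        findings.append("digits-only passwords are accepted")
    if not policy.alphanumeric_required:
        findings.append("letters and digits are not both required")
    if policy.min_length is None:
        findings.append("no minimum length is enforced")
    if policy.max_attempts is None:
        findings.append("failed entries never trigger a device wipe")
    return findings


def count_character_sets(password: str) -> int:
    """Count how many of four sets appear: lower, upper, digit, symbol (assumed grouping)."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def check_password(policy: EasPasswordPolicy, password: str) -> List[str]:
    """Return the reasons a candidate password would not conform to the policy."""
    if not policy.prompt_for_password:
        return []
    if not password:
        return ["no password is set"]
    problems = []
    if policy.min_length is not None and len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if password.isdigit() and not policy.allow_simple_password:
        problems.append("consists of numbers only")
    if policy.alphanumeric_required:
        has_letter = any(c.isalpha() for c in password)
        has_digit = any(c.isdigit() for c in password)
        if not (has_letter and has_digit):
            problems.append("must contain both letters and numbers")
        if count_character_sets(password) < policy.min_character_sets:
            problems.append(
                f"uses fewer than {policy.min_character_sets} character sets")
    return problems


if __name__ == "__main__":
    # Constructed sample policy and passwords, for illustration only.
    strict = EasPasswordPolicy(prompt_for_password=True, alphanumeric_required=True,
                               min_character_sets=3, min_length=8, max_attempts=10)
    for candidate in ("482913", "Tr4il-mix"):
        print(candidate, "->", check_password(strict, candidate) or "conforms")
    print("default policy:", audit_policy(EasPasswordPolicy()))
```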
CONFIGURING SYNCHRONIZATION SETTINGS

Synchronization settings have to be configured in order to enable the user of an EAS device to access messages, calendar events, contacts, and tasks on the Microsoft Exchange server. After performing synchronization, the user can manage this data in offline mode.

By default, calendar events and messages are stored on the EAS device for the entire period. The user can start synchronization with the Microsoft Exchange server without any restrictions. Downloads of attachments to the mobile device are blocked.

To configure the settings of EAS device synchronization with the Microsoft Exchange server:

1. Open the settings window of the EAS devices management policy (see section "Configuring a group policy for managing EAS devices" on page 79).
2. In the Properties <Policy name> window, select the Synchronization section.
3. In the Synchronization settings section, open the Store calendar events drop-down list and select the duration of storage of calendar events on the EAS device.
4. In the Store messages drop-down list, select how long messages should be stored on the EAS device.
5. To limit the size of messages, select the Limit size (KB) check box. In the field below, specify the size of an email message in kilobytes.
6. To allow synchronization with the Microsoft Exchange server in roaming using Direct Push technology, select the Allow Direct Push when in roaming check box.
7. To allow the user to view email in HTML format, select the Allow in HTML format check box.
8. Configure the settings for downloading attachments:
   a. To allow the user to download files attached to an email message to the EAS device, select the Allow attachments download check box. The Maximum attachment size (KB) check box becomes available.
   b. To limit the size of attachments in incoming messages, select the Maximum attachment size (KB) check box.
      In the field below, specify the size of attachments that may be uploaded on the device (in kilobytes).
9. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the settings of synchronization with the Microsoft Exchange server will be configured on the user's mobile device.

CONFIGURING DEVICE FEATURE RESTRICTIONS

Configure restrictions of device features to keep an EAS device secure. By default, the user can use features of an EAS device without restrictions.

To configure restrictions on EAS device features:

1. Open the settings window of the EAS devices management policy (see section "Configuring a group policy for managing EAS devices" on page 79).
2. In the Properties <policy name> window, select the Features restrictions section.
3. In the Features restriction settings section, allow or block usage of EAS device features:
   - To allow the user to connect memory cards and other removable drives to an EAS device, select the Allow removable drives check box.
   - To allow the user to use the EAS device camera, select the Allow camera check box.
   - To allow the user to use the Wi-Fi connection on the EAS device, select the Allow wireless network check box.
   - To allow the user to use the infrared connection port on the EAS device, select the Allow infrared connection check box.
   - If you want to allow the user to use an EAS device as a Wi-Fi access point for creating a wireless network, select the Allow using the device as Wi-Fi access point check box.
   - If you want to allow the user to connect to a remote desktop from the EAS device, select the Allow remote desktop connection from the device check box.
   - If you want to allow the user to use the Desktop ActiveSync client on the EAS device, select the Allow desktop synchronization check box.
   - In the Use of Bluetooth drop-down list, allow or block usage of Bluetooth on the EAS device:
     - Allow. Use of Bluetooth on the mobile device is allowed.
     - When using handsfree. Usage of Bluetooth is allowed when a wireless headset is connected to the mobile device.
     - Block. Use of Bluetooth on the mobile device is blocked.
4. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, restrictions on the features of the EAS device will be configured on the user's mobile device.

CONFIGURING APP RESTRICTIONS

To keep the EAS device secure, configure application activity restrictions (web browser, unsigned apps). By default, the user can use apps on the EAS device without restrictions.

To configure restrictions on application activity on the EAS device:

1. Open the settings window of the EAS devices management policy (see section "Configuring a group policy for managing EAS devices" on page 79).
2. In the Properties <policy name> window, select the Restrictions for applications section.
3. In the Applications restriction settings section, configure the app activity restrictions:
   - To allow the user to use the web browser, select the Allow use of browser check box.
   - To allow the user to create personal accounts (POP3 or IMAP4), select the Allow user mail check box.
   - To allow the user to start applications that have not been signed with an authentication certificate, select the Allow unsigned applications check box.
   - To allow the user to install applications that have not been signed with an authentication certificate, select the Allow unsigned installation packages check box.
4. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, app activity will be restricted on the user's mobile device according to the policy.
CONFIGURING A GROUP POLICY FOR MANAGING IOS MDM DEVICES

A management policy makes it possible to configure the operation settings of an iOS MDM device: security settings, restrictions, VPN networks, wireless networks, accounts (email, calendar, LDAP), and other settings. You can use policies to centrally set identical values of operation settings for mobile devices included in the administration group.

To open the properties window of the iOS MDM device management policy for configuring settings:

1. In the tree of the Administration Console of Kaspersky Security Center, select the administration group for which you want to configure the settings of iOS MDM device operation.
2. In the workspace of the group, select the Policies tab.
3. In the list of policies, select the iOS MDM device management policy. If necessary, you can create a group policy using the Policy Wizard (see section "Creating a group policy" on page 54).
4. Open the properties window of the policy by double-clicking.

The Properties <policy name> window appears. In this window you can configure the group policy settings.

RESTRICTING CONFIGURATION RIGHTS

Kaspersky Security Center administrators can configure the access rights of Administration Console users for different application functions, depending on the job duties of users.

In the Administration Console interface, you can configure access rights in the Administration Server properties window on the Security and User roles tabs. The User roles tab lets you add standard user roles with a predefined set of rights. The Security section lets you configure rights for one user or a group of users or assign roles to one user or a group of users. User rights for each application are configured according to functional scopes.

For Kaspersky Mobile Device Management, you can also configure user rights according to functional scopes.
Below is a table that lists the functional scopes for managing iOS MDM devices, and policy tabs belonging to these functional scopes.

Table 4. Rights to access application functions

FUNCTIONAL SCOPE POLICY TAB
Managing iOS MDM device settings Limitations and security General, Single Sign-On, Web Protection, Wireless networks (Wi-Fi), Access point (APN), Exchange ActiveSync, , Configuration settings Features restrictions, Applications restrictions, Media content restrictions, Password, Virtual private networks (VPN), Global HTTP proxy, Certificates, SCEP Synchronizing contacts and calendars LDAP, Calendar, Contacts, Calendar subscriptions Additional functionality Web clips, Fonts, AirPlay, AirPrint

For each functional area, the administrator can assign the following permissions:

- Permission to edit. The Administration Console user is allowed to change the policy settings in the properties window.
- Prohibition to edit. The Administration Console user is prohibited from changing the policy settings in the properties window. Policy tabs belonging to the functional scope for which this right has been assigned are not displayed in the interface.
For more details on managing user rights and roles in the Administration Console of Kaspersky Security Center, see the Kaspersky Security Center Administrator's Guide.

CONFIGURING UNLOCK PASSWORD STRENGTH

To protect iOS MDM device data, configure the unlock password strength settings.

By default, the user can use a simple password. A simple password is a password that contains successive or repetitive characters, such as "abcd" or "2222". The user is not required to enter an alphanumeric password that includes special symbols. By default, the password validity period and the number of password entry attempts are not limited.

To configure the strength settings for an iOS MDM device unlock password:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Password section.
3. In the Password settings section, select the Apply settings on device check box.
4. Configure unlock password strength settings:
   - To allow the user to use a simple password, select the Allow simple password check box.
   - If you want to require the user to use both letters and numbers in the password, select the Prompt for alphanumeric value check box.
   - In the Minimum number of characters list, select the minimum password length in characters.
   - In the Minimum number of special characters list, select the minimum number of special characters in the password (such as "$", "&", "!").
   - In the Maximum password lifetime field, specify the period of time in days during which the password will stay current. When this period expires, Kaspersky Mobile Device Management prompts the user to change the password.
   - In the Enable Auto-Lock in list, select the amount of time after which iOS MDM device Auto-Lock should be enabled.
   - In the Password history field, specify the number of passwords used (including the current password) which Kaspersky Mobile Device Management compares with the new password when the user changes the old password. If passwords match, the new password is rejected.
   - In the Maximum time for unlock without password list, select the amount of time during which the user can unlock the iOS MDM device without entering the password.
   - In the Maximum number of entering attempts, select the number of access attempts that the user can make to enter the iOS MDM device unlock password.
5. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, Kaspersky Mobile Device Management checks the strength of the password set on the user's mobile device. If the strength of the device unlock password does not conform to the policy, the user is prompted to change the password.

CONFIGURING IOS MDM DEVICE FEATURE RESTRICTIONS

To ensure compliance with corporate security requirements, configure restrictions on the operation of the iOS MDM device.
To configure iOS MDM device feature restrictions:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <policy name> window, select the Features restrictions section.
3. In the Features restriction settings section, select the Apply settings on device check box.
4. Configure iOS MDM device feature restrictions. Restrictions are described in the Annex (see section "Annex. Restrictions for iOS MDM-devices" on page 119).
5. Click the Apply button to save the changes you have made.
6. Select the Restrictions for applications section.
7. In the Applications restriction settings section, select the Apply settings on device check box.
8. Configure restrictions for apps on the iOS MDM device. Restrictions are described in the Annex (see section "Annex. Restrictions for iOS MDM-devices" on page 119).
9. Click the Apply button to save the changes you have made.
10. Select the Restrictions for Media Content section.
11. In the Media content restriction settings section, select the Apply settings on device check box.
12. Configure restrictions for media content on the iOS MDM device. Restrictions are described in the Annex (see section "Annex. Restrictions for iOS MDM-devices" on page 119).
13. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, restrictions on features, apps, and media content will be configured on the user's mobile device.

SETTING A GLOBAL HTTP PROXY

To protect the user's Internet traffic, configure the connection of the iOS MDM device to the Internet via a proxy server.

Automatic connection to the Internet via a proxy server is available for controlled devices only.

To configure global HTTP proxy settings on the user's iOS MDM device:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <policy name> window, select the Global HTTP Proxy section.
3. In the Global HTTP proxy settings section, select the Apply settings on device check box.
4. Select the type of global HTTP proxy configuration.

   By default, the manual type of global HTTP proxy configuration is selected, and the user is prohibited from connecting to captive networks without connecting to a proxy server. Captive networks are wireless networks that require preliminary authentication on the mobile device without connecting to the proxy server.
   To specify the proxy server connection settings manually:
   a. In the Proxy settings type drop-down list, select Manually.
   b. In the Proxy server address and port field, enter the name of a host or the IP address of a proxy server and the number of the proxy server port.
   c. In the User name field, set the user account name for proxy server authorization. You can use macros from the Macros available drop-down list.
   d. In the Password field, set the user account password for proxy server authorization.
   e. To allow the user to access captive networks, select the Allow access to captive networks without connecting to proxy check box.

   To configure the proxy server connection settings using a predefined PAC (Proxy Auto Configuration) file:
   a. In the Proxy settings type drop-down list, select Automatically.
   b. In the URL of PAC file field, enter the web address of the PAC file (for example:
   c. To allow the user to connect the mobile device to a wireless network without using a proxy server when the PAC file cannot be accessed, select the Allow direct connection if PAC file cannot be accessed check box.
   d. To allow the user to access captive networks, select the Allow access to captive networks without connecting to proxy check box.
5. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the mobile device user will connect to the Internet via a proxy server.

CONFIGURING SINGLE SIGN-ON

To use the corporate system with Single Sign-On (SSO) technology, a Single Sign-On account needs to be configured on the iOS MDM device. The Single Sign-On technology lets the user access the corporate applications and services after a single entry of the user's account credentials. The Single Sign-On technology uses the Kerberos authentication system.

By default, the use of the Single Sign-On technology for signing on to websites and applications is not restricted.
To configure a Single Sign-On account for an iOS MDM device user:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Single Sign-On section.
3. In the Single Sign-On settings section, select the Apply settings on device check box.
4. In the Account name field, enter the account name for authorization on the Kerberos server. You can use macros from the Macros available drop-down list.
5. In the Kerberos user name field, enter the iOS MDM device user's primary account name for Kerberos server authorization. The primary name is case-sensitive and must be specified in the primary/instance@realm format. For example: mycompany/admin@example or mycompany@example. You can use macros from the Macros available drop-down list.
6. In the Kerberos scope, enter the name of the network to which Kerberos servers and iOS MDM devices belong. The Kerberos scope must be entered using upper-case letters.
7. If you want the user to use the Single Sign-On account only on websites that have been added to the list of allowed web addresses:
   a. Select the Limit use of account for URLs check box.
   b. Click the Settings button on the right of the check box. The Allowed web addresses window opens.
   c. Create a list of websites on which automatic Single Sign-On is allowed. If the list of web address templates is empty, the user can use a Single Sign-On account to sign in to all websites within the scope of the Single Sign-On technology.
   d. Click OK to save the changes you have made.
8. If you want the user to use the Single Sign-On account only with apps that have been added to the list of app IDs:
   a. Select the Limit use of account for apps check box.
   b. Click the Settings button on the right of the check box.
   c. The App IDs window opens.
   d. In the App IDs window that has opened, create a list of apps in which automatic Single Sign-On is allowed. If the list of app IDs is empty, the user can use a single account to sign in to all apps within the scope of the Single Sign-On technology.
   e. Click OK to save the changes to the list of apps.
9. Click the Apply button to save the changes you have made.

As a result, the Single Sign-On account is configured on the user's mobile device after the policy is applied.

CONFIGURING ACCESS TO WEBSITES

Configure Web Protection settings to control the iOS MDM device user's access to websites. Web Protection controls the user's access to websites based on predefined lists of allowed and blocked websites. Web Protection also lets you add website bookmarks on the bookmark panel in Safari.

By default, access to the website is not restricted.
Web Protection settings can be configured for controlled devices only.

To configure access to websites on the user's iOS MDM device:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Web Protection section.
3. In the Web Protection settings section, select the Apply settings on device check box.
4. To block access to blocked websites and allow access to allowed websites:
   a. In the Web Filter Mode drop-down list, select the Limit adult content mode.
   b. In the Allowed websites section, create a list of allowed websites. The website address should begin with " or " Kaspersky Mobile Device Management allows access to all websites in the domain. For example, if you have added to the list of allowed websites, access is allowed to and If the list of allowed websites is empty, the application allows access to all websites other than those included in the list of blocked websites.
   c. In the Blocked websites section, create a list of blocked websites. The website address should begin with " or " Kaspersky Mobile Device Management blocks access to all websites in the domain.
5. To block access to all websites other than allowed websites on the tab list:
   a. In the Web Filter Mode drop-down list, select the Allow bookmarked websites only mode.
   b. In the Bookmarks section, create a list of bookmarks of allowed websites. The website address should begin with " or " Kaspersky Mobile Device Management allows access to all websites in the domain. If the bookmark list is empty, the application allows access to all websites. Kaspersky Mobile Device Management adds websites from the list of bookmarks on the bookmarks tab in Safari in the user's mobile device.
6. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, Web Filter will be configured on the user's mobile device according to the mode selected and lists created.

CONNECTION TO A WIRELESS NETWORK

For an iOS MDM device to connect automatically to an available wireless network and protect data during the connection, configure the connection settings.

To configure the connection of an iOS MDM device to a wireless network:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Wireless networks (Wi-Fi) section.
3. Click the Add button in the Wireless networks settings section. The Wireless network window opens.
4. In the SSID field, enter the name of the wireless network that includes the access point (SSID).
5. If you want the iOS MDM device to connect to the wireless network automatically, select the Automatic connection check box.
6. If you want a wireless network to be hidden in the list of available networks on the iOS MDM device, select the Hidden Network check box. In this case, to connect to the network the user needs to manually enter the network SSID specified in the settings of the Wi-Fi router on the mobile device.
7. In the Network protection drop-down list, select the type of protection of the wireless network connection:
   - Disabled. User authentication is not required.
   - WEP. The network is protected using Wireless Encryption Protocol (WEP).
   - WPA/WPA2 Personal. The network is protected using WPA / WPA2 protocol (Wi-Fi Protected Access).
   - Any (Personal). The network is protected using WEP or WPA / WPA2 protocol depending on the type of Wi-Fi router. An encryption key unique to each user is used for authentication.
   - WEP Dynamic. The network is protected using the WEP protocol with the use of a dynamic key.
   - WPA/WPA2 Enterprise. The network is protected using the WPA / WPA2 protocol with the use of one key shared by all users.
   - Any (Enterprise). The network is protected using WEP or WPA / WPA2 protocol depending on the type of Wi-Fi router. One encryption key shared by all users is used for authentication.

   If in the Network protection list you select WEP Dynamic, WPA/WPA2 Enterprise, or Any (Enterprise), in the Protocols list you can select the type of EAP protocol (Extensible Authentication Protocol) for user authentication on the wireless network.

   In the Trusted certificates section, you can also create a list of trusted certificates for authentication of the iOS MDM device user on trusted servers.
8. Configure the settings of the account for user authentication upon connection of the iOS MDM device to a wireless network:
   a. In the Authentication section, click the Settings button. The Authentication window opens.
   b. In the User name field, enter the account name for user authentication upon connection to a wireless network.
   c. If you want the user to enter the password manually at each connection to a wireless network, select the Prompt for password at each connection check box.
   d. In the Password field, enter the password of the account for authentication on a wireless network.
   e. In the Authentication certificate drop-down list, select a certificate for user authentication on the wireless network.
      If there are no certificates in the list, you can add them in the Certificates section (see section "Adding security certificates" on page 107).
   f. In the User ID field, enter the user ID displayed during data transmission upon authentication instead of the user's real name. The user ID is designed to make the authentication process more secure, as the user name is not displayed openly, but transmitted via an encrypted TLS tunnel.
   g. Click OK.

   As a result, the settings of the account for user authentication at the connection to a wireless network will be configured on the iOS MDM device.
9. If necessary, configure the settings of the wireless network connection via a proxy server:
   a. In the Proxy server section, click the Settings button.
   b. In the Proxy server window that opens, select the proxy server configuration mode and specify the connection settings.
   c. Click OK.

   As a result, the settings of the device connection to a wireless network via a proxy server are configured on the iOS MDM device.
10. Click OK. The new wireless Wi-Fi network is displayed in the list.
11. Click the Apply button to save the changes you have made.
As a result, a Wi-Fi network connection will be configured on the user's iOS MDM device once the policy is applied. The user's mobile device will automatically connect to available wireless networks. Data security during a Wi-Fi network connection is ensured by the authentication technology.

CONFIGURING USER DATA PROTECTION WITH EAP PROTOCOLS

If in the Network protection list you have selected the value WEP Dynamic, WPA/WPA2 Enterprise or Any (Enterprise) (see section "Connecting to a wireless network" on page 88), you should configure protection of user data using the EAP protocol (Extensible Authentication Protocol).

To configure protection of user data using EAP protocols:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Wireless network (Wi-Fi) section.
3. Click the Add button in the Wireless networks settings section. The Wireless network window opens.
4. In the Protocols section, click the Settings button. The Protocols window opens.
5. In the EAP types section, select the types of EAP protocols:
   - TLS. Transport Layer Security protocol.
   - TTLS. Tunneled Transport Layer Security protocol.
   - LEAP. Lightweight Extensible Authentication Protocol. This protocol supports interoperation with Cisco Aironet devices.
   - PEAP. Protected Extensible Authentication Protocol through a TLS tunnel.
   - EAP-FAST. Flexible Authentication via Secure Tunneling.
   - EAP-SIM. Subscriber Identity Module protocol.
   - EAP-AKA. Universal Subscriber Identity Module protocol.
6. In the EAP-FAST section, configure the settings of the Flexible Authentication via Secure Tunneling protocol.
   - To use the PAC (Protected Access Credential) encryption key for user identification, select the Use Protected Access Credential (PAC) check box.
   - To prepare the PAC key for user identification via the EAP-FAST protocol, select the Allow automatic delivery of PAC check box.
   - To prepare an anonymous PAC key for user identification via the EAP-FAST protocol, select the Allow using PAC anonymously check box.
7. Click OK.

As a result, user identification with the aid of EAP protocols will be configured on the iOS MDM device.
CREATING A LIST OF TRUSTED CERTIFICATES

If in the Network protection list you have selected the value WEP Dynamic, WPA/WPA2 Enterprise or Any (Enterprise) (see section "Connecting to a wireless network" on page 88), you should create a list of trusted certificates for authentication of the iOS MDM device user on trusted servers. A trusted certificate is a certificate whose authenticity has been confirmed by the Certification Center.

To create a list of trusted certificates:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Wireless networks (Wi-Fi) section.
3. Click the Add button in the Wireless networks settings section. The Wireless network window opens.
4. In the Trusted certificates section, click the Settings button.
5. The Trusted certificates window opens.
6. In the Trusted certificates section, create a list of trusted certificates.
7. In the Names of trusted servers section, compile a list of servers that require authentication using trusted certificates. You can specify the full name of a server, such as server.mycompany.com, or only a part of the server name, such as *.mycompany.com.
8. Click OK.

As a result, a list of trusted certificates for user authentication on trusted servers is created on the iOS MDM device.

CONFIGURING THE VPN CONNECTION

To connect an iOS MDM device to a virtual private network and protect data during the connection to the VPN, configure the VPN connection settings.

To configure the VPN connection on a user's iOS MDM device:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Virtual private networks (VPN) section.
3. Click the Add button in the Settings of virtual private networks section. The Settings of virtual private networks (VPN) window opens.
4. In the Network name field, enter the name of the VPN tunnel.
5. In the Connection type drop-down list, select the type of VPN connection:
   - L2TP (Layer 2 Tunneling Protocol). The connection supports authentication of iOS MDM mobile device user using MS-CHAP v2 passwords, two-factor authentication, and automatic authentication using a public key.
   - PPTP (Point-to-Point Tunneling Protocol). The connection supports authentication of iOS MDM mobile device user using MS-CHAP v2 passwords and two-factor authentication.
   - IPSec (Cisco). The connection supports password-based user authentication, two-factor authentication, and automatic authentication using a public key and certificates.
   - Cisco AnyConnect. The connection supports the Cisco Adaptive Security Appliance (ASA) firewall of version 8.0(3).1 or later. To configure the VPN connection, install the Cisco AnyConnect app from App Store on the iOS MDM mobile device.
   - Juniper SSL. The connection supports the Juniper Networks SSL VPN gateway, Series SA, of version 6.4 or later with the Juniper Networks IVE package of version 7.0 or later. To configure the VPN connection, install the JUNOS app from App Store on the iOS MDM mobile device.
   - F5 SSL. The connection supports F5 BIG-IP Edge Gateway, Access Policy Manager, and Fire SSL VPN solutions. To configure the VPN connection, install the F5 BIG-IP Edge Client app from App Store on the iOS MDM mobile device.
   - SonicWALL Mobile Connect. The connection supports SonicWALL Aventail E-Class Secure Remote Access devices of version or later, SonicWALL SRA devices of version 5.5 or later, as well as SonicWALL Next-Generation Firewall devices, including TZ, NSA, E-Class NSA with SonicOS of version or later. To configure the VPN connection, install the SonicWALL Mobile Connect app from App Store on the iOS MDM mobile device.
   - Aruba VIA. The connection supports Aruba Networks mobile access controllers. To configure them, install the Aruba Networks VIA app from App Store on the iOS MDM mobile device.
   - Custom SSL. The connection supports authentication of the iOS MDM mobile device user using passwords and certificates and two-factor authentication.
6. In the Server address field, enter the network name or IP address of the VPN server.
7. In the Account name field, enter the account name for authorization on the VPN server. You can use macros from the Macros available drop-down list.
8. Configure the security settings for the VPN connection according to the selected type of virtual private network. Additional detailed instructions on configuring the VPN connection are provided in this section below.
9. If necessary, configure the settings of the VPN connection via a proxy server:
   a. Select the Proxy server settings tab.
   b. Select the proxy server configuration mode and specify the connection settings.
   c. Click OK.

   As a result, the settings of the device connection to a VPN via a proxy server are configured on the iOS MDM device.
10. Click OK. The new VPN appears in the list.
11. Click the Apply button to save the changes you have made.

As a result, a VPN connection will be configured on the user's iOS MDM device once the policy is applied.

CONFIGURING AN L2TP CONNECTION

To configure the security settings for an L2TP connection to the VPN:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Virtual private networks (VPN) section.
3. Click the Add button in the Settings of virtual private networks section.
   The Settings of virtual private networks (VPN) window opens.
4. In the Connection type drop-down list, select L2TP.
5. In the Authentication type section, select the method of authentication of the iOS MDM device user on the virtual private network:
   - RSA SecureID. Two-factor authentication of an iOS MDM mobile device user using the RSA SecureID token and a public key. Enter the key in the Shared Secret field for user authentication.
   - Password. Password-based authentication of the iOS MDM mobile device user. Enter the password in the field below for user authentication.
6. In the Shared key field, enter the password for the preset IPSec security key.
7. If you want to route all outbound traffic via the VPN connection even when a different network service is used (such as AirPort or Ethernet), select the Send all traffic via VPN connection check box.
8. Click OK.

CONFIGURING A PPTP CONNECTION

To configure the security settings for a PPTP connection to the VPN:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Virtual private networks (VPN) section.
3. Click the Add button in the Settings of virtual private networks section.
   The Settings of virtual private networks (VPN) window opens.
4. In the Connection type drop-down list, select PPTP.
5. In the Authentication type section, select the method of authentication of the iOS MDM device user on the virtual private network:
   - RSA SecureID. Two-factor authentication of an iOS MDM mobile device user using the RSA SecureID token and a public key.
   - Password. Password-based authentication of the iOS MDM mobile device user. Enter the password in the field below for user authentication.
6. In the Encryption level drop-down list, select the level of encryption of data transmitted through the VPN connection via the PPTP protocol:
   - None. Encryption is disabled.
   - Automatic. Kaspersky Mobile Device Management automatically specifies the data encryption algorithm.
   - 128 bit maximum. A data encryption algorithm with a key no longer than 128 bits is used.
7. If you want to route all outbound traffic via the VPN connection even when a different network service is used (such as AirPort or Ethernet), select the Send all traffic via VPN connection check box.
8. Click OK.
CONFIGURING AN IPSEC CONNECTION (CISCO)

To configure the security settings for an IPSec (Cisco) connection to the VPN:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Virtual private networks (VPN) section.
3. Click the Add button in the Settings of virtual private networks section.
   The Settings of virtual private networks (VPN) window opens.
4. In the Connection type drop-down list, select IPSec (Cisco).
5. In the Authentication type section, select the type of authentication of the iOS MDM device user on the virtual private network:
   - Shared Secret / Group name: authentication of a user that is a group member using a public key.
   - Certificate: user authentication by means of a certificate.
6. If the selected authentication type is Shared Secret / Group name, configure the following settings:
   - Group name;
   - Shared Secret;
   - Use hybrid authentication;
   - Prompt for password on device.
7. If the selected authentication type is Certificate, configure the following settings:
   - On the General tab, select / clear the Prompt for PIN check box.
   - On the Advanced Options tab:
     - Certificates;
     - Enable VPN on connection of domains;
     - Idle time before disconnection.
8. Click OK.

CONFIGURING A CONNECTION WITH CISCO ANYCONNECT

To configure the security settings for a Cisco AnyConnect connection to the VPN:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Virtual private networks (VPN) section.
3. Click the Add button in the Settings of virtual private networks section.
   The Settings of virtual private networks (VPN) window opens.
4. In the Connection type drop-down list, select Cisco AnyConnect.
5. In the Group field, enter the alias of the tunneling group for Cisco AnyConnect clients connecting to the VPN.
6. Select the Advanced Options tab.
7. In the User authentication drop-down list, choose the type of iOS MDM mobile device user authentication upon connection to the VPN via the Cisco AnyConnect protocol:
   - Password: user authentication using a password. Enter the password in the Password field for user authentication on the virtual private network.
   - Certificate: user authentication by means of a certificate. For the purpose of user authentication on the virtual private network, configure the following settings on the Additional settings tab:
     - Certificates;
     - Enable VPN on connection of domains;
     - Idle time before disconnection.
8. Click OK.

CONFIGURING A JUNIPER SSL CONNECTION

To configure the security settings for the Juniper SSL connection to the VPN:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Virtual private networks (VPN) section.
3. Click the Add button in the Settings of virtual private networks section.
   The Settings of virtual private networks (VPN) window opens.
4. In the Connection type drop-down list, select Juniper SSL.
5. In the Scope field, enter the name of the network that includes VPN servers and iOS MDM mobile devices for the VPN connection established using Juniper SSL.
6. In the Role field, enter the name of the user role according to which the user obtains access to resources using Juniper SSL. A role can combine several users performing similar functions.
7. Select the Advanced Options tab.
8. In the User authentication drop-down list, choose the type of iOS MDM mobile device user authentication upon connection to the VPN via the Juniper SSL protocol:
   - Password: user authentication using a password. Enter the password in the Password field for user authentication on the virtual private network.
   - Certificate: user authentication by means of a certificate. For the purpose of user authentication on the virtual private network, configure the following settings:
     - Certificates;
     - Enable VPN on connection of domains;
     - Idle time before disconnection.
9. Click OK.
CONFIGURING AN F5 SSL CONNECTION

To configure the security settings for the F5 SSL connection to the VPN:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Virtual private networks (VPN) section.
3. Click the Add button in the Settings of virtual private networks section.
   The Settings of virtual private networks (VPN) window opens.
4. In the Connection type drop-down list, select F5 SSL.
5. Select the Advanced Options tab.
6. In the User authentication drop-down list, choose the type of iOS MDM mobile device user authentication upon connection to the VPN via the F5 SSL protocol:
   - Password: user authentication using a password. Enter the password in the Password field for user authentication on the virtual private network.
   - Certificate: user authentication by means of a certificate. For the purpose of user authentication on the virtual private network, configure the following settings:
     - Certificates;
     - Enable VPN on connection of domains;
     - Idle time before disconnection.
   - Password + Certificate: user authentication using a password and certificate.
7. Click OK.

CONFIGURING A CONNECTION WITH SONICWALL MOBILE CONNECT

To configure the security settings for a SonicWALL Mobile Connect connection to the VPN:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Virtual private networks (VPN) section.
3. Click the Add button in the Settings of virtual private networks section.
   The Settings of virtual private networks (VPN) window opens.
4. In the Connection type drop-down list, select SonicWALL Mobile Connect.
5. In the Domain or Group field, enter the domain name of the SSL VPN server (example: vpn.company.com) or the name of a group of SonicWALL Mobile Connect users.
6. Select the Advanced Options tab.
7. In the User authentication drop-down list, choose the type of iOS MDM mobile device user authentication upon connection to the VPN via the SonicWALL Mobile Connect protocol:
   - Password: user authentication using a password. Enter the password in the Password field for user authentication on the virtual private network.
   - Certificate: user authentication by means of a certificate. For the purpose of user authentication on the virtual private network, configure the following settings:
     - Certificates;
     - Enable VPN on connection of domains;
     - Idle time before disconnection.
8. Click OK.

CONFIGURING A CONNECTION WITH ARUBA VIA

To configure the security settings for the Aruba VIA connection to the VPN:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Virtual private networks (VPN) section.
3. Click the Add button in the Settings of virtual private networks section.
   The Settings of virtual private networks (VPN) window opens.
4. In the Connection type drop-down list, select Aruba VIA.
5. Select the Advanced Options tab.
6. In the User authentication drop-down list, choose the type of iOS MDM device user authentication upon connection to the VPN via the Aruba VIA protocol:
   - Password: user authentication using a password. Enter the password in the Password field for user authentication on the virtual private network.
   - Certificate: user authentication by means of a certificate. For the purpose of user authentication on the virtual private network, configure the following settings:
     - Certificates;
     - Enable VPN on connection of domains;
     - Idle time before disconnection.
7. Click OK.

CONFIGURING A CUSTOM SSL CONNECTION

To configure the security settings for the Custom SSL connection to the VPN:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Virtual private networks (VPN) section.
3. Click the Add button in the Settings of virtual private networks section.
   The Settings of virtual private networks (VPN) window opens.
4. In the Connection type drop-down list, select Custom SSL.
5. In the ID (reverse-dns record) field, enter the DNS name of the iOS MDM mobile device for the Custom SSL VPN connection (for example: com.example.vpn).
6. In the Custom data section, create a list with the key / value pairs with additional settings for the Custom SSL connection.
7. Select the Advanced Options tab.
8. In the User authentication drop-down list, choose the type of iOS MDM mobile device user authentication upon connection to the VPN via the Custom SSL protocol:
   - Password: user authentication using a password. Enter the password in the Password field for user authentication on the virtual private network.
   - Certificate: user authentication by means of a certificate. For the purpose of user authentication on the virtual private network, configure the following settings:
     - Certificates;
     - Enable VPN on connection of domains;
     - Idle time before disconnection.
9. Click OK.

CONNECTING TO AIRPLAY DEVICES

Configure the connection to AirPlay devices to enable streaming of music, photos, and videos from the iOS MDM device to AirPlay devices. To be able to use AirPlay technology, the mobile device and AirPlay devices must be connected to the same wireless network. AirPlay devices include Apple TV devices (of the second and third generations), AirPort Express devices, speakers or radio sets with AirPlay support.

Automatic connection to AirPlay devices is available for controlled devices only.

To configure the connection of an iOS MDM device to AirPlay devices:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the AirPlay section.
3. In the AirPlay settings section, select the Apply settings on device check box.
4. Click the Add button in the Passwords section.
   An empty row is added in the password table.
5. In the Device name column, enter the name of the AirPlay device on the wireless network.
6. In the Password column, enter the password to the AirPlay device.
7. To restrict access of iOS MDM devices to AirPlay devices, create a list of allowed devices in the Allowed devices section. To do so, add the MAC addresses of AirPlay devices to the list of allowed devices.
   Access to AirPlay devices that are not on the list of allowed devices is blocked. If the list of allowed devices is left blank, Kaspersky Mobile Device Management allows access to all AirPlay devices.
8. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user's mobile device will automatically connect to AirPlay devices to stream media content.

CONNECTING TO AN AIRPRINT PRINTER

To enable printing of documents from the iOS MDM device wirelessly using AirPrint technology, configure automatic connection to AirPrint printers. To be able to use AirPrint technology, the mobile device and printer must be connected to the same mobile network. Shared access for all users has to be configured on the AirPrint printer.

To configure the connection of an iOS MDM device to an AirPrint printer:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the AirPrint section.
3. Click the Add button in the Printers section.
   The Printers window opens.
4. In the IP address field, enter the IP address of the AirPrint printer.
5. In the Resource Path field, enter the path to the AirPrint printer.
   The path to the printer corresponds to the rp (resource path) key of the Bonjour protocol. For example:
   - printers/canon_mg5300_series;
   - ipp/print;
   - Epson_IPP_Printer.
6. Click OK.
   The newly added AirPrint printer appears on the list.
7. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the mobile device user can wirelessly print documents on the AirPrint printer.

ADDING AN ACCOUNT

To enable the iOS MDM device user to use e-mail, add the user's account.

By default, the account is added with the following settings:

- protocol IMAP;
- The user can move messages between the user's accounts and synchronize account addresses;
- The user can use any clients (other than Mail) to use e-mail;
- Outbound messages from the user's device are not S/MIME encrypted;
- The SSL connection is not used during transmission of messages.

You can edit the specified settings when adding the account.

To add an account of the iOS MDM device user:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <policy name> window, select the section.
3. Click the Add button in the accounts section.
   The account window opens.
4. In the Account description field, enter a description of the user's account.
5. Select the protocol:
   - POP;
   - IMAP.
6. If necessary, specify the IMAP path prefix in the IMAP path prefix field.
   The IMAP path prefix must be entered using upper-case letters (for example: GMAIL for Google Mail). This field is available if the IMAP account protocol is selected.
7. In the User name as displayed in messages field, enter the user name to be displayed in the From: field for all outgoing messages.
8. In the address field, specify the address of the iOS MDM device user.
9. Configure Advanced Options of the account:
   - To allow the user to move messages between the user's accounts, select the Allow movement of messages between accounts check box.
   - To allow the addresses used to be synchronized between user accounts, select the Allow sync of recent addresses check box.
   - If you want the user to use only the standard iOS client, select the Allow use of Mail only check box.
   - If you want to use the S/MIME protocol for encrypting outgoing mail, select the Use S/MIME check box.
10. In the Inbound mail server and Outbound mail server sections, click the Settings button to configure the server connection settings:
    - Server address and port: Names of hosts or IP addresses of inbound mail servers and outbound mail servers and server port numbers.
    - Account name: Name of the user's account for inbound and outbound mail server authorization.
    - Authentication type: Type of user's account authentication on inbound mail servers and outbound mail servers.
    - Password: Account password for authentication on the inbound and outbound mail server protected using the selected authentication method.
    - Use SSL connection: usage of the SSL (Secure Sockets Layer) data transport protocol that uses encryption and certificate-based authentication to secure data transmission.
11. Click OK.
    The new account appears in the list.
12. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, accounts from the compiled list will be added on the user's mobile device.

ADDING AN EXCHANGE ACTIVESYNC ACCOUNT

To enable the iOS MDM device user to use corporate e-mail, calendar, contacts, notes, and tasks, add the user's Exchange ActiveSync account on the Microsoft Exchange server.

By default, an account with the following settings is added on the Microsoft Exchange server:

- E-mail is synchronized once per week;
- The user can move messages between the user's accounts and synchronize account addresses;
- The user can use any clients (other than Mail) to use e-mail;
- Outbound messages from the user's device are not S/MIME encrypted;
- The SSL connection is not used during transmission of messages.

You can edit the specified settings when adding the Exchange ActiveSync account.

To add the Exchange ActiveSync account of the iOS MDM device user:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <policy name> window, select the Exchange ActiveSync section.
3. Click the Add button in the Exchange ActiveSync accounts section.
   The Exchange ActiveSync account window opens on the General tab.
4. In the Account name field, enter the account name for authorization on the Microsoft Exchange server. You can use macros from the Macros available drop-down list.
5. In the Server address field, enter the network name or IP address of the Microsoft Exchange server.
6. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of data, select the Use SSL connection check box.
7. In the Domain field, enter the name of the iOS MDM device user's domain. You can use macros from the Macros available drop-down list.
8. In the User Name field, enter the name of the iOS MDM device user.
   If you leave this field blank, Kaspersky Mobile Device Management prompts the user to enter the user name when applying the policy on the iOS MDM device. You can use macros from the Macros available drop-down list.
9. In the address field, specify the address of the iOS MDM device user. You can use macros from the Macros available drop-down list.
10. In the Password field, enter the password of the Exchange ActiveSync account for authorization on the Microsoft Exchange server.
11. Select the Advanced Options tab and configure Advanced Options of the Exchange ActiveSync account:
    - Number of Days to Sync Mail for;
    - Authentication type;
    - Allow movement of messages between accounts;
    - Allow sync of recent addresses;
    - Allow use of Mail only;
    - Use S/MIME;
    - Signing certificate;
    - Encryption certificate.
12. Click OK.
    The new Exchange ActiveSync account appears in the list.
13. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, Exchange ActiveSync accounts from the compiled list will be added on the user's mobile device.

ADDING AN LDAP ACCOUNT

To enable the iOS MDM device user to access corporate contacts on the LDAP server, add the LDAP account.

To add the LDAP account of the iOS MDM device user:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the LDAP section.
3. Click the Add button in the LDAP accounts section.
   The LDAP Account and search settings window opens.
4. In the Account description field, enter a description of the user's LDAP account. You can use macros from the Macros available drop-down list.
5. In the Account name field, enter the account name for authorization on the LDAP server. You can use macros from the Macros available drop-down list.
6. In the Password field, enter the password of the LDAP account for authorization on the LDAP server.
7. In the Server address field, enter the name of the LDAP server domain. You can use macros from the Macros available drop-down list.
8. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of messages, select the Use SSL connection check box.
9. Compile a list of search queries for the iOS MDM mobile device user access to corporate data on the LDAP server:
   a. Click the Add button in the Search settings section.
      A blank row appears in the table with search queries.
   b. In the Name column, enter the name of a search query.
   c. In the Search scope column, select the nesting level of the folder for the corporate data search on the LDAP server:
      - Base: search in the base folder of the LDAP server.
      - One level: search in folders on the first nesting level counting from the base folder.
      - Subtree: search in folders on all nesting levels counting from the base folder.
   d. In the Search base column, enter the path to the folder on the LDAP server with which the search begins (for example: "ou=people", "o=example corp").
   e. Repeat steps a-d for all search queries that you want to add to the iOS MDM device.
10. Click OK.
    The new LDAP account appears in the list.
11. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, LDAP accounts from the compiled list will be added on the user's mobile device. The user can access corporate contacts in the standard iOS apps: Contacts, Messages, and Mail.

ADDING A CALENDAR ACCOUNT

To enable the iOS MDM device user to access the user's calendar events on the CalDAV server, add the CalDAV account. Synchronization with the CalDAV server enables the user to create and receive invitations, receive event updates, and synchronize tasks with the Reminders app.

To add the CalDAV account of the iOS MDM device user:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Calendar section.
3. Click the Add button in the CalDAV accounts section.
   The CalDAV account window opens.
4. In the Account description field, enter a description of the user's CalDAV account. You can use macros from the Macros available drop-down list.
5. In the Server address and port field, enter the name of a host or the IP address of a CalDAV server and the number of the CalDAV server port.
6. In the Main URL field, specify the URL of the CalDAV account of the iOS MDM device user on the CalDAV server (for example: The URL should begin with " or "
7. In the Account name field, enter the account name for authorization on the CalDAV server. You can use macros from the Macros available drop-down list.
8. In the Account password field, set the CalDAV account password for authorization on the CalDAV server.
9. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of event data between the CalDAV server and the mobile device, select the Use SSL connection check box.
10. Click OK.
    The new CalDAV account appears in the list.
11. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, CalDAV accounts from the compiled list will be added on the user's mobile device.

ADDING A CONTACTS ACCOUNT

To enable the iOS MDM device user to synchronize data with the CardDAV server, add the CardDAV account. Synchronization with the CardDAV server enables the user to access the contact details from any device.

To add the CardDAV account of the iOS MDM device user:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Contacts section.
3. Click the Add button in the CardDAV accounts section.
   The CardDAV account window opens.
4. In the Account description field, enter a description of the user's CardDAV account. You can use macros from the Macros available drop-down list.
5. In the Server address and port field, enter the name of a host or the IP address of a CardDAV server and the number of the CardDAV server port.
6. In the Main URL field, specify the URL of the CardDAV account of the iOS MDM device user on the CardDAV server (for example: The URL should begin with " or "
7. In the Account name field, enter the account name for authorization on the CardDAV server. You can use macros from the Macros available drop-down list.
8. In the Account password field, set the CardDAV account password for authorization on the CardDAV server.
9. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of contacts between the CardDAV server and the mobile device, select the Use SSL connection check box.
10. Click OK.
    The new CardDAV account appears in the list.
11. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, CardDAV accounts from the compiled list will be added on the user's mobile device.

CONFIGURING CALENDAR SUBSCRIPTION

To enable the iOS MDM device user to add events of shared calendars (such as the corporate calendar) to the user's calendar, add a subscription to this calendar. Shared calendars are calendars of other users who have a CalDAV account, iCal calendars, and other openly published calendars.
To add a calendar subscription:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Calendar subscription section.
3. Click the Add button in the Subscription settings section.
   The Subscribed Calendar window opens.
4. In the Description field, enter a description of the calendar subscription. You can use macros from the Macros available drop-down list.
5. In the URL field, specify the URL of a shared calendar.
   In this field, you can enter the main URL of the CalDAV account of the user to whose calendar you are subscribing. You can also specify the URL of an iCal calendar or a different openly published calendar.
6. In the User name field, enter the name of the user's account for authorization on the shared calendar server. You can use macros from the Macros available drop-down list.
7. In the Password field, enter the calendar subscription password for authorization on the shared calendar server.
8. To use the SSL (Secure Sockets Layer) data transport protocol to secure the transmission of event data between the CalDAV server and the mobile device, select the Use SSL connection check box.
9. Click OK.
   The new calendar subscription appears in the list.
10. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, events from the shared calendars on the list will be added to the calendar on the user's mobile device.

ADDING WEB CLIPS

A web clip is an app that opens a website from the Home screen of the mobile device. By clicking web clip icons on the home screen of the device, the user can quickly open websites (such as the corporate website). You can add web clips to user devices and configure the appearance of the web clip icon displayed on the screen.

By default, the following restrictions on web clip usage apply:

- The user cannot manually remove web clips from the mobile device.
- Websites that open when the user clicks a web clip icon do not open in full-screen mode.
- The corner rounding, shadow, and gloss visual effects are applied to the web clip icon on the screen.

To add a web clip on a user's iOS MDM device:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Web Clips section.
3. Click the Add button in the Web Clip settings section.
   The Web Clips window opens.
4. In the Name field, enter the name of the web clip to be displayed on the home screen of the iOS MDM device.
5. In the URL field, enter the web address of the website that will open when the web clip icon is clicked. The address should begin with " or "
6. To allow the user to remove a web clip from the iOS MDM device, select the Allow removal check box.
7. Click the Select button and specify the file with the image for the web clip icon.
   The icon is displayed on the home screen of the iOS MDM device. The image must meet the following requirements:
   - Image size no greater than 400 x 400 pixels
   - File format: GIF, JPEG, or PNG
   - File size no greater than 1 MB
   The web clip icon is available for preview in the Icon field. If you do not select an image for the web clip, a white square is displayed as the icon.
8. If you want the web clip icon to be displayed without special visual effects (rounding of icon corners and gloss effect), select the Precomposed icon check box.
9. If you want the website to open in full-screen mode on the iOS MDM device when you click the icon, select the Full screen Web Clip check box.
10. Click OK.
    The new web clip appears in the list.
11. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, web clip icons from the list you have created are added on the home screen of the user's mobile device.

ADDING FONTS

To add a font on a user's iOS MDM device:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Fonts section.
3. Click the Add button in the Font settings section.
   The Font window opens.
4. In the File name field, specify the path to the font file (a file with the .ttf or .otf extension).
   Fonts with the ttc or otc extension are not supported.
   Fonts are identified using the PostScript name. Do not install fonts with the same PostScript name even if their content is different. Installing fonts with the same PostScript name will result in an undefined error.
5. Click Open.
   The new font appears in the list.
6. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user will be prompted to install fonts from the list that has been created.
ADDING SECURITY CERTIFICATES

To simplify user authentication and ensure data security, add certificates on the user's iOS MDM device. Data signed with a certificate is protected against modification during network exchange. Data encryption using a certificate provides an added level of security for data. The certificate can also be used to verify the user's identity.

Kaspersky Mobile Device Management supports the following certificate standards:

- PKCS#1: encryption with a public key based on RSA algorithms.
- PKCS#12: storage and transmission of a certificate and a private key.

To add a security certificate on a user's iOS MDM device:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Certificates section.
3. Click the Add button in the Certificate settings section. The Certificate window opens.
4. In the File name field, specify the path to the certificate:
   - Files of PKCS#1 certificates have the cer, crt, or der extensions.
   - Files of PKCS#12 certificates have the p12 or pfx extensions.
5. Click Open. If the certificate is password-protected, specify the password. The new certificate appears in the list.
6. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user will be prompted to install certificates from the list that has been created.

CONFIGURING THE SCEP PROFILE

You have to add a SCEP profile to enable the iOS MDM device user to automatically receive certificates from the Certification Center via the Internet. The SCEP profile enables support of the Simple Certificate Enrollment Protocol.

A SCEP profile with the following settings is added by default:

- The alternative subject name is not used for registering certificates.
- Three attempts 10 seconds apart are made to poll the SCEP server. If all attempts to sign the certificate have failed, you have to generate a new certificate signing request.
- The certificate that has been received cannot be used for data signing or encryption.

You can edit the specified settings when adding the SCEP profile.

To add a SCEP profile:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the SCEP section.
3. Click the Add button in the SCEP profiles section. The SCEP profile window opens.
4. In the URL field, enter the web address of the SCEP server on which the Certification Center is deployed. The URL can contain the IP address or the full domain name (FQDN). For example,
5. In the Name field, enter the name of the Certification Center deployed on the SCEP server.
6. In the Subject field, enter a string with the attributes of the iOS MDM device user that are contained in the X.500 certificate. Attributes can contain details of the country (C), organization (O), and common user name (CN). For example: /C=RU/O=MyCompany/CN=User/. You can also use other attributes specified in RFC
7. In the Type of alternative name of subject drop-down list, select the type of alternative name of the subject of the SCEP server:
   - No: alternative name identification is not used.
   - RFC 822 name: identification using the address. The address must be specified according to RFC 822.
   - DNS name: identification using the domain name.
   - URI: identification using the IP address or address in FQDN format.
   You can use an alternative name of the subject for identifying the user of the iOS MDM mobile device.
8. In the Subject Alternative Name field, enter the alternative name of the subject of the X.500 certificate. The value of the subject alternative name depends on the subject type: user address, domain, or URL.
9. In the NT subject name field, enter the DNS name of the iOS MDM mobile device user on the Windows NT network. The NT subject name is contained in the certificate request sent to the SCEP server.
10. In the Number of polling attempts on SCEP server field, specify the maximum number of attempts to poll the SCEP server to get the certificate signed.
11. In the Frequency of attempts (sec) field, specify the period of time in seconds between attempts to poll the SCEP server to get the certificate signed.
12. In the Registration request field, enter a pre-published registration key. Before signing a certificate, the SCEP server requests the mobile device user to supply a key. If this field is left blank, the SCEP server does not request the key.
13. In the Key Size drop-down list, select the size of the registration key in bits: 1024 or
14. If you want to allow the user to use a certificate received from the SCEP server as a signing certificate, select the Use for signing check box.
15. If you want to allow the user to use a certificate received from the SCEP server for data encryption, select the Use for encryption check box.
    It is prohibited to use the SCEP server certificate as a data signing certificate and a data encryption certificate at the same time.
16. In the Certificate fingerprint field, enter a unique certificate fingerprint for verifying the authenticity of the response from the Certification Center. You can use certificate fingerprints with the SHA-1 or MD5 hashing algorithm. You can copy the certificate fingerprint manually or select a certificate using the Create from certificate button. When the fingerprint is created using the Create from certificate button, the fingerprint is added to the field automatically.
    The certificate fingerprint has to be specified if data exchange between the mobile device and the Certification Center takes place via the HTTP protocol.
17. Click OK. The new SCEP profile appears in the list.
18. Click the Apply button to save the changes you have made.

As a result, once the policy is applied, the user's mobile device is configured to automatically receive a certificate from the Certification Center via the Internet.

CONFIGURING THE ACCESS POINT (APN)

The access point (APN) has to be configured in order to enable the mobile network data transmission service on the user's iOS MDM device.

To configure an access point on a user's iOS MDM device:

1. Open the properties window of the iOS MDM device management policy (see section "Configuring a group policy for managing iOS MDM devices" on page 83).
2. In the Properties <Policy name> window, select the Access point (APN) section.
3. In the Access point settings section, select the Apply settings on device check box.
4. In the APN name field, specify the name of the access point.
5. In the User name field, enter the user name for authorization on the mobile network.
6. In the Password field, enter the password for user authorization on the mobile network.
7. In the Proxy server address and port field, enter the name of a host or the IP address of a proxy server and the number of the proxy server port.
8. Click the Apply button to save the changes you have made.

As a result, the access point (APN) is configured on the user's mobile device after the policy is applied.
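The rules the SCEP profile procedure above states (a fingerprint is required when the exchange runs over HTTP, fingerprints are SHA-1 or MD5, signing and encryption cannot be selected together, the subject uses the /C=.../O=.../CN=.../ form) can be checked before the values are entered in the console. The following Python check is an added example, not Kaspersky code; the dictionary keys, the host name scep.example.com and the CA name are assumptions made for illustration.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Hex-digit lengths of the two fingerprint algorithms the guide allows.
# SHA-1 is the stronger of the two and the better choice when both are available.
FINGERPRINT_HEX_LEN = {"sha1": 40, "md5": 32}
# Hypothetical labels for the four "Type of alternative name of subject" options.
ALT_NAME_TYPES = {"none", "rfc822", "dns", "uri"}


def parse_subject(subject):
    """Split '/C=RU/O=MyCompany/CN=User/' into [('C', 'RU'), ...]."""
    if not subject.startswith("/"):
        raise ValueError("subject must start with '/'")
    pairs = []
    for part in subject.strip("/").split("/"):
        name, sep, value = part.partition("=")
        if not sep or not name or not value:
            raise ValueError("malformed attribute: %r" % part)
        pairs.append((name.upper(), value))
    return pairs


def certificate_fingerprint(der_bytes, algorithm="sha1"):
    """Hex fingerprint of a DER-encoded CA certificate (SHA-1 or MD5)."""
    if algorithm not in FINGERPRINT_HEX_LEN:
        raise ValueError("only SHA-1 or MD5 fingerprints are accepted")
    return hashlib.new(algorithm, der_bytes).hexdigest().upper()


def check_scep_profile(p):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    url = urlsplit(p.get("url", ""))
    if url.scheme not in ("http", "https") or not url.hostname:
        problems.append("URL must be an http(s) address with an IP or FQDN host")
    # Accept fingerprints pasted with colons or spaces between bytes.
    fp = re.sub(r"[\s:]", "", p.get("fingerprint", ""))
    if fp:
        if (not re.fullmatch(r"[0-9A-Fa-f]+", fp)
                or len(fp) not in FINGERPRINT_HEX_LEN.values()):
            problems.append("fingerprint must be 40 (SHA-1) or 32 (MD5) hex digits")
    elif url.scheme == "http":
        # Over plain HTTP the fingerprint is what authenticates the CA's response.
        problems.append("fingerprint is required when the SCEP URL uses HTTP")
    if p.get("use_for_signing") and p.get("use_for_encryption"):
        problems.append("signing and encryption cannot both be selected")
    alt_type = p.get("alt_name_type", "none")
    if alt_type not in ALT_NAME_TYPES:
        problems.append("unknown subject alternative name type")
    elif alt_type != "none" and not p.get("alt_name"):
        problems.append("alternative name type set but value is empty")
    for key in ("poll_attempts", "poll_interval_sec"):
        value = p.get(key)
        if not isinstance(value, int) or value < 1:
            problems.append(key + " must be a positive integer")
    try:
        parse_subject(p.get("subject", ""))
    except ValueError as exc:
        problems.append("subject: %s" % exc)
    return problems


# Constructed sample: the default settings listed in the guide (no alternative
# name, three polling attempts 10 seconds apart, neither usage selected) plus a
# placeholder HTTP URL and no fingerprint, which the check reports as a problem.
SAMPLE_PROFILE = {
    "url": "http://scep.example.com/scep",
    "ca_name": "ExampleCA",
    "subject": "/C=RU/O=MyCompany/CN=User/",
    "alt_name_type": "none",
    "alt_name": "",
    "poll_attempts": 3,
    "poll_interval_sec": 10,
    "use_for_signing": False,
    "use_for_encryption": False,
    "fingerprint": "",
}

if __name__ == "__main__":
    for problem in check_scep_profile(SAMPLE_PROFILE):
        print("problem:", problem)
```

To fill the fingerprint from a PEM file, convert it to DER first, for example with `ssl.PEM_cert_to_DER_cert` from the Python standard library, and pass the result to `certificate_fingerprint`.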
REMOVING A GROUP POLICY

To remove a group policy:

1. From the Kaspersky Security Center console tree, select an administration group for which you want to remove a policy.
2. In the workspace of the administration group on the Policies tab select the policy you want to remove.
3. Remove the policy in one of the following ways:
   - In the context menu of the policy, select Delete.
   - Click the Delete policy link in the workspace on the right, in the section for managing the selected policy.

As a result, the group policy is deleted. Before the new group policy is applied, mobile devices belonging to the administration group continue to work with the settings specified in the policy that has been deleted.
REMOVING OF KASPERSKY ENDPOINT SECURITY MOBILE APPS FROM DEVICES

This section describes how to remove Kaspersky Endpoint Security 10 mobile apps from user devices.

IN THIS SECTION

- Removing of Kaspersky Endpoint Security for Android mobile app
- Removing of Kaspersky Safe Browser for iOS mobile app
- Removing of Kaspersky Safe Browser for Windows Phone mobile app

REMOVING OF KASPERSKY ENDPOINT SECURITY FOR ANDROID MOBILE APP

The user can personally remove Kaspersky Endpoint Security for Android from the device, unless the group policy prohibits app removal.

If the group policy allows app removal, the user can personally remove Kaspersky Endpoint Security for Android from the device using the app interface or settings of the Android device.

If the policy does not permit the user to remove the Kaspersky Endpoint Security for Android app, the user must contact the administrator. You can either remotely remove the app from the device using Kaspersky Security Center tools or allow removal of the app through local properties of the app or through a policy applied to the given device.

PERMITTING USERS TO REMOVE THE APP

You can allow or block users from removing Kaspersky Endpoint Security for Android from their mobile devices using the group policy. You can allow or block the user of a single device from removing Kaspersky Endpoint Security for Android from his device via local settings of the application in Administration Console.

If you want to allow users to remove the app from all devices in the group, you can permit this action in the properties of the policy that was previously created for this group. If you want to allow users to remove the application only on some devices in the group, you have to create a new group policy and apply it to the relevant devices. At the next synchronization of mobile devices with the Administration Server, the option to remove the application will be available.

To allow removal of Kaspersky Endpoint Security for Android on several devices:

1. In the tree of the Administration Console of Kaspersky Security Center, select the Administration Server to which the mobile devices are connected.
2. In the console tree, open the Managed computers folder.
3. In the Managed computers folder, select the group of devices whose users should be allowed to remove the application.
4. Create a new subgroup using one of the following methods:
   - In the context menu of the Managed computers folder in the console tree, or in the context menu of the subfolder, select Create Group.
   - In the workspace of the folder, select the Groups tab and open the window by clicking the Create subgroup link.
5. In the Group name window, type the group name and click OK.
6. Start the procedure for adding to the group the devices on which you want to allow application removal, in one of the following ways:
   - Click the Add computers to the group link in the Groups tab of the Administration Console workspace.
   - Click the Add computers link in the Computers tab of the Administration Console workspace.
   The wizard that adds client computers will be launched. Follow the instructions of the Wizard.
7. In the workspace of the created group, click the Policies tab and click the Create a policy link to start the wizard and create a policy. Follow the wizard's instructions. Change the settings at the following steps:
   - At the Select an application for which you want to create a group policy step, select Kaspersky Endpoint Security 10 Service Pack 1 for Mobile Devices to create a group policy.
   - At the Advanced Options step, in the Application managing section, select the Allow removal of Kaspersky Endpoint Security for Android check box.
   - At the Create a group policy step, in the Policy status settings, select Active policy.

As a result, the created policy is active for the selected administration group. After synchronization of mobile devices from this group with the Administration Server, the Kaspersky Endpoint Security for Android app will become available for manual removal by the user.

To allow removal of Kaspersky Endpoint Security for Android on an individual device:

1. In the tree of the Administration Console of Kaspersky Security Center, select the Administration Server to which the mobile devices are connected.
2. In the console tree, open the Managed computers folder.
3. In the Managed computers folder, choose the group of devices for which you want to permit removal of the application.
4. In the workspace of the group, select the Policies tab.
5. In the list of objects, select the active policy that manages devices included in the selected group.
6. Open the properties window of the active policy by double-clicking.
7. In the Properties <policy name> window that opens, select the Advanced Options section.
8. In the Application management section, make sure that the "lock" attribute looks like this, meaning that the settings of this section can be edited in the local settings of the application. If necessary, click the button to make the settings of the Application management section editable in the local settings of the application.
9. In the workspace of the administration group, select the Computers tab.
10. Select the user's device in the list of managed devices.
11. Double-click the selected device to open the device properties window.
12. In the Properties: <Device name> window that opens, select the Applications section.
13. In the Applications section, select Kaspersky Endpoint Security 10 Service Pack 1 for Mobile.
14. Double-click the selected app to open the app properties window.
15. In the Advanced Options section, under Application managing select the Allow removing Kaspersky Endpoint Security for Android check box.

As a result, at the next synchronization of this mobile device with Administration Server, the Kaspersky Endpoint Security for Android app will become available for manual removal by the user.

REMOVING THE APPLICATION FROM A DEVICE

You can remotely remove Kaspersky Endpoint Security for Android from users' devices that are connected to the Kaspersky Security Center Administration Server.

If you want to remove the application from all devices in the group, you can do so in the properties of the policy that was previously created for this group. If you want to remove the application only on some devices, you have to create a new group policy and apply it to the relevant devices. At the next synchronization of mobile devices with Administration Server, the application will be removed.

To remove Kaspersky Endpoint Security from several devices without the users' involvement:

1. In the tree of the Administration Console of Kaspersky Security Center, select the Administration Server to which the mobile devices are connected.
2. In the console tree, open the Managed computers folder.
3. In the Managed computers folder, choose the group of devices from which you want to remove the app.
4. Create a new subgroup using one of the following methods:
   - In the context menu of the Managed computers folder in the console tree, or in the context menu of the subfolder, select Create Group.
   - In the workspace of the folder, select the Groups tab and open the window by clicking the Create subgroup link.
5. In the Group name window, type the group name and click OK.
6. Add the devices from which you want to remove the application to the group using one of the following methods:
   - Click the Add computers to the group link in the Groups tab of the Administration Console workspace.
   - Click the Add computers link in the Computers tab of the Administration Console workspace.
   The wizard that adds client computers will be launched. Follow the instructions of the Wizard.
7. In the workspace of the group, click the Policies tab and click the Create a policy link to start the wizard and create a policy. The wizard that creates the policies will be started. Follow the instructions of the Wizard. For the policy applied to remove the application, change the settings at the following steps:
   - At the Select an application for which you want to create a group policy step, select Kaspersky Endpoint Security 10 Service Pack 1 for Mobile Devices to create a group policy.
   - At the Advanced Options step, in the Application managing section, select the Remove Kaspersky Endpoint Security for Android from device check box. A dialog box with the warning that the operation cannot be undone will appear. Confirm the removal.
   - At the Create a group policy for application step, in the Policy status settings, select Active policy.

As a result, the created policy is active for the selected administration group. After synchronization of mobile devices from this group with the Administration Server, the Kaspersky Endpoint Security for Android app will become available for manual removal by the user. If the user agrees, Kaspersky Endpoint Security for Android will be removed from the mobile device. If the user does not agree, the request for removal of Kaspersky Endpoint Security for Android will be displayed on the mobile device's screen at each synchronization with Administration Server.

To remove Kaspersky Endpoint Security for Android from one mobile device, follow the steps below:

1. In the tree of the Administration Console of Kaspersky Security Center, select the Administration Server to which the mobile devices are connected.
2. In the console tree, open the Managed computers folder.
3. In the Managed computers folder, select the group of the devices that includes the device from which you want to remove the application.
4. In the workspace of the group, select the Policies tab.
5. In the list of objects, select the active policy that manages devices included in the selected group.
6. Open the properties window of the active policy by double-clicking.
7. In the Properties <policy name> window that opens, select the Advanced Options section.
8. In the Application management section, make sure that the "lock" attribute looks like this, meaning that the settings of this section can be edited in the local settings of the application. If necessary, click the button to make the settings of the Application management section editable in the local settings of the application.
9. In the workspace of the group, select the Computers tab.
10. Select the user's device in the list of managed devices.
11. Double-click the selected device to open the device properties window.
12. In the Properties: <Device name> window that opens, select the Applications section.
13. In the Applications section, select Kaspersky Endpoint Security 10 Service Pack 1 for Mobile.
14. Double-click the selected app to open the app properties window.
15. In the Advanced Options section, under Application managing select the Remove Kaspersky Endpoint Security for Android from device check box.

As a result, when synchronizing the mobile device with Administration Server, Kaspersky Endpoint Security for Android will prompt the user to confirm removal. If the user agrees, Kaspersky Endpoint Security for Android will be removed from the mobile device. If the user does not agree, the request for removal of Kaspersky Endpoint Security for Android will be displayed on the mobile device's screen at each synchronization with Administration Server.

REMOVING OF KASPERSKY SAFE BROWSER FOR IOS MOBILE APP

The user can remove Kaspersky Safe Browser for iOS from his mobile device using the standard iOS tools.

To remove Kaspersky Safe Browser for iOS from an iOS device, click the application icon on the device screen and hold it until it "bounces". Then, click the close icon.
REMOVING OF KASPERSKY SAFE BROWSER FOR WINDOWS PHONE MOBILE APP

The user can remove Kaspersky Safe Browser for Windows Phone from the device manually using the standard Windows Phone tools.

To remove Kaspersky Safe Browser for Windows Phone from a device, the user has to do the following:

1. Press and hold the app icon on the mobile device screen.
2. Select Remove in the menu that appears. A confirmation prompt appears on the screen.
3. Press Yes.
INFORMATION EXCHANGE WITH KASPERSKY SECURITY NETWORK

The Kaspersky Security Network cloud service is a special online service provided by Kaspersky Lab. It provides information on the reliability of files, programs, mobile apps and Internet resources.

Kaspersky Endpoint Security 10 for Mobile uses the Kaspersky Security Network cloud service for the following components:

- Scan: Kaspersky Endpoint Security mobile apps run an additional scan of apps installed on mobile devices before they are launched for the first time. This scan detects new threats that have not been added to the Anti-Virus databases.
- Web Filter: Kaspersky Endpoint Security mobile apps perform additional scanning of websites before they are opened.

Information on the type of data relayed to Kaspersky Lab when Kaspersky Endpoint Security mobile apps on mobile devices use the cloud service is available in the License Agreement. By accepting the terms and conditions of the License Agreement, you agree to transfer the following information:

- Checksums for the processed files (MD5, SHA256).
- Names of mobile app packages started on user devices, to determine the app categories.
- Information about applications being installed, for verifying the security of applications. The function of automatic transmission of data on apps that are installed can be enabled or disabled during operation of Kaspersky Endpoint Security.
- Address of the visited website, to check the website's reputation.
- Settings of the Wi-Fi access point in use.
- Data on the software and hardware configuration of the mobile device.
- Statistical data on the detected threats.

Information transferred to the cloud service does not include personal data or other confidential user information.

The information received by the Kaspersky Security Network cloud service is protected by Kaspersky Lab according to the legislation. Kaspersky Lab uses any retrieved information as general statistics only. General statistics are automatically generated using original retrieved information and do not contain any personal data or other confidential information. Original retrieved information is stored in encrypted form; it is cleared as it is accumulated (twice per year). General statistics are stored indefinitely.

More details about the Kaspersky Security Network cloud service are available on the website
CONTACTING THE TECHNICAL SUPPORT SERVICE

This section describes the ways to get technical support and the terms on which it is available.

IN THIS SECTION

- About Technical Support
- Technical support by phone
- Technical Support via Kaspersky CompanyAccount
- Electronic Certificate Signing Request

ABOUT TECHNICAL SUPPORT

If you could not find a solution to your problem in the documentation or in one of the sources of information about the application (see the section "Sources of information about the application" on page 10), we recommend that you contact Kaspersky Lab Technical Support. Technical Support specialists will answer your questions about installing and using the application.

Technical support is available only to users who have purchased a commercial license for the application. Users who have received a trial license are not entitled to technical support.

Before contacting Technical Support, we recommend that you read through the support rules.

You can contact Technical Support in one of the following ways:

- By calling Kaspersky Lab Technical Support.
- By sending a request to Technical Support through the Kaspersky CompanyAccount web service.

TECHNICAL SUPPORT BY PHONE

If an urgent issue arises, you can call Kaspersky Lab Technical Support representatives.

Before contacting Technical Support, you are advised to read the technical support rules. These rules contain information about the working hours of Kaspersky Lab Technical Support and about the information that you must provide so that Kaspersky Lab Technical Support specialists can help you.

TECHNICAL SUPPORT VIA KASPERSKY COMPANYACCOUNT

Kaspersky CompanyAccount is a web service for companies that use Kaspersky Lab applications. The Kaspersky CompanyAccount web service is designed to facilitate interaction between users and Kaspersky Lab specialists via online requests. The Kaspersky CompanyAccount web service lets you monitor the progress of electronic request processing by Kaspersky Lab specialists and store a history of electronic requests.

You can register all of your organization's employees under a single account on Kaspersky CompanyAccount. A single account lets you centrally manage electronic requests from registered employees to Kaspersky Lab and also manage the privileges of these employees via Kaspersky CompanyAccount.

The Kaspersky CompanyAccount web service is available in the following languages:

- English
- Spanish
- Italian
- German
- Polish
- Portuguese
- Russian
- French
- Japanese

To learn more about Kaspersky CompanyAccount, visit the Technical Support website.

ELECTRONIC CERTIFICATE SIGNING REQUEST

You can send an electronic Certificate Signing Request (CSR request) to Technical Support to be signed. For this purpose, you need to specify the CSR request file in the electronic request form.

After the automatic processing of your electronic request is completed, you will receive the CSR request file signed by Kaspersky Lab that can be sent to Apple. You can view the processed request in the list of inactive requests of your account.
ANNEX. RESTRICTIONS FOR IOS MDM DEVICES

Kaspersky Mobile Device Management can manage settings for iOS MDM devices that can be configured in accordance with the corporate security policy.

Restrictions for Features:

- Allow use of camera
- Allow FaceTime
- Allow screenshots
- Allow AirDrop (only for managed devices)
- Allow iMessage (only for managed devices)
- Allow voice dialing
- Allow use of Siri
- Allow profanity filter (only for managed devices)
- Allow when device is locked
- Show user data (only for managed devices)
- Allow iBooks Store (only for managed devices)
- Allow installing apps
- Allow app removal (only for managed devices)
- Allow In-App Purchase
- Prompt for password for each purchase through iTunes Store
- Allow backup in iCloud
- Allow storing documents and data in iCloud
- Allow iCloud Keychain
- Allow sharing access to photos in iCloud
- Allow My Photo Stream
- Allow automatic sync when in roaming
- Enable encryption of backup copies
- Limit ad tracking
- Allow users to accept untrusted TLS certificates
- Allow automatic updates of trusted certificates
- Allow installation of configuration profiles (only for managed devices)
- Allow editing account settings (for supervised only)
- Allow editing Find My Friends settings (for supervised only)
- Allow pairing with non-configurator hosts
- Allow non-managed apps to use documents from managed apps
- Allow managed apps to use documents from non-managed apps
- Allow sending diagnostic and usage-related data to Apple
- Allow unlocking device through Touch ID
- Prompt for password on first connection to AirPlay
- Allow Passbook on-screen notifications when screen is locked
- Show Control Center when screen is locked
- Show Notification Center when screen is locked
- Show Today when screen is locked

Restrictions for applications:

- Allow use of YouTube
- Allow use of iTunes Store
- Allow use of Game Center
- Allow adding friends
- Allow multiplayer mode
- Allow use of Safari
- Enable autofill option
- Enable notification of fraudulent websites
- Enable JavaScript
- Block pop-up windows
- Accept cookies

Restrictions for Media Content:

- Region
- Movies
- TV Shows
- Applications
- Allow playback of music videos, podcasts and media files with explicit content in iTunes U
- Allow adult content in iBooks Store
GLOSSARY

APPLE PUSH NOTIFICATION SERVICE (APNS) CERTIFICATE
A certificate signed by Apple that lets you use the functionality of the Apple Push Notification service. With the aid of the Apple Push Notification service, iOS MDM mobile device server can manage iOS devices.

EAS DEVICE
A mobile device connected to Administration Server via Exchange ActiveSync protocol.

IOS MDM PROFILE
A profile with a set of settings for connecting iOS mobile devices to the Administration Server. An iOS MDM profile makes it possible to distribute iOS configuration profiles in background mode using the iOS MDM server, and also receive extended diagnostic information about mobile devices. A link to the iOS MDM profile needs to be sent to a user in order to enable the iOS MDM server to discover and connect the user's iOS mobile device.

IOS MDM DEVICE
An iOS mobile device controlled by the iOS MDM Mobile Device Server.

KASPERSKY SECURITY NETWORK (KSN)
An infrastructure of online services that provides access to the online Knowledge Base of Kaspersky Lab which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky Lab's applications to new threats, improves the performance of some protection components, and reduces the risk of false positives.

MANIFEST FILE
A file in PLIST format containing a link to the app file (ipa file) located on a web server. It is used by iOS devices to locate, download, and install apps from a web server.

PROVISIONING PROFILE
A set of parameters that apps need to work on iOS mobile devices. A provisioning profile includes license information and is linked to a specific app.

STANDALONE PACKAGE
The installation file of the mobile app Kaspersky Endpoint Security for Android, containing settings for connecting to an Administration Server. It is created on the basis of the installation package for this app and is a proprietary mobile app package.

DEVICE ADMINISTRATOR
A set of app rights on an Android device that enables the app to use device management policies. It is necessary to implement full functionality of Kaspersky Endpoint Security on Android devices.

ADMINISTRATION GROUP
A set of managed devices, such as mobile devices grouped according to the functions they perform and the set of apps installed on them. Managed devices are grouped so that they can be managed as a single whole. For example, mobile devices running the same operating system can be combined into an administration group. A group may include other administration groups. It is possible to create group policies and group tasks for group devices.

GROUP TASK
A task intended for an administration group and performed on all managed devices included in the group.

CERTIFICATE SIGNING REQUEST
A file with Administration Server settings that, once confirmed by Kaspersky Lab, is sent to Apple for purposes of getting the APN certificate.

INSTALLATION PACKAGE
A set of files created for remote installation of a Kaspersky Lab application by using the remote administration system. An installation package is created based on special files that are included in the application distribution package; it contains a set of settings required for application setup and its configuration for normal functioning immediately after installation. The values of settings in the distribution kit correspond to default values of application settings.

CONTAINER
A special shell for mobile apps that lets you monitor the activity of an app within the container, thereby protecting personal and company data on the device. A container used on an iOS device is signed by the same certificate that is used to sign Kaspersky Endpoint Security for iOS devices.

MANAGED DEVICE
An iOS device whose configuration is monitored in Apple Configurator, an application for applying group settings to iOS devices. A managed device has supervised status in Apple Configurator. Whenever you connect a managed device to a computer, Apple Configurator checks the configuration of the device for compliance with the specified settings and adjusts them when needed. A managed device cannot be synchronized with Apple Configurator installed on a different computer. More settings that can be configured with the aid of a Kaspersky Mobile Device Management policy are available on a managed device than on an unmanaged device. For example, a managed device can have an HTTP proxy to monitor Internet traffic on the device within a company network. By default, all mobile devices are not managed.

COMPLIANCE CONTROL
Checking of users' mobile devices for compliance with the group policy. Compliance control involves checking mobile device settings to verify that they meet corporate security requirements.

MOBILE APP PACKAGE
An installation file for the Android operating system (file with the .apk extension) uploaded to the Administration Server. Mobile app packages are stored on the Kaspersky Security Center web server or in the public folder of the Kaspersky Security Center administrator. Mobile app packages can be created for apps of third-party publishers. When creating a mobile app package, one can specify that the app will be containerized.

APPLICATION MANAGEMENT PLUG-IN
A dedicated component that provides the interface for managing Kaspersky Lab applications through Administration Console. Each application that can be managed through Kaspersky Security Center SPE has its own plug-in. A plug-in is included in all Kaspersky Lab applications that can be managed by using Kaspersky Security Center.

POLICY
A set of settings of the application and Kaspersky Endpoint Security mobile apps applied to devices in administration groups or to individual devices. Different policies can be applied to different administration groups. A policy includes the configured settings of all functions of Kaspersky Endpoint Security mobile apps.

ADMINISTRATOR'S WORKSTATION
The computer hosting the Administration Console of Kaspersky Security Center. If the application management plug-in is installed on the administrator's workstation, the administrator can manage Kaspersky Endpoint Security mobile apps deployed on user devices.

THIRD-PARTY APP ADD-ON
A third-party component that makes it possible to configure the settings of a third-party app in the Administration Console of Kaspersky Security Center.

ADMINISTRATION SERVER
A component of Kaspersky Security Center that centrally stores information about all Kaspersky Lab applications that are installed within the corporate network. It can also be used to manage these applications.

EXCHANGE ACTIVESYNC MOBILE DEVICE SERVER
A Kaspersky Endpoint Security component installed on the client computer, which makes it possible to connect Exchange ActiveSync mobile devices to Administration Server.

IOS MDM MOBILE DEVICE SERVER
A component of the Kaspersky Security Center administration system that makes it possible to connect iOS mobile devices to the Administration Server and control them using iOS MDM profiles.

SYNCHRONIZATION
A process during which a connection is established between a mobile device and a remote administration system and data is transmitted between them. Administrator-configured settings of Kaspersky Endpoint Security are transferred to the device during synchronization. Reports on the operation of mobile app components are relayed to the remote administration system.
T H I R D - P A R T Y A P P An app developed by a third-party vendor (such as an client for a mobile device). K K A S P E R S K Y S M S B R O A D C A S T I N G U T I L I T Y A utility installed on the administrator's Android device to send out text messages to Android devices of users. 123
KASPERSKY LAB ZAO

Kaspersky Lab software is internationally renowned for its protection against viruses, malware, spam, network and hacker attacks, and other threats. In 2008, Kaspersky Lab was rated among the world's top four leading vendors of information security software solutions for end users (IDC Worldwide Endpoint Security Revenue by Vendor). Kaspersky Lab is the preferred developer of computer protection systems among home users in Russia, according to the COMCON survey "TGI-Russia 2009".

Kaspersky Lab was founded in Russia in Today, it is an international group of companies headquartered in Moscow with five regional divisions that manage the company's activity in Russia, Western and Eastern Europe, the Middle East, Africa, North and South America, Japan, China, and other countries in the Asia-Pacific region. The company employs more than 2000 qualified specialists.

PRODUCTS. Kaspersky Lab's products provide protection for all systems, from home computers to large corporate networks. The personal product range includes anti-virus applications for desktop, laptop, and tablet computers, and for smartphones and other mobile devices. Kaspersky Lab delivers applications and services to protect workstations, file and web servers, mail gateways, and firewalls. Used in conjunction with Kaspersky Lab's centralized management system, these solutions ensure effective automated protection for companies and organizations against computer threats. Kaspersky Lab's products are certified by the major test laboratories, are compatible with the software of many suppliers of computer applications, and are optimized to run on many hardware platforms.

Kaspersky Lab's virus analysts work around the clock. Every day they uncover hundreds of new computer threats, create tools to detect and disinfect them, and include them in the databases used by Kaspersky Lab applications. Kaspersky Lab's Anti-Virus database is updated hourly, and the Anti-Spam database every five minutes.

TECHNOLOGIES. Many technologies that are now part and parcel of modern anti-virus tools were originally developed by Kaspersky Lab. It is no coincidence that many other developers use the Kaspersky Anti-Virus kernel in their products, including: SafeNet (USA), Alt-N Technologies (USA), Blue Coat Systems (USA), Check Point Software Technologies (Israel), Clearswift (UK), CommuniGate Systems (USA), Openwave Messaging (Ireland), D-Link (Taiwan), M86 Security (USA), GFI Software (Malta), IBM (USA), Juniper Networks (USA), LANDesk (USA), Microsoft (USA), Netasq+Arkoon (France), NETGEAR (USA), Parallels (USA), SonicWALL (USA), WatchGuard Technologies (USA), ZyXEL Communications (Taiwan). Many of the company's innovative technologies are patented.

ACHIEVEMENTS. Over the years, Kaspersky Lab has won hundreds of awards for its services in combating computer threats. In 2010, Kaspersky Anti-Virus received several top Advanced+ awards in tests carried out by AV-Comparatives, an authoritative Austrian anti-virus laboratory. But Kaspersky Lab's main achievement is the loyalty of its users worldwide. The company's products and technologies protect more than 300 million users, and its corporate clients number more than 200,000.

Kaspersky Lab's website: Virus encyclopedia: Virus Lab: Kaspersky Lab's web forum: [email protected] (to send probably infected files in the archived form only)
INFORMATION ABOUT THIRD-PARTY CODE

Information about third-party code is contained in the file legal_notices.txt, in the application installation folder. On Android devices, data from the legal_notices.txt file is displayed in the Additional Information window, in the About the app section.
TRADEMARK NOTIFICATIONS

Registered trademarks and service marks are the property of their respective owners. Apple, iPhone, Mac OS are registered trademarks of Apple Inc. The word mark Bluetooth and its logo are the property of Bluetooth SIG, Inc. Android, Google are trademarks owned by Google, Inc. Active Directory, ActiveSync, Microsoft, Windows, Windows Phone are trademarks owned by Microsoft Corporation and registered in the United States of America and elsewhere. Nokia, Series 60 are trademarks or registered trademarks of Nokia Corporation. The BlackBerry trademark is owned by Research In Motion Limited, registered in the USA, with registration pending or existing elsewhere. The Symbian trademark is owned by Symbian Foundation Ltd.
Configuration Guide BES12. Version 12.3
Configuration Guide BES12 Version 12.3 Published: 2016-01-19 SWD-20160119132230232 Contents About this guide... 7 Getting started... 8 Configuring BES12 for the first time...8 Configuration tasks for managing
Sophos Mobile Control Technical Guide. Product version: 3
Sophos Mobile Control Technical Guide Product version: 3 Document date: January 2013 Contents 1 About Sophos Mobile Control...3 2 Integration...5 3 Architecture...7 4 Workflow...12 5 Directory Access...14
How To Use A Microsoft Mobile Security Software For A Corporate Account On A Mobile Device
Technical FAQ McAfee Enterprise Mobility Management (McAfee EMM ) 12.0 Frequently Asked Questions Q. What types of mobile devices does McAfee Enterprise Mobility Management (McAfee EMM ) support? A. McAfee
Office of Information Technology Connecting to Microsoft Exchange User Guide
OVERVIEW The Office of Information Technology is migrating its messaging infrastructure from Microsoft Exchange 2003 to Microsoft Exchange 2010. Moving to the latest technology will provide many enhancements
Android App User Guide
www.novell.com/documentation Android App User Guide ZENworks Mobile Management 2.7.x August 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of
Xperia TM. Read about how Xperia TM devices can be administered in a corporate IT environment
Xperia TM in Business Mobile Device Management Read about how Xperia TM devices can be administered in a corporate IT environment Device management clients Xperia TM T3 Exchange ActiveSync The my Xperia
