Kaspersky Security 10 for Mobile Implementation Guide
APPLICATION VERSION: 10.0 MAINTENANCE RELEASE 1
Dear User,

Thank you for choosing our product. We hope that you will find this documentation useful and that it will answer any questions that you may have.

Note: This document is the property of Kaspersky Lab ZAO (herein also referred to as Kaspersky Lab): all rights to this document are reserved by the copyright laws of the Russian Federation and by international treaties. Illegal reproduction or distribution of this document or parts hereof will result in civil, administrative, or criminal liability under applicable law.

Any type of reproduction or distribution of any materials, including translations, may be allowed only with written permission from Kaspersky Lab.

This document and related graphic images can be used for informational, non-commercial, or personal use exclusively.

This document may be amended without prior notice. You can find the latest version of this document at the Kaspersky Lab website, at

Kaspersky Lab assumes no liability for the content, quality, relevance, or accuracy of any third-party materials used herein, or for any potential harm associated with the use of such materials.

Document revision date: 6/18/

Kaspersky Lab ZAO. All Rights Reserved
CONTENTS

ABOUT THIS GUIDE
  In this document
  Document conventions
SOURCES OF INFORMATION ABOUT THE APPLICATION
  Sources of information for independent research
  Discussing Kaspersky Lab applications on the Forum
  Contacting the Sales Department
  Contacting Technical Writing and Localization Unit by email
KASPERSKY SECURITY 10 FOR MOBILE
  What's new
  Distribution kit
  Hardware and software requirements
COMMON APPLICATION DEPLOYMENT MODELS
  Application deployment models for Android devices
    Deployment via email link
    Deployment via SMS link
    Deployment via workstations
    Deployment via Google Play
  Application deployment models for iOS devices
    Application deployment model for iOS devices
    Deployment via Apple Store
  Application deployment model for Blackberry, Symbian, and Windows Mobile devices
PREPARING FOR APPLICATION INSTALLATION
  Installing the Mobile devices support component
  Upgrading the version of the Administration Server component
  Configuring the mobile device connection settings
  Installing the Administration Plug-in for Kaspersky Security for Mobile
  Creating a group
  Creating a rule for device automatic allocating to administration groups
  Creating a group policy for Kaspersky Security 10 for Mobile
    Step 1. Choose a group policy name for the application
    Step 2. Choose an application for creating a group policy
    Step 3. Configure device scan settings
    Step 4. Configuring Protection settings
    Step 5. Configuring Update settings
    Step 6. Configuring Anti-Theft settings
    Step 7. Configuring network settings
    Step 8. Configuring App Control
    Step 9. Configuring device control
    Step 10. Configuring additional settings
    Step 11. Activating the application
    Step 12. Setting the policy status
  Preparing for installation on Android devices
    Mailing settings
    Configuring text message delivery methods
    Creating an installation package
    Configuring installation package settings
  Preparing for installation on iOS devices
    Configuring the interface of the Kaspersky Security Center Administration Console
    Getting the APN certificate
    Installing the APN certificate on the iOS MDM server
    Creating and sending an iOS MDM profile
UPGRADING FROM A PREVIOUS VERSION OF THE APPLICATION
USING CONTAINERS
  About containers
  Creating containers
  Signing a container to be used on iOS devices
INSTALLING THE APPLICATION ON ANDROID DEVICES
  Installing the application via email link
    Creating a stand-alone installation package
    Sending emails to users
    Installing the application on the mobile device after receiving the email
  Installing the application via SMS
    Creating a stand-alone installation package
    Sending text messages to users
    Installing the application on the mobile device after receiving the text message
  Installation using the workstation
    Creating a remote installation task
    Delivering the application distribution kit to mobile devices using the workstation
    Application installation on mobile devices using the workstation
  Installing the application from Google Play
INSTALLING THE APPLICATION ON IOS DEVICES
  Getting the developer certificate
  Creating a provisioning profile
  Signing the app distribution kit
  Installing the application on an iOS mobile device
  Installing the application from Apple Store
INSTALLING THE APPLICATION ON BLACKBERRY, SYMBIAN AND WINDOWS MOBILE DEVICES USING WORKSTATIONS
PREPARING THE APPLICATION TO BE USED ON THE DEVICE
ACTIVATION OF AN APPLICATION
REMOVING THE APPLICATION
  Removing the application from Android devices
    Permitting users to remove the application
    Removing the application from the device without the user's involvement
  Removing the application from BlackBerry, Symbian, and Windows Mobile devices
  Removing the application from Android devices
INFORMATION EXCHANGE WITH KASPERSKY SECURITY NETWORK
CONTACTING THE TECHNICAL SUPPORT SERVICE
  How to obtain technical support
  Technical support by phone
  Technical Support via Kaspersky CompanyAccount
  Technical Support by email
  Electronic request to sign APN certificate
  Online request to the Virus Lab
GLOSSARY
KASPERSKY LAB ZAO
INFORMATION ABOUT THIRD-PARTY CODE
TRADEMARK NOTIFICATIONS
INDEX
ABOUT THIS GUIDE

This document represents the Kaspersky Security 10 for Mobile Implementation Guide.

The Guide is addressed to the technical specialists whose responsibilities include Kaspersky Security 10 for Mobile (hereinafter referred to as Kaspersky Security) installation and administration, as well as support of the organizations that use the program.

This Guide is intended to do the following:
- Provide the general description of the Kaspersky Security 10 operating principles, system requirements, typical deployment scenarios, the features of integration with other applications.
- Assist in planning of Kaspersky Security 10 for Mobile deployment across the enterprise network.
- Describe preparation for Kaspersky Security 10 for Mobile installation, the application installation and activation.
- Provide recommendations on Kaspersky Security 10 for Mobile support and administration after installation.
- Describe additional sources of information about the application and ways of receiving technical support.

IN THIS SECTION
- In this document
- Document conventions

IN THIS DOCUMENT

This document comprises the following sections.

Sources of information on the application (see page 9)
This section describes sources of information about the application and lists websites that you can use to discuss the application.

Kaspersky Security 10 for Mobile (see page 11)
This section describes the purpose, key features and structure of Kaspersky Security 10 for Mobile.

Typical deployment models for the application (see page 16)
This section covers the common Kaspersky Security 10 for Mobile deployment models.

Preparing for installation of the application (see page 23)
This section describes how to configure mobile device management via Kaspersky Security Center for the Kaspersky Security application deployment.

Updating the previous application version (see page 44)
This section describes how to update the previous version of Kaspersky Security 10 for Mobile.

Using containers (see page 45)
This section describes containers, how to create them, and how to sign them so they can be used on iOS devices.

Installing the application on Android devices (see page 48)
This section describes the options for installing Kaspersky Security 10 for Mobile on Android devices.

Installing the application on iOS devices (see page 55)
This section describes the process of installing Kaspersky Security 10 for Mobile on iOS devices.

Installing the application on BlackBerry, Symbian, and Windows Mobile devices via workstations (see page 59)
This section describes how to install Kaspersky Security 10 for Mobile on BlackBerry, Symbian, and Windows Mobile devices.

Preparing the application for use on the device (see page 60)
This section describes the initial configuration of the Administration Server connection settings on user devices.

Activating the application (see page 61)
This section describes how to activate the application.

Removing the application (see page 62)
This section describes how to remove Kaspersky Security 10 for Mobile from the user mobile device.

Information exchange with Kaspersky Security Network (see page 67)
This section describes interaction of Kaspersky Security with the Kaspersky Security Network cloud service.

Contacting the Technical Support service (see page 68)
This section provides information about how to obtain technical support and the requirements for receiving help from Technical Support.

Glossary
This section contains a list of terms that are mentioned in the document and their definitions.

Kaspersky Lab ZAO
This section provides information about Kaspersky Lab ZAO.

Information about third-party code
This section provides information about the third-party code used in the application.

Trademark notices
This section lists trademarks of third-party manufacturers that were used in the document.
Index
This section allows you to quickly find required information within the document.

DOCUMENT CONVENTIONS

The document text is accompanied by semantic elements to which we recommend paying particular attention: warnings, hints, and examples.

Document conventions are used to highlight semantic elements. The following table shows document conventions and examples of their use.

Table 1. Document conventions

| SAMPLE TEXT | DESCRIPTION OF DOCUMENT CONVENTION |
|---|---|
| Note that... | Warnings are highlighted in red and boxed. Warnings provide information about possible unwanted actions that may lead to data loss, failures in equipment operation or operating system problems. |
| We recommend that you use... | Notes are boxed. Notes may contain useful hints, recommendations, specific values for settings, or important special cases in operation of the application. |
| Example: ... | Examples are given on a yellow background under the heading "Example". |
| Update means... The Databases are out of date event occurs. | The following semantic elements are italicized in the text: new terms; names of application statuses and events. |
| Press ENTER. Press ALT+F4. | Names of keyboard keys appear in bold and are capitalized. Names of keys that are connected by a + (plus) sign indicate the use of a key combination. Those keys must be pressed simultaneously. |
| Click the Enable button. | Names of application interface elements, such as entry fields, menu items, and buttons, are in bold. |
| To configure a task schedule: | Introductory phrases of instructions are italicized and marked with the arrow sign. |
| In the command line, type help. The following message appears: Specify the date in DD:MM:YY format. | The following types of text content are marked with a special font: text in the command line; text of messages that the application displays on the screen; data that the user must enter. |
| <User name> | Variables are in angle brackets. It is required to replace each variable by the corresponding value, omitting angle brackets. |
SOURCES OF INFORMATION ABOUT THE APPLICATION

This section describes sources of information about the application and lists websites that you can use to discuss the application.

You can select the most suitable information source, depending on importance and urgency of the issue.

IN THIS SECTION
- Sources of information for independent research
- Discussing Kaspersky Lab applications on the Forum
- Contacting the Sales Department
- Contacting Technical Writing and Localization Unit by email

SOURCES OF INFORMATION FOR INDEPENDENT RESEARCH

You can use the following sources of information to research on your own:
- Application page on the Kaspersky Lab website
- Application page on the Technical Support website (Knowledge Base)
- Online help
- Documentation

If you have not found a solution to your problem, we recommend that you contact Kaspersky Lab Technical Support (see the Technical Support by phone section on page 68).

An Internet connection is required to use information sources on the Kaspersky Lab website.

Application page on the Kaspersky Lab website

The Kaspersky Lab website features an individual page for each application.

On page ( you can find general information about the application, its features and operation parameters.

The page contains a link to the eStore. There you can purchase or renew the application.

Application page on the Technical Support website (Knowledge Base)

Knowledge Base is a section on the Technical Support website that provides advice on using Kaspersky Lab applications. The Knowledge Base consists of reference articles that are grouped by topic.

On the application page in the Knowledge Base ( you can find articles that contain useful information, recommendations and answers to frequently asked questions on the application purchasing, installation, and use.

The articles answer questions that refer not only to Kaspersky Security, but also to other Kaspersky Lab applications, and contain news from Technical Support.

Online help

The online help of the application comprises help files.

The Context Help contains information about each window of the application: the list and description of settings and links to the tasks for which these settings are used.

Documentation

The distribution kit includes documents that help you to install and activate the application on the computers of a local area network, configure its settings, and find information about the basic techniques for using the application.

DISCUSSING KASPERSKY LAB APPLICATIONS ON THE FORUM

If your question does not require an immediate answer, you can discuss it with the Kaspersky Lab experts and other users in our forum (

In this forum you can view existing topics, leave your comments, and create new discussion topics.

CONTACTING THE SALES DEPARTMENT

If you have any questions on how to select, purchase, or renew the application, you can contact our Sales Department specialists in one of the following ways:
- By calling our central office in Moscow by phone (
- By sending your message with a question to [email protected].

Service is provided in Russian and in English.

CONTACTING TECHNICAL WRITING AND LOCALIZATION UNIT BY EMAIL

To contact the Documentation Development Group, please send your message to [email protected]. Please specify: "Kaspersky Help Feedback: Kaspersky Security 10 for Mobile" in the message subject line.
KASPERSKY SECURITY 10 FOR MOBILE

Kaspersky Security 10 for Mobile protects Android, iOS, BlackBerry, Microsoft Windows Mobile, and Symbian mobile devices against viruses and other malware, unwanted calls and SMS messages, and web threats. The application lets you monitor user network activity and protect confidential information against unauthorized access. Different components are used to provide protection against each type of threat. The application settings can be configured flexibly depending on specific user needs.

The availability of protection components listed below depends on the operating system of the mobile device.

Kaspersky Security 10 for Mobile supports interaction with the remote Kaspersky Security Center administration system. Using this system, the corporate network administrator can:
- Install the application on mobile devices
- Configure the application settings to be used both for a group of devices and for an individual device
- Generate reports on the performance of components of the application installed on mobile devices
- Remove the application from Android devices

Kaspersky Security 10 for Mobile includes the following protection components:

- Anti-Virus. It allows you to detect and neutralize threats on your device by using the Anti-Virus databases and the Kaspersky Security Network cloud service. Anti-Virus includes the following components: protection, scan, and update.
  - Protection detects threats in open files, scans new applications, and prevents device infection in real time.
  - Scan is performed on demand for the entire file system, the random access memory, or a folder. Full Scan scans the entire file system for the presence of malicious objects; Folder Scan scans a specific folder. Full Scan and Folder Scan detect threats in files that have been installed but not yet opened, as well as threats in files that are currently open. Memory Scan detects threats only in files that are currently open.
  - Update allows you to download new Anti-Virus databases for the application.
- Privacy Protection. This allows you to hide confidential user information when other persons are using the device. The component hides or shows all information connected with the specified subscribers' addresses, for example, the contact list, the history of connections, and the SMS correspondence with the contacts. The component also allows you to hide delivery of incoming calls and SMS messages from the specified subscribers' numbers.
- Anti-Theft. This component protects information on the device against unauthorized access in case the device is lost or stolen. With the component, you can lock or locate the device or delete information from it via an SMS command or via Kaspersky Security Center.
- Call & SMS Filter. The component blocks unwanted messages and calls in accordance with the selected mode. Filtering messages and calls is carried out using the lists of allowed and blocked contacts. Depending on the settings, the component delivers calls and SMS messages from allowed contacts, and blocks calls and SMS messages from blocked contacts. In addition to the selected mode, using the component you can enable incoming events from all phone numbers in the device address book (Contacts) or block incoming events from the phone numbers that contain letters.
- Web Protection. This blocks malicious websites that distribute malicious code and fake (phishing) websites that can steal confidential user data, such as online banking passwords, online auction and e-money passwords, and access your financial accounts. The component scans websites before you open them using the Kaspersky Security Network cloud service. Depending on the scan results, Web Protection loads websites that are recognized as genuine, and blocks websites that are considered to be malicious. The component also supports website filtering by categories defined in Kaspersky Security Network. Thus, the administrator can restrict access to certain web pages, for example, the ones from the Gambling or Social Networks categories.
- Firewall. This component controls network connections on the mobile device. With the component, you can define the connections to be allowed or blocked.
- App Control. This allows you to modify the settings of application launch on the user mobile device via Kaspersky Security Center. The administrator can specify the applications that must be installed on the user device and can create the lists of allowed and blocked applications. The component blocks attempts to run the forbidden applications; information on the attempts is available in the Kaspersky Security Center reports. The component also lets you create and use the container, which is a special shell for mobile apps that allows you to control actions of the containerized application, thereby protecting corporate data on the device. Containerized apps can be used as allowed or even required applications.
- Device Management. This component allows you to configure the obligatory password to unlock the mobile device and the minimum password length. With this component, you can prohibit the use of Wi-Fi networks, the camera or Bluetooth functionality on the device.
- Encryption. This component protects data from being viewed by unauthorized users in the event of unauthorized access to the device. As soon as the device switches to the power-saving mode, the component encrypts the selected non-system folders stored in the device memory or on the memory card. The data in the encrypted folders is available only after the secret code is entered.

IN THIS SECTION
- What's new
- Distribution kit
- Hardware and software requirements

WHAT'S NEW

Kaspersky Security 10 for Mobile differs from the previous application version in the following:
- The heuristic scan during protection operation has been added.
- The Call & SMS Filter functionality has been improved: for the lists of allowed and blocked contacts, an option to import data from the call log and SMS list has been added.
- The list of events recorded in the application performance reports has been added.
- Support of iOS devices is now available: remote installation of the application on iOS devices and administration via Kaspersky Security Center.
- Support of devices running Android 4.0 or later has been added.

For devices with the Android operating system (hereinafter "Android devices"):
- The model of application deployment via Kaspersky Security Center has been added. In this model, an SMS link is sent to users' phone numbers or an email link is sent to users' corporate addresses. The app distribution package with settings for connecting to the Administration Server is delivered to the user's device. When the app is installed using this distribution package, the user is not required to specify the connection settings manually.
- Newly installed apps are now scanned immediately after installation using the Kaspersky Security Network cloud service.
- Kaspersky Security 10 can now be activated as the Device Administrator. This provides advanced capabilities for the protection of Android devices.
- The application is now able to detect adware and applications that can be used by intruders to damage the device or corporate data of the user.
- The Anti-Theft functionality has been improved; now you can start Anti-Theft functions remotely and delete all data from the device by a command sent from Kaspersky Security Center.
- It is now possible to block websites by categories specified in Kaspersky Security Network, with the option to restrict access to web resources categorized as malicious, phishing or unwanted websites.
- Now via Kaspersky Security Center, you can specify applications allowed and blocked on the device and applications that must be installed on the user's device.
- The application now detects access to the device with administrator privileges (root access) and prompts the user for action.
- The option to create and use the container has been added. The container is a special frame for mobile applications that allows you to control actions of the wrapped application, thereby protecting the corporate data on the device. Containerized apps can be used as allowed or even required applications. You can configure user authorization to be used at the launch of a containerized app.
- You can now manage the user's device remotely via Kaspersky Security Center: impose restrictions on camera, Wi-Fi module, and Bluetooth usage by the device, and enable or disable the system password prompt when the device is powered on.
- It is now possible to configure the TouchDown client for user access to corporate email.
- The feature for configuring wireless LANs for connecting the user's mobile devices has been added.
- The application can now be removed from the device remotely via Kaspersky Security Center.
- The user can now manually remove the application from the mobile device.

For devices with the iOS operating system (hereinafter "iOS devices"):
- The option to create and use the container has been added. The container is a special frame for mobile applications that allows you to control actions of the wrapped application, thereby protecting any corporate data on the device.
- It is now possible to block specific categories of websites.
- The application now detects access to the iOS device with administrator privileges (jailbreak) and prompts the user for action.

DISTRIBUTION KIT

The Kaspersky Security 10 for Mobile distribution kit includes the following components:

- The sc_package_en self-unpacking archive containing setup files for all supported systems:
  - adb.exe, AdbWinApi.dll, AdbWinUsbApi.dll are the files required to install the application on Android devices.
  - endpoint_8_0_0_37_en.cab is the application installation file for Windows Mobile.
  - endpoint8_mobile_8_x_xx_en.sisx is the application installation file for Symbian.
  - endpoint8_mobile_8_x_xx_en.zip is the application installation file for BlackBerry.
  - installer.ini is the configuration file that contains the Administration Server connection setting.
  - KSM_10_1_xx_en.apk is the application installation file for Android.
  - kmlisten.exe is the tool for delivering the application installation package using the workstation.
  - kmlisten.ini is the configuration file that contains the settings for the delivery tool of the installation package.
  - kmlisten.kpd is the application description file.
- klcfginst_en.exe is the setup file of the Kaspersky Security 10 for Mobile plug-in for administering the application via the Kaspersky Security Center remote administration system.
- KSM_10_1_xx_en.apk is the Kaspersky Security 10 installation file for Android.
- KSM_10_1_xx_en.zip: the Kaspersky Security 10 installation file for iOS.
- endpoint_8_0_0_37_en.cab is the application installation file for Windows Mobile.
- endpoint8_mobile_8_x_xx_en.sisx is the application installation file for Symbian.
- blackberry: a folder containing a set of files needed to install the app on BlackBerry devices, including the app setup file endpoint8_mobile_8_x_xx_en.zip.
- sms_utility_ en.apk: the Kaspersky SMS Broadcasting utility.
- SigningUtility.zip: an archive containing a utility for signing the app distribution package and containers for iOS devices.
- Documentation:
  - Kaspersky Security 10 for Mobile Implementation Guide
  - Context Help for the Administration Plug-in of Kaspersky Security 10 for Mobile
  - Context Help for Android
  - Context Help for Microsoft Windows Mobile
  - Context Help for Symbian
  - Context Help for BlackBerry
  - Context Help for iOS

HARDWARE AND SOFTWARE REQUIREMENTS

To run Kaspersky Security 10 for Mobile on user mobile devices, the device must meet the following software requirements:
- Android 2.2, 2.3, 3.0, 3.1, 3.2, 4.0, 4.1, 4.2
- Apple iOS 4.3, 5.0, 5.1, 6.0, 6.1
- BlackBerry 4.5, 4.6, 4.7, 5.0, 6.0, 7.0, 7.1
- Symbian OS 9.1, 9.2, 9.3, 9.4 Series 60 UI
- Symbian^3, Symbian Anna, Symbian Belle (only for Nokia mobile devices)
- Windows Mobile 5.0, 6.0, 6.1,
To deploy Kaspersky Security 10 for Mobile on Android devices, the administrator's computer must meet the following software requirements:
- Kaspersky Security Center 10.0
- Kaspersky SMS Broadcasting utility

To deploy Kaspersky Security 10 for Mobile on iOS devices, the administrator's computer must meet the following hardware requirements:
- Mac OS X or later, Mac OS X 10.7, OS X 10.8
- iPhone Configuration Utility 3.5 or later for Mac, or iPhone Configuration Utility or later for Windows

To deploy Kaspersky Security 10 for Mobile on iOS devices, the administrator's computer must meet the following software requirements:
- Kaspersky Security Center 10.0
- iOS Mobile Device Management (MDM) server
- Kaspersky SMS Broadcasting utility
- Key Chain Access utility

To install the app on iOS devices, you need participant status in the Apple Developer Program or the Apple Developer Enterprise Program. Participants of the Apple Developer Program can install Kaspersky Security 10 for Mobile on no more than 100 devices a year.

You need to obtain a separate AppleID to get an Apple Push Notification service (APNs) certificate.

To deploy Kaspersky Security 10 for Mobile on Windows Mobile, Blackberry, and Symbian devices, the administrator's computer must meet the following software requirements:
- Kaspersky Security Center version 9.0 or later.

To manage mobile devices via the Exchange ActiveSync protocol, the administrator's computer must meet the following software requirements:
- Kaspersky Security Center 10.0
- Exchange ActiveSync mobile device server component.
COMMON APPLICATION DEPLOYMENT MODELS

This section covers the common Kaspersky Security 10 for Mobile deployment models.

The Kaspersky Security deployment model depends on the operating system installed on the user device.

IN THIS SECTION
- Application deployment models for Android devices
- Application deployment models for iOS devices
- Application deployment model for Blackberry, Symbian, and Windows Mobile devices

APPLICATION DEPLOYMENT MODELS FOR ANDROID DEVICES

The application can be installed on Android devices in one of the following ways:
- By emailing the link to the application distribution to users (see section "Deployment via email links" on page 16).
- By texting the link to the application distribution package to users (via SMS) (see section "Deployment via SMS links" on page 17).
- Through workstations to which users connect their mobile devices (see section "Deployment via workstations" on page 18).

Users can also install the Kaspersky Security distribution package on their mobile devices without the involvement of the administrator (see section "Deployment via Google Play" on page 19) as a standard Android application.

IN THIS SECTION
- Deployment via email link
- Deployment via SMS link
- Deployment via workstations
- Deployment via Google Play

DEPLOYMENT VIA EMAIL LINK

In the email deployment model, users are provided with a specially configured application distribution package containing the settings of the connection to Administration Server. When the application is installed using this distribution package, users are not required to specify the connection settings manually. This distribution package is known as the standalone installation package.

If mobile devices of users are managed by the Exchange Active Sync mobile device server deployed as part of Kaspersky Security Center and mailboxes of such users are connected to a Microsoft Exchange server, you can also install Kaspersky Security using the model described below.
This deployment model consists of the following steps:

1. Preparing for application installation:
   a. Installing the Mobile devices support component in Kaspersky Security Center. The certificate of Administration Server for mobile devices is created at this step (see page 23).
   b. Configuring the mobile device connection settings. At this step, the mobile device connection settings are configured in the properties of Administration Server to ensure synchronization of mobile devices with Administration Server (see page 24).
   c. Installing the Administration Plug-in of Kaspersky Security 10 for Mobile on the administrator's workstation (see page 24).
   d. Creating groups of mobile devices as part of managed computers in the system of Kaspersky Security Center (see page 25). Devices with Kaspersky Security 10 for Mobile installed are moved to these groups either manually or according to automatic transfer rules.
   e. Creating a rule for allocating mobile devices to a group automatically (see page 25).
   f. Creating a group policy for managing Kaspersky Security 10 for Mobile settings (see page 27).
   g. Configuring the Administration Server mailing settings (see page 38).
   h. Creating the installation package of Kaspersky Security 10 for Mobile (see page 40).
   i. Configuring the settings of the installation package of Kaspersky Security 10 for Mobile (see page 41).
2. Installing the application on devices:
   a. Creating a standalone installation package of Kaspersky Security 10 for Mobile (see page 48). At this step, the standalone package contains the settings of the connection to Administration Server and is available in the public folder on the Kaspersky Security Center web server. When creating an email, you can select any of the resources and specify the link to the right resource, or attach the standalone installation package to the email.
   b. Creating and sending an email with the link to the standalone installation package to users of mobile devices (see section "Sending emails to users" on page 49).
   c. Downloading the standalone installation package to the mobile device. At this step, the user downloads the pre-configured distribution package from the attachment or a public resource.
   d. Installing the application on a mobile device (see page 50).
3. Preparing the application for use on devices: Activating the application on mobile devices of users (see page 61).

This model of application deployment on Android devices is suitable for Kaspersky Security 10 only. The Kaspersky Security Center control plug-in of Kaspersky Security 10 for Mobile also supports management of devices with an older version of the application. Kaspersky Lab recommends upgrading from the older version of the application to be able to use the full functionality of the application (see section "Upgrading from an older version of the application" on page 44).

DEPLOYMENT VIA SMS LINK

In the SMS link deployment model, users are provided with a specially configured application distribution package containing the settings of the connection to Administration Server. When the application is installed using this distribution package, users are not required to specify the connection settings manually. This distribution package is known as the standalone installation package.

Text messages (SMS) with a link to the standalone installation package can be sent to devices that support transmission of text messages.
This deployment model consists of the following steps:

1. Preparing for application installation:
   a. Installing the Mobile devices support component in Kaspersky Security Center. The certificate of Administration Server for mobile devices is created at this step (see page 23).
   b. Configuring the mobile device connection settings. At this step, the mobile device connection settings are configured in the properties of Administration Server to ensure synchronization of mobile devices with Administration Server (see page 24).
   c. Installing the Administration Plug-in of Kaspersky Security 10 for Mobile on the administrator's workstation (see page 24).
   d. Creating groups of mobile devices as part of managed computers in the system of Kaspersky Security Center (see page 25). Devices with Kaspersky Security 10 for Mobile installed are moved to these groups either manually or according to automatic transfer rules.
   e. Creating a rule for allocating mobile devices to a group automatically (see page 25).
   f. Creating a group policy for managing Kaspersky Security 10 for Mobile settings (see page 27).
   g. Configuring the method of text message (SMS) delivery to users (see page 39).
   h. Creating the installation package of Kaspersky Security 10 for Mobile (see page 40).
   i. Configuring the settings of the installation package of Kaspersky Security 10 for Mobile (see page 41).

2. Installing the application on devices:
   a. Creating a standalone installation package of Kaspersky Security 10 for Mobile (see page 50). At this step, the standalone package contains the settings of the connection to Administration Server and is available in the public folder on the Kaspersky Security Center web server. When creating a text message, you have to select a path to the Kaspersky Security Center web server.
   b. Creating and sending a text message with the link to the standalone installation package to mobile device users (see page 51).
   c. Downloading the standalone installation package to the mobile device. At this step, the user downloads the prepared distribution package of the application from the Kaspersky Security Center web server.
   d. Installing the application on a mobile device (see page 51).

3. Preparing the application for use on devices: Activating the application on mobile devices of users (see page 61).

The model of application deployment on Android devices described above is suitable for installation of Kaspersky Security 10 for Mobile only. The Kaspersky Security Center control plug-in of Kaspersky Security 10 for Mobile also supports management of devices with an older version of the application. Kaspersky Lab recommends upgrading from the older version of the application on the device to be able to use the full functionality of the application (see section "Upgrading from an older version of the application" on page 44).

DEPLOYMENT VIA WORKSTATIONS

Application deployment via workstations is used when users connect their mobile devices to their workstations.

This deployment model consists of the following steps:

1. Preparing for application installation:
   a. Installing the Mobile devices support component in Kaspersky Security Center. The certificate of Administration Server for mobile devices is created at this step (see page 23).
   b. Configuring the mobile device connection settings. At this step, the mobile device connection settings are configured in the properties of Administration Server to ensure synchronization of mobile devices with Administration Server (see page 24).
   c. Installing the Administration Plug-in of Kaspersky Security 10 for Mobile on the administrator's workstation (see page 24).
   d. Creating groups of mobile devices as part of managed computers in the system of Kaspersky Security Center (see page 25). Devices with Kaspersky Security 10 for Mobile installed are moved to these groups either manually or according to automatic transfer rules.
   e. Creating a rule for allocating mobile devices to a group automatically (see page 25).
   f. Creating a group policy for managing Kaspersky Security 10 for Mobile settings (see page 27).
   g. Creating the installation package for the Kaspersky Security 10 for Mobile remote installation task (see page 40).
   h. Configuring the settings of the installation package for the Kaspersky Security 10 for Mobile remote installation task (see page 41).

2. Installing the application on devices:
   a. Creating a remote installation task (see page 52) for delivering the Kaspersky Security 10 for Mobile distribution package to users' workstations and installing the utility for uploading the distribution package to mobile devices.
   b. Uploading the application distribution package to the mobile device. At this step, the user uses the kmlisten.exe utility to copy the application distribution package to the mobile device (see section "Delivering the application distribution kit to mobile devices using the workstation" on page 54).
   c. Installing the application on the mobile device. At this stage, the user installs the application on the mobile device (see page 54).

3. Preparing the application for use on devices: Activating the application on mobile devices of users (see page 61).

DEPLOYMENT VIA GOOGLE PLAY

Direct download of the installation file to the device can be used when users find it more convenient to install the application on their own, for example by downloading the installation file from Google Play. In this case, you do not have to prepare the application distribution file, as users specify the settings of the connection to Administration Server on their own at first application startup (see section "Preparing the application for use on the device" on page 60).

This deployment model consists of the following steps:

1. Preparing for application installation:
   a. Installing the Mobile devices support component in Kaspersky Security Center. The certificate of Administration Server for mobile devices is created at this step (see page 23).
   b. Configuring the mobile device connection settings. At this step, the mobile device connection settings are configured in the properties of Administration Server to ensure synchronization of mobile devices with Administration Server (see page 24).
   c. Installing the Administration Plug-in of Kaspersky Security 10 for Mobile on the administrator's workstation (see page 24).
   d. Creating groups of mobile devices as part of managed computers in the system of Kaspersky Security Center (see page 25). Devices with Kaspersky Security 10 for Mobile installed are moved to these groups either manually or according to automatic transfer rules.
   e. Creating a rule for allocating mobile devices to a group automatically (see page 25).
   f. Creating a group policy for managing Kaspersky Security 10 for Mobile settings (see page 27).
2. Installing the application on devices: installing the application on a mobile device. At this stage, the user installs the application on the mobile device (see page 54).

3. Preparing the application for use on devices:
   a. Performing initial configuration of the application. At this step, the user specifies the settings of the mobile device connection to Administration Server (see section "Preparing the application for use on the device" on page 60).
   b. Activating the application on mobile devices of users (see page 61).

APPLICATION DEPLOYMENT MODELS FOR IOS DEVICES

The application can be installed on iOS devices either by the administrator when connecting such iOS devices to the iOS MDM server (see section "Application deployment model for iOS devices" on page 20) or by users, who can download the app directly from Apple Store (see section "Deployment via Apple Store" on page 21).

IN THIS SECTION
- Application deployment model for iOS devices
- Deployment via Apple Store

APPLICATION DEPLOYMENT MODEL FOR IOS DEVICES

To install Kaspersky Security on users' iOS mobile devices, the iOS MDM server must be deployed at Kaspersky Security Center. The iOS MDM server is included in the Administration Server installation packages if a license covering the Mobile device management functionality has been purchased. See the Kaspersky Security Center Deployment Guide for details on installing the iOS MDM server.

Administration Server controls iOS mobile devices by means of the iOS MDM mobile device server. Centralized management of the app settings is performed using policies applied to groups of managed devices.

This deployment model consists of the following steps:

1. Preparing for application installation:
   a. Installing the Mobile devices support component in Kaspersky Security Center. The certificate of Administration Server for mobile devices is created at this step (see page 23).
   b. Configuring the mobile device connection settings. At this step, the mobile device connection settings are configured in the properties of Administration Server to ensure synchronization of mobile devices with Administration Server (see page 24).
   c. Installing the Administration Plug-in of Kaspersky Security 10 for Mobile on the administrator's workstation (see page 24).
   d. Creating groups of mobile devices as part of managed computers in the system of Kaspersky Security Center (see page 25). Devices with Kaspersky Security 10 for Mobile installed are moved to these groups either manually or according to automatic transfer rules.
   e. Creating a rule for allocating mobile devices to a group automatically (see page 25).
   f. Creating a group policy for managing Kaspersky Security 10 for Mobile settings (see page 27).
   g. Configuring the Kaspersky Security Center interface for managing mobile devices (see page 41).
   h. Getting the Apple Push Notification Certificate (hereinafter the "APN certificate") (see page 42).
   i. Installing the APN certificate on the iOS MDM server (see page 42). Data from the APN certificate is required to create a correct MDM profile. Only after installing the APN certificate can you be sure that commands will be delivered to devices in a timely manner.
   j. Creating an iOS MDM profile and delivering it to user devices (see page 42).

2. Installing the application on devices:
   a. Getting a Developer Certificate (see page 55).
   b. Creating a provisioning profile (see page 55) that allows installation of third-party apps on devices.
   c. Signing the application distribution kit (see page 56).
   d. Installing the application on a user's iOS device (see page 57).

3. Preparing the application for use on devices:
   a. Performing initial configuration of the application on user devices. At this step, the user specifies the settings of the connection to Administration Server (see section "Preparing the application for use on the device" on page 60).
   b. Activating the application on mobile devices of users (see page 61).

DEPLOYMENT VIA APPLE STORE

Direct download of the installation file to the device can be used when users find it more convenient to install the application on their own, for example by copying the installation file from Apple Store. In this case, the administrator does not prepare the distribution kit, and the user independently configures the connection to Administration Server at first launch of the application.

This deployment model consists of the following steps:

1. Preparing for application installation:
   a. Installing the Mobile devices support component in Kaspersky Security Center. The certificate of Administration Server for mobile devices is created at this step (see page 23).
   b. Configuring the mobile device connection settings. At this step, the mobile device connection settings are configured in the properties of Administration Server to ensure synchronization of mobile devices with Administration Server (see page 24).
   c. Installing the Administration Plug-in of Kaspersky Security 10 for Mobile on the administrator's workstation (see page 24).
   d. Creating groups of mobile devices as part of managed computers in the system of Kaspersky Security Center (see page 25). Devices with Kaspersky Security 10 for Mobile installed are moved to these groups either manually or according to automatic transfer rules.
   e. Creating a rule for allocating mobile devices to a group automatically (see page 25).
   f. Creating a group policy for managing Kaspersky Security 10 for Mobile settings (see page 27).

2. Installing the application on devices: installing the application on a mobile device. At this stage, the user installs the application on the mobile device (see page 58).
3. Preparing the application for use on devices:
   a. Performing initial configuration of the application. At this stage, the user specifies the settings of the mobile device connection to Administration Server (see page 60).
   b. Activating the application on mobile devices of users (see page 61).

APPLICATION DEPLOYMENT MODEL FOR BLACKBERRY, SYMBIAN, AND WINDOWS MOBILE DEVICES

The Kaspersky Security 10 for Mobile distribution kit contains application distribution packages for different operating systems (see the Distribution kit section on page 13). The version for the BlackBerry, Symbian and Windows Mobile platforms includes Kaspersky Endpoint Security 8.0 for Smartphone distribution packages.

The Kaspersky Security 10 for Mobile control plug-in installed in the remote administration system of Kaspersky Security Center supports management of devices with Kaspersky Endpoint Security 8.0 for Smartphone.

The application deployment model for Blackberry, Symbian, and Windows Mobile devices consists of the following steps:

1. Preparing for application installation:
   a. Installing the Mobile devices support component in Kaspersky Security Center. The certificate of Administration Server for mobile devices is created at this step (see page 23).
   b. Configuring the mobile device connection settings. At this step, the mobile device connection settings are configured in the properties of Administration Server to ensure synchronization of mobile devices with Administration Server (see page 24).
   c. Installing the Administration Plug-in of Kaspersky Security 10 for Mobile on the administrator's workstation (see page 24).
   d. Creating groups of mobile devices as part of managed computers in the system of Kaspersky Security Center (see page 25). Devices with Kaspersky Security 10 for Mobile installed are moved to these groups either manually or according to automatic transfer rules.
   e. Creating a rule for allocating mobile devices to a group automatically (see page 25).
   f. Creating a group policy for managing Kaspersky Security 10 for Mobile settings (see page 27).
   g. Creating the installation package for the Kaspersky Security 10 for Mobile remote installation task (see page 40).
   h. Configuring the settings of the installation package for the Kaspersky Security 10 for Mobile remote installation task (see page 41).

2. Installing the application on devices:
   a. Creating a remote installation task for delivering the Kaspersky Endpoint Security 8.0 for Smartphone distribution package to users' workstations and installing the utility for uploading the distribution package to mobile devices.
   b. Delivery of the application distribution package to the mobile device. At this stage, the user copies the application distribution package to the mobile device by using the utility kmlisten.exe.
   c. Installing the application on the mobile device. At this stage, the user installs the application on the mobile device.

3. Preparing the application for use on devices: Activating the application on mobile devices of users (see page 61).
PREPARING FOR APPLICATION INSTALLATION

Before deploying Kaspersky Security, you need to configure mobile device management via Kaspersky Security Center.

To configure mobile device management, follow the steps below:

1. Install or check that the following Kaspersky Security Center components are installed on the corporate network: Administration Server and Management Console (see the Kaspersky Security Center Deployment Guide).
2. Check that the installed components meet the software requirements for Kaspersky Security 10 for Mobile installation (see the Hardware and software requirements section on page 14).

When installing Administration Server (see section Installing the Mobile devices support component on page 23), the Mobile devices support component must be enabled. It is used for managing the protection of mobile devices via Kaspersky Security Center. If this component has not been installed or the Administration Server version does not meet the requirements for installation of Kaspersky Security 10 for Mobile, the administrator must delete the old component version and install the version that is specified in the software requirements after backing up Administration Server data.

IN THIS SECTION
- Installing the Mobile devices support component
- Upgrading the version of the Administration Server component
- Configuring the mobile device connection settings
- Installation of Administration Plug-in for Kaspersky Security for Mobile
- Creating groups
- Creating a rule for device automatic allocating to administration groups
- Creating a group policy for Kaspersky Security 10 for Mobile
- Preparing for installation on Android devices
- Preparing for installation on iOS devices

INSTALLING THE MOBILE DEVICES SUPPORT COMPONENT

To manage the protection of mobile devices via Kaspersky Security Center, select the Mobile devices support check box at the Component selection stage during Administration Server deployment.

When installing Support of Mobile Devices, the Administration Server certificate for mobile devices is created. The certificate is used to authenticate mobile devices during data exchange with the Administration Server. The SSL (Secure Socket Layer) protocol is used for data exchange. Connection between the Administration Server and mobile devices cannot be established without the certificate for mobile devices on the Administration Server.

The certificate for mobile devices is stored in the Cert subfolder, in the Kaspersky Security Center installation folder. When the mobile device is synchronized with the Administration Server for the first time, the copy of the certificate is delivered to the device and is stored locally.
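A check an administrator can run before sending installation packages to users, added here as an example and not taken from the Kaspersky guide: it compares the certificate presented on the port for mobile devices with a copy of the certificate file taken from the Cert subfolder. The host, port and file path are supplied by the operator; that the port presents this same certificate in its SSL handshake, and that the file is X.509 in PEM or DER form, are assumptions.

```python
"""Compare the certificate served to mobile devices with a reference copy.

Added example, not Kaspersky code. Assumptions: the reference file is an
X.509 certificate (PEM or DER) and the server presents it in the handshake.
"""
import hashlib
import socket
import ssl
import sys
from pathlib import Path

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def to_der(cert_bytes: bytes) -> bytes:
    """Return DER bytes for a certificate given as PEM or DER."""
    text = cert_bytes.decode("latin-1")
    start = text.find(PEM_HEADER)
    if start == -1:
        return cert_bytes  # no PEM armour, so treat the input as DER
    end = text.find(PEM_FOOTER, start)
    if end == -1:
        raise ValueError("PEM header without a matching footer")
    # Slice out the armoured block so leading text in the file is ignored.
    return ssl.PEM_cert_to_DER_cert(text[start:end + len(PEM_FOOTER)])


def fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 fingerprint (hex) of the DER encoding of a certificate."""
    return hashlib.sha256(to_der(cert_bytes)).hexdigest()


def same_certificate(reference: bytes, served_der: bytes) -> bool:
    """True when the reference file and the served certificate are identical."""
    return fingerprint(reference) == fingerprint(served_der)


def fetch_served_certificate(host: str, port: int, timeout: float = 10.0) -> bytes:
    """Return the DER certificate the server presents on host:port.

    Chain validation is switched off on purpose: the certificate is expected
    to be self-issued, and trust is decided by the fingerprint comparison.
    A handshake failure here (closed port, unsupported protocol version) is
    itself a finding, because devices would hit the same problem.
    """
    context = ssl.create_default_context()
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def main(argv: list) -> int:
    if len(argv) != 4:
        print("usage: check_cert.py HOST PORT REFERENCE_CERT_FILE")
        return 2
    host, port, reference_path = argv[1], int(argv[2]), argv[3]
    reference = Path(reference_path).read_bytes()
    served = fetch_served_certificate(host, port)
    print("reference:", fingerprint(reference))
    print("served:   ", fingerprint(served))
    if same_certificate(reference, served):
        print("OK: the port presents the reference certificate")
        return 0
    print("MISMATCH: do not distribute packages until this is explained")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a network segment the devices will use, so that the result also reflects any firewall or proxy that sits between the devices and the server.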
UPGRADING THE VERSION OF THE ADMINISTRATION SERVER COMPONENT

If the Support of Mobile Devices check box was not selected during Administration Server installation or an outdated Kaspersky Security Center version that does not support interaction with the Kaspersky Security 10 for Mobile application was installed, you need to upgrade the installed version of Administration Server.

To upgrade the installed version of Administration Server, follow the steps below:

1. Back up the Administration Server data (see Kaspersky Security Center Administrator's Guide).
2. Install the Administration Server version that is specified in the software requirements for the Kaspersky Security 10 for Mobile installation (see the Hardware and software requirements section on page 14).
3. At the Selecting components step, select the Support of Mobile Devices check box. You cannot administer mobile device protection via Kaspersky Security Center if the Administration Server does not support mobile devices.
4. Restore the Administration Server data from the backup copy (see Kaspersky Security Center Administrator's Guide).

CONFIGURING THE MOBILE DEVICE CONNECTION SETTINGS

To ensure synchronization of mobile devices with the Administration Server before the Kaspersky Security 10 for Mobile installation, you need to configure the connection settings for mobile devices in the Administration Server properties.

To configure connection settings for mobile devices in the Administration Server properties, follow the steps below:

1. In the console tree, select the Administration Server to which the mobile devices will be connected.
2. Open the context menu and select the Properties command. The Administration Server settings window opens.
3. Open the Settings section.
4. In the Administration Server connection settings section, select the Open port for mobile devices check box.
5. In the Port for mobile devices field, specify the port which will be used by the Administration Server for connection of mobile devices. Port is used by default.

If the check box is cleared or the port is specified incorrectly, devices will be unable to connect to the server and transmit or receive data.

INSTALLING THE ADMINISTRATION PLUG-IN FOR KASPERSKY SECURITY FOR MOBILE

To gain access to the application administration interface via Kaspersky Security Center, you need to install the administration plug-in for Kaspersky Security 10 for Mobile on the administrator's workstation.
To install the administration plug-in for Kaspersky Security 10 for Mobile, copy klcfinst.exe, the plug-in installation file, from the application distribution kit and run it on the administrator's workstation.

The installation is performed by the wizard, and you do not need to configure the settings.

To check that the plug-in for Kaspersky Security 10 for Mobile is installed, you can view the list of the installed application administration plug-ins in the Advanced section in the Administration Server Properties window.

CREATING A GROUP

To perform centralized configuration of the Kaspersky Security application installed on the users' mobile devices, the group policies must be applied to the devices.

To apply the policy to a device group, you are advised to create a separate group for the devices in the Managed computers folder before Kaspersky Security is installed on users' devices. Then, you need to configure the option to allocate devices on which you want to install Kaspersky Security to this group automatically (see the Creating a rule to allocate devices to administration groups automatically section on page 25). Then configure settings that are common to all devices using a group policy (see page 27).

To create a group, follow the steps below:

1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. In the console tree, select the Managed computers folder.
3. If you want to create a subgroup of the existing group, in the Managed computers folder, select a subfolder in which you want to create a subgroup.
4. Create the group using one of the following methods:
   - In the context menu of the Managed computers folder, or in the context menu of the subfolder, select Create Group.
   - In the workspace of the Managed computers folder or in the subfolder, select the Groups tab and open the window by clicking the Create subgroup link.
5. In the Group name window type the group name and click OK.

A new administration group folder with the specified name appears in the console tree.

If you use workstations to install Kaspersky Security on mobile devices, you can create a group for workstations on Administration Server. To do so, select the workstations to which users connect their mobile devices for installation, create an administration group, and move the selected workstations to this group. You can then create a group task for this group in order to perform remote installation of Kaspersky Security. In this way, you can install the application through all workstations belonging to the group at once.

For more detailed information on use of administration groups, see Kaspersky Security Center Administrator's Guide.

CREATING A RULE FOR DEVICE AUTOMATIC ALLOCATING TO ADMINISTRATION GROUPS

You can administrate the settings of Kaspersky Security installed on users' mobile devices centrally only if the devices belong to a previously created administration group (see page 25) in the Managed computers node, for which a group policy has been configured (see page 27).
If the rule to allocate mobile devices detected on the network to groups automatically is not defined, during the first synchronization of the device with the Administration Server, it is automatically sent to the KSM10 subfolder of the Domains folder that is included in the Unassigned computers folder. A group policy (see page 27) does not apply to this device.

The administrator can configure automatic allocating of mobile devices from the Unassigned computers folder to the specified group of the Managed computers folder.

To create the rule for automatic allocating of mobile devices to groups, follow the steps below:

1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. In the console tree, select the Unassigned computers folder.
3. Open the Settings for the Unassigned computers folder using one of the following methods:
   - In the context menu of the Unassigned computers folder, select Properties.
   - Open the window by clicking the Configure rules of computer allocation to administration groups link in the workspace of the folder.
   The Properties: Unassigned computers window appears.
4. In the Computer relocation section, click Add to start the process of creating the rule for automatic allocating of devices to administration groups. The New rule window appears.
5. In the General section, provide the following data:
   - Type the rule name.
   - Specify the group to which mobile devices should be allocated after Kaspersky Security has been installed on them. To do so, click Select to the right of the Group to move computers to field and select the group from the window that appears.
   - In the Rule application section, select Run once for each computer.
   - Select the Move only computers not added to administration groups check box to prevent allocating to the selected group the mobile devices that were allocated to other administration groups when applying the rule.
   - Select the Enable rule check box, so that the rule can be applied to newly detected devices.
6. In the Applications section, select one or several types of operating systems of the devices to be allocated to the specified group: Android, BlackBerry, iOS, Symbian, or Windows Mobile.
7. Press the OK button.

The rule has been created, enabled and is shown in the list of device allocating rules (see the Computer relocation section in the Properties window of the Unassigned computers folder).

According to the rule, the application allocates all devices that meet the specified requirements from the Unassigned computers folder to the selected group. The mobile devices which were earlier allocated to the Unassigned computers folder can also be allocated to the required group of the Managed computers node manually. For more detailed information on administration groups management and actions with undistributed devices, see Kaspersky Security Center Administrator's Guide.
CREATING A GROUP POLICY FOR KASPERSKY SECURITY 10 FOR MOBILE

This section describes how to create a policy for devices with Kaspersky Security 10 for Mobile. The procedure for creating a policy and configuring its settings for BlackBerry, Symbian, and Windows Mobile devices is described in the Guide to Deploying Kaspersky Endpoint Security 8 for Smartphone.

All settings for Kaspersky Security use on devices, including data for the application activation, the application bases update schedule, the device scan schedule, and filtering settings are defined by the group policy or by local application settings on the device. Using policies, you can centrally set identical settings values for all mobile devices in the administration group. For detailed information on policies and groups, see Kaspersky Security Center Administrator's Guide.

The lock attribute indicates whether or not the settings can be edited in the local application settings via the Administration Console and via the application interface on the mobile device. If the lock attribute appears as settings can be edited in local application settings., the Information on the application settings defined in policy is stored on the Administration Server and is transferred to mobile devices during synchronization.

The user can edit settings defined by policies on the mobile device if it is allowed by policies. When a policy expires or is removed, the application settings configured in the policy do not change. After that, the user can change the settings manually.

Policies created for the devices in the administration group are shown in the work area of the group on the Policies tab. The icon indicating the policy status appears before the policy name. You can create several policies applied to one group for Kaspersky Security 10 for Mobile, as well as for other apps, but only one of them can be active. When a new active policy is created, the previous active policy becomes inactive.

When creating a policy, you configure the minimum set of settings without which the application cannot be used. Other settings values are set by default and correspond to default values for the local application installation. You can modify a policy after it is created.

To create a policy for Kaspersky Security 10 for Mobile, follow the steps below:

1. From the console tree, select an administration group for which you want to create a policy.
2. In the workspace of the group, select the Policies tab.
3. Click the Create policy link.

This starts the Policy Wizard. Follow the instructions of the Wizard. Use the Next button to navigate the windows of the wizard. Click Cancel to exit the Wizard and close the policy window. Policy creation is aborted.

STEP 1. CHOOSE A GROUP POLICY NAME FOR THE APPLICATION

At this step, type the name for the new policy in the Name field. If you specify the name of an existing policy, it will have (1) added at the end automatically.

Proceed to the next step of the Policy Wizard.

STEP 2. CHOOSE AN APPLICATION FOR CREATING A GROUP POLICY

At this step, select Kaspersky Security 10 for Mobile in the list of applications.
28 I M P L E M E N T A T I O N G U I D E A policy for Kaspersky Security can only be created if the management plug-in for this application is installed on the administrator's workstation. If the plug-in is not installed, the application name will not appear in the list of applications. Proceed to the next step of the Policy Wizard. STEP 3. CONFIGURE DEVICE SCAN SETTINGS At this step, the Wizard offers you to specify the device scan settings: the type of files to be scanned, the action to be taken on detection of an infected object, and the scan schedule. Device scan settings can be configured only on Android, Symbian, and Windows Mobile devices. By default, Kaspersky Security scans all files stored in device memory and on the memory expansion card, including the contents of archives. On detecting an infected object, the application attempts to disinfect it. If disinfection fails, the application moves the object to Quarantine. The scheduled full scan is not performed. If necessary, you can edit the device scan settings. Configure the following settings in the Device scan settings section: Scan executable files only Scanning of executable files only. If this check box is selected, Kaspersky Security scans only executable files of the following formats: EXE, DLL, MDL, APP, APK, RDL, PRT, PXT, LDD, PDD, CLASS, SO, ELF. If the check box is cleared, Kaspersky Security scans all types of files. This check box is selected by default. Scan archives Scanning of files in archives. If the check box is selected, Kaspersky Security scans all files, including the contents of archives. Depending on the operating system, the application can scan archives in the following formats: For Windows Mobile ZIP, JAR, JAD, and CAB For Symbian OS ZIP, JAR, JAD, SIS, and SISX For Android OS ZIP, JAR, JAD, SIS, SISX, CAB, and APK If the check box is cleared, Kaspersky Security does not unpack and scan archives. This check box is selected by default. 

Disinfect files, if possible
Automatic disinfection of detected malicious objects. If the check box is selected, Kaspersky Security attempts to disinfect a malicious object. If disinfection fails, the application performs the action that is specified in the Device scan settings section for objects that cannot be disinfected. If the check box is cleared, on detecting a threat Kaspersky Security performs the action selected in the Device scan settings section. This check box is selected by default.

The Scheduled scan section lets you configure the automatic launch of the full scan of the device file system. To do so, click the Schedule button and specify the frequency of the full scan in the Schedule window.

Proceed to the next step of the Policy Wizard.
STEP 4. CONFIGURING PROTECTION SETTINGS

At this step, the Wizard prompts you to configure the protection of the device file system.

Device protection settings can be configured only on Android, Symbian, and Windows Mobile devices.

Protection is enabled by default. Additional features for Android devices include additional scanning of new apps using the Kaspersky Security Network cloud service as well as detection of adware and legitimate apps that can be exploited by intruders to harm the device or user data. On detecting an infected object, Kaspersky Security attempts to disinfect it. If disinfection fails, the application moves the object to Quarantine. If necessary, you can edit the real-time protection settings.

Configure the following settings in the Protection section:

Enable Protection
Constant protection of the user's mobile device against threats. If the check box is selected, Kaspersky Security scans the following objects, depending on the operating system of the device:
On Windows Mobile and Symbian devices: all apps that are started and files opened or saved by the user on the device.
On Android devices: new apps only. Kaspersky Security scans new apps only once, immediately after their installation. Select the Extended protection mode check box to enable protection of the file system of an Android device.
If the check box is cleared, protection of the mobile device is disabled. This check box is selected by default.

Extended protection mode
Enables the extended protection mode on Android devices. If the check box is selected, the application scans all files that the user opens, modifies, moves, copies, starts, or saves on the device, as well as newly installed apps. If the check box is cleared, Kaspersky Security does not scan the file system and newly installed apps. This check box is cleared by default.

Use Kaspersky Security Network for scanning
Additional scanning of newly installed applications before their first launch on the user's device using the Kaspersky Security Network cloud service (a dedicated Kaspersky Lab online service that contains information about the reliability of files, applications, and web resources). Cloud-enabled scanning protects data against new and unknown threats. If the check box is selected, Kaspersky Security uses the Kaspersky Security Network cloud service to carry out additional checks on newly installed programs before they are run for the first time. If this check box is cleared, Kaspersky Security does not carry out additional checks. This check box is selected by default.

Adware, dialers, and other
Detection of adware and legitimate apps that can be used by criminals to damage your computer or personal data. This category may include apps that request access to identity data, attempt to send SMS messages, or determine device coordinates. If the check box is selected, Kaspersky Security detects and blocks the activity of applications in these categories. If the check box is cleared, Kaspersky Security skips applications in these categories. This check box is selected by default.

To enable the scanning of executable files, select the Scan executable files only check box in the Protection settings section.
Scanning of executable files only. If this check box is selected, Kaspersky Security scans only executable files of the following formats: EXE, DLL, MDL, APP, APK, RDL, PRT, PXT, LDD, PDD, CLASS, SO, ELF. If the check box is cleared, Kaspersky Security scans all types of files. This check box is selected by default.

Choose one of the following options in the Action if disinfection fails list:
Delete. Kaspersky Security deletes malicious objects without notifying the user.
Skip. Kaspersky Security keeps malicious objects unchanged and records information about their detection in the application log. The application blocks access to an object when an attempt to access it (such as copying or opening) is made. The application performs the Skip action on Android devices: it skips malicious objects without deleting them from the device.
Quarantine. Kaspersky Security blocks and quarantines malicious objects that have been detected. This action is selected by default.

Proceed to the next step of the Policy Wizard.

STEP 5. CONFIGURING UPDATE SETTINGS

At this step, the Wizard prompts you to configure the settings of anti-virus database updates on the user's device: specify the update source, schedule updates, and configure database update settings for when the device is roaming.

Application database update settings can be configured only on Android, Symbian, and Windows Mobile devices.

By default, application database updates are disabled for when the device is roaming. Scheduled updates of application databases are not performed. If necessary, you can edit the update settings.

If you want Kaspersky Security to download database updates according to the update schedule when the device is roaming, select the Allow updating in roaming check box in the Update in roaming section.
Whichever value is set, the user can manually start an anti-virus database update when the device is roaming. This setting does not apply to Android devices, as anti-virus database updates are unavailable on Android devices in roaming mode.

In the Update source section, specify the value of the Update server address setting.
Source of application database updates from which Kaspersky Security receives updates to be propagated to mobile devices of users. You can use the following update sources:
Kaspersky Lab update servers. To this end, specify KLServers.
A different update server. To this end, specify the address of the HTTP server, such as
The folder structure of the source of updates must be the same as that of the Kaspersky Lab update servers.

In the Scheduled update section, configure the settings of the anti-virus database update launch on the user's device. To do so, click the Schedule button and specify the frequency of updates in the Schedule window.

Proceed to the next step of the Policy Wizard.
STEP 6. CONFIGURING ANTI-THEFT SETTINGS

At this step, the Wizard prompts you to configure the settings of the Anti-Theft feature that protects data on the user's mobile device if it gets lost or stolen. The Anti-Theft component implements the following functions: Data Wipe, Device Lock, SIM Watch, and Locate.

The settings of all functions apply to Android, BlackBerry, Symbian, and Windows Mobile devices.

All functions of the Anti-Theft component are enabled by default. If necessary, you can edit the settings of Anti-Theft functions or disable them.

To use the Locate function, select the Locate check box.
Usage of the Locate function. If the check box is selected, Kaspersky Security makes it possible to remotely determine the geographic coordinates of the device and receive them via SMS or at the specified e-mail address. By default, the application sends the device's coordinates in an SMS to the telephone number from which the special SMS command was sent.
This function is engaged on the user's device by the administrator's command received via SMS or during synchronization with Administration Server. When engaging the function via SMS, the administrator has to specify a one-time code. The one-time code appears in the local properties of the application in the Anti-Theft section. An SMS with the following text should be sent:
locate:<one-time code>
If the check box is cleared, the Locate feature is disabled. This check box is selected by default.

Proceed to configure the settings of the Locate function. To this end, in the field below specify the address to which the application will send a message containing the current phone number when the SIM card is replaced.

To use the SIM Watch function, select the Enable SIM Watch check box.
Usage of the SIM Watch feature.
If the check box is selected, Kaspersky Security makes it possible to lock the mobile device remotely when the SIM card is replaced or when the device is switched on without a SIM card. The user can specify a telephone number and/or e-mail address to which the new telephone number will be sent, as well as enable a feature that locks the device when the SIM card is replaced. If the check box is cleared, the SIM Watch function is disabled. This check box is selected by default.

Proceed to configure the settings of the SIM Watch function. To do so, configure the following settings in the fields below:

Send message to e-mail address
E-mail address to which the application sends a message containing the current phone number in the event the SIM card is replaced.

Send SMS to phone number
Telephone number to which the application sends an SMS with the new telephone number if the SIM card is replaced. The phone number may begin with a digit or with a "+", and must contain digits only. It is recommended to specify the number in the format used by the administrator's cellular operator.

To use the Device Lock function, select the Enable Device Lock check box.

Proceed to configure the settings of the Device Lock function. To do so, configure the following settings in the fields below:

Lock when SIM card replaced
The mobile device is locked if the SIM card is replaced or if the device is turned on without a SIM card. To unlock the device, the user must enter the one-time code received from the administrator. If the check box is selected, Kaspersky Security locks the device if the SIM card is replaced. You can specify the text to be displayed on the device screen when it is locked. A standard message is displayed by default. If the check box is cleared, the application does not lock the device if the SIM card is replaced. This check box is cleared by default.

Text when locked

To use the Data Wipe function, select the Enable Data Wipe check box.
Usage of the Data Wipe feature. If the check box is selected, Kaspersky Security makes it possible to remove personal and corporate data from the device or wipe all data remotely. Data is deleted permanently.
This function is engaged on the user's device by the administrator's command received via SMS or during synchronization with Administration Server. When engaging the function via SMS, the administrator has to specify a one-time code. The one-time code appears in the local properties of the application in the Anti-Theft section. An SMS with the following text has to be sent:
fullreset:<one-time code> to wipe all data
wipe:<one-time code> to wipe personal and corporate data
If the check box is cleared, the Data Wipe function is disabled. This check box is selected by default.

Proceed to configure the following settings:
To delete personal and corporate data from the user's mobile device remotely, select the Delete corporate data check box.
To delete all data from the user's mobile device remotely, select the Delete all data check box.

Proceed to the next step of the Policy Wizard.

STEP 7. CONFIGURING NETWORK SETTINGS

At this step, the Wizard prompts you to configure the settings of device synchronization with the Administration Server and the filter settings for inbound and outbound connections.

By default, mobile devices are synchronized with the Administration Server automatically every 6 hours. Automatic synchronization is enabled for when the device is roaming. Firewall is disabled for Windows Mobile and Symbian devices: network activity is unrestricted. Web Protection is enabled for Android and iOS devices: user access to websites in the Phishing and Malware categories is blocked. If necessary, you can edit the network settings.

The settings of the connection to the Administration Server can be configured on Android, Symbian, Windows Mobile, and iOS devices.

Configure the following settings in the Administration Server connection settings section:

Synchronize
Drop-down list that lets you specify the frequency of mobile device synchronization with the Administration Server. The connection is established via HTTP. Available values:
Every 15 minutes.
Every hour.
Every 3 hours.
Every 6 hours.
Every 12 hours.
Every day.
Every week.
A synchronization period of Every 6 hours is selected by default.

To block automatic synchronization with the Administration Server when the device is roaming, select the Do not synchronize in roaming check box. The option to block synchronization in roaming mode is unavailable for Android devices.

Firewall settings can be configured only on Windows Mobile and Symbian devices.

Configure the following settings in the Firewall section:

Firewall mode
A drop-down list showing the security modes of Firewall. The Firewall determines the permitted and blocked connections according to the mode. Available values:
Off: any network activity is allowed. The Firewall is switched off.
Minimum protection: only incoming connections are blocked. Outgoing connections are allowed.
Maximum protection: all incoming connections are blocked. The user can check e-mail, view websites, and download files. Outgoing connections can only be established using SSH, HTTP, HTTPS, IMAP, SMTP, POP3 ports.
Block all: blocks any network activity except anti-virus database updates and connections to the Administration Server.
By default, Firewall is disabled.

If you want the application to notify the user about blocked connections on the user's mobile device, select the Notify user about blocked connections check box.

Web Protection settings can be configured only on Android and iOS devices.

Configure the following settings in the Web Protection section:
To lift content-based restrictions on user access to websites, clear the Enable Web Protection check box.
Click the Categories button, and in the Website categories to be blocked window that opens select the categories of websites that the application will block.

Proceed to the next step of the Policy Wizard.

STEP 8. CONFIGURING APP CONTROL

At this step, the Wizard prompts you to configure App Control: specify the app launch settings and select the action to be performed by Kaspersky Security on an attempt to hack into the user's device.

App Control settings can be configured only on Android devices.

By default, the app launch restriction mode is set to Blocked apps. On detecting that the system of the user's device has been accessed with administrator privileges, Kaspersky Security generates the report Administrator privileges have been granted on the device. Reports on attempts to launch blocked apps and reports on apps installed on the user's mobile device are disabled. If necessary, you can edit the App Control settings.

You can perform the following in the App Control section:

Configure the Mode setting.
Drop-down list to select the restriction mode for applications launched on the user's device. Available values:
Blocked apps. The user can launch all apps except the ones that are designated as Blocked in the App list.
Allowed apps. The user can launch only those apps that are designated as Allowed in the App list.
The Blocked apps mode is selected by default.

If you want the application to generate the Blocked app installed report during device synchronization with the Administration Server, select the Do not block prohibited applications, report only check box.

Click the Add button to create a list of apps. Specify the following settings in the App window that opens:

App type
Drop-down list that lets you select the type of application. Available values:
Blocked. The application is blocked from launching on the user's mobile device. Only non-system applications can be blocked from launching.
Allowed. The application is allowed to launch on the user's mobile device.
Required. The application that the user is advised to install on the mobile device. Kaspersky Security automatically copies the setup package of the mobile app to the user's device using the link or path specified in the Link to APK file field.

Application package
System name of a mobile app package. You can specify a mobile app package using the Select button. This is a required field.

Application name
Name of the mobile app package that is shown in the Application list on the user's device.

Link to APK file
Web address of the HTTP server in the format. The administrator posts the mobile app package at this web address for the user to download. The administrator can specify the web address of the Kaspersky Security Center server or a different HTTP server.

To edit the settings of a black-listed app, click the Edit button.
To remove an app from the list, click the Delete button.

Perform the following in the Action in case of root detection section:

Configure the Action in case of root detection setting.
Drop-down list that lets you select the action to be taken by Kaspersky Security when the user's mobile device is hacked. Available values:
Report only. The application generates the Device accessed with administrator privileges report that can be viewed in the Administration Console of Kaspersky Security Center or in local properties of the application. This setting applies to Android and iOS devices.
Block containers. The application blocks the launch of containers. This setting applies to Android and iOS devices.
Clear corporate data. The application clears all data of the container. This setting applies to Android devices only.
Clear all data from the device. The application wipes all data and resets the settings of the user's mobile device. This setting applies to Android devices only.

If you want the application to generate the List of installed apps report during device synchronization with the Administration Server, select the Request list of apps installed on device check box.

Proceed to the next step of the Policy Wizard.
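
The launch rules from the App Control section above, modelled as an added example (not Kaspersky code): it shows that Blocked apps mode lets every unlisted app run, while Allowed apps mode does not. The function, field and package names are hypothetical, and the handling of Required entries and system apps in Allowed apps mode is an assumption, since the guide does not specify it.

```python
from dataclasses import dataclass

# App types, modes and the report name as given in the App Control section.
BLOCKED, ALLOWED, REQUIRED = "Blocked", "Allowed", "Required"
MODE_BLOCKED_APPS, MODE_ALLOWED_APPS = "Blocked apps", "Allowed apps"
REPORT_BLOCKED_INSTALLED = "Blocked app installed"


@dataclass(frozen=True)
class AppEntry:
    """One row of the App list (field names are hypothetical)."""
    package: str        # "Application package": system name of the package
    app_type: str       # Blocked, Allowed or Required
    apk_link: str = ""  # "Link to APK file", used for Required apps


def launch_verdict(mode, app_list, package, is_system=False, report_only=False):
    """Return (action, report): action is "launch" or "block"."""
    types = {entry.package: entry.app_type for entry in app_list}
    if mode == MODE_BLOCKED_APPS:
        # Denylist: only entries typed Blocked are prohibited.
        prohibited = types.get(package) == BLOCKED
    elif mode == MODE_ALLOWED_APPS:
        # Allowlist, read literally: only entries typed Allowed may run.
        # Counting Required entries as not Allowed is an assumption.
        prohibited = types.get(package) != ALLOWED
    else:
        raise ValueError(f"unknown App Control mode: {mode!r}")

    # The guide says only non-system apps can be blocked from launching;
    # applying that in Allowed apps mode too is an assumption.
    if is_system or not prohibited:
        return ("launch", None)
    if report_only:
        # "Do not block prohibited applications, report only". The guide
        # generates the report at synchronization; it is returned here
        # with the verdict to keep the model small.
        return ("launch", REPORT_BLOCKED_INSTALLED)
    return ("block", None)


def compare_modes(app_list, installed):
    """Map each installed package to its action under both modes."""
    return {
        package: tuple(
            launch_verdict(mode, app_list, package, is_system)[0]
            for mode in (MODE_BLOCKED_APPS, MODE_ALLOWED_APPS)
        )
        for package, is_system in installed.items()
    }


def missing_required(app_list, installed):
    """Required packages that are not installed on the device."""
    return sorted(
        entry.package for entry in app_list
        if entry.app_type == REQUIRED and entry.package not in installed
    )


# Constructed sample data: an App list and a device inventory
# (package name -> is it a system app).
SAMPLE_APP_LIST = [
    AppEntry("com.example.game", BLOCKED),
    AppEntry("com.example.mail", ALLOWED),
    AppEntry("com.example.vpn", REQUIRED, "http://ksc.example.invalid/vpn.apk"),
]
SAMPLE_INSTALLED = {
    "com.example.game": False,
    "com.example.mail": False,
    "com.example.sideloaded": False,  # not in the App list at all
    "com.android.settings": True,     # system app
}

if __name__ == "__main__":
    print(f"{'package':<26}{'Blocked apps':<14}Allowed apps")
    for pkg, (deny, allow) in compare_modes(SAMPLE_APP_LIST, SAMPLE_INSTALLED).items():
        print(f"{pkg:<26}{deny:<14}{allow}")
    print("required but not installed:", missing_required(SAMPLE_APP_LIST, SAMPLE_INSTALLED))
```

The row for com.example.sideloaded is the one to look at when choosing a mode: it launches under the default Blocked apps mode and is blocked under Allowed apps.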
STEP 9. CONFIGURING DEVICE CONTROL

At this step, the Wizard prompts you to configure device control settings: use of the system password when the device is powered on, use of mobile device functions, and settings of the TouchDown client for accessing corporate e-mail on the mobile device.

Device control settings can be configured on Android devices only.

By default, Kaspersky Security prompts the user to enter or specify the system password when the mobile device is powered on. The password must contain at least eight characters. The user can use mobile device functions (Wi-Fi module, camera, Bluetooth) without restrictions. Settings of the TouchDown client are not configured. If necessary, you can edit the device control settings.

Perform the following in the Security section:
If you want the application to check if the system password has been set when the user's mobile device is powered on, select the Require to set device unlock password check box. If the application detects that no system password has been set on the device, it prompts the user to set it. The password should be set taking into account the settings configured by the administrator.
Specify the minimum number of characters in the password. The minimum number of characters in the user password. The default minimum number of characters is 8.

Configure the following settings in the Restrictions section:
To disable the Wi-Fi module on the user's mobile device, select the Disable Wi-Fi check box.
To disable the camera on the user's mobile device, select the Disable camera check box. The camera can be disabled on Android devices with operating system versions higher than 4.0.
To disable Bluetooth on the user's mobile device, select the Disable Bluetooth check box.

Configure the following settings in the TouchDown profile section:

Server address
IP address or DNS name of the server that hosts the mail server.

Domain
Name of the Active Directory domain in which the user account is registered.

Proceed to the next step of the Policy Wizard.

STEP 10. CONFIGURING ADDITIONAL SETTINGS

At this step, the Wizard prompts you to configure the settings of the following application components: Call&Text Filter, Privacy Protection, and Encryption, as well as configure application management settings on Android devices.

By default, the user is allowed to use the Call&Text Filter and Privacy Protection components on the mobile device. The user's device is locked as soon as it switches to power saving mode. The list of folders for encryption is not specified. The user cannot remove the application manually on Android devices. If necessary, you can edit the additional settings.

The settings of Call&Text Filter and Encryption can be configured on Android, Symbian, Windows Mobile, and iOS devices.

Privacy Protection settings can be configured only on Windows Mobile and Symbian devices.

To allow the user to use the Call&Text Filter component on the device, select the Allow Call&Text Filter check box. The user will be able to edit the Call&SMS Filter settings via the application interface and view the log of events that have occurred during the operation of the component.

To allow the user to use the Privacy Protection component on the device, select the Allow Privacy Protection check box. The user will be able to edit the Privacy Protection settings via the application interface and view the log of events that have occurred during the operation of the component.

Configure the following settings in the Encryption section:

Block access to folders
Drop-down list that lets you select the time interval after which access to encrypted data is blocked automatically. The function is automatically activated after the mobile device switches to energy-saving mode. Available values:
Immediately
After 1 minute
After 5 minutes
After 15 minutes
After 1 hour
By default, access to encrypted folders is blocked as soon as the device switches to power saving mode.

Encrypt folders on Windows Mobile devices
List of folders in which data must be encrypted on devices with Windows Mobile. The list contains full paths to folders. Use ";" as a separator. By default, the list of folders to be encrypted is empty.
When creating a list of folders, you can use the following macros:
For Windows Mobile devices: %DOCS% (My Documents); %CARD% (all available memory cards in the system).
For Symbian devices: %DOCS% (C:\Data); %CARD% (all available memory cards in the system).
The user cannot cancel the encryption of folders specified by the administrator, but can select additional folders to be encrypted by the application on the mobile device. If the administrator has not specified folders to be encrypted, Kaspersky Security encrypts only folders selected by the user.
The Encryption component can encrypt all kinds of folders other than system folders. Folders stored either in the device's memory or on a memory card can be encrypted. You can encrypt any number of non-system folders.
You can also form a list of folders to encrypt in the Folders to encrypt window. To open the Select folders to encrypt window, click the Select button on the right of the entry field.

Encrypt folders on Symbian devices
List of folders whose data must be encrypted on devices running the Symbian operating system. The list contains full paths to folders. Use ";" as a separator. By default, the list of folders to be encrypted is empty.
When creating a list of folders, you can use the following macros:
For Windows Mobile devices: %DOCS% (My Documents); %CARD% (all available memory cards in the system).
For Symbian devices: %DOCS% (C:\Data); %CARD% (all available memory cards in the system).
The user cannot cancel the encryption of folders specified by the administrator, but can select additional folders to be encrypted by the application on the mobile device. If the administrator has not specified folders to be encrypted, Kaspersky Security encrypts only folders selected by the user.
The Encryption component can encrypt all kinds of folders other than system folders. Folders stored either in the device's memory or on a memory card can be encrypted. You can encrypt any number of non-system folders.
You can also form a list of folders to encrypt in the Folders to encrypt window. To open the Select folders to encrypt window, click the Select button on the right of the entry field.

Application management settings can be configured only on Android devices.

Configure the following settings in the Application management section:
To allow the user to remove the application from the mobile device manually, select the Allow removal of Kaspersky Security for Mobile check box.
To remove the application from the mobile device during the next synchronization with the Administration Server, select the Remove Kaspersky Security for Mobile from device check box.

Proceed to the next step of the Policy Wizard.

STEP 11. ACTIVATING THE APPLICATION

At this step, the Wizard prompts you to activate the commercial version of the application on the user's device.

To activate the application on mobile devices, make sure that modification of the listed settings is blocked in the policy.

To activate the application, in the Key drop-down list select a key from the list of keys that are stored in the key store of the Kaspersky Security Center Administration Server and support the Mobile device management functionality. Using this key, the application license information will be sent to user devices.
After the key has been selected, the details of the following parameters appear in the License section:
About the app. Information about the application for which the license has been purchased.
Valid until. The date of license expiration.
Type. The type of the license: commercial or trial.
Licensing limit. The number of mobile devices to which the license is distributed.

Proceed to the next step of the Policy Wizard.

STEP 12. SETTING THE POLICY STATUS

At this step, the Wizard prompts you to specify the status of the policy. To do so, select one of the options below:
Active policy. The Wizard saves the created policy on the Administration Server. This policy will be used as the active policy for Kaspersky Security.
Inactive policy. The Wizard saves the created policy on the Administration Server as a backup policy. This policy can be activated in the future after a specific event.
Offline user policy. This policy is engaged when a controlled device is disconnected from the corporate network. The offline user policy is available only for Kaspersky Anti-Virus for Workstations (running Microsoft Windows).

Several policies can be created for one application in the group, but only one of them can be active. When a new active policy is created, the previous active policy automatically becomes inactive.

Exit the Wizard.

PREPARING FOR INSTALLATION ON ANDROID DEVICES

This section covers the preparations to be made before installing Kaspersky Security on Android devices.

MAILING SETTINGS

If you plan to use corporate mailing during the application deployment:
If you use the Deployment via link model (see the Deployment via link section on page 16) for Android mobile devices.
If you send the iOS MDM profile (see page 42) to users' corporate addresses during connection of their devices to the Administration Server (see the Application deployment model for iOS devices section on page 20),
you need to check that the Administration Server mailing settings are specified correctly.

To configure notifications, follow the steps below:

1. In the console tree, select the Administration Server to which the mobile devices will be connected.
2. Open the Properties window of the Reports and notifications folder using one of the following methods:
In the Reports and notifications console tree folder, select Properties from the context menu.
Select the Reports and notifications folder. In the workspace of the folder, select the Notifications tab and click the Modify notification delivery settings link to open the window.
3. In the Notification section, select E-mail as the notification method in the drop-down list.
4. In the SMTP server field, specify the server address. You can use the IP address or computer name on the Windows network (NetBIOS name) as the address.
5. In the SMTP server port field, specify the SMTP server communication port number. Port 25 is used by default.
6. To apply the changes, click Apply.

CONFIGURING TEXT MESSAGE DELIVERY METHODS

If you plan to send text messages to users' phone numbers during the application deployment:
If you use the Deployment via link model (see the Deployment via link section on page 16) for Android mobile devices,
If you send a link to the iOS MDM profile (see page 42) via SMS messages to users' corporate phone numbers during connection of their devices to the Administration Server (see the Application deployment model for iOS devices section on page 20),
you need to check that the Administration Server mailing settings for text messages are specified correctly.

To send text messages to users using mass mailing via Kaspersky Security Center, you have two options:

For mailing via the mail gateway, you need to specify the SMTP server and the port in the Kaspersky Security Center settings. For more detailed information on using Kaspersky Security Center for notification mailing to users, see Kaspersky Security Center Administrator's Guide.

You can send messages notifying about Kaspersky Security Center events via a selected Android mobile device that acts as the SMS sender. To assign a mobile device as the sender of all text messages on behalf of Kaspersky Security Center, you need to install a special tool called Kaspersky SMS Broadcasting on the device. The Kaspersky SMS Broadcasting tool is installed on mobile devices as a standard Android application. After installation, the Kaspersky SMS Broadcasting tool requests the Kaspersky Security Center Administration Server address and the port, and after synchronization, the device appears in the SMS Senders section of the Reports and notifications folder Properties as a sending device in the list of sending devices.

We recommend using a mobile device with Kaspersky SMS Broadcasting as the SMS sender, for example, if you want to receive text message delivery reports.
See the Kaspersky Security Center Deployment Guide for details on obtaining the Kaspersky SMS Broadcasting utility and installing it on a mobile device.

To configure mailing of text messages, follow the steps below:

1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. Open the Properties window of the Reports and notifications folder using one of the following methods:
In the Reports and notifications console tree folder, select Properties from the context menu.
Select the Reports and notifications folder. In the workspace of the folder, select the Notifications tab and click the Modify notification delivery settings link to open the window.
3. In the Notifications section, select SMS as the notification method.
4. Specify the preferred method of text message mailing:
Click Send SMS via mail gateway and specify its settings if you want to send messages via the SMS center.
Click Send SMS via Kaspersky SMS Broadcasting utility and select the sending mobile device in the SMS Senders section if you want to send text messages to users from the mobile device with the installed Kaspersky SMS Broadcasting tool.

For more detailed information on using Kaspersky Security Center for notification mailing to users, see Kaspersky Security Center Administrator's Guide.
CREATING AN INSTALLATION PACKAGE

The installation package of Kaspersky Security 10 for Mobile is a self-extracting archive, ak_package.exe, that contains the following files required to install the application on mobile devices:

- endpoint_8_0_0_37_en.cab is the application installation file for Windows Mobile
- endpoint8_mobile_8_1_44_en.sisx is the application installation file for Symbian
- Endpoint8_Mobile_8_1_29_en.zip is the application installation file for BlackBerry
- ksm_10_1_70_en.apk is the application installation file for Android
- installer.ini is the configuration file that contains the Administration Server connection setting
- kmlisten.ini is the configuration file that contains the settings for the installation package delivery tool
- kmlisten.kpd is the application description file
- AdbWinUsbApi.dll, AdbWinApi.dll, adb.exe are the files required to install the application on Android devices
- kmlisten.exe is the tool for delivering the application distribution kit using the workstation

To create the installation package for Kaspersky Security 10 for Mobile, follow the steps below:

1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. In the console tree, in the Remote installation folder, select the Installation packages subfolder.
3. Create the installation package using one of the following methods:
   - From the context menu in the Installation packages folder, select New → Installation package.
   - In the installation package list, select New → Installation package in the context menu.
   - Click the Create installation package link in the control block for the installation package list.

The wizard that creates the installation package will be started. Follow the instructions of the Wizard. Note that you must configure the following settings:

- In the Select installation package type window, click Create installation package for a Kaspersky Lab application.
- In the Selecting the distribution package for installation window, click the Select button to open the folder where you stored the application distribution kit and select the ak_package.exe self-extracting archive. If you have already unpacked the archive, choose the application description file, kmlisten.kpd. In the entry field, the application name and the version number will appear.

After the wizard finishes, the created installation package will appear in the Installation packages folder workspace. The installation packages are stored in the Packages folder, in the public shared folder on the Administration Server.

Before using the created installation package to install the application, configure the installation package settings (see page 41).
CONFIGURING INSTALLATION PACKAGE SETTINGS

You must configure the installation package settings for Kaspersky Security 10 for Mobile so that your mobile device uses the correct Administration Server connection setting.

To configure the installation package settings, follow the steps below:

1. In the console tree, select the Administration Server to which the mobile devices will be connected.
2. In the console tree, in the Remote installation folder, select the Installation packages subfolder.
3. Select Properties from the context menu of the Kaspersky Security installation package.
4. On the Settings tab, specify the Administration Server connection settings for mobile devices or the group to which the mobile devices will be added automatically after the first synchronization with the Administration Server. Follow the steps below:
   - In the Connection to the Administration Server section, in the Server address field, type the name of the Administration Server for mobile devices in the format that was used for installing Mobile devices support during the Administration Server deployment. Regardless of the name format for the Administration Server for Mobile devices support, specify the DNS name or the IP address of the Administration Server. In the SSL port name field, specify the number of the port open on the Administration Server for connecting mobile devices. Port is used by default.
   - In the Allocation of computers to groups section, in the Group name field, type the name of the group to which mobile devices will be added after the first synchronization with the Administration Server (KSM10 is used by default). The specified group will be automatically created in the Unassigned computers folder.
   - In the Actions during installation section, select the Request address check box. At the first launch, the application will then ask the user to provide the corporate address.
The user's address is used to form the name of the mobile device when it is added to the administration group. The name of an Android mobile device is formed using the following template: <user's address (device model number device ID)>.

5. To apply the specified settings, click Apply.

PREPARING FOR INSTALLATION ON IOS DEVICES

This section covers the preparations to be made before installing Kaspersky Security on iOS devices.

CONFIGURING THE INTERFACE OF THE KASPERSKY SECURITY CENTER ADMINISTRATION CONSOLE

To configure the interface of Administration Console of Kaspersky Security Center to display the Mobile devices folder:

1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. In the context menu of the Administration Server folder, select View → Configuring interface.
3. In the Configuring interface window, select Display mobile device management.
4. Press the OK button.
5. Restart the Administration Console to apply the changes.
GETTING THE APN CERTIFICATE

To create the APN certificate:

1. Create a Certificate Signing Request (hereinafter "CSR request") for the APN certificate by any means available. For example, you can use the OpenSSL application for this purpose. In the CSR request, specify the domain name of the iOS MDM server in FQDN (Fully Qualified Domain Name) format, the details of your company, and your address. The domain name of the iOS MDM server specified in the CSR request should match the domain name of the iOS MDM server specified during its installation in Administration Server.
2. Send the CSR request to Kaspersky Lab for signing (see page 70) via your CompanyAccount.
3. After receiving the signed CSR request file, send it to Apple.
4. After the CSR request has been processed by Apple, you will get an Apple Push Notification Certificate (APN certificate).
5. Export the APN certificate in PFX format, together with the private key that was created when you generated the CSR request.
6. Specify the password for the private key while exporting the APN certificate.

For details on creating the CSR request file and sending it to Apple to get an APN certificate, see the Knowledge Base article on the Support website at:

INSTALLING THE APN CERTIFICATE ON THE IOS MDM SERVER

To install the APN certificate on the iOS MDM server:

1. In the console tree, in the Mobile devices folder, select the Mobile device servers subfolder.
2. In the workspace of the Mobile device servers folder, select the iOS MDM server.
3. In the context menu of the iOS MDM server, select Properties. A properties window of the iOS MDM server will then open.
4. In the properties window of the iOS MDM server, select the Certificates section.
5. In the Certificates section, under Apple Push Notification certificate, click the Install button.
6. Enter the password for the private key specified during APN certificate export.
As a result, the APN certificate is installed on the iOS MDM server.

CREATING AND SENDING AN IOS MDM PROFILE

To enable the iOS MDM server to control the iOS devices of users, you have to create an iOS MDM profile and install it on devices. The iOS MDM profile is used to send iOS configuration profiles in background mode via the MDM server and to receive extended diagnostic information about mobile devices.

The iOS MDM profile is created by Kaspersky Security Center automatically when it is requested via the User accounts node. The iOS MDM profile is generated and signed with a certificate individually for each user.
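Steps 1, 5 and 6 of the "Getting the APN certificate" procedure above can be carried out with the OpenSSL command-line tool as follows. This is an added example, not part of the Kaspersky guide: the FQDN mdm.example.com, the subject fields, the file names and the APN_PFX_PASS variable are assumptions, and a one-day self-signed certificate stands in for the certificate that Apple returns so that the export step can be run offline.

```shell
#!/bin/sh
# Added example (not from the Kaspersky guide): CSR creation and PFX export
# for the APN certificate workflow with the OpenSSL command-line tool.
# Host name, subject fields, file names and APN_PFX_PASS are placeholders.
set -eu
umask 077   # keep the private key and the PFX unreadable for other users

# Step 1: create a 2048-bit RSA key and a CSR whose CN is the MDM server FQDN.
# $1 = FQDN of the iOS MDM server, $2 = working directory
make_csr() (
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2/apn.key" -out "$2/apn.csr" \
        -subj "/C=US/O=Example Corp/CN=$1/emailAddress=admin@example.com" \
        2>/dev/null
)

# Print the commonName stored in a CSR. $1 = CSR file
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Step 1 check: the CN in the CSR must equal the FQDN that was given when the
# iOS MDM server was installed (DNS names compare case-insensitively).
# $1 = CSR file, $2 = FQDN configured on the server
csr_matches_server() {
    [ "$(csr_cn "$1" | tr 'A-Z' 'a-z')" = \
      "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Succeed only if a CSR or certificate carries the public half of a key.
# $1 = CSR or certificate file, $2 = req | x509, $3 = private key file
pubkey_matches() {
    [ "$(openssl "$2" -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$3" -pubout)" ]
}

# Stand-in for the certificate Apple returns: self-sign the CSR for one day.
# This is NOT a real APN certificate. $1 = CSR, $2 = key, $3 = output file
make_standin_cert() {
    openssl x509 -req -in "$1" -signkey "$2" -days 1 -out "$3" 2>/dev/null
}

# Steps 5-6: export certificate and private key as a password-protected PFX.
# The password is read from the APN_PFX_PASS environment variable so that it
# does not show up in the process list. Refuses to export a mismatched pair.
# $1 = certificate, $2 = private key, $3 = output PFX
export_pfx() {
    pubkey_matches "$1" x509 "$2" ||
        { echo "certificate does not match private key" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "APN certificate" \
        -out "$3" -passout env:APN_PFX_PASS
}

# Confirm that the PFX opens with the password and holds the expected key.
# $1 = PFX file, $2 = original private key file
pfx_has_key_for() {
    [ "$(openssl pkcs12 -in "$1" -passin env:APN_PFX_PASS -nocerts -nodes \
            2>/dev/null | openssl pkey -pubout 2>/dev/null)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Run the whole sequence once in a temporary directory.
demo() (
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    export APN_PFX_PASS="constructed-example-passphrase"
    make_csr "mdm.example.com" "$work"
    csr_matches_server "$work/apn.csr" "mdm.example.com"
    pubkey_matches "$work/apn.csr" req "$work/apn.key"
    make_standin_cert "$work/apn.csr" "$work/apn.key" "$work/apn.pem"
    export_pfx "$work/apn.pem" "$work/apn.key" "$work/apn.pfx"
    pfx_has_key_for "$work/apn.pfx" "$work/apn.key"
    echo "CSR CN: $(csr_cn "$work/apn.csr"); PFX holds the matching key"
)
demo
```

The key file written in step 1 is unencrypted, so generate it on the machine that will perform the PFX export and delete it once the PFX has been installed.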
To create an iOS MDM profile and install it on a mobile device:

1. Select the User accounts folder in the console tree.
2. Select the account of the user on whose mobile device you want to install the iOS MDM profile.
3. Select Install iOS MDM profile in the context menu of the user account. The iOS MDM profile installation window opens.
4. In the List of available iOS MDM Mobile device servers field of the iOS MDM profile installation window, select the iOS MDM mobile device server for which you want to create the iOS MDM profile.
5. In the iOS MDM profile installation window, specify the way to deliver the notification about the iOS MDM profile installation to the user's device:
   - To send a notification to the user via SMS, select the By SMS check box. The SMS text field below contains the standard text of the message to be sent to the user and the %URL% variable. Check the text of your message for the %URL% variable. The %URL% variable contains a link through which the user can download the iOS MDM profile to the user's device. Changing the name is not recommended! You can edit the standard message text. To do so, enter your message in the SMS text field. If necessary, add the %URL% variable by clicking the button with an arrow and selecting One-time link in the drop-down menu.
     A link to the iOS MDM profile can be sent via SMS if the following conditions are met: user devices have a GSM module, SMS texting is configured in Kaspersky Security Center by means of the Kaspersky SMS Broadcasting utility, and phone numbers of users are specified in their accounts. For details, see the Kaspersky Security Center Deployment Guide.
   - To send a notification to the user via e-mail, select the By e-mail check box. Enter the subject in the Subject field below. The Notification text field contains the standard text of the message to be sent to the user and the %URL% variable.
     Check the text of your message for the %URL% variable. The %URL% variable contains a link through which the user can download the iOS MDM profile to the user's device. Changing the name is not recommended! You can edit the standard message text. To do so, enter your message in the SMS text field. If necessary, add the %URL% variable by clicking the button with an arrow and selecting One-time link in the drop-down menu.
6. Press the OK button.

The mobile device user receives a notification with a link for downloading the iOS MDM profile from the web portal of Kaspersky Security Center. The user then visits the link received. The device operating system prompts the user for consent to the installation of the iOS MDM profile. If the user consents to the installation, the iOS MDM profile is downloaded to the device.

To visit the Kaspersky Security Center web portal via the link received, the user's mobile device must have port 8061 open for connection to the Administration Server.

After the iOS MDM profile has been downloaded and synchronization with the Administration Server has been completed, the iOS device appears in the iOS MDM mobile devices subfolder in the Mobile devices folder.
UPGRADING FROM A PREVIOUS VERSION OF THE APPLICATION

When updating the previous application version, note that Kaspersky Security is delivered with the plug-in to administer Kaspersky Security via Kaspersky Security Center. Before installing the Kaspersky Security 10 administration plug-in, you must delete the previous plug-in version.

Thus the existing administration groups created for centralized management of Kaspersky Security settings are stored in the Managed computers folder; and rules for the automatic allocation of devices from the folder to the groups are stored in Unassigned computers. Group policies created for the previous application version are stored as well. New policy settings that provide the new features of Kaspersky Security 10 will be added to the existing policies and will have the default values.

You can install Kaspersky Security 10 on your mobile device with a pre-installed copy of Kaspersky Endpoint Security 8 for Smartphone. At the first launch of Kaspersky Security 10, you will be advised to delete any previous versions of the application. You are advised to delete any previous application versions.

Note that the Kaspersky Security 10 distribution kit for Blackberry, Symbian and Windows Mobile includes files from the previous version of the application. The new features are not supported for these platforms.
USING CONTAINERS

This section provides information on containers, including how to create them and how to sign them so that they can be used on iOS devices.

IN THIS SECTION

- About containers
- Creating containers
- Signing a container to be used on iOS devices

ABOUT CONTAINERS

You can use containers to monitor the activity of applications launched on the user's mobile device. A container is a special shell for mobile apps which makes it possible to control the activity of the containerized app, thereby protecting personal and corporate user data on the device.

You can place both third-party apps and the Kaspersky Security distribution kit into a container. To place an application into a container, create a mobile app package in the Administration Console (see the section "Creating containers" on page 46). In this case, the containerized distribution kit of the app is automatically saved on the web server of the Kaspersky Security Center.

Containers are supported by Android and iOS devices only.

To be able to use a containerized app on iOS devices, the container created must be signed. Containers are signed using the same certificate that is used to sign the Kaspersky Security distribution kit for iOS devices (see the section "Signing the application distribution kit" on page 56).

Container operation settings on devices are determined by the policy applicable to that group of mobile devices. You can configure the following container settings via the policy properties:

- Possibility to automatically encrypt the data of a containerized app on the user's device.
- User authorization at the launch of a containerized app. You can configure the following types of authorization for user identification:
  - Domain login and password. The user enters the Active Directory login and password when launching a containerized app on the device.
  - The user password specified by the user at the first launch of the containerized app.
- Restriction of data storage by a containerized app on the user's device.
- Restriction of data transmission from a containerized app to other apps.
- Restriction of Internet access by a containerized app.
- Monitoring of text messages sent by a containerized app on Android devices.
- Monitoring of calls made by a containerized app on Android devices.
You can install a containerized app on the user's device in one of the following ways:

- By sending the user an e-mail with a link to the distribution kit of the containerized app.
- By specifying a containerized app as required or allowed for installation in the Application Control section of the policy properties.

CREATING CONTAINERS

To create a container:

1. In the console tree, in the Remote installation folder, select the Installation packages subfolder.
2. In the workspace of the Installation packages window, click the Manage mobile app packages link to open the Management of mobile app packages window.
3. In the Management of mobile app packages window, click the New button. The Mobile App Package Creation Wizard starts.
4. In the Specify installation package name window of the Wizard, enter the container name in the Name field.
5. In the Settings window of the Wizard, in the Select app field, specify the file of the app that you want to place into the container:
   - To create a container to be used on Android devices, select the app distribution kit with the .apk extension.
   - To create a container to be used on iOS devices, select the app file with the .ipa extension or the app distribution kit in an archive with the .zip extension (with the .app extension for Mac OS).
6. Select the Create container with the selected app check box.

The container created is added to the list of standalone packages in the Management of mobile app packages window. The Path field in this window shows the path in which the container is automatically stored on the Administration Server. The URL field in this window contains a link to the Kaspersky Security Center web server where the container is automatically published.

If you want the container to be published on the Kaspersky Security Center web server, click the Cancel publication button.
To immediately send a link for downloading the containerized app to the user's mobile device via e-mail, click the Send by e-mail button.

To save the containerized app locally on your workstation or on the network, click the Save as button.

Using the container on Android devices does not require signing the containerized app. Using the container on iOS devices does require signing the containerized app (see the section "Signing a container to be used on iOS devices" on page 46).

SIGNING A CONTAINER TO BE USED ON IOS DEVICES

Containerized apps are signed using the make_container utility. This utility is included in the SigningUtility.zip archive that is part of the Kaspersky Security distribution kit.

A Mac OS computer is required to start the make_container utility.

The make_container utility is a console application. To launch it, use the terminal by selecting the following: Applications → Utility → Terminal.
Example of command usage for signing the Kaspersky Security distribution kit:

Command text:

./make_container -s --sign d6d2b595a9e345fe4d8c bede2 ksm.cnt.com.atebits.tweetie2 ./developprof.mobileprovision -o ./output.ipa ./input.app

which specifies the following parameters:

- d6d2b595a9e345fe4d8c bede2: hash of the developer certificate that you use. The hash is displayed in the properties of the developer certificate imported into Key Chain Access.
- ksm.cnt.com.atebits.tweetie2: application ID.
- ./DevelopProf.mobileprovision: path to the folder where the provisioning profile is saved.
- ./output.ipa: path to the destination folder for saving the signed distribution kit of the application.
- ./input.app: path to the folder where the unsigned application file is saved.

To sign a containerized app:

1. Create a container in Administration Console (see section "Creating containers" on page 46).
2. Open the folder with the distribution kit of the app that you want to sign.
3. On a Mac OS computer, start the terminal by selecting the following: Applications → Utility → Terminal.
4. In the command line of the terminal, type the command cd to open the folder with the make_container utility.
5. In the terminal command line, enter the command that starts the make_container utility, with the following required keys:
   - -s --sign: keys for signing the app distribution kit. The following settings should be specified for this key:
     - hash of the developer certificate from Key Chain Access.
     - Apple ID of the app from Kaspersky Security Center. It is not advisable to change the Apple ID of the signed app in the container. If you change the Apple ID, you will not be able to apply policies to the app on the device.
     - path to the file of the provisioning profile.
   - -o: designates the path to the file to be created and signed. The following settings should be specified for this key:
     - path where the signed app distribution kit with the ipa extension will be saved.
     - path to the unsigned distribution kit of the app with the app / app.zip / ipa extension.

After the command is executed, a signed distribution kit of the containerized app is created.

To create a manifest file together with the signed container, execute the aforementioned command with the -m key:

- -m: key for creating the manifest file. The following settings should be specified for this key:
  - short name of the app to be recorded in the manifest file.
  - long name of the app to be recorded in the manifest file.
  - path to an external server where the signed app distribution kit will be published, to be recorded in the manifest file.
  - link to the file of the small icon of the app. This parameter is optional.
  - link to the file of the large icon of the app. This parameter is optional.
INSTALLING THE APPLICATION ON ANDROID DEVICES

This section describes the options for installing Kaspersky Security 10 for Mobile on Android devices.

IN THIS SECTION

- Installing the application via link
- Installation via SMS link
- Installation using the workstation
- Installing the application from Google Play

INSTALLING THE APPLICATION VIA LINK

To install Kaspersky Security via link, you must create the installation package for the application and configure the Administration Server connection settings. Using the created installation package, you must create a standalone installation package and distribute it among mobile device users via messages that contain either the package itself or a link to the Kaspersky Security Center web server, to a shared administrator folder, or to another source where you want to keep the application installation package.

The user downloads the application distribution kit on the mobile device without assistance. When the download is complete, the application installation wizard will be launched. Following the wizard's instructions, the user installs Kaspersky Security 10 for Mobile on the mobile device.

IN THIS SECTION

- Creating a standalone installation package
- Sending e-mails to users
- Installing the application on the mobile device after receiving the e-mail

CREATING A STAND-ALONE INSTALLATION PACKAGE

To create a standalone installation package, follow the steps below:

1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. In the console tree, in the Remote installation folder, select the Installation packages subfolder.
3. Choose the installation package of Kaspersky Security 10 for Mobile.
4. Create the standalone installation package using one of the following methods:
   - In the context menu of the installation package list, select Create a standalone installation package.
   - Click the Create a stand-alone installation package link in the control block for the installation package list.
The wizard that creates the standalone installation package will be started. Follow the instructions of the Wizard.

Note that while creating the standalone installation package you do not need to specify that you create a package to install the Administration Agent.

If you selected the Open the stand-alone packages list check box at the last step of installation, the window with the list of all available standalone packages will appear after the wizard finishes. When a package is selected, the application shows the file location on the Kaspersky Security Center web server (in the URL field) and in the specified shared administrator folder (in the Path field).

At this stage, the installation file for Kaspersky Security 10 for Mobile is ready to be distributed among users. For the link you can use both the URL (the address of the package on the Kaspersky Security Center web server) and the Path (network path to the public shared folder). You are advised to copy the address of the created standalone package to the buffer and then to add the link to the required installation package to the user e-mail.

SENDING E-MAILS TO USERS

Before sending e-mails to users, make sure that notifications are configured in Administration Console of Kaspersky Security Center (see page 38).

To send e-mails containing the download link to the standalone installation package of Kaspersky Security 10 for Mobile, follow the steps below:

1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. Select the User accounts folder in the console tree.
3. Select one or several users. You are advised to verify user accounts to make sure they contain addresses.
4. Select Notify by e-mail from the context menu. The window to create an e-mail will appear.
5. Specify the following:
   - Type the subject.
   - Type the message and add the link to the standalone installation package on the Kaspersky Security Center web server or specify the path to it in your public shared folder.
   - To choose between main or additional users' e-mails, select the Use main or Use additional check box.
   - To create QR codes for the links, select the Create graphic QR codes for each link from the text and send by e-mail check box.
6. Click OK to start e-mailing.
INSTALLING THE APPLICATION ON THE MOBILE DEVICE AFTER RECEIVING THE E-MAIL

After the user receives the e-mail with the link to the standalone package from the administrator, the user downloads the distribution kit to the device using one of the available methods. The standalone package contains the installation file for Android with the pre-configured Administration Server connection settings.

After the download completes, the user opens the installation file on the device. The application installation wizard will start. The user follows the installation wizard's instructions.

If all Administration Server connection settings were configured while creating the installation package, the user does not need to perform the initial configuration of the application (see the Preparing the application to be used on the device section on page 60).

By default, the Android operating system does not allow installing applications that are not purchased on Google Play. If the application installation is suspended, the user needs to allow installing applications from external sources in the Android device settings.

INSTALLING THE APPLICATION VIA SMS

To install Kaspersky Security via SMS link, you must create the installation package for the application and configure the Administration Server connection settings. Using the created installation package, you must create a standalone installation package and distribute it among mobile device users via text messages that contain the link to the Kaspersky Security Center web server or to another source where you want to upload the application installation package.

The user downloads the application distribution kit on the mobile device from the network source specified in the message. When the download is complete, the application installation wizard will be launched. Following the wizard's instructions, the user installs Kaspersky Security 10 for Mobile on the mobile device.
IN THIS SECTION

- Creating a standalone installation package
- Sending text messages to users
- Installing the application on the mobile device after receiving the text message

CREATING A STAND-ALONE INSTALLATION PACKAGE

To create a standalone installation package, follow the steps below:

1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. In the console tree, in the Remote installation folder, select the Installation packages subfolder.
3. Choose the installation package of Kaspersky Security 10 for Mobile.
4. Create the standalone installation package using one of the following methods:
   - In the context menu of the installation package list, select Create a standalone installation package.
   - Click the Create a stand-alone installation package link in the control block for the installation package list.

The wizard that creates the standalone installation package will be started. Follow the instructions of the Wizard.
Note that while creating the standalone installation package you do not need to specify that you create a package to install the Administration Agent.

If you selected the Open the stand-alone packages list check box at the last step of installation, the window with the list of all available standalone packages will appear after the wizard finishes. When a package is selected, the application shows the file location on the Kaspersky Security Center web server (in the URL field) and in the specified shared administrator folder (in the Path field).

At this stage, the installation file for Kaspersky Security 10 for Mobile is ready to be distributed among users. For the link you can use both the URL (the address of the package on the Kaspersky Security Center web server) and the Path (network path to the public shared folder). You are advised to copy the address of the created standalone package to the buffer and then to add the link to the required installation package to the user .

SENDING TEXT MESSAGES TO USERS

Before sending text messages (SMS) to users, make sure that sending of text messages is configured in Administration Console of Kaspersky Security Center (see page 39).

To send text messages containing the download link to the standalone installation package of Kaspersky Security, follow the steps below:

1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. Select the User accounts folder in the console tree.
3. Select one or several users. You are advised to verify user accounts to make sure they contain phone numbers.
4. Select Notify by SMS from the context menu. The window to create a text message will appear.
5. Select the type of user's phone number to which the message will be sent and select one or several check boxes next to Use mobile, Use additional phone number or Use the main phone number.
6. Type the message and add the link to the standalone installation package stored on the web server. The selected users will receive the message.
7. To enable sending, click OK.

INSTALLING THE APPLICATION ON THE MOBILE DEVICE AFTER RECEIVING THE TEXT MESSAGE

After the user receives the text message with the link to the standalone package from the administrator, the user downloads the distribution to the device using one of the available methods. The standalone package contains the installation file for Android with the pre-configured Administration Server connection settings.

After the download completes, the user opens the installation file on the device. The application installation wizard will start. The user follows the installation wizard's instructions.
If all Administration Server connection settings were configured while creating the installation package, the user does not need to perform the initial configuration of the application (see the Preparing the application to be used on the device section on page 60).

By default, the Android operating system does not allow installing applications that are not purchased on Google Play. If the application installation is suspended, the user needs to allow installing applications from external sources in the Android device settings.

INSTALLATION USING THE WORKSTATION

To install Kaspersky Security via the workstation, you need to create the installation package and configure its settings. Then, you need to create and run a remote installation task for the workstations to which the user mobile devices are connected. To create the task, the administrator can use one of the methods provided in Kaspersky Security Center:

- Create a group remote installation task if the workstations are in the group.
- Create a task for a set of computers if workstations belong to different groups or are in the Unassigned computers group.
- Run the remote installation wizard.

When the remote installation task is completed, the installation package containing the Kaspersky Security 10 for Mobile distribution kit is delivered to users' workstations, and the tool for delivering the application distribution kit to the mobile devices, kmlisten.exe, is installed and run automatically. The tool detects mobile device connection to the computer. When the user connects to the workstation a device that meets the system requirements for the Kaspersky Security 10 for Mobile installation, the tool shows a message offering to install the application on the connected mobile device. If the user agrees to install the application, the tool downloads the application distribution to the mobile device. When the download is complete, the application installation wizard will be launched.
Following the wizard's instructions, the user installs Kaspersky Security 10 for Mobile on the mobile device. IN THIS SECTION Creating a remote installation task Delivering the application distribution kit to mobile devices using the workstation Application installation on mobile devices using the workstation CREATING A REMOTE INSTALLATION TASK To install the application remotely via Kaspersky Security Center, you must create a remote installation task. The created remote installation task will run according to the specified schedule. For more detailed information on remote installation of applications, see Kaspersky Security Center Deployment Guide. You can create a Kaspersky Security remote installation task for the selected administration group using one of the following methods: Using the wizard that creates remote installation tasks For the selected client computers to which mobile devices will connect For the computers from the administration group to which mobile devices will connect Using the remote installation wizard 52
Depending on the chosen installation method, the wizard steps and the settings to be configured may vary. Note that you must configure the following settings:
- Selecting the task type. At this step, specify that the remote installation task is created for Kaspersky Security Center and select the task type: Remote application installation.
- Choosing an installation package. Choose the created installation package that contains the distribution kit of Kaspersky Security 10 for Mobile and configure all Administration Server connection settings for the mobile device with the installed application. You can also create an installation package at this stage, but it will not include the connection settings, and users will have to configure the initial application settings manually. If you are creating an installation package, you must specify the self-extracting archive, sc_package.exe. If you have already unpacked the archive, provide the application description file, kmlisten.kpd.
- Choosing an installation method. You can use one of the following two methods for remote installation of the application on workstations in Kaspersky Security Center: the forced installation or the enter scenario. Forced installation is used to install the application on the selected workstations. The enter scenario is used to assign the remote installation task to a chosen user account (or several user accounts). This step is skipped for the remote installation wizard and for the wizard that creates group tasks, as the installation is performed on the selected workstations and the forced installation method is used. The administrator can use any of the available methods to install Kaspersky Security 10 for Mobile via the task for several computers. For more detailed information on remote installation methods, see Kaspersky Security Center Administrator Guide.
- Choosing computers for installation.
  At this stage, you need to create a list of workstations that will be used to install the application on mobile devices. You can choose one of the following options:
  - Deploy to a group of managed computers. Use this option if you have created the administration group in the Managed computers folder and have moved the computers to which mobile devices will connect to this folder at the stage of preparing the application for installation.
  - Select computers for deployment. Use this option if you did not create the group. At the next step, the wizard will ask you to create a list of computers for the application installation.
- Choosing a method to download the installation package. At this step, you are asked to configure the settings for delivering the installation package to workstations. The following delivery methods are available:
  - Using Network Agent. Use this method if the Administration Agent is installed on the workstations used to install Kaspersky Security 10 for Mobile on mobile devices and is connected to the current Administration Server. If the Administration Agent is not installed, but you are planning to install it, you can use the combined installation that is offered at the next step.
  - Using Microsoft Windows resources from shared folder. Use this method if the Administration Agent is not installed or is connected to another Administration Server. In this case, the files required for the application installation are transferred using the Windows tools through public shared folders.
- Choosing an additional installation package. At this step, you install the Administration Agent on the workstations. Use the combined installation if at the previous step you chose to download the package Using Network Agent, but the Administration Agent has not been installed on the workstations. In this case, the Administration Agent is installed on the workstations first, and then the application installation package is delivered.
  You do not need to perform the combined installation if the distribution kit is delivered using the Microsoft Windows tools or if the Administration Agent version required to install Kaspersky Security 10 for Mobile has already been installed.
DELIVERING THE APPLICATION DISTRIBUTION KIT TO MOBILE DEVICES USING THE WORKSTATION

The Kaspersky Security distribution kit is delivered to the mobile device using the kmlisten.exe tool that is installed on the workstation during the remote installation task. When a device that meets the software and hardware requirements is connected to the computer, the user is offered to install Kaspersky Security 10 for Mobile on the device.

To copy the distribution kit of Kaspersky Security 10 for Mobile from the workstation to the mobile device, follow the steps below:
1. Connect the device to the workstation. If the device meets the system requirements, the kmlisten.exe tool window opens automatically.
2. In the list of detected devices, select one or several devices on which you want to install the application.
3. Click the Install button. The tool copies the application distribution kit to the selected devices and reports the operation results. If the distribution kit is downloaded successfully, the Kaspersky Security installation starts automatically on the mobile device. The KSM 10 window of the kmlisten.exe tool opens each time the device is connected to the computer, and you are offered to install the application.
4. If you want to disable the KSM 10 window of the kmlisten.exe tool that offers to install the application, select the Do not run the Kaspersky Security 10 for Mobile installation automatically check box in this window.

APPLICATION INSTALLATION ON MOBILE DEVICES USING THE WORKSTATION

After the installation package has been downloaded to the mobile device, the Kaspersky Security Installation Wizard starts automatically. The user follows the installation wizard's instructions.
If all Administration Server connection settings were configured while creating the installation package, the user does not need to perform the initial configuration of the application (see the Preparing the application to be used on the device section on page 60).

By default, the Android operating system does not allow installing applications that are not purchased on Google Play. If the application installation is suspended, the user needs to allow installing applications from external sources in the Android device settings.

INSTALLING THE APPLICATION FROM GOOGLE PLAY

Direct download of the installation file to the device can be used when users find it more convenient to install the application on their own, for example by copying the installation file from Google Play. In this case, you do not have to prepare the application distribution kit. The user goes directly to Google Play on the mobile device, selects Kaspersky Security 10 Mobile, and taps Install.

After downloading the app to the mobile device, the user must configure the connection to Administration Server before launching the app for the first time (see section "Preparing the application for use on the device" on page 60).

If the application installation is suspended, the user needs to allow installing applications from external sources in the Android device settings.
INSTALLING THE APPLICATION ON IOS DEVICES

This section describes the process of installing Kaspersky Security 10 for Mobile on iOS devices.

IN THIS SECTION
- Getting the developer certificate
- Creating a provisioning profile
- Signing the app distribution kit
- Installing the application on an iOS mobile device
- Installing the application from Apple Store

GETTING THE DEVELOPER CERTIFICATE

To get an iOS Developer Certificate (hereinafter "the developer certificate"), one must be a participant of the Apple Developer Program on the Apple Developer Portal at and have an Apple ID.

To get the developer certificate:
1. Go to the Apple Developer Portal and open the iOS Dev Center section.
2. Select the Member Center section.
3. Go to the Certificates, Identifiers & Profiles section.
4. Create a developer certificate of the iOS App Development format by following the instructions.
5. Save the developer certificate that you received in the folder with the Kaspersky Security distribution kit or import it into Keychain Access if you are going to use the certificate hash.
6. hash of the developer certificate that you use. The hash is displayed in the properties of the developer certificate imported into Keychain Access.

The procedure for getting the developer certificate is described in more detail on the Apple Developer Portal

CREATING A PROVISIONING PROFILE

To create a provisioning profile on the Apple Developer Portal at one must be a participant of the Apple Developer Program and have an Apple ID.

To get the developer certificate and create a provisioning profile:
1. Go to the Apple Developer Portal and open the iOS Dev Center section.
2. Select the Member Center section.
3. Go to the Certificates, Identifiers & Profiles section.
4. Depending on the type of account under which you are registered on the Apple Developer Portal, do one of the following:
   - If your account type is Developer, add a mobile device for which you want to create a provisioning profile.
   - If your account type is Developer Enterprise, select the Distribution Profiles section. In this section you can create provisioning profiles for any number of devices.
5. Create a provisioning profile by following the instructions.
6. Save the received provisioning profile in the folder with the Kaspersky Security distribution kit.

The procedure for getting the developer certificate and creating a provisioning profile is described in more detail on the Apple Developer Portal

SIGNING THE APP DISTRIBUTION KIT

The Kaspersky Security distribution kit is signed using the make_container utility. This utility is included in the SigningUtility.zip archive that is part of the application distribution kit. A Mac OS computer is required to start the make_container utility.

The make_container utility is a console application. To launch it, use the terminal by selecting the following: Applications > Utility > Terminal.

Example:
./make_container -m 'KES' 'Kaspersky Endpoint Security' ' ' ' -s --sign 6ACE20618C570E56BB5F FF9ECEF3 com.kaspersky.kes-example ./example.mobileprovision -o ./kes-example.ipa ./kes.app

which specifies the following parameters:
- ./make_container: launches the make_container utility.
- 'KES': brief name of the application.
- 'Kaspersky Endpoint Security': long name of the application.
- ' link to an external server that will host the signed distribution kit of the application.
- ' link to the file of the large icon of the application. This icon is displayed while the application is being downloaded to the user's device.
- ' link to the file of the small icon of the application. This icon is displayed while the application is being downloaded to the user's device.
- 6ACE20618C570E56BB5F FF9ECEF3: hash of the developer certificate that you use. The hash is displayed in the properties of the developer certificate imported into Keychain Access.
- com.kaspersky.kes-example: application ID.
- ./example.mobileprovision: path to the folder where the provisioning profile is saved.
- ./kes-example.ipa: path to the destination folder for saving the signed distribution kit of the application.
- ./kes.app: path to the folder where the unsigned application file is saved.
To sign the Kaspersky Security 10 distribution kit:
1. Open the folder with the application distribution kit.
2. On a Mac OS computer, start the terminal by selecting the following: Applications > Utility > Terminal.
3. In the command line of the terminal, type the command cd to open the folder with the make_container utility.
4. In the terminal command line, enter the command that starts the make_container utility, with the following required keys:
   - -m: key for creating the manifest file. The following settings should be specified for this key:
     - short name of the app to be recorded in the manifest file.
     - long name of the app to be recorded in the manifest file.
     - full path to an external server where the signed app distribution kit will be published, to be recorded in the manifest file.
     - link to the file of the small icon of the app. This parameter is optional.
     - link to the file of the large icon of the app. This parameter is optional.
   - -s --sign: keys for signing the app distribution kit. The following settings should be specified for this key:
     - hash of your developer certificate.
     - ID of the app.
     - path to the file of the provisioning profile.
   - -o: designates the path to the file to be created and signed. The following settings should be specified for this key:
     - path where the signed app distribution kit with the .ipa extension will be saved.
     - path to the unsigned distribution kit of the app with the .app extension.
   The execution of the entered command creates a signed distribution kit of the app with the .ipa extension, as well as a manifest file with the .plist extension, which contains a link to the Kaspersky Security distribution kit for installation on mobile devices.
5. Save the created application distribution kit and manifest file on an external server at the path specified in the parameters of the make_container utility launch command.
For example:

INSTALLING THE APPLICATION ON AN IOS MOBILE DEVICE

To install Kaspersky Security on an iOS mobile device:
1. Select the Mobile devices folder in the console tree of Administration Server.
2. Select the iOS MDM servers subfolder in the Mobile devices folder.
3. In the workspace of the folder, select the iOS MDM server.
4. Select Properties in the context menu of the iOS MDM server to open the <iOS MDM server> window.
5. In the <iOS MDM server> window, select the Managed applications section.
6. Click Add.
7. In the Add application window that opens, in the Application name field enter the name of the managed application.
8. In the Apple ID or link to application field, specify the link to the external server where the manifest file is published.
9. If you want Kaspersky Security to be removed from the mobile device after removal of the MDM profile, select the Remove applications after profile removal check box.
10. Select the iOS MDM servers subfolder in the Mobile devices folder.
11. Select one or several devices in the list.
12. Start the process of application installation on the device in one of the following ways:
    - In the context menu, select Install application to device. In the Select application to install window, select Kaspersky Security in the list of managed applications.
    - Click the Install application to device link in the section with the selected devices. In the Select application to install window, select Kaspersky Security in the list of managed applications.

The application then automatically downloads to the user's mobile device. The application prompts the user for consent to installation. If the user consents, the application is installed on the mobile device. The application is installed under the name Kaspersky Safe Browser. The icon of the Browser app appears on the device, showing the application download progress.

After installing the app, the user must perform initial configuration of the app on the device (see section Preparing the application for use on the device on page 60). For this purpose, the user must specify the Administration Server connection settings provided by the administrator via and the user's address.
At the next synchronization of the mobile device with Administration Server, the user's mobile device with Kaspersky Security installed is moved to the Unassigned computers folder in the group specified during installation of the application (the default group is KSM 10). You can copy a mobile device to the group you created in the Managed computers folder either manually or using automatic allocation rules (see page 25).

INSTALLING THE APPLICATION FROM APPLE STORE

Direct download of the installation file to the device can be used when users find it more convenient to install the application on their own, for example by copying the installation file from Apple Store. In this case, you do not have to prepare the application distribution kit. The user opens Apple Store directly on the device, selects Kaspersky Safe Browser, taps the Install button, and enters the password to the user's personal Apple ID in the window that opens.

After downloading the app to the mobile device, the user must configure the connection to Administration Server at first launch of the app (see section "Preparing the application for use on the device" on page 60).
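The signing procedure above ends with a manifest file published on an external server, and the iOS MDM server is then pointed at that manifest. The following pre-publication check is an added example, not part of the Kaspersky guide or its tools: it assumes the manifest follows Apple's standard over-the-air layout (items, assets, metadata), and the host name mdm.example.com, the icon file name and the sample manifest are constructed for illustration.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample. The guide does not show the manifest that make_container
# writes, so this assumes Apple's standard over-the-air manifest layout.
# The icon link is deliberately plain http so that the check reports a finding.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>https://mdm.example.com/ksm/kes-example.ipa</string>
        </dict>
        <dict>
          <key>kind</key><string>display-image</string>
          <key>url</key><string>http://mdm.example.com/ksm/icon-small.png</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>com.kaspersky.kes-example</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>KES</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def check_manifest(data, expected_host, expected_app_id):
    """Return a list of findings; an empty list means every check passed."""
    try:
        manifest = plistlib.loads(data)
    except Exception as exc:  # malformed XML or not a property list at all
        return [f"manifest is not a readable property list: {exc}"]

    items = manifest.get("items") if isinstance(manifest, dict) else None
    if not isinstance(items, list) or not items:
        return ["manifest has no 'items' array"]

    findings = []
    for index, item in enumerate(items):
        if not isinstance(item, dict):
            findings.append(f"item {index}: not a dictionary")
            continue

        # The app ID in the manifest must be the one passed to -s --sign.
        meta = item.get("metadata")
        app_id = meta.get("bundle-identifier") if isinstance(meta, dict) else None
        if app_id != expected_app_id:
            findings.append(
                f"item {index}: app ID {app_id!r} does not match {expected_app_id!r}")

        assets = item.get("assets")
        packages = 0
        for asset in assets if isinstance(assets, list) else []:
            if not isinstance(asset, dict):
                continue
            kind = str(asset.get("kind", ""))
            url = urlparse(str(asset.get("url", "")))
            # Devices fetch every link in the manifest, so each one should be
            # https and point at the server the administrator controls.
            if url.scheme != "https":
                findings.append(
                    f"item {index}: {kind} link is not https: {url.geturl()}")
            if url.hostname != expected_host:
                findings.append(
                    f"item {index}: {kind} link points to host {url.hostname!r}, "
                    f"expected {expected_host!r}")
            if kind == "software-package":
                packages += 1
                if not url.path.lower().endswith(".ipa"):
                    findings.append(
                        f"item {index}: package link does not end in .ipa")
        if packages != 1:
            findings.append(
                f"item {index}: expected one software-package, found {packages}")
    return findings


if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST, "mdm.example.com",
                                  "com.kaspersky.kes-example"):
        print("FINDING:", finding)
```

Run it against the .plist produced by the signing step before entering the manifest link in the Apple ID or link to application field.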
INSTALLING THE APPLICATION ON BLACKBERRY, SYMBIAN AND WINDOWS MOBILE DEVICES USING WORKSTATIONS

The Kaspersky Security 10 for Mobile distribution kit contains application distribution packages for different operating systems (see the Distribution kit section on page 13). The version for the BlackBerry, Symbian and Windows Mobile platforms includes Kaspersky Endpoint Security 8.0 for Smartphone distribution packages.

The administration plug-in for Kaspersky Security 10 for Kaspersky Security Center supports administration of devices with Kaspersky Endpoint Security 8.0 for Smartphone.

Installation of the application on BlackBerry, Symbian and Windows Mobile devices is similar to the installation on Android devices via the user workstations.
PREPARING THE APPLICATION TO BE USED ON THE DEVICE

The initial configuration of the Administration Server connection settings can be skipped in the following situations:
- The standalone installation file or the pre-configured installation file is downloaded to the Android device (e.g., if the deployment is performed via link).
- The application is installed on the mobile device after it is connected to the workstation (the deployment is performed using the workstations for Android, Blackberry, Symbian, Windows Mobile).

In all other cases, the user has to specify the settings of the connection to Administration Server received from the administrator only once:
- Server address. If the IP address is specified in the Administration Server settings, the user must provide this IP address. If the DNS name is specified in the Administration Server settings, the user must provide this name.
- SSL port number. The user must specify the number of the port open on the Administration Server for connecting mobile devices. Port is used by default. The port number is provided in the Settings section of the Administration Server settings.
- Group. The user has to specify the name of the administration group to which the user's device belongs.
- address. The user has to specify his or her corporate address.
ACTIVATION OF AN APPLICATION

In Kaspersky Security Center, the license can cover various groups of features. For full functionality of the Kaspersky Security 10 administration plug-in and the application on mobile devices, the license for Kaspersky Security Center purchased by the company should cover mobile device management functionality. Mobile device management functionality is used to connect and administer mobile devices using the Exchange ActiveSync and iOS MDM resources, and to administer mobile devices with Kaspersky Security 10 installed. For detailed information about licensing of Kaspersky Security Center and licensing options, see the Kaspersky Security Center Administrator's Guide.

A specific feature of Kaspersky Security 10 for Mobile activation is that the license data is delivered to the mobile device with the policy during synchronization of the device with Administration Server (see page 27). After installation of the application, the device automatically connects to the Administration Server every three hours. After the policy is applied, the device is synchronized with the Administration Server with the frequency that was specified in the network settings for the created policy. The default synchronization frequency is 6 hours.

To activate the application on the mobile device, you need to create a group policy for the group (see page 27) in which the device is included, and specify for this policy the key from the Administration Server storage that was added using an activation code or key file. The next time the mobile device connects to the Administration Server, the license data will be downloaded to the device with the policy. Kaspersky Security 10 installed on the device is thereby activated.

If the application activation is not completed within three days from the moment of the Kaspersky Security 10 installation on the mobile device, the application is automatically switched to the limited operating mode.
In this mode, most components are disabled. When the application is switched to the limited operating mode, the automatic synchronization with the Administration Server is disabled. Therefore, if for some reason the activation of the application has not been completed within three days after the installation, the user must synchronize the device with the Administration Server manually.
REMOVING THE APPLICATION

This section describes how to remove Kaspersky Security 10 for Mobile from the user's mobile device. The method for removing Kaspersky Security depends on the device operating system.

IN THIS SECTION
- Removing the application from Android devices
- Removing the application from BlackBerry, Symbian, and Windows Mobile devices
- Removing the application from Android devices

REMOVING THE APPLICATION FROM ANDROID DEVICES

Whether or not the user is able to remove Kaspersky Security 10 from the Android device depends on whether this is allowed by the policy used in the group to which this device belongs, or by the local properties of the application if changes to the relevant settings are not blocked by the policy.

If the policy allows the user to remove the application, the user can manually remove Kaspersky Security from the device using the application interface or the Android device management tools.

If according to the policy the user is not permitted to remove the application, the user must contact the administrator. You can either remove the application via Kaspersky Security Center (see section Removing the application without the user's involvement on page 64) or permit application removal from the device (see section Permitting users to remove the application on page 62) via local properties of the application or using the policy applied to the device.

PERMITTING USERS TO REMOVE THE APPLICATION

You can allow or block users from removing Kaspersky Security 10 for Mobile from their mobile devices using the group policy. You can allow or block the user of a single device from removing Kaspersky Security from his device via local settings of the application in Administration Console.

If you want to allow users to remove the application from all devices in the group, you can permit this action in the properties of the policy that was previously created for this group.
If you want to allow application removal only on some devices, you have to create a new group policy and apply it to the relevant devices. At the next synchronization of mobile devices with the Administration Server, the option to remove the application will be available.

If you want to allow the user of a single device to remove Kaspersky Security, you have to make sure that the Application management section in the local settings of the application is not blocked from editing in the policy that manages this device. Then go to the local settings of the app for the selected device and configure the Allow removal of Kaspersky Security 10 for Mobile setting. At the next synchronization of the mobile device with Administration Server, the application will become available for manual removal by the user.

To allow users to remove Kaspersky Security from their mobile devices, follow the steps below:
1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. In the console tree, select the Managed computers folder.
3. In the Managed computers folder, select the group of devices whose users should be allowed to remove the application.
4. Create a new subgroup using one of the following methods:
   - In the context menu of the Managed computers folder in the console tree, or in the context menu of the subfolder, select Create Group.
   - In the workspace of the folder, select the Groups tab and open the window by clicking the Create subgroup link.
5. In the Group name window, type the group name and click OK.
6. Start the procedure for adding to the group the devices on which you want to allow application removal, in one of the following ways:
   - Click the Add computers to the group link in the Groups tab of the application workspace.
   - Click the Add computers link in the Computers tab of the application workspace.
   The wizard that adds client computers will be launched. Follow the instructions of the Wizard.
7. In the workspace of the created group, click the Policies tab and click the Create a policy link to start the wizard and create a policy. Follow the wizard's instructions. Change the settings at the following steps:
   - At the Select an application for which you want to create a group policy step, select Kaspersky Security for Mobile to create a group policy.
   - At the Additional settings step, in the Application management section, select the Allow removing Kaspersky Security 10 for Mobile check box.
   - At the Create a group policy step, in the Policy status settings, select Active policy.

The created policy will be active for the chosen group, and the option to remove Kaspersky Security will be available to the devices from this group at the next synchronization with the Administration Server.

To allow a user to remove Kaspersky Security from his mobile device:
1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. In the console tree, open the Managed computers folder.
3. In the Managed computers folder, select the group that includes the device whose user should be allowed to remove the application.
4. In the workspace of the group, select the Policies tab.
5. In the list of objects, select the active policy that manages devices included in the selected group.
6. Open the properties of the selected policy in one of the following ways:
   - By double-clicking the selected policy
   - By selecting Properties in the context menu of the selected policy
   - By clicking the Edit policy settings link in the section where you are managing the selected object
7. In the Properties <policy name> window that opens, select the Additional settings section.
8. In the Application management section, make sure that the "lock" attribute looks like this, meaning that the settings of this section can be edited in the local settings of the application. If necessary, click the button to make the settings of the Application management section editable in the local settings of the application.
9. Then select the Computers tab in the workspace of the group.
10. Select the user's device in the list of managed devices.
11. Open the properties of the selected device in one of the following ways:
    - By double-clicking the selected device
    - By clicking the Computer properties link in the section where you are managing the selected object
    - By selecting Properties in the context menu of the selected device
12. In the Properties: <Device name> window that opens, select the Applications section.
13. In the Applications section, select Kaspersky Security 10 for Mobile.
14. Open the Kaspersky Security 10 for Mobile settings window in one of the following ways:
    - By double-clicking the selected application
    - By selecting Properties in the context menu of the selected application
15. In the Additional settings section, under Application management, select the Allow removing Kaspersky Security for Mobile check box.

As a result, at the next synchronization of this mobile device with Administration Server, Kaspersky Security will become available for manual removal by the user.

REMOVING THE APPLICATION FROM THE DEVICE WITHOUT THE USER'S INVOLVEMENT

You can remotely remove Kaspersky Security 10 for Mobile from users' devices that are connected to the Kaspersky Security Center Administration Server.

If you want to remove the application from all devices in the group, you can do so in the properties of the policy that was previously created for this group. If you want to remove the application only on some devices, you have to create a new group policy and apply it to the relevant devices. At the next synchronization of mobile devices with Administration Server, the application will be removed.

If you want to remove Kaspersky Security from a single device, you have to make sure that the Application management section in the local settings of the application is not blocked from editing in the policy that manages this device.
Then go to the local settings of the application for the selected device and configure the Remove Kaspersky Security for Mobile from the device setting. At the next synchronization of this mobile device with Administration Server, the application will be removed.

To remove Kaspersky Security from several devices without the users' involvement:
1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. In the console tree, select the Managed computers folder.
3. In the Managed computers folder, choose the group of devices from which you want to remove the application.
4. Create a new subgroup using one of the following methods:
   - In the context menu of the Managed computers folder in the console tree, or in the context menu of the subfolder, select Create Group.
   - In the workspace of the folder, select the Groups tab and open the window by clicking the Create subgroup link.
5. In the Group name window, type the group name and click OK.
6. Add the devices from which you want to remove the application to the group using one of the following methods:
   - Click the Add computers to the group link in the Groups tab of the application workspace.
   - Click the Add computers link in the Computers tab of the application workspace.
   The wizard that adds client computers will be launched. Follow the instructions of the Wizard.
7. In the workspace of the group, click the Policies tab and click the Create a policy link to start the wizard and create a policy. The wizard that creates the policies will be started. Follow the instructions of the Wizard. For the policy applied to remove the application, change the settings at the following steps:
   - At the Select an application for which you want to create a group policy step, select Kaspersky Security for Mobile Devices to create a group policy.
   - At the Additional settings step, in the Application management section, select the Remove Kaspersky Security 10 for Mobile from device check box. A dialog box with the warning that the operation cannot be undone will appear. Confirm the removal.
   - At the Create a group policy for application step, in the Policy status settings, select Active policy.

The created policy will be active for the chosen group, and Kaspersky Security will be removed from the devices in the group at the next synchronization with the Administration Server.

To remove Kaspersky Security from one mobile device:
1. In the console tree, select the Administration Server to which the mobile devices are connected.
2. In the console tree, open the Managed computers folder.
3. In the Managed computers folder, select the group that includes the device from which you want to remove the application.
4. In the workspace of the group, select the Policies tab.
5. In the list of objects, select the active policy that manages devices included in the selected group.
6. Open the properties of the selected policy in one of the following ways:
   - By double-clicking the selected policy
   - By selecting Properties in the context menu of the selected policy
   - By clicking the Edit policy settings link in the section where you are managing the selected object
7. In the Properties <policy name> window that opens, select the Additional settings section.
8. In the Application management section, make sure that the "lock" attribute looks like this, meaning that the settings of this section can be edited in the local settings of the application. If necessary, click the button to make the settings of the Application management section editable in the local settings of the application.
9. Then select the Computers tab in the workspace of the group.
10. Select the user's device in the list of managed devices.
11. Open the properties of the selected device in one of the following ways:
   - By double-clicking the selected device
   - By clicking the Computer properties link in the section where you are managing the selected object
   - By selecting Properties in the context menu of the selected device
12. In the Properties: <Device name> window that opens, select the Applications section.
13. In the Applications section, select Kaspersky Security 10 for Mobile.
14. Open the Kaspersky Security 10 for Mobile settings window in one of the following ways:
   - By double-clicking the selected application
   - By selecting Properties in the context menu of the selected application
15. In the Additional settings section, under Application management, select the Remove Kaspersky Security for Mobile from the device check box.

As a result, at the next synchronization of this mobile device with Administration Server, Kaspersky Security will be removed.

REMOVING THE APPLICATION FROM BLACKBERRY, SYMBIAN, AND WINDOWS MOBILE DEVICES

On BlackBerry, Symbian, and Windows Mobile devices, the user can remove Kaspersky Security 10 for Mobile without assistance using the standard procedure for the platform.

Before the application is removed from Windows Mobile or Symbian devices, the protection of confidential information is automatically disabled, and all previously encrypted information is decrypted. Before removing the application from BlackBerry devices, the user must disable the protection of confidential information manually.

To remove the application from Symbian and Windows Mobile devices, the user must provide the application secret code set at the first launch of the application. If the user has lost the secret code, the administrator contacts Technical Support to get the specific tool that allows removing the application without the secret code.

The application will be deleted after the device is restarted.
REMOVING THE APPLICATION FROM iOS DEVICES

The user can remove Kaspersky Security 10 from the device manually using the standard iOS tools.

To remove Kaspersky Security from iOS devices, follow the steps below:

Click the application icon and hold it until it "bounces". Then, click the close icon.
INFORMATION EXCHANGE WITH KASPERSKY SECURITY NETWORK

The Kaspersky Security Network cloud service is a special online service provided by Kaspersky Lab. It provides information on the reliability of files, programs, and Internet resources.

Kaspersky Security uses the Kaspersky Security Network cloud service for the following components:

- Scanning. The application additionally scans the installed programs before the first launch. This scan allows detecting new threats that have not been added or described in the Anti-Virus databases.
- Web Protection. The application additionally scans websites before they are opened.

For more detailed information on the data transferred to Kaspersky Lab when the Kaspersky Security Network cloud service is used on the users' devices, read the License Agreement. By accepting the terms and conditions of the License Agreement, you agree to transfer the following information:

- Checksums for the processed files (MD5)
- The number of the application installations
- The information on visited websites to check the websites' reputation
- Statistical data on the detected threats

All information transferred to the cloud service does not include personal data and other user's confidential information.

The information received by the Kaspersky Security Network cloud service is protected by Kaspersky Lab according to the legislation. For more detailed information, visit our website at
CONTACTING THE TECHNICAL SUPPORT SERVICE

This section provides information about how to obtain technical support and the requirements for receiving help from Technical Support.

IN THIS SECTION

How to obtain technical support
Technical support by phone
Technical Support via Kaspersky CompanyAccount

HOW TO OBTAIN TECHNICAL SUPPORT

If you have not found a solution to your problem in the application documentation or in one of the information sources about the application (see the Information sources about the application section on page 9), we recommend contacting the Kaspersky Lab Technical Support service. Technical Support specialists will answer your questions about installing and using the application.

Before contacting Technical Support, please read the support rules.

You can contact Technical Support in one of the following ways:

- By telephone. This method allows you to consult with specialists from our Russian-language or international Technical Support.
- By sending a request via Kaspersky CompanyAccount on the Technical Support service website. This method allows you to contact Technical Support specialists through a request form.

TECHNICAL SUPPORT BY PHONE

If an urgent issue arises, you can call specialists at Russian-speaking or international Technical Support.

Before contacting Technical Support, please read the support rules. This will allow our specialists to help you more quickly.

TECHNICAL SUPPORT VIA KASPERSKY COMPANYACCOUNT

Kaspersky CompanyAccount is a web service that is used to send requests to Kaspersky Lab and track the progress made in processing them by the Kaspersky Lab experts.
To access Kaspersky CompanyAccount, you need to sign in. For this purpose, specify the activation code or download the key file and type your address and the company name. The CompanyAccount user account for your company will be created. Data on the purchased license will be automatically included in this account. Hereafter, based on this data, all personnel of your company who are registered in Kaspersky CompanyAccount will be attached to the CompanyAccount of your company.

In Kaspersky CompanyAccount you can perform the following actions:

- Process requests:
   - Send requests to the Technical Support service (see Electronic request to the Technical Support service on page 70).
   - Send file scan requests to the Virus Lab (see section Online request to the Virus Lab on page 70).
   - Send certificate signing requests (for example, for signing of APN certificates (see page 70)).
   - Send questions and feedback on the Kaspersky CompanyAccount web service.
   - Exchange messages with the Technical Support service.
   - Track request statuses and view the request history.
- Manage keys and activation codes within the company:
   - Upload other key files and specify other activation codes for the CompanyAccount of your company.
   - Delete keys and activation codes (only if the administrative privileges are granted to CompanyAccount).
   - View the list of applications to which the license applies.
   - Receive a key file copy if the key file is lost or deleted.
- Manage CompanyAccount user accounts (only if the administrative privileges are granted to CompanyAccount):
   - Add and remove accounts
   - Reset the account password
   - View requests
   - Manage account permissions
- Receive notifications:
   - On request processing statuses
   - On the license expiration
   - On adding new accounts in CompanyAccount (only if the required privileges are granted)
   - On adding a new key or activation code (only if special privileges have been granted)

To administer CompanyAccount, you have to send an electronic request using the Question on CompanyAccount form. After you are granted the administration privileges for CompanyAccount, you will be able to manage the company accounts and receive notifications, e.g., notifications on new users that were added to CompanyAccount.
TECHNICAL SUPPORT BY

You can send an electronic request to the Technical Support service in Russian, English and other languages.

In the fields of the online request form, specify the following data:

- Request type
- Application name and version number
- Request text

If necessary, you can also attach files to the electronic request form.

The Technical Support specialist answers your question via the Kaspersky CompanyAccount system and sends the response to the address that you specified during the registration.

ELECTRONIC REQUEST TO SIGN APN CERTIFICATE

You can send an electronic Certificate Signing Request (CSR request) to Technical Support. For this purpose, you need to specify the CSR request file in the electronic request form.

After the automatic processing of your electronic request is completed, you will receive the CSR request file signed by Kaspersky Lab that can be sent to Apple. You can view the processed request in the list of inactive requests of your account.

ONLINE REQUEST TO THE VIRUS LAB

Some requests must be sent to the Virus Lab instead of Technical Support.

You can send requests to the Virus Lab in the following cases:

- If you suspect that a file or website contains a virus, but Kaspersky Security does not detect any threat. Virus Lab specialists analyze the file or URL that you send. If they detect a previously unknown virus, they add a corresponding description to the database, which becomes available when Kaspersky Lab anti-virus applications are updated.
- If Kaspersky Security detects a virus in a file or on a website, but you are certain that this file or website is safe.

You can also send requests to the Virus Lab from the request form page without having a registered Kaspersky CompanyAccount. On this page, you do not have to specify the application activation code.

Requests created via Kaspersky CompanyAccount have a higher priority than requests created via the request form.
GLOSSARY

A

ADMINISTRATION SERVER
A component of Kaspersky Security Center that centrally stores information about all Kaspersky Lab applications that are installed within the corporate network. It can also be used to manage these applications.

ADMINISTRATION GROUP
A set of managed devices, such as mobile devices grouped according to the functions they perform and the set of apps installed on them. Managed devices are grouped so they can be managed as a single whole. For example, mobile devices with the same operating system can be grouped. A group may include other groups. It is possible to create group policies and group tasks for group devices.

APPLE PUSH NOTIFICATION SERVICE (APNS) CERTIFICATE
A certificate signed by Apple, which makes it possible to implement the functions of the Apple Push Notification service by means of which the iOS MDM server can control iOS devices.

APPLICATION MANAGEMENT PLUG-IN
A dedicated component that provides the interface for managing Kaspersky Lab applications through Administration Console. Each application that can be managed through Kaspersky Security Center SPE has its own plug-in. It is included in all Kaspersky Lab applications that can be managed by using Kaspersky Security Center.

C

CERTIFICATE SIGNING REQUEST
A file with Administration Server settings that, once confirmed by Kaspersky Lab, is sent to Apple for purposes of getting the APN certificate.

CONTAINER
A special shell for mobile apps, which makes it possible to control the activity of the containerized app, thereby protecting personal and corporate data on the device. A container used on an iOS device is signed by the same certificate that is used to sign Kaspersky Security for iOS devices.
D

DEVICE ADMINISTRATOR (ANDROID)
A set of app rights on an Android device that enables the app to use device management policies. It is necessary to implement full functionality of Kaspersky Security on Android devices.

E

EXCHANGE ACTIVESYNC MOBILE DEVICE
A mobile device connected to Administration Server via Exchange ActiveSync protocol.

EXCHANGE ACTIVESYNC MOBILE DEVICE SERVER
A Kaspersky Security component installed on the client computer, which makes it possible to connect Exchange ActiveSync mobile devices to Administration Server.
G

GROUP TASK (KSM)
A task defined for an administration group and performed on managed devices within this group.

I

INSTALLATION PACKAGE
A set of files created for remote installation of a Kaspersky Lab application by using the remote administration system. An installation package is created based on special files that are included in the application distribution package; it contains a set of settings required for application setup and its configuration for normal functioning immediately after installation. Parameter values correspond to application defaults.

iOS MDM MOBILE DEVICE
An iOS mobile device controlled by the iOS MDM Mobile Device Server.

iOS MDM MOBILE DEVICE SERVER
A component of the Kaspersky Security Center administration system that makes it possible to connect iOS mobile devices to the Administration Server and control them using iOS MDM profiles.

iOS MDM PROFILE
Used to send iOS configuration profiles in background mode via the iOS MDM server, as well as to receive extended diagnostic information about mobile devices. A link to the iOS MDM profile needs to be sent to a user in order to enable the iOS MDM server to discover and connect the user's iOS mobile device.

K

KASPERSKY SMS BROADCASTING UTILITY
A utility installed on the administrator's Android device to send out text messages to Android devices of users.

KASPERSKY SECURITY NETWORK (KSN)
Infrastructure of online services providing access to the current knowledge base of Kaspersky Lab describing the reputation of files, web sites and software. The use of data from Kaspersky Security Network ensures faster response by Kaspersky Lab apps to unknown threats, improves the effectiveness of some protection components, and reduces the risk of false positives.
M

MANIFEST FILE
A file in PLIST format containing a link to the app file (ipa file) located on a web server. It is used by iOS devices to locate, download, and install apps from a web server.

MOBILE APP PACKAGE
An installation file for the Android operating system (file with the .apk extension) uploaded to the Administration Server. Mobile app packages are stored on the Kaspersky Security Center web server or in the public folder of the Kaspersky Security Center administrator. Mobile app packages can be created for apps of third-party publishers. When creating a mobile app package, one can specify that the app will be containerized.
P

POLICY
A set of application settings for an administration group managed by the application using Kaspersky Security Center tools. Application settings can differ in various groups. A policy includes the settings for complete configuration of all application features.

S

STANDALONE PACKAGE
An installation file of Kaspersky Security for the Android operating system, which contains the settings of application connection to the Administration Server. It is created on the basis of the installation package of this application and is a particular case of mobile app package.
KASPERSKY LAB ZAO

Kaspersky Lab software is internationally renowned for its protection against viruses, malware, spam, network and hacker attacks, and other threats.

In 2008, Kaspersky Lab was rated among the world's top four leading vendors of information security software solutions for end users (IDC Worldwide Endpoint Security Revenue by Vendor). Kaspersky Lab is the preferred developer of computer protection systems among home users in Russia, according to the COMCON survey "TGI-Russia 2009".

Kaspersky Lab was founded in Russia in Today, it is an international group of companies headquartered in Moscow with five regional divisions that manage the company's activity in Russia, Western and Eastern Europe, the Middle East, Africa, North and South America, Japan, China, and other countries in the Asia-Pacific region. The company employs more than 2000 qualified specialists.

Products. Kaspersky Lab's products provide protection for all systems from home computers to large corporate networks.

The personal product range includes anti-virus applications for desktop, laptop, and pocket computers, and for smartphones and other mobile devices.

Kaspersky Lab delivers applications and services to protect workstations, file and web servers, mail gateways, and firewalls. Used in conjunction with Kaspersky Lab's centralized management system, these solutions ensure effective automated protection for companies and organizations against computer threats. Kaspersky Lab's products are certified by the major test laboratories, are compatible with the software of many suppliers of computer applications, and are optimized to run on many hardware platforms.

Kaspersky Lab's virus analysts work around the clock. Every day they uncover hundreds of new computer threats, create tools to detect and disinfect them, and include them in the databases used by Kaspersky Lab applications. Kaspersky Lab's Anti-Virus database is updated hourly, and the Anti-Spam database every five minutes.
Technologies. Many technologies that are now part and parcel of modern anti-virus tools were originally developed by Kaspersky Lab. It is no coincidence that many other developers use the Kaspersky Anti-Virus kernel in their products, including: SafeNet (USA), Alt-N Technologies (USA), Blue Coat Systems (USA), Check Point Software Technologies (Israel), Clearswift (UK), CommuniGate Systems (USA), Critical Path (Ireland), D-Link (Taiwan), M86 Security (USA), GFI (Malta), IBM (USA), Juniper Networks (USA), LANDesk (USA), Microsoft (USA), NETASQ (France), NETGEAR (USA), Parallels (Russia), SonicWALL (USA), WatchGuard Technologies (USA), ZyXEL Communications (Taiwan). Many of the company's innovative technologies are patented.

Achievements. Over the years, Kaspersky Lab has won hundreds of awards for its services in combating computer threats. In 2010, Kaspersky Anti-Virus received several top Advanced+ awards in tests carried out by AV-Comparatives, an authoritative Austrian anti-virus laboratory. But Kaspersky Lab's main achievement is the loyalty of its users worldwide. The company's products and technologies protect more than 300 million users, and it has more than 200,000 corporate clients.

Kaspersky Lab's website:
Virus encyclopedia:
Virus Lab:
Kaspersky Lab's web forum:
[email protected] (to send probably infected files in archived form only)
(for queries addressed to virus analysts)
INFORMATION ABOUT THIRD-PARTY CODE

Information about third-party code is contained in the file legal_notices.txt, in the application installation folder.

On Android devices, data from the legal_notices.txt file is displayed in the Additional Information window, in the About the application section.
TRADEMARK NOTIFICATIONS

Registered trademarks and service marks are the property of their respective owners.

Apple, iPhone, Mac OS are registered trademarks of Apple Inc.

Android, Android Market are trademarks of Google, Inc.

Microsoft, Windows are trademarks owned by Microsoft Corporation and registered in the United States of America and elsewhere.

Nokia, Series 60 are trademarks or registered trademarks of Nokia Corporation.

Blackberry is owned by Research In Motion Limited, registered in the USA, with registration pending or existing elsewhere.

The word mark Bluetooth and its logo are the property of Bluetooth SIG, Inc.

The Symbian trademark is owned by Symbian Foundation Ltd.
Kaspersky Anti-Virus 8.0 for Linux File Server Installation Guide
Kaspersky Anti-Virus 8.0 for Linux File Server Installation Guide A P P L I C A T I O N V E R S I O N : 8. 0 M P 2 C F 2 Dear User! Thank you for choosing our product. We hope that this documentation will
Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition INSTALLATION GUIDE
Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition INSTALLATION GUIDE P R O G R A M V E R S I O N : 8. 0 Dear User! Thank you for choosing our product. We hope that this documentation will
Sophos Cloud Help Document date: January 2016
Sophos Cloud Help Document date: January 2016 Contents 1 About Sophos Cloud Help...4 2 Activate Your License...5 3 The Sophos Cloud User Interface...6 4 Dashboard...7 4.1 Action Center...7 4.2 Email Alerts...14
Sophos Mobile Control Administrator guide. Product version: 3.6
Sophos Mobile Control Administrator guide Product version: 3.6 Document date: November 2013 Contents 1 About Sophos Mobile Control...4 2 About the Sophos Mobile Control web console...7 3 Key steps for
BES10 Cloud architecture and data flows
BES10 Cloud architecture and data flows Architecture: BES10 Cloud solution Component APNs BlackBerry Cloud Connector BES10 Cloud BlackBerry Infrastructure Company directory Devices GCM Other third-party
U.S. Cellular Mobile Data Security. User Guide Version 00.01
U.S. Cellular Mobile Data Security User Guide Version 00.01 Table of Contents Install U.S. Cellular Mobile Data Security...3 Activate U.S. Cellular Mobile Data Security...3 Main Interface...3 Checkup...4
ONE Mail Direct for Mobile Devices
ONE Mail Direct for Mobile Devices User Guide Version: 2.0 Document ID: 3292 Document Owner: ONE Mail Product Team Copyright Notice Copyright 2014, ehealth Ontario All rights reserved No part of this document
Sophos Mobile Control User guide for Apple ios. Product version: 4
Sophos Mobile Control User guide for Apple ios Product version: 4 Document date: May 2014 Contents 1 About Sophos Mobile Control...3 2 About this guide...4 3 Login to the Self Service Portal...5 4 Set
Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: [email protected]
Manual Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: [email protected] Information in this document is subject to change without notice. Companies names and data used in examples herein are fictitious
Guideline on Safe BYOD Management
CMSGu2014-01 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Safe BYOD Management National Computer Board Mauritius Version
Management Website User Guide. SecureAnywhere AntiVirus SecureAnywhere Internet Security Plus SecureAnywhere Complete
Management Website User Guide SecureAnywhere AntiVirus SecureAnywhere Internet Security Plus SecureAnywhere Complete Copyright Management Website User Guide July, 2013 2012-2013 Webroot Software, Inc.
Novell Filr. Mobile Client
Novell Filr Mobile Client 0 Table of Contents Quick Start 3 Supported Mobile Devices 3 Supported Languages 4 File Viewing Support 4 FILES THAT CANNOT BE VIEWED IN THE FILR APP 4 FILES THAT GIVE A WARNING
Cloud Services MDM. ios User Guide
Cloud Services MDM ios User Guide 10/24/2014 CONTENTS Overview... 3 Supported Devices... 3 System Capabilities... 3 Enrollment and Activation... 4 Download the Agent... 4 Enroll Your Device Using the Agent...
Kaspersky Security 8.0 for Linux Mail Server Administrator's Guide
Kaspersky Security 8.0 for Linux Mail Server Administrator's Guide APPLICATION VERSION: 8.0 MAINTENANCE PACK 1 Dear User, Thank you for choosing our product. We hope that you will find this documentation
KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Administrator s manual
KASPERSKY LAB Kaspersky Administration Kit version 6.0 Administrator s manual KASPERSKY ADMINISTRATION KIT VERSION 6.0 Administrator s manual Kaspersky Lab Visit our website: http://www.kaspersky.com/
Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference
Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise
User Manual for Version 4.4.0.5. Mobile Device Management (MDM) User Manual
User Manual for Version 4.4.0.5 Mobile Device Management (MDM) User Manual I Endpoint Protector Mobile Device Management User Manual Table of Contents 1. Introduction... 1 1.1. What is Endpoint Protector?...
Introducing KASPERSKY ENDPOINT SECURITY FOR BUSINESS.! Guyton Thorne! Sr. Manager System Engineering! [email protected]
Introducing KASPERSKY ENDPOINT SECURITY FOR BUSINESS! Guyton Thorne! Sr. Manager System Engineering! [email protected] 1 Business drivers and their impact on IT AGILITY! Move fast, be nimble
Advanced Configuration Steps
Advanced Configuration Steps After you have downloaded a trial, you can perform the following from the Setup menu in the MaaS360 portal: Configure additional services Configure device enrollment settings
TOTAL DEFENSE MOBILE SECURITY USER S GUIDE
TOTAL DEFENSE MOBILE SECURITY USER S GUIDE Publication date 2015.04.09 Copyright 2015 Total Defense Mobile Security LEGAL NOTICE All rights reserved. No part of this book may be reproduced or transmitted
GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios Devices
GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios Devices GO!Enterprise MDM for ios Devices, Version 3.x GO!Enterprise MDM for ios Devices 1 Table of Contents GO!Enterprise
Enterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment. Paul Luetje Enterprise Solutions Architect
Enterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment Paul Luetje Enterprise Solutions Architect Table of Contents Welcome... 3 Purpose of this document...
http://www.trendmicro.com/download
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Secure Your Mobile Workplace
Secure Your Mobile Workplace Sunny Leung Senior System Engineer Symantec 3th Dec, 2013 1 Agenda 1. The Threats 2. The Protection 3. Q&A 2 The Mobile Workplaces The Threats 4 Targeted Attacks up 42% in
LogMeIn Hamachi. Getting Started Guide
LogMeIn Hamachi Getting Started Guide Contents What Is LogMeIn Hamachi?...3 Who Should Use LogMeIn Hamachi?...3 The LogMeIn Hamachi Client...4 About the Relationship Between the Client and Your LogMeIn
Feature Matrix MOZO CLOUDBASED MOBILE DEVICE MANAGEMENT
Feature Matrix MOZO CLOUDBASED MOBILE DEVICE MANAGEMENT Feature Mobile Mobile OS Platform Phone 8 Symbian Android ios General MDM settings: Send SMS *(1 MOZO client settings (Configure synchronization
Junos Pulse for Google Android
Junos Pulse for Google Android User Guide Release 4.0 October 2012 R1 Copyright 2012, Juniper Networks, Inc. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks
BlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide
BlackBerry Enterprise Service 10 Universal Service Version: 10.2 Administration Guide Published: 2015-02-24 SWD-20150223125016631 Contents 1 Introduction...9 About this guide...10 What is BlackBerry
GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown
GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown GO!Enterprise MDM for Android, Version 3.x GO!Enterprise MDM for Android with TouchDown 1 Table
ESET Mobile Security Business Edition for Windows Mobile
ESET Mobile Security Business Edition for Windows Mobile Installation Manual and User Guide Click here to download the most recent version of this document Contents 1. Installation...3 of ESET Mobile Security
Mobile App User's Guide
Mobile App User's Guide Copyright Statement Copyright Acronis International GmbH, 2002-2012. All rights reserved. "Acronis", "Acronis Compute with Confidence", "Acronis Recovery Manager", "Acronis Secure
COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING
COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING INFORMATION TECHNOLOGY STANDARD Name Of Standard: Mobile Device Standard Domain: Security Date Issued: 09/07/2012 Date Revised:
Kaspersky Endpoint Security 10 for Windows. Deployment guide
Kaspersky Endpoint Security 10 for Windows Deployment guide Introduction Typical Corporate Network Network servers Internet Gateway Workstations Mail servers Portable media Malware Intrusion Routes Viruses
Kaspersky Security for Business
Kaspersky Security for Business Licensing Program Renewals and Upgrades: A Migration Guide Introducing Kaspersky s Security for Business software licensing program. Table 1: Renew and Upgrade to Increased
EndUser Protection. Peter Skondro. Sophos
EndUser Protection Peter Skondro Sophos Agenda Sophos EndUser Solutions Endpoint Usecases Sophos Mobile Solutions Mobile Usecases Endpoint Sophos EndUser Solutions EndUser Protection AV Firewall Application
KASPERSKY SECURITY FOR BUSINESS
KASPERSKY SECURITY FOR BUSINESS Licensing Program RENEWALS AND UPGRADES: A Migration Guide INTRODUCING KASPERSKY S SECURITY FOR BUSINESS SOFTWARE LICENSING PROGRAM. Kaspersky s latest endpoint release
Mobile Device Management Version 8. Last updated: 17-10-14
Mobile Device Management Version 8 Last updated: 17-10-14 Copyright 2013, 2X Ltd. http://www.2x.com E mail: [email protected] Information in this document is subject to change without notice. Companies names
Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0
Configuration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2014-12-19 SWD-20141219132902639 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12...
Deploying iphone and ipad Mobile Device Management
Deploying iphone and ipad Mobile Device Management ios supports Mobile Device Management (MDM), giving businesses the ability to manage scaled deployments of iphone and ipad across their organizations.
Novell Filr 1.0.x Mobile App Quick Start
Novell Filr 1.0.x Mobile App Quick Start February 2014 Novell Quick Start Novell Filr allows you to easily access all your files and folders from your desktop, browser, or a mobile device. In addition,
Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15
Product Manual MDM On Premise Installation Version 8.1 Last Updated: 06/07/15 Parallels IP Holdings GmbH Vordergasse 59 8200 Schaffhausen Switzerland Tel: + 41 52 632 0411 Fax: + 41 52 672 2010 www.parallels.com
Cloud Services MDM. Overview & Setup Admin Guide
Cloud Services MDM Overview & Setup Admin Guide 10/27/2014 CONTENTS Systems Overview... 2 Solution Overview... 2 System Requirements... 3 Admin Console Overview... 4 Logging into the Admin Console... 4
Kaspersky Password Manager USER GUIDE
Kaspersky Password Manager USER GUIDE Dear User! Thank you for choosing our product. We hope that this documentation helps you in your work and provides answers you may need. Any type of reproduction or
iphone in Business Mobile Device Management
19 iphone in Business Mobile Device Management iphone supports Mobile Device Management, giving businesses the ability to manage scaled deployments of iphone across their organizations. These Mobile Device
Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 726-08745-123. Instructor Manual
Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 726-08745-123 Instructor Manual Published: 2013-07-02 SWD-20130702091645092 Contents Advance preparation...7 Required materials...7 Topics
Mobile Device Management Version 8. Last updated: 16-09-14
Mobile Device Management Version 8 Last updated: 16-09-14 Copyright 2013, 2X Ltd. http://www.2x.com E-mail: [email protected] Information in this document is subject to change without notice. Companies names
Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012
Sophos Enterprise Console Help Product version: 5.1 Document date: June 2012 Contents 1 About Enterprise Console...3 2 Guide to the Enterprise Console interface...4 3 Getting started with Sophos Enterprise
Configuration Guide. BES12 Cloud
Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need
Secure Email, Calendar, Contacts, Tasks, File sharing and Notes across devices
- Secure Email, Calendar, Contacts, Tasks, File sharing and Notes across devices Parla Spamina Parla is a cloud-based Email platform with up to 30Gb of mailbox space providing enterprise-class email, calendar,
Using TS-ACCESS for Remote Desktop Access
Using TS-ACCESS for Remote Desktop Access Introduction TS-ACCESS is a remote desktop access feature available to CUA faculty and staff who need to access administrative systems or other computing resources
