Version 1.3. Kaspersky Lab www.kaspersky.com FOR INTERNAL USE ONLY




Table of Contents

Chapter 1. Kaspersky MDM for Exchange ActiveSync ... 2
  1.1 Access to Corporate Resources ... 2
  1.2 Exchange ActiveSync Profiles ... 2
  1.3 Managing Profiles ... 3
  1.4 Operation Schema ... 3
  1.5 Applying Profiles to Mobile Devices ... 3
  1.6 For Which Mobile Devices Can Access Be Managed? ... 4
  1.7 Installation of MDM for Exchange ActiveSync ... 6
    System requirements ... 6
    Installation wizard ... 8
    Installation results ... 10
  1.8 Licensing ... 12
  1.9 Editing Profiles ... 12
  1.10 Parameters under Control ... 16
  1.11 Statistics ... 20
Chapter 2. Kaspersky MDM for iOS ... 22
  2.1 Operation Schema ... 22
  2.2 Installation of MDM for iOS ... 24
    Server requirements ... 24
    Installation wizard ... 26
    Installation results ... 28
    Adding APNS certificate ... 30
  2.3 Applying MDM for iOS Profiles to Devices ... 32
    Accounts and Devices ... 32
    Sending an MDM profile ... 34
    Installing MDM profile ... 34
  2.4 Using iOS Profiles ... 36
    Creating iOS profiles ... 36
    Applying iOS profiles ... 36
  2.5 Device Management ... 38
  2.6 MDM for iOS Settings ... 40
Chapter 3. Kaspersky Security for Mobile ... 42
  3.1 Supported Platforms ... 42
  3.2 Preparing Administration Server ... 44
  3.3 Installation ... 48
    Installation using a standalone package (on Android) ... 50
    Installation via workstation (all operating systems, except for iOS) ... 52
    Installation via MDM for iOS (only iOS devices) ... 54
    Installation via workstation (iOS) ... 54
  3.4 Kaspersky Security for Mobile Settings ... 56
    Managing applications ... 58

KL 010.10: Mobile Device Management. Kaspersky Endpoint Security and Management

Chapter 1. Kaspersky MDM for Exchange ActiveSync

Nowadays, Microsoft Exchange is a de-facto standard for a corporate mail and collaborative communications server. Approximately 50% of corporations worldwide use it. The Kaspersky Lab product line includes Anti-Virus and Anti-Spam scanning of corporate e-mail sent through Exchange. This course, however, does not cover these products; instead it focuses on mobile user protection.

The ever-growing popularity of smartphones and tablets has increased users' ability to work remotely and to connect to corporate e-mail, in particular, Exchange servers. It is very useful, on a business trip or conference, at home or on vacation, to take along a tablet. However light or small a laptop/notebook is, a tablet is usually more portable. Add in the fact that most smartphones and tablets support EDGE/3G/4G, and accessing the Internet becomes a lot simpler as well. A major disadvantage, though, is that a phone is easy to lose or leave behind in a public place. That is why the protection of the corporate resource (corporate e-mail) from unauthorized access is especially important here.

1.1 Access to Corporate Resources

The Exchange ActiveSync component is responsible for synchronization of e-mail, contacts, calendar, tasks and notes between the Microsoft Exchange Server and mobile devices. The synchronization is based on XML and is performed over HTTP/HTTPS. An e-mail program on the device needs to be configured; it can be either the mail client built into the operating system or a third-party mail client. Here the connection parameters are set: the account details, the address of the Exchange server, the certificate for secure connections, and a schedule for synchronization. The only thing the administrator can do about synchronizations on the Exchange side is to allow or prohibit them.

1.2 Exchange ActiveSync Profiles

On the Exchange Server side, the administrator can specify parameters that the device must meet in order to receive access to corporate resources. For example, parameters may include allowing synchronization only to devices protected with an unlock password and with encryption enabled. If these requirements are not met (the user does not set this up on the device), access will be denied. These parameters make up Exchange ActiveSync profiles.

They are stored on the Exchange server and are applied to accounts. Every time, prior to the synchronization, the profile assigned to the account is checked, and synchronization is allowed only if the device meets the requirements.

1.3 Managing Profiles

Configuration of ActiveSync profiles is not directly related to administering the Exchange server. Actually it is an access policy for a corporate resource, and often it is not the system administrator who is responsible for it, but a security administrator who manages Anti-Virus protection. The component we describe in this chapter, MDM for Exchange ActiveSync, allows the management of ActiveSync profiles in the Kaspersky Security Center Administration Console. This in turn means that the security administrator does not need access to the Exchange Server Administration Console; everything is configured in the KSC Administration Console.

1.4 Operation Schema

KSC Network Agent and MDM for Exchange ActiveSync (MDM for Exchange) are installed on the Microsoft Exchange server. The profile management interaction chain is as follows:

Exchange Server (the core element; the profiles are physically stored here)
  <-> MDM for Exchange
  <-> Network Agent (started on the Exchange server)
  <-> Network Agent (started on the KSC Administration Server)
  <-> KSC Administration Server (only statistics and events are stored in the server database)

You can see that MDM connects the Exchange server with the Network Agent. The Network Agent in turn is responsible for transferring the data received from MDM to the KSC Administration Server and in the reverse direction. The administrator can then use the KSC Administration Console to connect to the Administration Server and manage the profiles, which are physically stored on the Exchange Server.

1.5 Applying Profiles to Mobile Devices

The Exchange server is completely responsible for transferring profiles to mobile devices. It must have the Client Access role with configured Exchange ActiveSync for this purpose. The KSC components do not participate in this. When configuring the e-mail program on the device, the user can specify the synchronization schedule:

- Regularly, for example, hourly
- Allow the use of Direct Push, a technology that notifies about changes on the Exchange server side. The device automatically initiates synchronization as soon as it receives such a notification

The administrator will be able to initiate synchronization only if the user has enabled Direct Push. With Direct Push, the administrator can only specify an interval at which the profile will be automatically sent to the device.

1.6 For Which Mobile Devices Can Access Be Managed?

For any device that supports synchronization via Exchange ActiveSync. A profile is assigned to an account. If a smartphone or tablet allows configuring Exchange ActiveSync synchronization, it will receive the profile corresponding to the account it connects to.

However, a profile allows configuration of parameters that are not applicable to some operating systems and devices. For example, attachment size can only be limited for the built-in mail clients of Windows Mobile 6.0/6.5 and Android 4.x, Mail for Exchange (on Nokia Symbian), or NitroDesk TouchDown for Android. If another application is used, for example the Windows Phone 7.5 e-mail client, this parameter cannot be checked because of the limitations of the operating system. In such cases, the administrator can specify an alternative action for each profile: skip, if the parameter is not controlled, or prohibit synchronization for these devices and applications. "Is not controlled" here means that the Exchange Server is unable to receive information about it. Such issues can only be solved with the participation of the user, to whom the administrator sends a message about the necessity to set a password, encrypt the drive, etc. In our example, there are two alternatives: either prohibit the user from connecting to the corporate e-mail, or skip the check, meaning the user will be able to work with attachments of any size.

The comprehensive list of clients and their manageable parameters can be found, for example, in Wikipedia: http://en.wikipedia.org/wiki/comparison_of_exchange_activesync_clients.


1.7 Installation of MDM for Exchange ActiveSync

MDM for Exchange ActiveSync is installed directly on the mail server, the computer where Microsoft Exchange Server is running. In a cluster, MDM for Exchange ActiveSync needs to be installed on all Exchange servers with the Client Access role. Connection to the KSC Administration Server requires a Network Agent with configured connection parameters. Synchronization with mobile devices requires a connection to the network from which they will connect; generally, it is the Internet.

System requirements

There are no special requirements for hardware and operating system. MDM can be installed on any computer where Microsoft Exchange Server is already running. Two versions of Microsoft Exchange Server are supported: 2007 and 2010. The server must be installed with at least three roles: Hub Transport, Mailbox (for accounts), and Client Access (for synchronization via Exchange ActiveSync). If there are several servers with the Client Access role in the domain, MDM is installed on all of them.

Server preparation includes two steps:

1. Install KSC Network Agent on the Exchange server to provide connection to the KSC Administration Server. You can do it either locally or remotely via the KSC Administration Console. Kaspersky Endpoint Security or any other anti-virus application does not have to be installed on the Exchange server.

2. Enable Windows Authentication for PowerShell in Internet Information Services (IIS), in the default web site settings. To check the authentication setting, run the Server Manager (for example, carry out the inetmgr command), expand the <server name> / Sites / Default Web Site / PowerShell branch, and open the Authentication group of settings. The Windows Authentication parameter must be set to Enabled.
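Both preparation steps can be verified from the Exchange server itself before setup.exe is run, which saves a failed installation and a retry. The script below is an added check written for this edition, not part of the course or of the Kaspersky installer. It assumes an elevated Windows PowerShell session on the Exchange server with the IIS WebAdministration module available, the default remote PowerShell address https://localhost/powershell (change it if the wizard will be given another address or port), and that the Network Agent service is registered under the name klnagent (an assumption; confirm the name in services.msc if it differs).

```powershell
# Added check (not from the course or the MDM installer): verify the two
# server-preparation prerequisites before running MDM4Exchange\setup.exe.
# Assumptions: elevated Windows PowerShell on the Exchange server; IIS
# WebAdministration module present; Network Agent service name is klnagent.

Import-Module WebAdministration

# --- Step 2: Windows Authentication on Default Web Site / PowerShell ---
$vdir = 'IIS:\Sites\Default Web Site\PowerShell'
$winAuth = Get-WebConfigurationProperty -PSPath $vdir `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'enabled'
if ($winAuth.Value) {
    Write-Host 'Windows Authentication on the PowerShell virtual directory: Enabled'
} else {
    Write-Warning 'Windows Authentication on the PowerShell virtual directory is Disabled; enable it in IIS Manager (inetmgr) before installing MDM'
}

# --- The endpoint MDM will use: can this account open an Exchange session there? ---
$uri = 'https://localhost/powershell'   # default address offered by the wizard
# The default Exchange certificate is self-signed, so CA and CN checks are
# skipped for this loopback test only. Negotiate yields NTLM on localhost and
# Kerberos when an FQDN is used instead.
$opt = New-PSSessionOption -SkipCACheck -SkipCNCheck
try {
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri `
        -Authentication Negotiate -SessionOption $opt -ErrorAction Stop
    Import-PSSession $session -CommandName Get-ActiveSyncMailboxPolicy -AllowClobber | Out-Null
    # Listing the policies proves the account can at least read Exchange
    # ActiveSync profiles, which MDM for Exchange does on behalf of the console.
    Get-ActiveSyncMailboxPolicy | Select-Object Name, IsDefaultPolicy
    Remove-PSSession $session
} catch {
    Write-Warning "Remote PowerShell at $uri failed: $($_.Exception.Message)"
}

# --- Step 1: Network Agent installed and running ---
$agent = Get-Service -Name klnagent -ErrorAction SilentlyContinue
if ($agent -and $agent.Status -eq 'Running') {
    Write-Host 'KSC Network Agent service: Running'
} else {
    Write-Warning 'KSC Network Agent service not found or not running; install it locally or via the Administration Console'
}
```

Run it under the account that will later be entered in the installation wizard as the account for starting MDM: the remote session test then also tells you whether that account can reach Exchange through the same path MDM will use.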


Installation wizard

To start the installation, run the setup.exe file. It is included in the full distribution of Kaspersky Security Center and located in the MDM4Exchange folder. The wizard is standard. The administrator is prompted to accept the license agreement and specify:

- The account for starting MDM. It must have permission to modify Exchange ActiveSync profiles. MDM is integrated with the Exchange server via a COM+ application named Kaspersky MDM for Exchange. If the account needs to be changed later, this can be done in its properties: open the Component Services snap-in (run comexp.msc from the command line), expand the Component Services / My Computer / COM+ Applications branch, find Kaspersky MDM for Exchange, and open its properties. The account is specified on the Identity tab.

- The address for connecting to PowerShell from the Administration Server. The default address is https://localhost/powershell. If another address or port is specified on the server, specify it in the wizard. After the installation is completed, the address or port can be modified in the following registry key: HKLM/Software/Wow6432node/KasperskyLab/Components/KLMODEM/1.0.0.0/Conset/PShellURL

- Installation mode: standard or cluster.


Installation results

In addition to new keys in the registry, the following appear:

- The Kaspersky MDM for Exchange COM+ application
- Kaspersky MDM for Exchange in the list of running processes (see Component Services / My Computer / Running Processes in the Component Services snap-in, comexp.msc command)
- MDM4Exchange folders for storing system files, created in the Network Agent folder %ProgramFiles(x86)%\Kaspersky Lab\NetworkAgent\ and in %ProgramData%\KasperskyLab\

After the Network Agent synchronizes with the KSC Administration Server, the following items will appear in the Administration Console:

- In the Mobile devices / Mobile devices servers container, the object corresponding to the installed mobile devices server: Exchange ActiveSync mobile devices server

  Note: If the Mobile devices container is hidden, open the Configure interface dialog box (on the Getting Started page, click the Configure functionality displayed in user interface link), select the Display mobile devices management checkbox, and reconnect to the Administration Server.

- In the Mobile devices / Exchange ActiveSync mobile devices container, the list of accounts that use Exchange ActiveSync for synchronizing with the Exchange server


1.8 Licensing

A special license is necessary for using mobile device servers. The license key is installed on the Administration Server to which MDM connects, and licenses are counted by the number of simultaneously connected mobile device servers. To add a key, open the Administration Server properties and switch to the Keys section. After the key is installed, click the View restrictions link to see the maximum number of mobile device servers that can connect to the Administration Server.

Note: The license restricts the total number of mobile device servers, both Exchange ActiveSync and iOS.

1.9 Editing Profiles

Open the properties of MDM for Exchange (Mobile devices / Mobile devices servers container) and switch to the Mailboxes section. All accounts received from the Exchange server are displayed here. If the list is not up to date, wait for the next synchronization of the Network Agent installed on the Exchange server with the Administration Server. By default, it takes place once every 15 minutes (the interval is specified in the Network Agent policy). Next to the account name, the following information is displayed: the name of the assigned profile, whether the account has ever synchronized, and whether Exchange ActiveSync is enabled.

The algorithm is as follows:

1. Create the list of profiles (the Change profiles button opens the list of profiles)
2. Apply the created profiles to the selected accounts (select an account and click Assign profile)
3. Disable ActiveSync for the accounts prohibited from connecting using mobile devices (select an account and click Enable/Disable ActiveSync)


Exchange Server does not apply any profiles to new accounts automatically. In the Administration Console, <ActiveSync default policy> is displayed instead of a profile name if a profile has not been assigned to the account yet. When MDM for Exchange is installed, the Default profile appears in the list. It allows everything and prohibits nothing. In spite of the name, it is not applied automatically either. If a user profile is unassigned from an account, it receives the <ActiveSync default policy> status again.


1.10 Parameters under Control

As we mentioned earlier, some settings are not applicable to some devices. In this case, you have two options: either skip checking inapplicable parameters, or prohibit synchronization if the specified settings cannot be checked. The Allow non-provisionable devices parameter regulates that.

The following parameters can be controlled:

1. Password for unlocking the device and its complexity. If the device is lost, this will be the first barrier against unauthorized access:
   - Minimum password length
   - The use of digits along with letters; you can also explicitly specify the minimum number of symbol sets to be used. For example, 3 corresponds to passwords made of letters, digits, and symbols
   - Prohibit simple passwords, so that users cannot use 1111 or 1234. The definition of a simple password is specified on the Exchange Server
   - Enable password recovery: a password for unlocking the device will be stored on the Exchange server
   - Automatic data wipe and reset of the device to factory settings after the specified number of incorrect attempts to enter the password
   - Device inactivity period after which it will be locked automatically
   - Password expiration in days
   - Enforce password history: how many of the latest passwords cannot be re-used

2. Encryption of the whole device or SD card

3. Prohibit the use of removable drives, camera, Wi-Fi, infrared or Bluetooth connections, acting as a hotspot for other devices, and synchronization with desktop computers

4. Prohibit using the built-in browser (other installed browsers cannot be controlled), POP3/IMAP connections of the mail clients (third-party mail clients cannot be controlled), starting unsigned programs and installing unsigned applications

5. Synchronization settings:
   - Calendar synchronization interval (All time / two weeks / month / three months / six months)
   - E-mail synchronization interval (All time / two weeks / month / three months / six months)
   - Limit the e-mail message size (in KB); not set by default
   - Allow Direct Push while roaming (prohibited by default)
   - Allow receiving HTML e-mail; such messages potentially may contain infected code. However, the option is disabled by default
   - Allow downloading e-mail attachments; you can also specify the maximum size (not set by default)


All the listed profile settings are device-related. For the Exchange server, the administrator can configure only one parameter: how often the profile will be automatically sent to the devices, regardless of whether anything has changed in it. By default, this option is disabled, and the users download the profiles during the synchronization.

Password and encryption parameters are applicable to most of the supported devices. Points 3 and 4 are actually applicable only to Windows Mobile 6.x. The complete list of controlled parameters for various operating systems and applications is available on the Microsoft site (http://social.technet.microsoft.com/wiki/contents/articles/exchange-activesync-clientcomparison-table.aspx) and in Wikipedia: http://en.wikipedia.org/wiki/comparison_of_exchange_activesync_clients.
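Sections 1.9 and 1.10 describe profiles in terms of the KSC console. Underneath, each profile is an Exchange ActiveSync mailbox policy stored on the Exchange server and each assignment is an attribute of the mailbox, so the three steps of 1.9 with the parameters of 1.10 can also be expressed, and audited, in the Exchange Management Shell. The script below is an added example for this edition, not course material and not Kaspersky code. It uses Exchange 2010 cmdlet and parameter names; the profile name Corporate-Baseline, the example.com mailbox addresses and the numeric limits are constructed sample values chosen to illustrate each item of section 1.10.

```powershell
# Added example (not from the course): the Exchange ActiveSync mailbox policy
# behind a KSC "profile", created and assigned with Exchange Management Shell
# cmdlets (Exchange 2010 names; run on a Client Access server).
# Profile name and mailbox identities are constructed sample values.

$profileName = 'Corporate-Baseline'

# Step 1 (section 1.9): create the profile. Keys follow the items of section 1.10.
$profile = @{
    Name                               = $profileName
    # Skip-or-prohibit choice for parameters a client cannot report back:
    # $false prohibits synchronization for such devices, $true skips the check.
    AllowNonProvisionableDevices       = $false
    # Item 1: unlock password and its complexity
    DevicePasswordEnabled              = $true
    MinDevicePasswordLength            = 6
    AlphanumericDevicePasswordRequired = $true        # digits together with letters
    MinDevicePasswordComplexCharacters = 3            # letters, digits and symbols
    AllowSimpleDevicePassword          = $false       # no 1111 / 1234
    PasswordRecoveryEnabled            = $true        # recovery password kept on the server
    MaxDevicePasswordFailedAttempts    = 8            # wipe after 8 wrong attempts
    MaxInactivityTimeDeviceLock        = '00:05:00'   # auto-lock after 5 minutes
    DevicePasswordExpiration           = '90.00:00:00'
    DevicePasswordHistory              = 5
    # Item 2: encryption of the device and of the storage card
    RequireDeviceEncryption            = $true
    RequireStorageCardEncryption       = $true
    # Items 3 and 4: hardware and application restrictions (Windows Mobile 6.x only)
    AllowStorageCard                   = $false
    AllowCamera                        = $false
    AllowInternetSharing               = $false       # no hotspot for other devices
    AllowDesktopSync                   = $false
    AllowBrowser                       = $false
    AllowPOPIMAPEmail                  = $false
    AllowUnsignedApplications          = $false
    AllowUnsignedInstallationPackages  = $false
    # Item 5: synchronization settings
    MaxCalendarAgeFilter               = 'OneMonth'
    MaxEmailAgeFilter                  = 'TwoWeeks'
    RequireManualSyncWhenRoaming       = $true        # no Direct Push while roaming
    AllowHTMLEmail                     = $false
    AttachmentsEnabled                 = $true
    MaxAttachmentSize                  = '2MB'
}
New-ActiveSyncMailboxPolicy @profile

# Step 2 (section 1.9): assign the profile to the selected accounts.
'alice@example.com', 'bob@example.com' | ForEach-Object {
    Set-CASMailbox -Identity $_ -ActiveSyncMailboxPolicy $profileName
}

# Step 3 (section 1.9): disable ActiveSync for accounts that must not use mobile devices.
Set-CASMailbox -Identity 'contractor@example.com' -ActiveSyncEnabled $false

# The same view the Mailboxes section of the KSC console shows: assigned profile,
# whether the account has ever synchronized, and whether ActiveSync is enabled.
# ActiveSyncMailboxPolicyIsDefaulted = $true is what the console displays as
# <ActiveSync default policy>.
Get-CASMailbox -ResultSize Unlimited |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy,
                  ActiveSyncMailboxPolicyIsDefaulted, HasActiveSyncDevicePartnership |
    Sort-Object Name | Format-Table -AutoSize
```

The final listing is the useful part for a security administrator who manages profiles in KSC: run periodically on the Exchange side, it confirms that what the console shows as assigned is what the server actually enforces, and it exposes accounts that still have ActiveSync enabled without any explicit profile.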


1.11 Statistics

The KSC Administration Console allows the administrator to easily control which devices connect, which profiles are applied to them, and which users do not use the settings specified in their profiles. The administrator receives this data in the same console, in the same place where the information about Anti-Virus network protection and other events generated by Kaspersky Lab products is gathered. By default, all events are sent to the Administration Server and are stored there for 30 days; notifications are not configured. To change this, open the properties of MDM for Exchange devices and select the Events section.

If your company is small, it might be worthwhile configuring notifications about newly connected devices, especially if you intend to install Kaspersky Security for Mobile on them (this is described in detail in Chapter 3). In this way you can get the addresses that connect to Exchange and send a request to install protection on the device to the owner.

For large companies, the information about device wiping may come in handy. If an inbox often generates this event, either the owner is singularly absent-minded, or the number of allowed incorrect passwords is too low. Both suggest that the profile should be modified.

Additionally, the Repositories node contains information about all devices ever connected to the network (this functionality is not available on the Exchange Server). This data is gathered by the System Management KSC components. There are no special templates for mobile device servers.
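The questions this section answers from the KSC console (which devices connect, which profile they received, whether the user has actually applied it, and which devices were wiped) can also be answered from the Exchange side, which is useful for cross-checking the console or for feeding a SIEM. The script below is an added example for this edition, not course material; it uses Exchange 2010 cmdlets and the property names Get-ActiveSyncDeviceStatistics exposes on that version (assumed to match your build), and writes to a constructed report path.

```powershell
# Added example (not from the course): Exchange-side device report for the
# questions of section 1.11. Exchange 2010 Management Shell; the property
# names are those of Get-ActiveSyncDeviceStatistics on Exchange 2010.
$reportPath = 'C:\Reports\eas-devices.csv'   # constructed sample path

# One row per device partnership of every mailbox that has ever synchronized.
$rows = foreach ($cas in Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true }) {
    foreach ($dev in Get-ActiveSyncDeviceStatistics -Mailbox $cas.Identity) {
        New-Object PSObject -Property @{
            Mailbox       = $cas.Name
            Profile       = $cas.ActiveSyncMailboxPolicy        # name shown in the KSC Mailboxes section
            DeviceType    = $dev.DeviceType
            DeviceModel   = $dev.DeviceModel
            UserAgent     = $dev.DeviceUserAgent
            LastSync      = $dev.LastSuccessSync
            PolicyApplied = $dev.DevicePolicyApplied           # policy the device reports it holds
            PolicyStatus  = $dev.DevicePolicyApplicationStatus # e.g. AppliedInFull, PartiallyApplied
            WipeRequested = $dev.DeviceWipeRequestTime
            WipeAcked     = $dev.DeviceWipeAckTime
        }
    }
}
$rows | Export-Csv -Path $reportPath -NoTypeInformation

# "Users who do not use the settings specified in their profiles": devices that
# have not applied the assigned policy in full. These owners get the reminder
# message about setting a password, enabling encryption, etc.
$rows | Where-Object { $_.PolicyStatus -ne 'AppliedInFull' } |
    Select-Object Mailbox, DeviceType, Profile, PolicyStatus, LastSync |
    Format-Table -AutoSize

# Wiped devices. Exchange keeps only the latest wipe time per partnership, so
# "how often" an inbox triggers this comes from the KSC event history; here each
# wipe is paired with the profile's failed-attempt limit to judge whether the
# limit is set too low for that user.
$rows | Where-Object { $_.WipeRequested } | ForEach-Object {
    $limit = if ($_.Profile) {
        (Get-ActiveSyncMailboxPolicy -Identity $_.Profile).MaxDevicePasswordFailedAttempts
    } else {
        'n/a (default policy)'
    }
    "{0}: {1} wiped at {2} (profile '{3}', {4} failed attempts allowed)" -f `
        $_.Mailbox, $_.DeviceType, $_.WipeRequested, $_.Profile, $limit
}
```

The CSV is the durable artefact: diffing two runs shows newly connected devices even where the console's 30-day event retention has already rolled over, and the PolicyStatus column is the fastest way to find accounts that synchronize while the assigned profile is only partially in effect.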


Chapter 2. Kaspersky MDM for iOS

MDM for iOS, despite its name, is installed on a Windows computer with a pre-installed KSC Administration Server, but allows managing iOS mobile devices via MDM profiles. If the user accepts installation of an MDM profile on their device, they allow remote administrators to manage the smartphone or tablet. The administrator can:

- Lock or wipe the device, reset the password
- Install or uninstall an application (third-party or from the App Store)
- Apply a profile that regulates password complexity, Exchange ActiveSync connection settings, VPN, certificates, APN, and prohibits the use of the camera, Wi-Fi, installation of applications, etc.

MDM for iOS is not related to MDM for Exchange ActiveSync. These Kaspersky Security Center components work independently.

2.1 Operation Schema

Kaspersky Security Center must be deployed in the network already: the Administration Server must be installed and configured; the Administration Console must be set up on the administrator's workstation. This is described in the corresponding course and in the KSC documentation.

As is true of working with Kaspersky Security Center in general, the core element of the schema is the Administration Server, which the administrator manages via the Administration Console. All settings are stored in a database (local or remote) connected to the Administration Server. After installing a special plug-in for the Administration Console, the administrator will be able to create MDM for iOS profiles. These will also be stored on the Administration Server.

To provide profile delivery and subsequent management of iOS mobile devices, an additional component of Kaspersky Security Center, Kaspersky MDM for iOS, has to be installed on the Administration Server. Accordingly, it must be accessible from all managed mobile devices by an external IP address or domain name. This is provided by the network configuration. The Apple Push Notification Service is used for notifying the devices about changes in their profiles and the necessity to synchronize with MDM for iOS.

The deployment procedure is as follows:

1. The administrator creates an MDM profile in the Administration Console
2. The profile is automatically published on the Administration Server
3. The administrator sends the link to the user's profile by e-mail or SMS
4. The user receives the message, opens the link, downloads and installs the MDM profile. All this has to be done by the user
5. After that, the device will be connected to Kaspersky MDM for iOS and the administrator will be able to remotely manage it

2.2 Installation of MDM for iOS

Server requirements

So, Kaspersky Security Center 10 must already be deployed in the network: the Administration Server must be installed and configured, and the Administration Console connected to it. Additionally, the administrator must do the following:

1. Configure the network to provide a connection between the Administration Server and the mobile devices to be managed, through Wi-Fi or the Internet. If the devices need to be managed when off the corporate wireless network, the Administration Server must be accessible from the Internet by IP address or domain name
2. Install the Apple Inc. Root Certificate and the Apple Application Integration Certificate. These can be downloaded from http://www.apple.com/certificateauthority/
3. Install iPhone Configuration Utility for Windows on the computers with the Administration Console (those planned to be used for managing iOS devices). This can be downloaded from the Apple site: http://support.apple.com/kb/dl1466
4. Register with the Apple Push Notification Service (APNS) and receive a certificate. This is described in detail in the Kaspersky Lab knowledgebase: http://support.kaspersky.com/9245
5. A license key allowing mobile device management must be installed on the Administration Server. In the Administration Console, open the Administration Server properties, switch to the Keys section, and add the key

During the installation of MDM for iOS itself, you only need to know the Administration Server address and ports; everything else can be done in an arbitrary order.


Installation wizard

MDM for iOS setup is included in the full version of Kaspersky Security Center: Server\MDM4IOS\setup.exe. In the wizard, the administrator accepts the license agreement and specifies the external address of the Administration Server to be used for mobile device connections, the port for Network Agent connections (TCP 9799 by default), the local port of MDM for iOS (TCP 9899), and an external port (TCP 443). Later, the ports can be modified in the properties of MDM for iOS in the Administration Console.


Installation results

If everything is configured correctly, the iOS MDM mobile server object will appear in the Mobile devices \ Mobile devices servers container of the Administration Console. If this container is hidden, open the Configure interface dialog box (on the Getting Started page, click the Configure functionality displayed in user interface link), select the Display mobile devices management checkbox, and reconnect to the Administration Server.


Adding the APNS certificate

To be able to access APNS, the administrator must register the server there. A step-by-step guide is available in the Kaspersky Lab knowledgebase: http://support.kaspersky.com/9245. As a result, you will get a .pfx file. In the Administration Console, open the properties of MDM for iOS and, in the upper part of the Certificates section, add the .pfx file.


2.3 Applying MDM for iOS Profiles to Devices

The administrator needs to take two actions:

1. Select the accounts to which an MDM profile is to be sent
2. Send the MDM profile

After that, the users need to manually configure the settings according to the profile requirements.

Note: Each link to an MDM profile can be used only once.

Accounts and devices

Unlike MDM for Exchange ActiveSync, MDM for iOS works directly with the devices instead of accounts. That is, when the user receives an MDM profile, it is literally installed on the phone. However, MDM profiles are sent by e-mail or SMS from the Administration Console, which is why the administrator should prepare the mailing list first of all. The User accounts container in the Administration Console serves this purpose. All accounts of which the Administration Server is aware are automatically displayed there; the administrator can also manually add other accounts. Because an MDM profile can be transferred by e-mail or SMS, either the e-mail address or the phone number must be specified in the properties of each account.


Sending an MDM profile

Then the administrator selects a user and clicks the Install iOS MDM profile to user's mobile device link located in the lower right corner of the window (this command is also available on the shortcut menu of the user). Then it is necessary to select the MDM for iOS profile and the delivery method, edit the message if necessary, and click OK.

Note: A QR code with a link to the MDM profile will be automatically added to the message. It is very useful if the e-mail is received on a computer: the user will not have to manually type a long link; instead, they will just use the smartphone's camera to read the QR code.

By e-mail

To e-mail a profile, at least one user address must be specified, and a connection to an SMTP server must be configured on the Administration Server. You can view e-mail addresses in the account properties (double-click to open) in the User accounts container. To configure the SMTP server settings, open the Notification section in the properties of the Reports and notifications container and select Email in the uppermost drop-down list.

By SMS

To be able to use SMS, at least one phone number must be specified in the account properties: double-click the account name in the User accounts container to check. SMS sending must be configured for the Administration Server, too. Open the properties of the Reports and notifications container, switch to the Notification section and select SMS in the uppermost drop-down list. You can use one of two delivery options:

- Via an SMS gateway, if your mobile provider renders this service
- Via Kaspersky SMS Broadcasting Utility. It is installed on Android smartphones and allows using them for mass SMS sending. The installation file of the Kaspersky SMS Broadcasting Utility, sms_utility_<version>.apk, can be found in the distribution of Kaspersky Security for Mobile (which is described in the next chapter).

The list of devices used by the Administration Server for sending SMS messages is specified in the properties of the Reports and notifications node, in the SMS senders section.

Installing the MDM profile

The user receives a link to the MDM profile, downloads it and clicks the Install button. The profile is installed, and the administrator can see the device in the Mobile devices / iOS MDM mobile devices node of the Administration Console. By default, the user can delete an MDM profile at any time: select Kaspersky MDM Profile in Settings / General / Profiles and click Remove. However, the administrator can prohibit this via an iOS profile, which is discussed in the next section.


2.4 Using iOS Profiles

If the administrator wants to enforce specific settings on devices, such as password complexity and/or Exchange Server, VPN, or Wi-Fi connection parameters, they need to create and apply an iOS profile.

Creating iOS profiles

iOS profiles are created by the iPhone Configuration Utility; in fact, it is installed exactly for this purpose. If necessary, you can install it on another computer, create iOS profiles there, export them, and then import them into the Administration Console. To add a new or edit an existing iOS profile, open the properties of MDM for iOS and switch to the Profiles section. Click Create or Modify to open the iPhone Configuration Utility. Switch to the Configuration Profiles section to edit the profile. When ready, just close the utility window. All the changes will be saved automatically, and a new profile, if created, will appear in the list of MDM for iOS profiles.

Applying iOS profiles

To apply an iOS profile, find the necessary device under Mobile devices / iOS MDM mobile devices, select it, and click the Install profile to device task link (or the same command on the shortcut menu of the device). In the window that opens, select the necessary profile and click OK. The profile will be automatically installed on the device. To unassign the profile, click the Remove profile from device link.
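As an added illustration (not part of the course and not output of the iPhone Configuration Utility), the Python below builds the kind of configuration profile (.mobileconfig) that enforces a passcode policy and marks the profile as non-removable by the user, then audits any profile for weak passcode settings; the organization name and payload identifiers are placeholders.

```python
import plistlib
import uuid

# Constructed placeholders, not values from the course or the product.
ORG = "Example Corp"
PROFILE_ID = "com.example.mdm.passcode"


def passcode_payload(min_length=6, allow_simple=False, max_failed=10,
                     max_inactivity=5, max_age_days=90, history=5):
    """Build the com.apple.mobiledevice.passwordpolicy payload."""
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_ID + ".passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                  # a passcode is mandatory
        "allowSimple": allow_simple,       # True permits 1111 / 1234 style codes
        "requireAlphanumeric": True,       # letters and digits required
        "minLength": min_length,
        "maxFailedAttempts": max_failed,   # device is wiped after this many failures
        "maxInactivity": max_inactivity,   # minutes before auto-lock
        "maxPINAgeInDays": max_age_days,
        "pinHistory": history,
    }


def build_profile(passcode=None, removal_disallowed=True):
    """Return a .mobileconfig (XML plist) carrying one passcode payload."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate passcode policy",
        "PayloadOrganization": ORG,
        # When True the user cannot delete the profile in Settings / General /
        # Profiles; only the MDM server (or a device erase) can remove it.
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": [passcode if passcode is not None else passcode_payload()],
    }
    return plistlib.dumps(profile)


# Minimum bar for each passcode setting; a value is weak when the lambda is true.
WEAK_IF = {
    "allowSimple": lambda v: v is True,
    "forcePIN": lambda v: v is not True,
    "minLength": lambda v: v < 6,
    "maxFailedAttempts": lambda v: v > 10,
    "maxInactivity": lambda v: v > 15,
}


def audit_profile(data):
    """Return a list of weak or missing settings; an empty list means it passes."""
    profile = plistlib.loads(data)
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy"]
    if not policies:
        return ["no passcode payload"]
    findings = []
    for key, is_weak in WEAK_IF.items():
        for p in policies:
            if key not in p:
                findings.append(f"{key} missing")
            elif is_weak(p[key]):
                findings.append(f"{key} weak")
    if not profile.get("PayloadRemovalDisallowed"):
        findings.append("PayloadRemovalDisallowed not set")
    return findings


if __name__ == "__main__":
    strong = build_profile()
    print(strong.decode())
    print("findings:", audit_profile(strong))
```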


2.5 Device Management

Any device connected via an MDM profile can be remotely locked or wiped, and its password can be reset. To do so, in the Administration Console open the Mobile devices / iOS MDM mobile devices node, select the device and click the necessary command.

You can also remotely install or uninstall any application, from the App Store or third-party. For an App Store application, it is easy. First add its ID to the properties of MDM for iOS (in the Mobile devices \ Mobile devices servers container, in the Managed applications section). Then find the necessary device in the Mobile devices / iOS MDM mobile devices node and click Install application to device.

For third-party applications, the procedure is somewhat more complicated because they have no App Store ID. The administrator has to publish the application manually, sign it with a certificate if necessary, and make a .plist file. When adding the application, instead of the ID, specify the link to the .plist file, which in turn contains a link to the .ipa file of the application distribution. The web server of the KSC Administration Server can be used for publishing the files.

Note: This is the only possible method to remotely install Kaspersky Security for Mobile, which is described in the next chapter.
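The .plist manifest referenced above, as an added example that is not part of the course: Python that builds the Apple over-the-air manifest pointing at the .ipa and validates a manifest before it is published; the server name, paths and bundle identifier are placeholders.

```python
import plistlib

# Constructed placeholder values, not taken from the course material.
IPA_URL = "https://ksc.example.com/apps/ksm.ipa"
BUNDLE_ID = "com.example.ksm"


def is_https(url):
    """True only for URLs that iOS can fetch without downgrade to plain HTTP."""
    return url.lower().startswith("https://")


def build_manifest(ipa_url, bundle_id, version, title):
    """Return the OTA manifest (.plist) that points at the .ipa as bytes.

    iOS 7.1 and later refuses a manifest that is not served over HTTPS, and
    serving the .ipa over HTTPS as well keeps the download from being
    observed or altered in transit, so both URLs are required to be HTTPS.
    """
    if not is_https(ipa_url):
        raise ValueError(f"refusing non-HTTPS package URL: {ipa_url}")
    manifest = {
        "items": [{
            "assets": [{"kind": "software-package", "url": ipa_url}],
            "metadata": {
                "bundle-identifier": bundle_id,
                "bundle-version": version,
                "kind": "software",
                "title": title,
            },
        }]
    }
    return plistlib.dumps(manifest)


def parse_manifest(data):
    """Validate a manifest and return (ipa_url, bundle_id, version, title)."""
    manifest = plistlib.loads(data)
    items = manifest.get("items", [])
    if len(items) != 1:
        raise ValueError("manifest must describe exactly one item")
    packages = [a["url"] for a in items[0].get("assets", [])
                if a.get("kind") == "software-package"]
    if len(packages) != 1:
        raise ValueError("manifest must reference exactly one software-package")
    if not is_https(packages[0]):
        raise ValueError(f"package URL is not HTTPS: {packages[0]}")
    meta = items[0]["metadata"]
    if meta.get("kind") != "software":
        raise ValueError("metadata kind must be 'software'")
    return packages[0], meta["bundle-identifier"], meta["bundle-version"], meta["title"]


if __name__ == "__main__":
    data = build_manifest(IPA_URL, BUNDLE_ID, "10.0", "Kaspersky Security for Mobile")
    print(data.decode())
    print(parse_manifest(data))
```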


2.6 MDM for iOS Settings

In the properties of MDM for iOS, you can modify the ports, specify the synchronization interval, modify the event lifetime (30 days by default), and configure notifications. There are no special report templates for MDM for iOS.


Chapter 3. Kaspersky Security for Mobile

Smartphones, and especially tablets, can perform functions typical of workstations. If the user does not need resource-consuming applications and only needs an e-mail program, a browser, Skype and a text editor, a tablet may be a useful alternative, especially out of the office: it is more lightweight than a notebook and more useful on the go. If the organization has decided to protect all devices that connect to the internal network without exception, it might be worthwhile to purchase Kaspersky Security for Mobile licenses for all employees using such devices.

3.1 Supported Platforms

The solution for Android resembles an endpoint protection solution: it can be installed remotely via the Administration Console, and it has an Anti-Virus component and Application Control. However, smartphones are not yet workstations. Only the latest models have processors and RAM comparable to netbooks, and as far as network connections are concerned, they usually only have Wi-Fi. Accordingly, the functionality of the Anti-Virus is limited when compared with endpoint protection, to take into account the low performance of the devices and the difficulties with getting signature database updates. On the other hand, the number of known malware samples for mobile platforms is still small when compared with desktop versions of Microsoft Windows. However, a smartphone:

- Is easier to lose
- Has Internet access that is difficult to control

Therefore, protection from unauthorized access is more important for smartphones than for workstations. Additionally, the components that allow finding lost devices were developed specifically for them, as desktops usually cannot receive SMS or determine their GPS location.

The following operating systems are supported:

- Android 2.2-4.1
- Windows Mobile 5.0-6.5
- iOS 4-6
- Symbian 9.1, 9.2, 9.3, 9.4 Series 60 UI, Symbian^3, Symbian Anna, Symbian Belle (Nokia)
- BlackBerry 4.5, 4.6, 4.7, 5.0, 6.0, 7.1

Different sets of functionality are available for each platform, though. For example, on iOS, only containers and Web Protection are available, and on Android almost everything, except for the Firewall. This will be explained in detail later.


3.2 Preparing the Administration Server

Kaspersky Security for Mobile, regardless of the operating system running on the device, can be managed remotely via Kaspersky Security Center. The server must be prepared for that.

Required settings:

- Install the Mobile devices support component: in the Programs and Features snap-in (run the appwiz.cpl command to open it), select Kaspersky Security Center Administration Server, click Modify, and in the Custom Setup dialog select Mobile devices support. Then specify the Administration Server address to be accessed by mobile devices. It depends on the network configuration; for example, to enable connections from the Internet, the Administration Server must be accessible from the outside, so an external domain name or IP address should be specified. The computer does not need to be restarted.

  Note: The name of the Administration Server will be added not only to the properties of the remote installation package, but also to the certificates for secure connections. That is why the only way to modify it in future is a complete reinstallation of the Mobile devices support component.

- Open the ports for managing mobile devices: in the Administration Console, open the Administration Server properties, switch to the Settings section and select the Open port for mobile devices checkbox. After the settings are applied, TCP ports 13292 (connections) and 17100 (activation) will be opened on the computer.

- Install the Administration Console plug-in for managing Kaspersky Security 10 for Mobile. It is the klcfginst.exe file, which can be found in the distribution of Kaspersky Security for Mobile or Kaspersky Security Center, in the \Server\Plugins\KES4Mobile folder. It should be run on all computers with Administration Consoles from which Kaspersky Security for Mobile will be managed.

Optional:

- Create a subgroup: it is logical to move all mobile devices to an individual subgroup of managed computers to facilitate creating reports, viewing statistics, and configuring different conditions for statuses.
- Configure automatic relocation of mobile devices: create a rule that will automatically move all devices running Android, iOS, Windows Mobile, Symbian, and BlackBerry operating systems to the aforementioned subgroup. This is configured in the properties of the Unassigned computers container.
- Create a group policy for Kaspersky Security for Mobile and add the license key to it.
- Prepare a standalone installation package for Kaspersky Security for Mobile for Android: the necessary files are available in the sc_package_en.exe archive. See the next section for details.
- Distribute the kmlisten.exe utility to the managed computers running Windows to which devices (except for iOS) are supposed to be connected. The utility will keep track of such devices and install Kaspersky Security for Mobile on them. This is described in detail later.
- Install and configure MDM for iOS for remote deployment of Kaspersky Security for iOS. See the previous chapter for details.


3.3 Installation

The distribution of Kaspersky Security for Mobile includes an individual installation file for each of the supported operating systems. It can be installed locally on any of them: copy the corresponding file from the distribution or download it from the appropriate Market. In this case, the user is responsible for the Kaspersky Security Center connection settings and needs to correctly enter the network parameters (address and port) of the Administration Server. After that, the administrator will be able to view information about the device in the Administration Console.

Another installation method is designed for devices that are connected to workstations running Windows. In this case the user only confirms the program installation. This method works for all mobile operating systems except for iOS.

The third method, remote installation, can be employed only for Kaspersky Security for Mobile for Android and iOS:

- Android: via the Administration Console, where a standalone package can be created and published
- iOS: via MDM for iOS (see the previous chapter)


Installation using a standalone package (on Android)

Android devices, similarly to typical desktops (for example, Windows), fully support installation using standalone packages:

1. The administrator adds the Android version of the Kaspersky Security for Mobile installation package on the Administration Server. The path to the kmlisten.kpd file needs to be specified in the wizard. All the files necessary for installation are located in the sc_package_en.exe archive of the Kaspersky Security for Mobile distribution.
2. Then you can open the package properties and edit its settings:
   - Administration Server address and port
   - The folder within the Unassigned computers / Domain subdirectory of the Administration Server structure into which such devices are to be moved when connected (KSM10 by default)
   - Whether the e-mail address is required. With this option enabled, the user will be prompted to enter their address, which will be used for identifying the device. In the Administration Console, the mobile device name will be as follows: <the address specified by the user>_<unique identifier of the device>
3. Create a standalone package. The Network Agent does not need to be installed: clear the corresponding checkbox in the wizard. As a result, you will receive an .apk file, which will be automatically published on the built-in web server of KSC.
4. The administrator then transfers this file to the users and asks them to install it. Any method can be used: it can be attached to an e-mail message, a link to the package on the web server can be sent, or the installation file can be copied to any other web server. To send the message to a corporate e-mail address, open the User accounts container. The Send message by email command is available for each user there. In addition to the URL, you can insert the QR code, which is generated automatically. You can also send an SMS to the users whose mobile phone numbers are known.
5. Then the administrator has to wait until the user receives the message, downloads the package and starts the installation. The address and port of the server are already specified in the package, and the user needs to confirm the installation, grant administrative permissions to Kaspersky Security (for activation of the Anti-Theft functionality), and enter their e-mail address if required.

After a successful synchronization with the Administration Server, the mobile device will appear in the Administration Console, either in the Unassigned computers / Domain / <the folder specified in the installation package properties> node or in the folder specified in the automatic relocation rule (if configured).


Installation via a workstation (all operating systems except for iOS)

The administrator installs a special utility (kmlisten.exe) on the workstations running Windows operating systems to which the users are allowed to connect tablets and smartphones. It works in the background, and when a device compatible with Kaspersky Security for Mobile is connected, it copies the distribution to the device and starts the installation. Installation is performed automatically; the user only confirms it.

The kmlisten.exe utility is shipped with Kaspersky Security for Mobile. To install it on a workstation, you can employ any method supported by Kaspersky Security Center (see the KSC course or the product documentation for details). You will only need to set up the fields similar to those described above: Administration Server address, port, the folder where the device will be placed within the Unassigned computers structure, and whether the user is required to specify an e-mail address.


Installation via MDM for iOS (iOS devices only)

To be able to remotely install Kaspersky Security on iOS, an MDM for iOS profile must already be installed on the device. Then the administrator needs to:

1. Publish the installation package of Kaspersky Security for Mobile (an .ipa file) using any method, for example, the built-in web server of KSC
2. Add the published application in the Managed applications section under the properties of MDM for iOS (the Mobile devices / Mobile devices servers container)

Installation via a workstation (iOS)

Kaspersky Security for iOS can also be installed via the user's workstation, but only manually, using standard iTunes tools. The .ipa file will be necessary for this (see above).


3.4 Kaspersky Security for Mobile Settings

The functions available in Kaspersky Security for Mobile depend on the device's operating system. This is partly caused by the specifics of the operating systems and the requirements of the manufacturers. As far as Windows Mobile, Symbian and BlackBerry are concerned, the Kaspersky Security version upgrade only concerns the support of KSC 10 management. Aside from that, these products have the same functions as Kaspersky Security 8 for smartphones. The following features are supported:

Component             | Android | Windows Mobile | Symbian | BlackBerry | iOS
On-demand scanning    | Yes     | Yes            | Yes     |            |
Real-time protection  | Yes     | Yes            | Yes     |            |
Anti-Theft            | Yes     | Yes            | Yes     | Yes        |
Firewall              |         | Yes            | Yes     |            |
Web Control           | Yes     |                |         |            | Yes
Application Control   | Yes     |                |         |            |
Containers            | Yes     |                |         |            | Yes
Device Control        | Yes     |                |         |            |
Encryption            |         | Yes            | Yes     |            |
Personal functions    | Yes     | Yes            | Yes     | Yes        | Yes

The most detailed information about the systems for which every setting works can be found in the policy of Kaspersky Security for Mobile: the systems to which a group of settings is applicable are listed there.

Kaspersky Security for Mobile is managed solely via the policy and device properties; even the license key is specified in the policy. There are no separate tasks for Kaspersky Security for Mobile. Accordingly, you can set up only one active policy for each group, and any number of inactive ones. The Roaming status is not applicable to Kaspersky Security for Mobile policies, despite being displayed in the interface.


Managing applications

Consider a scenario where employees are allowed to use their personal mobile devices for accessing corporate resources. The administrator can restrict the use of applications, for example, permit only NitroDesk TouchDown for reading e-mail. The administrator should publish the TouchDown distribution on the Administration Server and make it required in the policy of Kaspersky Security for Mobile. Afterwards, the user will be regularly prompted to install TouchDown using the link to the distribution. The administrator can use either a clean installation of the application, or put the application in a container that allows managing its parameters (for example, require configuring an access password, prompt the user for their domain credentials, prohibit the application from using the Internet or from making calls, etc.).
