Step 11. Connecting mobile devices

Expand all | Collapse all

If you previously enabled the Mobile devices protection area in the Wizard settings, specify the settings for connecting the enterprise mobile devices of the managed organization. If you did not enable Mobile devices protection area, this step is skipped.

At this step of the Wizard, do the following:

• Configure ports for connection of mobile devices
• Configure Administration Server authentication
• Create or manage certificates
• Set up issuance, automatic updating, and encryption of general-type certificates
• Create a moving rule for mobile devices

To set up the ports for connection of mobile devices:

1. Click the Configure button to the right of the Mobile device connection field.
2. In the drop-down list, select Configure ports.

   The Administration Server properties window opens, displaying the Additional ports section.

3. In the Additional ports section, you can specify the mobile device connection settings:
   • SSL port for the activation proxy server

     The number of an SSL port for connection of Kaspersky Endpoint Security for Windows to activation servers of Kaspersky.

     The default port number is 17000.

   • Open port for mobile devices

     A port opens for mobile devices to connect to the Licensing Server. You can define the port number and other settings in the fields below.

     By default, this option is enabled.

   • Port for mobile device synchronization

     Number of the port through which mobile devices connect to the Administration Server and exchange data with it. The default port number is 13292.

     You can assign a different port if port 13292 is being used for other purposes.

   • Port for mobile device activation

     The port for connection of Kaspersky Endpoint Security for Android to activation servers of Kaspersky.

     The default port number is 17100.

   • Open port for UEFI protection devices

     UEFI protection devices can connect to the Administration Server.

   • Port for UEFI protection devices

     You can change the port number if the Open port for UEFI protection devices option is enabled. The default port number is 13294.

4. Click OK to save changes and return to the Quick Start Wizard.

You will have to configure authentication of the Administration Server by mobile devices and authentication of mobile devices by the Administration Server. If you want, you can configure authentication later, separately from the Quick Start Wizard.

To configure Administration Server authentication by mobile devices:

1. Click the Configure button to the right of the Mobile device connection field.
2. In the drop-down list, select Configure authentication.

   The Administration Server properties window opens, displaying the Certificates section.

3. Select the authentication option for mobile devices in the Administration Server authentication by mobile devices group of settings, and select the authentication option for UEFI protection devices in the Administration Server authentication by UEFI protection devices group of settings.

   When Administration Server exchanges data with client devices, it is authenticated through the use of a certificate.

   By default, Administration Server uses the certificate that was created during Administration Server installation. If you want, you can add a new certificate.

To add a new certificate (optional):

1. Select Other certificate.

   The Browse button appears.

2. Click the Browse button.
3. In the window that opens, specify the certificate settings:
   • Certificate type

     In the drop-down list, you can select a certificate type:

     • X.509 certificate. If this option is selected, you should specify the private key of a certificate and an open certificate:
       • Private key (.prk, .pem). In this field, click the Browse button to specify the private key of a certificate in PKCS #8 (*.prk) format.
       • Public key (.cer). In this field, click the Browse button to specify a public key in PEM (*.cer) format.
     • PKCS #12 container. If you select this option, you can specify a certificate file in P12 or PFX format by clicking the Browse button and filling in the Certificate file field.
   • Activation time:
     • Immediately

       The current certificate will be immediately replaced with the new one after you click OK.

       Previously connected mobile devices will not be able to connect to Administration Server.

     • After this period expires, days

       If you select this option, a reserve certificate will be generated. The current certificate will be replaced with the new one in the specified number of days. The effective date of the reserve certificate is displayed in the Certificates section.

       It is recommended that you plan the reissue in advance. The reserve certificate must be downloaded to the mobile devices before the specified period expires. After the current certificate is replaced with the new one, previously connected mobile devices that do not have the reserve certificate will not be able to connect to Administration Server.

4. Click the Properties button to view the settings of the selected Administration Server certificate.

To reissue a certificate issued through Administration Server:

1. Select Certificate issued through Administration Server.
2. Click the Reissue button.
3. In the window that opens, specify the following settings:
   • Connection address:
     • Use old connection address

       The address of the Administration Server to which mobile devices connect remains unchanged.

       This option is selected by default.

     • Change connection address to

       If you want mobile devices to connect to a different address, specify the relevant address in this field.

       If the address for mobile device connection has changed, a new certificate must be issued. The old certificate becomes invalid on all mobile devices connected. Previously connected devices will not be able to connect to Administration Server so they will become unmanaged.

   • Activation time:
     • Immediately

       The current certificate will be immediately replaced with the new one after you click OK.

       Previously connected mobile devices will not be able to connect to Administration Server.

     • After this period expires, days

       If you select this option, a reserve certificate will be generated. The current certificate will be replaced with the new one in the specified number of days. The effective date of the reserve certificate is displayed in the Certificates section.

       It is recommended that you plan the reissue in advance. The reserve certificate must be downloaded to the mobile devices before the specified period expires. After the current certificate is replaced with the new one, previously connected mobile devices that do not have the reserve certificate will not be able to connect to Administration Server.

4. Click OK to save changes and return to the Certificates window.
5. Click OK to save changes and return to the Quick Start Wizard.

To set up issuance, automatic updating, and encryption of general-type certificates for identification of mobile devices by Administration Server:

1. Click the Configure button on the right of the Mobile device authentication field.

   The Certificate issuance rules window opens, displaying the Issuance of mobile certificates section.

2. If necessary, specify the following settings in the Issuance settings section:
   • Certificate lifetime, days

     Certificate lifetime period in days. The default lifetime of a certificate is 365 days. When this period expires, the mobile device will not be able to connect to the Administration Server.

   • Certificate source

     Select the source of general-type certificates for mobile devices: certificates are issued by Administration Server, or they are specified manually.

     You can modify the certificate templates if integration with the public key infrastructure (PKI) has been configured in the Integration with PKI section. In this case, the following template selection fields are available:

   • Default template

     Use a certificate issued by an external certificate source – Certification Center – under the default template.

     By default, this option is selected.

   • Other template

     Select a template used to issue certificates. You can specify certificate templates in the domain. The Refresh list button updates the list of certificate templates.

3. If necessary, specify the following settings for automatic issuance of certificates in the Automatic Updates settings section:
   • Renew when certificate is to expire in (days)

     The number of days remaining until the current certificate's expiration during which Administration Server should issue a new certificate. For example, if the value of the field is 4, Administration Server issues a new certificate four days before the current certificate expires. The default value is 7.

   • Reissue certificate automatically if possible

     Select this option to reissue a certificate automatically for the number of days specified in the Renew when certificate is to expire in (days) field. If a certificate was manually defined, it cannot be automatically renewed, and the enabled option will not work.

     By default, this option is disabled.

   Certificates are automatically reissued by a Certification Authority.

4. If necessary, in the Password protection settings section, specify the settings for decrypting certificates during installation.

   Select the Prompt for password during certificate installation option to prompt the user for password when the certificate is installed on a mobile device. The password is used only once—during installation of the certificate on the mobile device.

   The password will be automatically generated by Administration Server and sent to the email address that you specified. You can specify the user's email address, or your own email address if you want to use another method to forward the password to the user.

   You can use the slider to specify the number of characters in the certificate decryption password.

   The password prompting option is required, for example, to protect a shared certificate in a stand-alone Kaspersky Endpoint Security for Android installation package. Password protection will prevent an intruder from obtaining access to the shared certificate through theft of the stand-alone installation package from Kaspersky Security Center Web Server.

   If this option is disabled, the certificate is automatically decrypted during installation and the user will not be prompted for a password. By default, this option is disabled.

5. Click OK to save changes and return to the Quick Start Wizard window.

   Click the Cancel button to return to the Quick Start Wizard without saving any changes made.

To enable the function for moving mobile devices to an administration group that you choose,

In the Automatic moving of mobile devices field, select the Create a moving rule for mobile devices option.

If the Create a moving rule for mobile devices option is selected, the application automatically creates a moving rule that moves devices running Android and iOS to the Managed devices group:

• With Android operating systems on which a Kaspersky Endpoint Security for Android and a mobile certificate are installed
• With iOS operating systems on which the iOS MDM profile with a shared certificate is installed

If such a rule already exists, the application does not create it again.

By default, this option is disabled.

Kaspersky no longer supports Kaspersky Safe Browser.

Page top