Kaspersky Security Center

Encrypt communication with SSL/TLS

May 20, 2024

ID 174316

To fix vulnerabilities on your organization's corporate network, you can enable traffic encryption using SSL/TLS. You can enable SSL/TLS on Administration Server and iOS MDM Server. Kaspersky Security Center supports SSL v3 as well as Transport Layer Security (TLS v1.0, 1.1, and 1.2). You can select the encryption protocol and cipher suites. Kaspersky Security Center uses self-signed certificates. Additional configuration of the iOS devices is not required. You can also use your own certificates. Kaspersky specialists recommend using certificates issued by trusted certificate authorities.

Administration Server

To configure allowed encryption protocols and cipher suites on the Administration Server:

  1. Run the Windows command prompt with administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.
  2. Use the SrvUseStrictSslSettings flag to configure allowed encryption protocols and cipher suites on Administration Server. Execute the following command in the command line:

    klscflag -fset -pv ".core/.independent" -s Transport -n SrvUseStrictSslSettings -v <value> -t d

    Specify the <value> parameter of the command:

    • 0—All of the supported encryption protocols and cipher suites are enabled
    • 1—SSL v2 is disabled

      Cipher suites:

      • AES256-GCM-SHA384
      • AES256-SHA256
      • AES256-SHA
      • CAMELLIA256-SHA
      • AES128-GCM-SHA256
      • AES128-SHA256
      • AES128-SHA
      • SEED-SHA
      • CAMELLIA128-SHA
      • IDEA-CBC-SHA
      • RC4-SHA
      • RC4-MD5
      • DES-CBC3-SHA
    • 2—SSL v2 and SSL v3 are disabled (default value)

      Cipher suites:

      • AES256-GCM-SHA384
      • AES256-SHA256
      • AES256-SHA
      • CAMELLIA256-SHA
      • AES128-GCM-SHA256
      • AES128-SHA256
      • AES128-SHA
      • SEED-SHA
      • CAMELLIA128-SHA
      • IDEA-CBC-SHA
      • RC4-SHA
      • RC4-MD5
      • DES-CBC3-SHA
    • 3—only TLS v1.2.

      Cipher suites:

      • AES256-GCM-SHA384
      • AES256-SHA256
      • AES256-SHA
      • CAMELLIA256-SHA
      • AES128-GCM-SHA256
      • AES128-SHA256
      • AES128-SHA
      • CAMELLIA128-SHA
  3. Restart the following Kaspersky Security Center 13 services:
    • Administration Server
    • Web Server
    • Activation Proxy
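
After the services restart, you can confirm that the server negotiates only the protocols the chosen value allows. The following Python check is an added example, not Kaspersky code: it attempts one handshake per protocol version and compares the results with the list above. The names probe, audit, PROBED and EXPECTED are hypothetical, and the host and port of your Administration Server are assumptions you pass on the command line.

```python
import socket
import ssl
import sys

PROBED = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]  # SSL v2 cannot be offered by Python
# Protocols each SrvUseStrictSslSettings value should leave enabled (from the list above).
EXPECTED = {0: set(PROBED), 1: set(PROBED),
            2: {"TLSv1", "TLSv1_1", "TLSv1_2"}, 3: {"TLSv1_2"}}

def probe(host, port, name, timeout=5.0):
    """True/False: handshake pinned to one protocol accepted/refused; None: no verdict."""
    if not getattr(ssl, "HAS_" + name, False):
        return None                      # local OpenSSL build lacks this protocol
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # the default server certificate is self-signed
    ctx.verify_mode = ssl.CERT_NONE      # protocol check only, no trust decision
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let the client offer legacy versions
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion[name]
    except (ValueError, ssl.SSLError):
        return None                      # client library refuses to pin this version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None                      # host unreachable
    with raw:
        try:
            with ctx.wrap_socket(raw):
                return True
        except (ssl.SSLError, ConnectionError):
            return False                 # server refused the handshake
        except OSError:
            return None                  # timeout during the handshake

def audit(flag_value, observed):
    """List (protocol, problem) deviations from EXPECTED; empty means a match."""
    findings = []
    for name in PROBED:
        accepted, wanted = observed.get(name), name in EXPECTED[flag_value]
        if accepted is None:
            findings.append((name, "not tested"))
        elif accepted != wanted:
            findings.append((name, "accepted but should be disabled" if accepted
                             else "rejected but should be allowed"))
    return findings

if __name__ == "__main__":  # usage: script.py <host> <port> <flag value>
    host, port, value = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    print(audit(value, {n: probe(host, port, n) for n in PROBED}) or "matches")
```

A "not tested" result for SSLv3 is common, because many current OpenSSL builds ship without SSL v3 support. The same check works for the iOS MDM Server values 2 and 3 described below.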

iOS MDM Server

The connection between the iOS devices and the iOS MDM Server is encrypted by default.

To configure allowed encryption protocols and cipher suites on the iOS MDM Server:

  1. Open the system registry of the client device with iOS MDM Server installed (for example, locally, using the regedit command in the Start → Run menu).
  2. Go to the following hive:
    • For 32-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset

    • For 64-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset

  3. Create a key with the StrictSslSettings name.
  4. Specify DWORD as the key type.
  5. Set the key value:
    • 2—SSL v3 is disabled (TLS 1.0, TLS 1.1, TLS 1.2 are allowed)
    • 3—only TLS 1.2 (default value)
  6. Restart the Kaspersky Security Center 13 iOS MDM Server service.
