Kaspersky applications deployment through Kaspersky Security Center Web Console

This section describes Kaspersky applications deployment on client devices in your organization by means of Kaspersky Security Center Web Console.

Scenario: Kaspersky applications deployment through Kaspersky Security Center Web Console

This scenario explains how to deploy Kaspersky applications through Kaspersky Security Center Web Console. You can use the Quick Start Wizard and Protection Deployment Wizard, or you can complete all necessary steps manually.

Prerequisites

The following applications are available for deployment by using Kaspersky Security Center Web Console:

• Kaspersky Endpoint Security for Windows
• Kaspersky Endpoint Security for Linux

Kaspersky applications deployment proceeds in stages:

1. Downloading management plug-in for the application

   This stage is handled by the Quick Start Wizard. If you choose not to run the Wizard, download the plug-in for Kaspersky Endpoint Security for Windows manually.

   If you plan to manage corporate mobile devices, follow the instructions provided in the Kaspersky Security for Mobile Help to download and install the management plug-ins for Kaspersky Endpoint Security for Android.

2. Downloading and creating installation packages

   This stage is handled by the Quick Start Wizard.

   The Quick Start Wizard allows you to download the installation package with the management plug-in. If you did not select this option when running the Wizard, or if you did not run the Wizard at all, you must download the package manually.

   If you cannot install Kaspersky applications by means of Kaspersky Security Center on some devices, for example, on remote employees' devices, you can create stand-alone installation packages for applications. If you use stand-alone packages to install Kaspersky applications, you do not have to create and run a remote installation task, nor create and configure tasks for Kaspersky Endpoint Security for Windows.

3. Creating, configuring, and running the remote installation task

   For Kaspersky Endpoint Security for Windows, this stage is part of the Protection Deployment Wizard, which starts automatically after the Quick Start Wizard has finished. If you choose not to run the Protection Deployment Wizard, you must create this task manually and configure it manually.

   You also can manually create several remote installation tasks for different administration groups or different device selections. You can deploy different versions of one application in these tasks.

   Make sure that all the devices on your network are discovered; then run the remote installation task (or tasks).

   If you want to install Network Agent on devices with the SUSE Linux Enterprise Server 15 operating system, install the insserv-compat package first to configure Network Agent.

4. Creating and configuring tasks for the managed application

   The Install update task of Kaspersky Endpoint Security for Windows must be configured.

   This stage is part of the Quick Start Wizard: the task is created and configured automatically with the default settings. If you did not run the Wizard, you must create this task manually and configure it manually. If you use the Quick Start Wizard, make sure that the schedule for the task meets your requirements. (By default, the scheduled start for the task is set to Manually, but you might want to choose another option.)

   Other Kaspersky applications might have other default tasks. Please refer to the documentation of the corresponding applications for details.

   Make sure that the schedule for each task that you create meets your requirements.

5. Installing Kaspersky Security for Mobile (optional)

   If you plan to manage corporate mobile devices, follow the instructions provided in the Kaspersky Security for Mobile Help for information about deployment of Kaspersky Endpoint Security for Android.

6. Creating policies

   Create the policy for each application manually or (in case of Kaspersky Endpoint Security for Windows) through the Quick Start Wizard. You can use the default settings of the policy; you can also modify the default settings of the policy according to your needs at any time.

7. Verifying the results

   Make sure that deployment was completed successfully: you have policies and tasks for each application, and these applications are installed on the managed devices.

Results

Completion of the scenario yields the following:

• All required policies and tasks for the selected applications are created.
• The schedules of tasks are configured according to your needs.
• The selected applications are deployed, or scheduled to be deployed, on the selected client devices.

Getting plug-ins for Kaspersky applications

To deploy a Kaspersky application, such as Kaspersky Endpoint Security for Windows, you must download the management plug-in for the application.

To download a management plug-in for a Kaspersky application:

1. In the Console settings drop-down list, select Web plug-ins.
2. In the window that opens, click the Add button.

   The list of available plug-ins is displayed.

3. In the list of available plug-ins, select the plug-in you want to download (for example, Kaspersky Endpoint Security 11 for Windows) by clicking on its name.

   A plug-in description page is displayed.

4. On the plug-in description page, click Install plug-in.
5. When the installation is complete, click OK.

The management plug-in is downloaded with the default configuration and displayed in the list of management plug-ins.

You can add plug-ins and update downloaded plug-ins from a file. You can download management plug-ins and web management plug-ins from the Kaspersky Technical Support webpage.

To download or update plug-in from a file:

1. In the Console settings drop-down list, select Web plug-ins.
2. Do one of the following:
   • Click Add from file to download a plug-in from a file.
   • Click Update from file to download an update of a plug-in from a file.
3. Specify the file and signature of the file.
4. Download the specified files.

The management plug-in is downloaded from the file and displayed in the list of management plug-ins.

Updating plug-ins for Kaspersky applications

Update management plug-ins for Kaspersky applications to make sure the plug-ins work properly.

To update a management plug-in for a Kaspersky application:

1. In the Console settings drop-down list, select Web plug-ins.

   In the window that opens the list of installed plug-ins is displayed.

2. Select the plug-in that you want to update.
3. Click the Update plug-in button.

   The list of available updates for the selected plug-in is displayed.

4. In the list of available plug-in updates, select the update you want to install by clicking on its name.

   A plug-in update description page is displayed.

5. On the plug-in update description page, click Install plug-in.
6. When the downloading and installation is complete, click OK.

The management plug-in update is downloaded and installed for the selected plug-in.

Downloading and creating installation packages for Kaspersky applications

You can create installation packages for Kaspersky applications from Kaspersky web servers if your Administration Server has access to the internet.

To download and create installation package for Kaspersky application:

1. Do one of the following:
   • In the main menu, go to DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT → INSTALLATION PACKAGES.
   • In the main menu, go to OPERATIONS → REPOSITORIES → INSTALLATION PACKAGES.

   You can also view notifications about new packages for Kaspersky applications in the list of onscreen notifications. If there are notifications about a new package, you can click the link next to the notification and proceed to the list of available installation packages.

   A list of installation packages available on Administration Server is displayed.

2. Click Add.

   The New Package Wizard starts. Proceed through the Wizard by using the Next button.

3. Select Create an installation package for a Kaspersky application.

   A list of available installation packages on Kaspersky web servers appears. The list contains installation packages only for those applications that are compatible with the current version of Kaspersky Security Center.

4. Click the name of an installation package, for example, Kaspersky Endpoint Security for Windows (11.1.0).

   A window opens with information about the installation package.

   You can download and use an installation package which includes cryptographic tools that implement strong encryption, if it complies with applicable laws and regulations. To download the installation package of Kaspersky Endpoint Security for Windows valid for the needs of your organization, consult the legislation of the country where the client devices of your organization are located.

5. Read the information and click the Download and create installation package button.

   If a distribution package can not be converted to an installation package, the Download distribution package button instead of the Download and create installation package is displayed.

   The downloading of the installation package to Administration Server starts. You can close the Wizard's window or proceed to the next step of the instruction. If you close the Wizard's window, the download process will continue in background mode.

   If you want to track an installation package download process:

   1. In the main menu, go to OPERATIONS → REPOSITORIES → INSTALLATION PACKAGES → In progress ().
   2. Track the operation progress in the Download progress column and the Download status column of the table.

   When the process is complete, the installation package is added to the list on the Downloaded tab. If the download process stops and the download status switches to Accept EULA, then click the installation package name, and then proceed to the next step of the instruction.

   If the size of data contained in the selected distribution package exceeds the current limit, an error message is displayed. You can change the limit value and then proceed with the installation package creation.

6. For some Kaspersky applications, during the download process the Show EULA button is displayed. If it is displayed, do the following:
   1. Click the Show EULA button to read the End User License Agreement (EULA).
   2. Read the EULA that is displayed on the screen, and click Accept.

      The downloading continues after you accept the EULA. If you click Decline, the download is stopped.

7. When the downloading is complete, click the Close button.

The selected installation package is downloaded to the Administration Server shared folder, to the Packages subfolder. After downloading, the installation package is displayed in the list of installation packages.

Changing the limit on the size of custom installation package data

The total size of data unpacked during creation of a custom installation package is limited. The default limit is 1 GB.

If you attempt to upload an archive file that contains data exceeding the current limit, an error message is displayed. You might have to increase this limit value when creating installation packages from large distribution packages.

To change the limit value for the custom installation package size:

1. Open the system registry of the Administration Server device (for example, locally, using the regedit command in the Start → Run menu).
2. Go to the following hive:
   • For 32-bit systems:

     HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags

   • For 64-bit systems:

     HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags

3. Right-click the hive, and then select New → DWORD (32-bit) value.

   A new DWORD key is created.

4. Assign key the MaxArchivePkgSize name.
5. Double-click the new DWORD key to edit.
6. Set the required limit value:
   1. Select any base: hexadecimal or decimal.
   2. Specify the number of bytes corresponding to the selected base.

   For example, if the required limit is 2 GB, you can specify the decimal value 2147483648 or the hexadecimal value 0x80000000.

7. Click OK.

The limit on the size of custom installation package data is changed.

Downloading distribution packages for Kaspersky applications

In Kaspersky Security Center Web Console, you can download and save distribution packages for Kaspersky applications. You can use the distribution packages to install the applications manually, without using Kaspersky Security Center.

To download and save distribution packages for Kaspersky applications:

1. On the Operations tab, select Kaspersky applications → Current application versions.

   A list of available distribution packages, plug-ins, and patches opens. Kaspersky Security Center displays only those items that are compatible with its current version.

2. In the list, click the name of the package that you want to download.

   The description of the package opens.

3. Read the description and click the Download and create installation package button.

   If a distribution package cannot be converted to an installation package, the Download distribution package button is displayed instead of the Download and create installation package.

   The download of the installation package to Administration Server starts.

The selected installation or distribution package is downloaded to the Administration Server shared folder, to the Packages subfolder. After it is downloaded, the installation package is displayed in the list of installation packages.

Checking that Kaspersky Endpoint Security is deployed successfully

To ensure that you have correctly deployed Kaspersky applications, such as Kaspersky Endpoint Security:

1. Using Kaspersky Security Center Web Console, make sure that you have the following:
   • A policy for Kaspersky Endpoint Security and/or other security applications that you use.
   • Tasks for Kaspersky Endpoint Security for Windows: Quick virus scan task and Install update task (if you use Kaspersky Endpoint Security for Windows).
   • Tasks for other security applications that you use.
2. On one of the managed devices, selected for installation, make sure of the following:
   • Kaspersky Endpoint Security or another Kaspersky security application is installed.
   • In Kaspersky Endpoint Security, the File Threat Protection, Web Threat Protection, and Mail Threat Protection settings match the policy that you created for this device.
   • Kaspersky Endpoint Security service can be stopped and started manually.
   • Group tasks can be stopped and started manually.

Creating stand-alone installation packages

You and device users in your organization can use stand-alone installation packages to install applications on devices manually.

A stand-alone installation package is an executable file (installer.exe) that you can store on Web Server, in a shared folder, send by email, or transfer to a client device by another method. On the client device, the user can run the received file locally to install an application without involving Kaspersky Security Center. You can create stand-alone installation packages for Kaspersky applications and for third-party applications for Windows, macOS, and Linux platforms. To create a stand-alone installation package for a third-party application, you must create a custom installation package.

Be sure that the stand-alone installation package is not available for unauthorized persons.

To create a stand-alone installation package:

1. Do one of the following:
   • In the main menu, go to DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT → INSTALLATION PACKAGES.
   • In the main menu, go to OPERATIONS → REPOSITORIES → INSTALLATION PACKAGES.

   A list of installation packages available on Administration Server is displayed.

2. In the list of installation packages, select an installation package and, above the list, click the Deploy button.
3. Select the Using a stand-alone package option.

   Stand-alone Installation Package Creation Wizard starts. Proceed through the Wizard by using the Next button.

4. Make sure that the Install Network Agent together with this application option is enabled if you want to install Network Agent together with the selected application.

   By default, this option is enabled. We recommend enabling this option if you are not sure whether Network Agent is installed on the device. If Network Agent is already installed on the device, after the stand-alone installation package with Network Agent is installed, Network Agent will be updated to the newer version.

   If you disable this option, Network Agent will not be installed on the device and the device will be unmanaged.

   If a stand-alone installation package for the selected application already exists on Administration Server, the Wizard informs you about this fact. In this case, you must select one of the following actions:

   • Create stand-alone installation package. Select this option if, for example, you want to create a stand-alone installation package for a new application version and also want to retain a stand-alone installation package that you created for a previous application version. The new stand-alone installation package is placed in another folder.
   • Use existing stand-alone installation package. Select this option if you want to use an existing stand-alone installation package. The process of package creation will not be started.
   • Rebuild existing stand-alone installation package. Select this option if you want to create a stand-alone installation package for the same application again. The stand-alone installation package is placed in the same folder.
5. On the Move to list of managed devices step, the Do not move devices option is enabled by default. If you do not want to move the client device to any administration group after Network Agent installation, leave this option enabled.

   If you want to move the client device after Network Agent installation, select the Move unassigned devices to this group option and specify an administration group to which you want to move the client device. By default, the device is moved to the Managed devices group.

6. When the process of the stand-alone installation package creation is finished, click the FINISH button.

   The Stand-alone Installation Package Creation Wizard closes.

The stand-alone installation package is created and placed in the PkgInst subfolder of the Administration Server shared folder. You can view the list of stand-alone packages by clicking the View the list of stand-alone packages button above the list of installation packages.

Viewing the list of stand-alone installation packages

You can view the list of stand-alone installation packages and properties of each stand-alone installation package.

To view the list of stand-alone installation packages for all installation packages:

Above the list, click the View the list of stand-alone packages button.

In the list of stand-alone installation packages, their properties are displayed as follows:

• Package name. Stand-alone installation package name that is automatically formed as the application name included in the package and the application version.
• Application name. Application name included in the stand-alone installation package.
• Application version.
• Network Agent installation package name. The property is displayed only if Network Agent is included in the stand-alone installation package.
• Network Agent version. The property is displayed only if Network Agent is included in the stand-alone installation package.
• Size. File size in MB.
• Group. Name of the group to which the client device is moved after Network Agent installation.
• Created. Date and time of the stand-alone installation package creation.
• Modified. Date and time of the stand-alone installation package modification.
• Path. Full path to the folder where the stand-alone installation package is located.
• Web address. Web address of the stand-alone installation package location.
• File hash. The property is used to certify that the stand-alone installation package was not changed by third-party persons and a user has the same file you have created and transferred to the user.

To view the list of stand-alone installation packages for specific installation package:

Select the installation package in the list and, above the list, click the View the list of stand-alone packages button.

In the list of stand-alone installation packages, you can do the following:

• Publish a stand-alone installation package on the Web Server by clicking the Publish button. Published stand-alone installation package is available for downloading for users whom you sent the link to the stand-alone installation package.
• Cancel publication of a stand-alone installation package on the Web Server by clicking the Unpublish button. Unpublished stand-alone installation package is available for downloading only for you and other administrators.
• Download a stand-alone installation package to your device by clicking the Download button.
• Send email with the link to a stand-alone installation package by clicking the Send by email button.
• Remove a stand-alone installation package by clicking the Remove button.

Creating custom installation packages

You can use custom installation packages to do the following:

• To install any application (such as a text editor) on a client device, for example, by means of a task.
• To create a stand-alone installation package.

A custom installation package is a folder with a set of files. The source to create a custom installation package is an archive file. The archive file contains a file or files that must be included in the custom installation package. While creating a custom installation package, you can specify command-line parameters, for example, to install the application in silent mode.

If you have an active license key for the Vulnerability and Patch Management (VAPM) feature, you can convert your default installation settings for the relevant custom installation package and use the values recommended by Kaspersky experts. The settings are automatically converted during the creation of the custom installation package only if the corresponding executable file is included in the Kaspersky database of third-party applications.

To create a custom installation package:

1. Do one of the following:
   • In the main menu, go to DISCOVERY & DEPLOYMENT → DEPLOYMENT & ASSIGNMENT → INSTALLATION PACKAGES.
   • In the main menu, go to OPERATIONS → REPOSITORIES → INSTALLATION PACKAGES.

   A list of installation packages available on Administration Server is displayed.

2. Click Add.

   The New Package Wizard starts. Proceed through the Wizard by using the Next button.

3. Select Create an installation package from a file.
4. Specify the package name and click the Browse button.

   A standard Windows Open window in your browser opens to let you choose a file to create the installation package.

5. Choose an archive file located on the available disks.

   You can upload a ZIP, CAB, TAR, or TAR.GZ archive file. It is not possible to create an installation package from an SFX (self-extracting archive) file.

   If you want the settings to be converted during the package installation, make sure the Convert settings to recommended values for applications recognized by Kaspersky Security Center after the Wizard finishes check box is selected, and then click Next.

   File upload to the Kaspersky Security Center 14 Administration Server starts.

   If you enabled the use of the recommended installation settings, Kaspersky Security Center 14 checks whether the executable file is included in the Kaspersky database of third-party applications. If the check is successful, you get a notification informing you that the file is recognized. The settings are converted and the custom installation package is created. No further actions are required. Click the Finish button to close the Wizard.

6. Select a file (from the list of files that are extracted from the chosen archive file) and specify the command-line parameters of an executable file.

   You can specify command-line parameters to install the application from the installation package in a silent mode. Specifying command-line parameters is optional.

   The process to create the installation package is started.

   The Wizard informs you when the process is finished.

   If the installation package is not created, an appropriate message is displayed.

7. Click the Finish button to close the Wizard.

The installation package that you created is downloaded to the Packages subfolder of the Administration Server shared folder. After downloading, the installation package appears in the list of installation packages.

In the list of installation packages available on Administration Server, by clicking the link with the name of a custom installation package, you can:

• View the following properties of an installation package:
  • Name. Custom installation package name.
  • Source. Application vendor name.
  • Application. Application name packed into the custom installation package.
  • Version. Application version.
  • Language. Language of the application packed into the custom installation package.
  • Size (MB). Size of the installation package.
  • Operating system. Type of the operating system for which the installation package is intended.
  • Created. Installation package creation date.
  • Modified. Installation package modification date.
  • Type. Type of the installation package.
• Change the package name and command-line parameters. This feature is available only for packages that are not created on the basis of Kaspersky applications.

If you have converted the package installation settings to the recommended values for the custom package creation process, two additional sections may appear on the Settings tab of the custom installation package properties: Settings and Installation procedure.

The Settings section contains the following properties, shown in a table:

• Name. This column shows the name assigned to an installation parameter.
• Type. This column shows the type of an installation parameter.
• Value. This column shows the type of data defined by an installation parameter (Bool, Filepath, Numeric, Path, or String).

The Installation procedure section contains a table that describes the following properties of the update included in the custom installation package:

• Name. The name of the update.
• Description. The description of the update.
• Source. The source of the update, that is, whether it was released by Microsoft or by a different third-party developer.
• Type. The type of the update, that is, whether it is intended for a driver or an application.
• Category. The Windows Server Update Services (WSUS) category displayed for Microsoft updates (Critical Updates, Definition Updates, Drivers, Feature Packs, Security Updates, Service Packs, Tools, Update Rollups, Updates, or Upgrade).
• Importance level according to MSRC. The importance level of the update defined by Microsoft Security Response Center (MSRC).
• Importance level. The importance level of the update defined by Kaspersky.
• Patch importance level (for patches intended for Kaspersky applications). The importance level of the patch if it is intended for a Kaspersky application.
• Article. The identifier (ID) of the article in the Knowledge Base describing the update.
• Bulletin. The ID of the security bulletin describing the update.
• Not assigned for installation. Displays whether the update has the Not assigned for installation status.
• To be installed. Displays whether the update has the To be installed status.
• Installing. Displays whether the update has the Installing status.
• Installed. Displays whether the update has the Installed status.
• Failed. Displays whether the update has the Failed status.
• Restart is required. Displays whether the update has the Restart is required status.
• Registered. Displays the date and time when the update was registered.
• Installed in interactive mode. Displays whether the update requires interaction with the user during installation.
• Revoked. Displays the date and time when the update was revoked.
• Update approval status. Displays whether the update is approved for installation.
• Revision. Displays the current revision number of the update.
• Update ID. Displays the ID of the update.
• Application version. Displays the version number that the application will be updated to.
• Superseded. Displays other update(s) that can supersede the update.
• Superseding. Displays other update(s) that can be superseded by the update.
• You must accept the terms of the License Agreement. Displays whether the update requires acceptance of the terms of an End User License Agreement (EULA).
• Vendor. Displays the name of the update vendor.
• Application family. Displays the name of the family of applications to which the update belongs.
• Application. Displays the name of the application to which the update belongs.
• Language. Displays the language of the update localization.
• Not assigned for installation (new version). Displays whether the update has the Not assigned for installation (new version) status.
• Requires prerequisites installation. Displays whether the update has the Requires prerequisites installation status.
• Download mode. Displays the mode of the update download.
• Is a patch. Displays whether the update is a patch.
• Not installed. Displays whether the update has the Not installed status.

Distributing installation packages to secondary Administration Servers

Kaspersky Security Center allows you to create installation packages for Kaspersky applications and for third-party applications, as well as distribute installation packages to client devices and install applications from the packages. To optimize the load on the primary Administration Server, you can distribute installation packages to secondary Administration Servers. After that, the secondary Servers transmit the packages to client devices, and then you can perform the remote installation of the applications on your client devices.

To distribute installation packages to secondary Administration Servers:

1. Make sure that the secondary Administration Servers are connected to the primary Administration Server.
2. In the main menu, go to DEVICES → TASKS.

   The list of tasks is displayed.

3. Click the Add button.

   The New task wizard starts. Follow the steps of the wizard.

4. On the New task page, from the Application drop-down list, select Kaspersky Security Center. Then, from the Task type drop-down list, select Distribute installation package, and then specify the task name.
5. Select the devices to which the task is assigned in one of the following ways:
   • If you want to create a task for all secondary Administration Servers in a specific administration group, select this group, and then create a group task for it.
   • If you want to create a task for specific secondary Administration Servers, select these Servers, and then create a task for them.
6. On the Distributed installation packages page, select the installation packages that are to be copied to the secondary Administration Servers.
7. Specify an account to run the Distribute installation package task under this account. You can use your account and keep the Default account option enabled. Alternatively, you can specify that the task should be run under another account that has the necessary access rights. To do this, select the Specify account option, and then enter the credentials of that account.
8. On the Finish task creation page, you can enable the Open task details when creation is complete option to open the task properties window, and then modify the default task settings. Otherwise, you can configure the task settings later, at any time.
9. Click the Finish button.

   The task created for distributing installation packages to the secondary Administration Servers is displayed in the task list.

10. You can run the task manually or wait for it to launch according to the schedule that you specified in the task settings.

After the task is complete, the selected installation packages are copied to the specified secondary Administration Servers.

Installing applications using a remote installation task

Kaspersky Security Center allows you to install applications on devices remotely, using remote installation tasks. Those tasks are created and assigned to devices through a dedicated Wizard. To assign a task to devices more quickly and easily, you can specify devices in the Wizard window in one of the following ways:

• Select networked devices detected by Administration Server. In this case, the task is assigned to specific devices. The specific devices can include devices in administration groups as well as unassigned devices.
• Specify device addresses manually or import addresses from a list. You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.
• Assign task to a device selection. In this case, the task is assigned to devices included in a selection created earlier. You can specify the default selection or a custom one that you created.
• Assign task to an administration group. In this case, the task is assigned to devices included in an administration group created earlier.

For correct remote installation on a device with no Network Agent installed, the following ports must be opened: a) TCP 139 and 445; b) UDP 137 and 138. By default, these ports are opened on all devices included in the domain. They are opened automatically by the remote installation preparation utility.

Installing an application on specific devices

Expand all | Collapse all

This section contains information on how to install an application remotely on an administration group, devices with specific IP addresses, or a selection of managed devices.

To install an application on specific devices:

1. In the main menu, go to DEVICES → TASKS.
2. Click Add.

   The Add Task Wizard starts.

3. In the Task type field, select Install application remotely.
4. Select one of the following options:
   • Assign task to an administration group

     The task is assigned to devices included in an administration group. You can specify one of the existing groups or create a new one.

     For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.

     If a task is assigned to an administration group, the Security tab is not displayed in the task properties window because group tasks are subject to the security settings of the groups to which they apply.

   • Specify device addresses manually or import addresses from a list

     You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.

     You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.

   • Assign task to a device selection

     The task is assigned to devices included in a device selection. You can specify one of the existing selections.

     For example, you may want to use this option to run a task on devices with a specific operating system version.

5. Follow the instructions of the Wizard.

   The Add Task Wizard creates a task for remote installation of the application selected in the Wizard on specified devices. If you selected the Assign task to an administration group option, the task is a group one.

6. Run the task manually or wait for it to launch according to the schedule that you specified in the task settings.

When the remote installation task is completed, the selected application is installed on the specified devices.

Installing an application through Active Directory group policies

Kaspersky Security Center allows you to install Kaspersky applications on managed devices by using Active Directory group policies.

You can install applications by using Active Directory group policies only from installation packages that include Network Agent.

To install an application by using Active Directory group policies:

1. Run the Protection Deployment Wizard. Follow the instructions of the Wizard.
2. On the Remote installation task settings page of the Protection Deployment Wizard, enable the Assign package installation in Active Directory group policies option.
3. On the Select accounts to access devices page, select the Account required (Network Agent is not used) option.
4. Add the account with administrator privileges on the device where Kaspersky Security Center is installed or the account included in the Group Policy Creator Owners domain group.
5. Grant the permissions to the selected account:
   1. Go to Control Panel → Administrative Tools and open Group Policy Management.
   2. Click the node with the required domain.
   3. Click the Delegation section.
   4. In the Permission drop-down list, select Link GPOs.
   5. Click Add.
   6. In the Select User, Computer, or Group window that opens, select the necessary account.
   7. Click OK to close the Select User, Computer, or Group window.
   8. In the Groups and users list, select the account that you have just added, and then click Advanced → Advanced.
   9. In the Permission entries list, double-click the account that you have just added.
   10. Grant the following permissions:
       • Create Group objects
       • Delete Group objects
       • Create group Policy Container objects
       • Delete group Policy Container objects
   11. Click OK to save the changes.
6. Define other settings by following the instructions of the Wizard.
7. Run the created remote installation task manually or wait for its scheduled start.

The following remote installation sequence starts:

1. When the task is running, the following objects are created in each domain that includes any client devices from the specified set:
   • Group policy object (GPO) under the name Kaspersky_AK{GUID}.
   • A security group that corresponds to the GPO. This security group includes client devices covered by the task. The content of the security group defines the scope of the GPO.
2. Kaspersky Security Center installs the selected Kaspersky applications on client devices directly from Share, that is, the shared network folder of the application. In the Kaspersky Security Center installation folder, an auxiliary subfolder will be created that contains the .msi file for the application to be installed.
3. When new devices are added to the task scope, they are added to the security group after the next start of the task. If the Run missed tasks option is selected in the task schedule, devices are added to the security group immediately.
4. When devices are deleted from the task scope, they are deleted from the security group after the next start of the task.
5. When a task is deleted from Active Directory, the GPO, the link to the GPO, and the corresponding security group are deleted, too.

If you want to apply another installation schema using Active Directory, you can configure the required settings manually. For example, this may be required in the following cases:

• When the anti-virus protection administrator does not have rights to make changes to the Active Directory of certain domains
• When the original installation package has to be stored on a separate network resource
• When it is necessary to link a GPO to specific Active Directory units

The following options for using an alternative installation scheme through Active Directory are available:

• If installation is to be performed directly from the Kaspersky Security Center shared folder, in the GPO properties you must specify the .msi file located in the exec subfolder of the installation package folder for the required application.
• If the installation package has to be located on another network resource, you must copy the whole exec folder content to it, because in addition to the file with .msi extension the folder contains configuration files generated when the package was created. To install the license key with the application, copy the key file to this folder as well.

Installing applications on secondary Administration Servers

To install an application on secondary Administration Servers:

1. Establish a connection with the Administration Server that controls the relevant secondary Administration Servers.
2. Make sure that the installation package corresponding to the application being installed is available on each of the selected secondary Administration Servers. If you cannot find the installation package on any of the secondary Servers, distribute it. For this purpose, create a task with the Distribute installation package task type.
3. Create a task for a remote application installation on secondary Administration Servers. Select the Install application on secondary Administration Server remotely task type.

   The Add Task Wizard creates a task for remote installation of the application selected in the Wizard on specific secondary Administration Servers.

4. Run the task manually or wait for it to launch according to the schedule that you specified in the task settings.

When the remote installation task is complete, the selected application is installed on the secondary Administration Servers.

Specifying settings for remote installation on Unix devices

Expand all | Collapse all

When you install an application on a Unix device by using a remote installation task, you can specify Unix-specific settings for the task. These settings are available in the task properties after the task is created.

To specify Unix-specific settings for a remote installation task:

1. In the main menu, go to DEVICES → TASKS.
2. Click the name of the remote installation task for which you want to specify the Unix-specific settings.

   The task properties window opens.

3. Go to Application settings → Unix-specific settings.
4. Specify the following settings:
   • Set a password for the root account (only for deployment through SSH)

     If the sudo command cannot be used on the target device without specifying the password, select this option, and then specify the password for the root account. Kaspersky Security Center transmits the password in an encrypted form to the target device, decrypts the password, and then starts the installation procedure on behalf of the root account with the specified password.

     Kaspersky Security Center does not use the account or the specified password to create an SSH connection.

   • Specify the path to a temporary folder with Execute permissions on the target device (only for deployment through SSH)

     If the /tmp directory on the target device does not have the execute permission, select this option, and then specify the path to the directory with the execute permission. Kaspersky Security Center uses the specified directory as a temporary directory to access via SSH. The application places the installation package in the directory and runs the installation procedure.

5. Click the Save button.

The specified task settings are saved.

Starting and stopping Kaspersky applications

You can use the Start or stop application task for starting and stopping Kaspersky applications on managed devices.

To create the Start or stop application task:

1. In the main menu, go to DEVICES → TASKS.
2. Click Add.

   The New task wizard starts. Proceed through the wizard by using the Next button.

3. In the Application drop-down list, select the application for which you want to create the task.

   Kaspersky applications are displayed in the list if you have previously added management web plug-ins for these applications.

4. In the Task type list, select the Application activation task.
5. In the Task name field, specify the name of the new task.

   The task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

6. Select the devices to which the task will be assigned.
7. In the Applications window, do the following:
   • Select the check boxes next to the names of applications for which you want to create the task.
   • Select the Start application or the Stop application option.
8. If you want to modify the default task settings, enable the Open task details when creation is complete option at the Finish task creation step. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
9. Click the Finish button.

   The task is created and displayed in the list of tasks.

10. Click the name of the created task to open the task properties window.
11. In the task properties window, specify the general task settings according to your needs, and then save the settings.

The task is created and configured.

If you want to run the task, select it in the task list, and then click the Start button.

Mobile Device Management

Expand all | Collapse all

Management of mobile device protection through Kaspersky Security Center is carried out by using the Mobile Device Management feature, which requires a dedicated license. If you are intending to manage mobile devices owned by employees in your organization, enable and configure Mobile Device Management.

Mobile Device Management enables you to manage Android devices of the employees. The protection is provided by the Kaspersky Endpoint Security for Android mobile app installed on the devices. This mobile app ensures protection of mobile devices against web threats, viruses and other programs that pose threats. For centralized management through Kaspersky Security Center Web Console, you must install the following web management plug-ins on the device where Kaspersky Security Center Web Console is installed:

• Kaspersky Security for Mobile Plug-in
• Kaspersky Endpoint Security for Android Plug-in

For information about protection deployment and management of mobile devices, see Kaspersky Security for Mobile Help.

Modifying the Mobile Device Management settings in the Kaspersky Security Center Web Console

To modify the Mobile Device Management settings:

1. In the main menu, click the settings icon () next to the name of the required Administration Server.

   The Administration Server properties window opens.

2. On the General tab, select the Additional ports section.
3. Modify the relevant settings:
   • Open port for mobile devices

     If this toggle switch is enabled, the port for mobile devices will be open on the Administration Server.

     You can use the port for mobile devices only if the Mobile Device Management component is installed.

     If this toggle switch is disabled, the port for mobile devices on the Administration Server will not be used.

     By default, this toggle switch is disabled.

   • Port for mobile device synchronization

     Number of the port used for connection of mobile devices to the Administration Server. The default port number is 13292.

     The decimal system is used for records.

   • Port for mobile device activation

     The port for connection of Kaspersky Endpoint Security for Android to activation servers of Kaspersky.

     The default port number is 17100.

4. Click the Save button.

The mobile devices can now connect to the Administration Server.

Replacing third-party security applications

Installation of Kaspersky security applications through Kaspersky Security Center may require removal of third-party software incompatible with the application being installed. Kaspersky Security Center provides several ways of removing the third-party applications.

Removing incompatible applications by using the installer

This option is available in Microsoft Management Console-based Administration Console only.

The installer method of removing incompatible applications is supported by various types of installation. Before the security application installation, all incompatible applications are removed automatically if the properties window of the installation package of this security application (Incompatible applications section) has the Uninstall incompatible applications automatically option selected.

Removing incompatible applications when configuring remote installation of an application

You can enable the Uninstall incompatible applications automatically option when you configure remote installation of a security application. In Microsoft Management Console (MMC) based Administration Console, this option is available in the Remote Installation Wizard. In Kaspersky Security Center Web Console, you can find this option in the Protection Deployment Wizard. When this option is enabled, Kaspersky Security Center removes incompatible applications before installing a security application on a managed device.

How-to instructions:

• Administration Console: Removing incompatible applications using Remote Installation Wizard
• Kaspersky Security Center Web Console: Removing incompatible applications before installation

Removing incompatible applications through a dedicated task

To remove incompatible applications, use the Uninstall application remotely task. This task should be run on devices before the security application installation task. For example, in the installation task you can select On completing another task as the schedule type where the other task is Uninstall application remotely.

This method of uninstallation is useful when the security application installer cannot properly remove an incompatible application.

How-to instructions for Administration Console: Creating a task.