Kaspersky applications. Centralized deployment

This section describes the methods for remote installation of Kaspersky applications and their removal from networked devices.

Before deploying applications on client devices, make sure that the hardware and software of client devices meets the applicable requirements.

Network Agent is a component that provides for Administration Server connection with client devices. Therefore, it must be installed on each client device to be connected to the remote centralized control system. The device on which the Administration Server is installed can only use the server version of Network Agent. This version is included in Administration Server as a part that is installed and removed together with it. There is no need to install Network Agent on that device.

Network Agent can be installed remotely or locally like any application. During centralized deployment of security applications through Administration Console, you can install Network Agent jointly with security applications.

Network Agents can differ depending upon the Kaspersky applications with which they work. In some cases, Network Agent can be installed locally only (for details please refer to the documentation for the corresponding applications). You only have to install Network Agent on a client device once.

Kaspersky applications are managed through Administration Console by using management plug-ins. Therefore, to access the application management interface through Kaspersky Security Center, the corresponding management plug-in must be installed on the administrator's workstation.

You can perform remote installation of applications from the administrator's workstation in the Kaspersky Security Center main window.

To install software remotely, you must create a remote installation task.

The created task for remote installation will start according to its schedule. You can interrupt the installation procedure by stopping the task manually.

If remote installation of an application returns an error, make sure that the device preparation requirements are met.

You can track the progress of remote installation of Kaspersky applications on a network using the deployment report.

For details about management of the listed applications in Kaspersky Security Center, please refer to the documentation for the corresponding applications.

Replacing third-party security applications

Installation of Kaspersky security applications through Kaspersky Security Center may require removal of third-party software incompatible with the application being installed. Kaspersky Security Center provides several ways of removing the third-party applications.

Removing incompatible applications by using the installer

This option is available in Microsoft Management Console-based Administration Console only.

The installer method of removing incompatible applications is supported by various types of installation. Before the security application installation, all incompatible applications are removed automatically if the properties window of the installation package of this security application (Incompatible applications section) has the Uninstall incompatible applications automatically option selected.

Removing incompatible applications when configuring remote installation of an application

You can enable the Uninstall incompatible applications automatically option when you configure remote installation of a security application. In Microsoft Management Console (MMC) based Administration Console, this option is available in the Remote Installation Wizard. In Kaspersky Security Center Web Console, you can find this option in the Protection Deployment Wizard. When this option is enabled, Kaspersky Security Center removes incompatible applications before installing a security application on a managed device.

How-to instructions:

• Administration Console: Removing incompatible applications using Remote Installation Wizard
• Kaspersky Security Center Web Console: Removing incompatible applications before installation

Removing incompatible applications through a dedicated task

To remove incompatible applications, use the Uninstall application remotely task. This task should be run on devices before the security application installation task. For example, in the installation task you can select On completing another task as the schedule type where the other task is Uninstall application remotely.

This method of uninstallation is useful when the security application installer cannot properly remove an incompatible application.

How-to instructions for Administration Console: Creating a task.

Installing applications using a remote installation task

Kaspersky Security Center allows you to install applications on devices remotely, using remote installation tasks. Those tasks are created and assigned to devices through a dedicated Wizard. To assign a task to devices more quickly and easily, you can specify devices in the Wizard window in one of the following ways:

• Select networked devices detected by Administration Server. In this case, the task is assigned to specific devices. The specific devices can include devices in administration groups as well as unassigned devices.
• Specify device addresses manually or import addresses from a list. You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.
• Assign task to a device selection. In this case, the task is assigned to devices included in a selection created earlier. You can specify the default selection or a custom one that you created.
• Assign task to an administration group. In this case, the task is assigned to devices included in an administration group created earlier.

For correct remote installation on a device with no Network Agent installed, the following ports must be opened: a) TCP 139 and 445; b) UDP 137 and 138. By default, these ports are opened on all devices included in the domain. They are opened automatically by the remote installation preparation utility.

Installing an application on selected devices

To install an application on selected devices:

1. In the console tree, select the Tasks folder.
2. Run the task creation by clicking the Create a task button.

   The Add Task Wizard starts. Follow the instructions of the Wizard.

   In the Select the task type window of the Add Task Wizard, in the Kaspersky Security Center 14 Administration Server node select Install application remotely as the task type.

   The Add Task Wizard creates a task of remote installation of the selected application for specific devices. The newly created task is displayed in the workspace of the Tasks folder.

3. Run the task manually or wait for it to launch according to the schedule specified by you in the task settings.

On completion of the remote installation task, the selected application will be installed on the selected devices.

Installing an application on client devices in an administration group

To install an application on client devices in an administration group:

1. Establish a connection with the Administration Server that controls the relevant administration group.
2. Select an administration group in the console tree.
3. In the group workspace, select the Tasks tab.
4. Run the task creation by clicking the Create a task button.

   The Add Task Wizard starts. Follow the instructions of the Wizard.

   In the Select the task type window of the Add Task Wizard, in the Kaspersky Security Center 14 Administration Server node select Install application remotely as the task type.

   The Add Task Wizard creates a group task of remote installation of the selected application. The new task appears in the workspace of the administration group on the Tasks tab.

5. Run the task manually or wait for it to launch according to the schedule specified by you in the task settings.

On completion of the remote installation task, the selected application will be installed on client devices in the administration group.

Installing an application through Active Directory group policies

Kaspersky Security Center allows you to install Kaspersky applications on managed devices by using Active Directory group policies.

You can install applications by using Active Directory group policies only from installation packages that include Network Agent.

To install an application using Active Directory group policies:

1. Start configuring the application installation by using Remote Installation Wizard.
2. In the Defining remote installation task settings window of the Remote Installation Wizard, select the Assign package installation in Active Directory group policies option.
3. In the Select accounts to access devices window of the Remote Installation Wizard, select the Account required (Network Agent is not used) option.
4. Add the account with administrator privileges on the device where Kaspersky Security Center is installed or the account included in the Group Policy Creator Owners domain group.
5. Grant the permissions to the selected account:
   1. Go to Control Panel → Administrative Tools and open Group Policy Management.
   2. Click the node with the required domain.
   3. Click the Delegation section.
   4. In the Permission drop-down list, select Link GPOs.
   5. Click Add.
   6. In the Select User, Computer, or Group window that opens, select the necessary account.
   7. Click OK to close the Select User, Computer, or Group window.
   8. In the Groups and users list, select the account that you have just added, and then click Advanced → Advanced.
   9. In the Permission entries list, double-click the account that you have just added.
   10. Grant the following permissions:
       • Create Group objects
       • Delete Group objects
       • Create group Policy Container objects
       • Delete group Policy Container objects
   11. Click OK to save the changes.
6. Define other settings by following the instructions of the Wizard.
7. Run the created remote installation task manually or wait for its scheduled start.

The following remote installation sequence starts:

1. When the task is running, the following objects are created in each domain that includes any client devices from the specified set:
   • Group policy object (GPO) under the name Kaspersky_AK{GUID}.
   • A security group that corresponds to the GPO. This security group includes client devices covered by the task. The content of the security group defines the scope of the GPO.
2. Kaspersky Security Center installs the selected Kaspersky applications on client devices directly from Share, that is, the shared network folder of the application. In the Kaspersky Security Center installation folder, an auxiliary subfolder will be created that contains the .msi file for the application to be installed.
3. When new devices are added to the task scope, they are added to the security group after the next start of the task. If the Run missed tasks option is selected in the task schedule, devices are added to the security group immediately.
4. When devices are deleted from the task scope, they are deleted from the security group after the next start of the task.
5. When a task is deleted from Active Directory, the GPO, the link to the GPO, and the corresponding security group are deleted, too.

If you want to apply another installation schema using Active Directory, you can configure the required settings manually. For example, this may be required in the following cases:

• When the anti-virus protection administrator does not have rights to make changes to the Active Directory of certain domains
• When the original installation package has to be stored on a separate network resource
• When it is necessary to link a GPO to specific Active Directory units

The following options for using an alternative installation scheme through Active Directory are available:

• If installation is to be performed directly from the Kaspersky Security Center shared folder, in the GPO properties you must specify the .msi file located in the exec subfolder of the installation package folder for the required application.
• If the installation package has to be located on another network resource, you must copy the whole exec folder content to it, because in addition to the file with .msi extension the folder contains configuration files generated when the package was created. To install the license key with the application, copy the key file to this folder as well.

Installing applications on secondary Administration Servers

To install an application on secondary Administration Servers:

1. Establish a connection with the Administration Server that controls the relevant secondary Administration Servers.
2. Make sure that the installation package corresponding to the application being installed is available on each of the selected secondary Administration Servers. If the installation package cannot be found on any of the secondary Servers, distribute it by using the installation package distribution task.
3. Create the task of application installation on secondary Administration Servers in one of the following ways:
   • If you want to create a task for secondary Administration Servers in the selected administration group, create a group task of remote installation for this group.
   • If you want to create a task for specific secondary Administration Serves, create a task of remote installation for specific devices.

   The Deployment Task Creation Wizard starts to guide you through creation of the remote installation task. Follow the instructions of the Wizard.

   In the Select the task type window of the Add Task Wizard, in the Kaspersky Security Center 14 Administration Server section open the Advanced folder and select Install application on secondary Administration Servers remotely as the task type.

   The Add Task Wizard will create the task of remote installation of the selected application on specific secondary Administration Servers.

4. Run the task manually or wait for it to launch according to the schedule specified by you in the task settings.

On completion of the remote installation task, the selected application will be installed on secondary Administration Servers.

Installing applications using Remote Installation Wizard

Expand all | Collapse all

To install Kaspersky applications, you can use the Remote Installation Wizard. The Remote Installation Wizard allows remote installation of applications either through specially created installation packages or directly from a distribution package.

For proper operation of the Remote installation task on a client device that does not have Network Agent installed, the following ports must be open: TCP 139 and 445; UDP 137 and 138. By default, these ports are open for all devices included in the domain. They are opened automatically by the remote installation preparation utility.

To install the application on selected devices by using the Remote Installation Wizard:

1. In the console tree, locate the Remote installation folder and select the Installation packages subfolder.
2. In the workspace of the folder, select the installation package of the application that you have to install.
3. In the context menu of the installation package, select Install application.

   The Remote Installation Wizard starts.

4. In the Select devices for installation window, you can create a list of devices on which the application will be installed:
   • Install on a group of managed devices

     If this option is selected, the remote installation task is created for a group of devices.

   • Select devices for installation

     If this option is selected, the remote installation task is created for specific devices. Those specific devices can include both managed and unassigned ones.

5. In the Defining remote installation task settings window, specify the settings for remote installation of the application.

   In the Force installation package download settings group, specify how files that are required for the application installation are distributed to client devices:

   • Using Network Agent

     If this option is enabled, installation packages are delivered to client devices by Network Agent installed on those client devices.

     If this option is disabled, installation packages are delivered using the operating system tools of client devices.

     We recommend that you enable this option if the task has been assigned to devices with Network Agents installed.

     By default, this option is enabled.

   • Using operating system resources through Administration Server

     If this option is enabled, files are transmitted to client devices by using operating system tools of client devices through the Administration Server. You can enable this option if no Network Agent is installed on the client device, but the client device is in the same network as the Administration Server.

     By default, this option is enabled.

   • Using operating system resources through distribution points

     If this option is enabled, installation packages are transmitted to client devices using operating system tools through distribution points. You can select this option if there is at least one distribution point on the network.

     If the Using Network Agent option is enabled, the files are delivered using operating system tools only if Network Agent tools are unavailable.

     By default, this option is enabled for remote installation tasks that have been created on a virtual Administration Server.

   • Number of attempts to install

     If, when running the Remote installation task, Kaspersky Security Center fails to install an application on a managed device within the number of installer runs specified by the parameter, Kaspersky Security Center stops delivering the installation package to this managed device and does not start the installer on the device anymore.

     The Number of attempts to install option allows you to save the resources of the managed device, as well as reduce traffic (uninstallation, MSI file run, and error messages).

     Recurring task start attempts may indicate a problem on the device that prevents installation. The administrator should resolve the problem within the specified number of installation attempts (for example, by allocating sufficient disk space, removing incompatible applications, or modifying the settings of other applications that prevent installation) and to restart the task (manually or by a schedule).

     If installation is not achieved eventually, the problem is considered unresolvable and any further task starts are seen as costly in terms of unnecessary consumption of resources and traffic.

     When the task is created, the counter of attempts is set to 0. Each run of the installer that returns an error on the device increments the counter reading.

     If the number of attempts specified in the parameter has been exceeded and the device is ready for application installation, you can increase the value of the Number of attempts to install parameter and start the task to install the application. Alternatively, you can create a new Remote installation task.

   Define what to do with client devices managed by another Administration Server:

   • Install on all devices

     The application will be installed even on devices managed by other Administration Servers.

     This option is selected by default. You do not have to change this setting if you have only one Administration Server in your network.

   • Install only on devices managed through this Administration Server

     The application will be installed only on devices managed by this Administration Server. Select this option if you have more than one Administration Server in your network and want to avoid conflicts between them.

   Define the additional settings:

   • Do not re-install application if it is already installed

     If this option is enabled, the selected application will not be re-installed if it has already been installed on this client device.

     If this option is disabled, the application will be installed anyway.

     By default, this option is enabled.

   • Assign package installation in Active Directory group policies

     If this option is enabled, an installation package is installed by using the Active Directory group policies.

     This option is available if the Network Agent installation package is selected.

     By default, this option is disabled.

6. In the Selecting a license key window, select a license key and a method for its distribution:
   • Do not place license key in installation package (recommended)

     The key is automatically distributed to all devices with which it is compatible:

     • If automatic distribution has been enabled in the key properties.
     • If the Add key task has been created.
   • Place license key in installation package

     The key is distributed to devices together with the installation package.

     We do not recommend that you distribute the key using this method because the shared Read access rights are enabled to the repository of installation packages.

   The Selecting a license key window is displayed if the installation package does not include a license key.

   If the installation package includes a license key, the License key properties window is displayed, containing the license key details.

7. In the Selecting an operating system restart option window, specify whether the devices must be restarted if the operating system has to be restarted during installation of applications on them:
   • Do not restart the device

     If this option is selected, the device will not be restarted after the security application installation.

   • Restart the device

     If this option is selected, the device will be restarted after the security application installation.

   • Prompt user for action

     If this option is selected, after the security application installation, a notification is displayed to the user, informing that the device needs to be restarted. By using the Modify link you can modify message text, the period of message display, and the time of automatic restart.

     By default, this option is selected.

   • Force closure of applications in blocked sessions

     If this option is enabled, applications on blocked devices are forced to close before the restart.

     By default, this option is disabled.

8. In the Select accounts to access devices window, you can add the accounts that will be used to start the Remote installation task:
   • No account required (Network Agent installed)

     If this option is selected, you do not have to specify the account under which the application installer will be run. The task will run under the account under which the Administration Server service is running.

     If Network Agent has not been installed on client devices, this option is unavailable.

   • Account required (Network Agent is not used)

     Select this option if Network Agent is not installed on the devices for which you assign the remote installation task. In this case, you can specify a user account or an SSH certificate to install the application.

     • Local Account. If this option is selected, specify the user account under which the application installer will be run. Click the Add button, select Local Account, and then specify the user account credentials.

       You can specify multiple user accounts if, for example, none of them have all the required rights on all devices for which you assign the task. In this case, all added accounts are used for running the task, in consecutive order, top-down.

     • SSH certificate. If you want to install an application on a Linux-based client device, you can specify an SSH certificate instead of a user account. Click the Add button, select SSH certificate, and then specify the private and public keys of the certificate.

       To generate a private key, you can use the ssh-keygen utility. Note that Kaspersky Security Center supports the PEM format of private keys, but the ssh-keygen utility generates SSH keys in the OPENSSH format by default. The OPENSSH format is not supported by Kaspersky Security Center. To create a private key in the supported PEM format, add the -m PEM option in the ssh-keygen command. For example:

       ssh-keygen -m PEM -t rsa -b 4096 -C "<user email>"

9. In the Starting installation window, click the Next button to create and start a Remote installation task on the selected devices.

   If the Starting installation window has the Do not run the task after the Remote Installation Wizard finishes option selected, the remote installation task will not start. You can start this task manually later. The task name corresponds to the name of the installation package for the application: Installation of <Installation package name>.

To install the application on devices in an administration group by using the Remote Installation Wizard:

1. Establish a connection with the Administration Server that controls the relevant administration group.
2. Select an administration group in the console tree.
3. In the workspace of the group, click the Perform action button and select Install application in the drop-down list.

   This will start the Remote Installation Wizard. Follow the instructions of the Wizard.

4. At the final step of the Wizard, click Next to create and run a remote installation task on the selected devices.

When the Remote Installation Wizard finishes, Kaspersky Security Center performs the following actions:

• Creates an installation package for application installation (if it was not created earlier). The installation package is located in the Remote installation folder, in the Installation packages subfolder, under a name that corresponds to the application name and version. You can use this installation package for the application installation in the future.
• Creates and runs a remote installation task for specific devices or for an administration group. The newly created remote installation task is stored in the Tasks folder or added to the tasks of the administration group for which it has been created. You can later launch this task manually. The task name corresponds to the name of the installation package for the application: Installation of <Installation package name>.

Working with the management plug-ins

Kaspersky applications are managed through the Administration Console by using the management plug-ins. Each Kaspersky application that can be managed through Kaspersky Security Center includes a management plug-in. Using the application management plug-in, you can perform the following actions in the Administration Console:

• Create and edit application policies and settings, as well as the settings of application tasks.
• Obtain information about application tasks, application events, and application operation statistics received from client devices.

To check the list of installed plug-ins and its versions:

1. In the Administration Console tree, right-click Administration Server <Server_name>, and select Properties.
2. Click Advanced → Details of application management plug-ins installed.

The list of installed management plug-ins and their versions appears in the right pane.

You can install the plug-ins for managed applications when you run the Administration Server quick start wizard during the Kaspersky Security Center initial setup. Also, you can install the management plug-ins manually.

To install a management plug-in manually:

1. Download the management plug-in for the Kaspersky application and the version required (for example, Kaspersky Endpoint Security for Windows 12.0) from Kaspersky Technical Support webpage.
2. If the Administration Console is running, close it.
3. Unzip the downloaded plug-in file and run the klcfginst.msi or klcfginst.exe file. Follow the installation wizard's instructions.
4. When the installation is complete, run the Administration Console and make sure the plug-in is presented in the list of installed plug-ins, as described in the previous procedure.

When you run the Administration Console after installation of a management plug-in that supports the Managed application quick start wizard, this wizard is started automatically. You can go through the steps of the Managed application quick start wizard to create default Kaspersky application policies and tasks. The wizard starts automatically only when you run the Administration Console after the initial plug-in installation or after you update the management plug-in to a version that is compatible with another version of the Kaspersky application for which tasks and policies have not yet been created. You can also start the Managed application quick start wizard manually.

To start the Managed application quick start wizard manually:

1. In the console tree, select the Administration Server node.
2. In the context menu of the Administration Server node, select All Tasks → Managed Application Quick Start Wizard.
3. The Managed application quick start wizard starts. Follow the wizard steps to create default Kaspersky application policies and tasks.

To remove a management plug-in:

1. If the Administration Console is running, close it.
2. Open Windows Registry editor.
3. Find the following key:
   • HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\28\Plugins for 32-bit system.
   • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\28\Plugins for 64-bit system.

   The key contains installed management plug-ins. For each plug-in, the DisplayName value contains the plug-in name, and the UninstallString value contains the command to uninstall the plug-in.

4. Find the key for the plug-in you want to uninstall, and copy its UninstallString value to the clipboard.
5. Paste the value into the command string and run it with system administrator rights.

The management plug-in version must not be earlier than the Kaspersky managed application version. If you update the Kaspersky application on the devices, you must install the management plug-in of the same version.

When you open the policy that was created in an earlier version of plug-in, you will be asked to accept the Kaspersky Security Network Statement.

When you uninstall Kaspersky Security Center Web Console, all management plug-ins are also uninstalled.

If you open and save the policy in the plug-in version that is later than the version of the managed application, the policy will be updated, and you will not be able to open it in the plug-in of the earlier version.

Viewing a protection deployment report

You can use the protection deployment report to monitor the progress of network protection deployment.

To view a protection deployment report:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Reports tab.
3. In the workspace of the Reports folder, select the report template named Report on protection deployment.

The workspace displays a report containing information about protection deployment on all networked devices.

You can generate a new protection deployment report and specify the type of data that it should include:

• For an administration group
• For specific devices
• For a device selection
• For all devices

Kaspersky Security Center assumes that protection is deployed on a device if a security application is installed and real-time protection enabled.

Remote removal of applications

Kaspersky Security Center allows you to uninstall applications from devices remotely through remote uninstallation tasks. Those tasks are created and assigned to devices through a dedicated Wizard. To assign a task to devices more quickly and easily, you can specify devices in the Wizard window in one of the following ways:

• Select networked devices detected by Administration Server. In this case, the task is assigned to specific devices. The specific devices can include devices in administration groups as well as unassigned devices.
• Specify device addresses manually or import addresses from a list. You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.
• Assign task to a device selection. In this case, the task is assigned to devices included in a selection created earlier. You can specify the default selection or a custom one that you created.
• Assign task to an administration group. In this case, the task is assigned to devices included in an administration group created earlier.

Remote removal issues

When performing remote removal of third-party applications, administrators may encounter a warning stating, "Remote uninstallation has finished on this device with warnings: Application for removal is not installed." This issue typically arises when the application to be removed is installed only for the individual user who is currently logged in. If the user is not logged in, such an application becomes invisible and cannot be targeted for remote removal.

This behavior differs with applications intended for use by multiple users on the same device, where applications are globally visible and accessible by all users of the device.

Within Kaspersky Security Center, the application registry algorithm handles applications for individual users and applications for multiple users differently:

• Applications for multiple users are maintained in a real-time, up-to-date list of installed applications.
• Applications for individual users are monitored using a caching mechanism.

  If a user was logged in at the time of application detection, Kaspersky Security Center caches information about that user's applications. Even if the user subsequently logs out, Kaspersky Security Center continues to display these applications as installed based on the cached data, although they are no longer visible or accessible on the device.

This discrepancy can result in situations where Kaspersky Security Center identifies an application as installed based on cached data, but the application removal task fails because the application is not accessible when the user is logged out.

By default, the lifetime of cached application data is set to 30 days. Administrators can modify this setting to reduce the cache duration, thereby minimizing discrepancies between the displayed data and actual application visibility on devices.

To adjust the cache lifetime to 1 hour (3600 seconds), run the following command on the Administration Server:

klscflag -fset -pv klserver -n KLNAG_INV_PERUSER_APPS_CACHE_NONACTIVE_SIDS_LIFETIME_SEC -t d -v 3600

After running this command, restart the Administration Server for the changes to take effect.

Source of information about installed applications

The Network Agent retrieves information about software installed on Windows devices from the following registry keys:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

  Contains information about applications installed for all users.

• HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

  Contains information about applications installed for all users.

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall

  Contains information about applications installed for the current user.

• HKEY_USER<...>\Software\Microsoft\Windows\CurrentVersion\Uninstall

  Contains information about applications installed for specific users.

Remote removal of an application from client devices of the administration group

To remove an application remotely from client devices of the administration group:

1. Establish a connection with the Administration Server that controls the relevant administration group.
2. Select an administration group in the console tree.
3. In the group workspace, select the Tasks tab.
4. Run the task creation by clicking the Create a task button.

   The Add Task Wizard starts. Follow the instructions of the Wizard.

   In the Select the task type window of the Add Task Wizard, in the Kaspersky Security Center 14 Administration Server node, in the Advanced folder select Uninstall application remotely as the task type.

   The Add Task Wizard creates a group task of remote removal of the selected application. The new task appears in the workspace of the administration group on the Tasks tab.

5. Run the task manually or wait for it to launch according to the schedule specified by you in the task settings.

On completion of the remote removal task, the selected application will be removed from client devices in the administration group.

Remote removal of an application from selected devices

To remove an application remotely from selected devices:

1. In the console tree, select the Tasks folder.
2. Run task creation by clicking New task.

   The Add Task Wizard starts. Follow the instructions of the Wizard.

   In the Select the task type window of the Add Task Wizard, in the Kaspersky Security Center 14 Administration Server node, in the Advanced folder select Uninstall application remotely as the task type.

   The Add Task Wizard creates a task of remote removal of the selected application from specific devices. The newly created task is displayed in the workspace of the Tasks folder.

3. Run the task manually or wait for it to launch according to the schedule specified by you in the task settings.

Upon completion of the remote removal task, the selected application will be removed from the selected devices.

Working with installation packages

When creating remote installation tasks, the system uses installation packages containing sets of parameters necessary for software installation.

Installation packages can contain a key file. It is recommended that you avoid sharing access to installation packages that contain a key file.

You can use a single installation package several times.

Installation packages created for Administration Server are moved to the console tree and located in the Remote installation folder, in the Installation packages subfolder. Installation packages are stored on the Administration Server, in a service subfolder named Packages, within the specified shared folder.

Creating an installation package

This article describes the procedure of creating the following types of installation packages:

• Installation package for a Kaspersky application
• Installation package for a specified executable file
• Installation package for an application from the Kaspersky database

You do not have to create an installation package manually for the remote installation of Network Agent. It is created automatically during the installation of Kaspersky Security Center and stored in the Installation packages folder. If the package for the remote installation of Network Agent has been deleted, you can re-create it by selecting the nagent.kud file in the NetAgent folder of the Kaspersky Security Center distribution package.

To create an installation package:

1. Connect to the necessary Administration Server.
2. In the console tree, select Advanced → Remote installation → Installation packages.
3. Start the creation of a new installation package in one of the following ways:
   • Right-click the Installation packages folder, and then select New → Installation package from the context menu.
   • Right-click in the empty area of the installation packages list, and then select Create → Installation package from the context menu.
   • Click Create installation package in the installation packages list management section.

   The New package wizard starts.

4. Select one of the following installation package types by clicking the corresponding icon:
   • Installation package for a Kaspersky application.
   • Installation package for a specified executable file.
   • Installation package for an application from the Kaspersky database.
5. Specify the name of the installation package to be created.

   You can specify any name.

6. Select the application or executable file for which the installation package is to be created, in one of the following ways:
   • Click the Browse button and, in the standard Windows Open window, select the distribution package of the required application located on available disks.

     This option is applicable if you choose to create an installation package for a Kaspersky application or for a specified executable file.

   • Click the Browse button and, in the Select application window, select the distribution package of the required application.

     This option is applicable if you choose to create an installation package for an application from the Kaspersky database.

   If you are creating an installation package for Administration Server, select the sc.kud file. The sc.kud file is located in the root folder of the Kaspersky Security Center distribution package.

   Do not specify any details of privileged accounts in the parameters of installation packages.

7. Review the End User License Agreement and Privacy Policy.

   When creating an installation package for an application, you may be prompted to view and accept an End User License Agreement and a Privacy Policy for that application.

   Read both documents. If you agree with all the terms of the License Agreement and the Privacy Policy, accept them by selecting the corresponding check boxes.

   The installation of the application on your device continues, and the creation of the installation package resumes.

   If you are creating an installation package for Kaspersky Endpoint Security for Mac, you can choose the language for the License Agreement and Privacy Policy.

8. If necessary, enable automatic installation of system components.

   If you are creating an installation package for an application from the Kaspersky database, you can enable the automatic installation of necessary system components. The New package wizard displays a list of all available system components for the selected application. You can access this list at any time in the installation package properties.

   If you are creating a patch installation package, the list includes all system components needed for the deployment of this patch.

9. Click the Finish button to complete the package creation process.

Once the New package wizard completes, the new installation package appears in the workspace of the Installation packages folder in the console tree.

Creating stand-alone installation packages

You and device users in your organization can use stand-alone installation packages to install applications on devices manually.

A stand-alone installation package is an executable file (installer.exe) that you can store on Web Server, in a shared folder, or transfer to a client device by another method. You can also send a link to the stand-alone installation package by email. On the client device, the user can run the received file locally to install an application without involving Kaspersky Security Center.

Be sure that the stand-alone installation package is not available for unauthorized persons.

You can create stand-alone installation packages for Kaspersky applications and for third-party applications for Windows, macOS, and Linux platforms. To create a stand-alone installation package for a third-party application, you must create a custom installation package first.

The source to create stand-alone installation packages are installation packages in the list of created on the Administration Server.

To create a stand-alone installation package:

1. In the console tree, select the Administration Server → Advanced → Remote installation → Installation packages.

   A list of installation packages available on Administration Server is displayed.

2. In the list of installation packages, select an installation package for which you want to create a stand-alone package.
3. In the context menu, select Create stand-alone installation package.

   Stand-alone Installation Package Creation Wizard starts. Proceed through the Wizard by using the Next button.

4. On the first page of the Wizard, if you have selected an installation package for the Kaspersky application and you want to install Network Agent together with the selected application, make sure that the Install Network Agent together with this application option is enabled.

   By default, this option is enabled. We recommend enabling this option if you are not sure whether Network Agent is installed on the device. If Network Agent is already installed on the device, after the stand-alone installation package with Network Agent is installed, Network Agent will be updated to the newer version.

   If you disable this option, Network Agent will not be installed on the device and the device will be unmanaged.

   If a stand-alone installation package for the selected application already exists on Administration Server, the Wizard informs you about this fact. In this case, you must select one of the following actions:

   • Create stand-alone installation package. Select this option if, for example, you want to create a stand-alone installation package for a new application version and also want to retain a stand-alone installation package that you created for a previous application version. The new stand-alone installation package is placed in another folder.
   • Use existing stand-alone installation package. Select this option if you want to use an existing stand-alone installation package. The process of package creation will not be started.
   • Rebuild existing stand-alone installation package. Select this option if you want to create a stand-alone installation package for the same application again. The stand-alone installation package is placed in the same folder.
5. On the next page of the Wizard, select the Move unassigned devices to this group option and specify an administration group to which you want to move the client device after Network Agent installation.

   By default, the device is moved to the Managed devices group.

   If you do not want to move the client device to an administration group after Network Agent installation, select the Do not move devices option.

6. On the next page of the Wizard, when the process of the stand-alone installation package creation is finished, a result of the stand-alone package creation and a path to the stand-alone package are displayed.

   You can click the links and do any of the following:

   • Open the folder with the stand-alone installation package.
   • Email the link to the created stand-alone installation package. To perform this action, you must have an email application launched.
   • Sample HTML code for publishing the link on a website. A TXT file is created and opened in an application that is associated with a TXT format. In the file, the <a> HTML tag with attributes is displayed.
7. On the next page of the Wizard, if you want to open the list of stand-alone installation packages, enable the Open the list of stand-alone packages option.
8. Click the FINISH button.

   The Stand-alone Installation Package Creation Wizard closes.

The stand-alone installation package is created and placed in the PkgInst subfolder of the Administration Server shared folder. You can view the list of stand-alone packages by clicking the View the list of stand-alone packages button above the list of installation packages.

Creating custom installation packages

Expand all | Collapse all

You can use custom installation packages to do the following:

• To install any application (for example, a text editor) on a client device, for example, by means of a task.
• To create a stand-alone installation package.

A custom installation package is a folder with a set of files. The source to create a custom installation package is an archive file. The archive file contains a file or files that must be included in the custom installation package. Creating a custom installation package, you can specify command-line parameters, for example, to install the application in a silent mode.

To create a custom installation package:

1. In the console tree, select the Administration Server → Advanced → Remote installation → Installation packages.

   A list of installation packages available on Administration Server is displayed.

2. Above the list of installation packages, click the Create installation package button.

   The New Package Wizard starts. Proceed through the Wizard by using the Next button.

3. On the first page of the Wizard, select Create an installation package for the specified executable file.
4. On the next page of the Wizard, specify the custom installation package name.
5. On the next page of the Wizard, click the Browse button and, in a standard Windows Open window, choose an archive file located on the available disks to create a custom installation package.

   You can upload a ZIP, CAB, TAR, or TAR.GZ archive. It is not possible to create an installation package from an SFX (self-extracting archive) file.

   Files are downloaded to the Kaspersky Security Center Administration Server.

6. On the next page of the Wizard, specify the command-line parameters of an executable file.

   You can specify command-line parameters to install the application from the installation package in a silent mode. Specifying command-line parameters is optional.

   If you want, configure the following options:

   • Copy entire folder to the installation package

     Select this option if the executable file is accompanied with additional files required for the application installation. Before you enable this option, make sure that all of the required files are stored in the same folder. If this option is enabled, the application adds the entire contents of the folder, including the specified executable file, to the installation package.

   • Convert settings to recommended values for applications recognized by Kaspersky Security Center 14

     The application will be installed with the recommended settings, if information about the specified application is contained in the Kaspersky database.

     If you entered parameters in the Executable file command line field, they are rewritten with the recommended settings.

     By default, this option is enabled.

     The Kaspersky database is created and maintained by Kaspersky analysts. For each application that is added to the database, Kaspersky analysts define optimal installation settings. The settings are defined to ensure successful remote installation of an application to a client device. The database is updated on the Administration Server automatically when you run the Download updates to the repository of the Administration Server task.

   The process to create the custom installation package starts.

   The Wizard informs you when the process is finished.

   If the custom installation package is not created, an appropriate message is displayed.

7. Click the Finish button to close the Wizard.

The installation package that you created is downloaded to the Packages subfolder of the Administration Server shared folder. After downloading, the custom installation package appears in the list of installation packages.

In the list of installation packages on Administration Server, you can view and edit custom installation package properties.

Viewing and editing properties of custom installation packages

Expand all | Collapse all

After you created a custom installation package, you can view general information about the installation package and specify the installation settings in the properties window.

To view and edit properties of a custom installation package:

1. In the console tree, select the Administration Server → Advanced → Remote installation → Installation packages.

   A list of installation packages available on Administration Server is displayed.

2. In the context menu of an installation package, select Properties.

   The properties window of the selected installation package opens.

3. View the following information:
   • Installation package name
   • Application name packed into the custom installation package
   • Application version
   • Installation package creation date
   • Path to the custom installation package on the Administration Server
   • Executable file command line
4. Specify the following settings:
   • Installation package name
   • Install required general system components

     If this option is enabled, before installing an update the application automatically installs all general system components (prerequisites) that are required to install the update. For example, these prerequisites can be operating system updates.

     If this option is disabled, you may have to install the prerequisites manually.

     By default, this option is disabled.

     This option is only available when the application added to the installation package is recognized by Kaspersky Security Center.

   • Executable file command line

     If the application requires additional parameters for a silent installation, specify them in this field. Refer to the vendor's documentation for details.

     You can also enter other parameters.

     This option is only available for packages that are not created on the basis of Kaspersky applications.

5. Click the OK or Apply button to save the changes, if any.

The new settings are saved.

Obtaining the Network Agent installation package from the Kaspersky Security Center distribution kit

You can obtain the Network Agent installation package from the Kaspersky Security Center distribution kit, without needing to install Kaspersky Security Center. You can then use the installation package to install Network Agent on the client devices.

To obtain the Network Agent installation package from the Kaspersky Security Center distribution kit:

1. Run the ksc_<version number>.<build number>_full_<localization language>.exe executable file from the Kaspersky Security Center distribution kit.
2. In the window that opens, click the Extract installation packages link.
3. In the list of installation packages, select the check box next to the Network Agent installation package, and then click the Next button.
4. If necessary, click the Browse button to change the displayed folder to extract the installation package to.
5. Click the Extract button.

   The application extracts the Network Agent installation package.

6. When the process is complete, click the Close button.

The Network Agent installation package is extracted to the selected folder.

You can use the installation package to install Network Agent by one of the following methods:

• Locally by running the setup.exe file from the extracted folder
• Via silent installation
• By using group policies of Microsoft Windows

Distributing installation packages to secondary Administration Servers

To distribute installation packages to secondary Administration Servers:

1. Establish a connection with the Administration Server that controls the relevant secondary Administration Servers.
2. Create a task of installation package distribution to secondary Administration Servers in one of the following ways:
   • If you want to create a task for secondary Administration Servers in the selected administration group, launch the creation of a group task for this group.
   • If you want to create a task for specific secondary Administration Servers, launch the creation of a task for specific devices.

   The Add Task Wizard starts. Follow the instructions of the Wizard.

   In the Select the task type window of the New Task Wizard, in the Kaspersky Security Center 14 Administration Server node, in the Advanced folder select Distribute installation package as the task type.

   The Add Task Wizard will create the task of distributing the selected installation packages to specific secondary Administration Servers.

3. Run the task manually or wait for it to launch according to the schedule you specified in the task settings.

The selected installation packages will be copied to the specific secondary Administration Servers.

Distributing installation packages through distribution points

You can use distribution points to distribute installation packages within an administration group.

After the installation packages are received from the Administration Server, distribution points automatically distribute them to client devices through IP multicasting. IP multicasting of new installation packages within an administration group occurs once. If a client device has been disconnected from the corporate network at the time of distribution, Network Agent (on the client device) automatically downloads the necessary installation package from a distribution point when the installation task is started.

Transferring application installation results to Kaspersky Security Center

After you have created the application installation package, you can configure it so that all diagnostic information about the results of the application installation is transferred to Kaspersky Security Center. For installation packages of Kaspersky applications, transfer of diagnostic information about the application installation results is configured by default, and no additional configuration is required.

To configure the transfer of diagnostic information about the results of application installation to Kaspersky Security Center:

1. Navigate to the folder of the installation package created by using Kaspersky Security Center for the selected application. The folder can be found in the shared folder specified during Kaspersky Security Center installation.
2. Open the file with the .kpd or .kud extension for editing (for example, in the Microsoft Windows Notepad editor).

   The file has the format of a regular configuration .ini file.

3. Add the following lines to the file:

   [SetupProcessResult]

   Wait=1

   This command configures Kaspersky Security Center to wait for setup completion for the application, for which the installation package is created, and to analyze the installer return code. If you have to disable the transfer of diagnostic data, set the value of the Wait key to 0.

4. Add the description of return codes for a successful installation. To do this, add the following lines to the file:

   [SetupProcessResult_SuccessCodes]

   <return code>=[<description>]

   <return code 1>=[<description>]

   …

   Square brackets contain optional keys.

   Syntax for the lines:

   • <return code>. Any number corresponding to the installer return code. The number of return codes can be arbitrary.
   • <description>. Text description of the installation result. The description can be omitted.
5. Add the description of return codes for a failed installation. To do this, add the following lines to the file:

   [SetupProcessResult_ErrorCodes]

   <return code>=[<description>]

   <return code 1>=[<description>]

   …

   The syntax of these lines is identical to the syntax for the lines containing successful setup return codes.

6. Close the .kpd or .kud file by saving all changes.

Finally, the results of installation of the user-defined application will be registered in the logs of Kaspersky Security Center and then shown in the list of events, in reports, and in task run logs.

Defining the KSN proxy server address for installation packages

In case the address or the domain of the Administration Server changes, you can define the KSN proxy server address for the installation package.

To define the KSN proxy server address for the installation package:

1. In the console tree, in the Remote installation folder, double-click the Installation packages subfolder.
2. In the menu that opens, select Properties.
3. In the properties window that opens, select the General subsection.
4. In the General subsection of the properties window, enter the address of the KSN proxy server.

The installation packages will use this address as default.

Receiving up-to-date versions of applications

Kaspersky Security Center allows you to receive up-to-date versions of corporate applications stored on Kaspersky servers.

To receive up-to-date versions of Kaspersky corporate applications:

1. Do one of the following:
   • In the console tree select the node the with the name of the required Administration Server, make sure the Monitoring tab is selected, and in the Deployment section click the There are new versions of Kaspersky applications available link.

     The There are new versions of Kaspersky applications available link becomes visible when Administration Server finds a new version of a corporate application on a Kaspersky server.

   • In the console tree, select Advanced → Remote installation → Installation packages, and in the workspace click Additional actions and from the drop-down list select View current versions of Kaspersky applications.

   The list of the current version of Kaspersky applications is displayed.

2. You can filter the list of Kaspersky applications to simplify the search for the required application.

   At the top of the Current application versions window, click the Filter link to filter the application list by the following criteria:

   • Components. Use this criterion to filter the Kaspersky application list by the protection areas that are in use on your network.
   • Type of downloaded software. Use this criterion to filter the Kaspersky application list by the application type.
   • Software products and updates to display. Use this criterion to display available Kaspersky applications by specific versions.
   • Displayed languages for software and updates. Use this criterion to display Kaspersky applications with a specific localization language.

   Click the Apply button to apply the selected filters.

3. Select the required application from the list.
4. Download the application distribution package by clicking the link in the Distribution package web address string.

   Updates of managed applications may require a specific minimum version of Kaspersky Security Center to be installed. If this version is later than your current version, these updates are displayed but cannot be approved. Also, no installation packages can be created from such updates until you upgrade Kaspersky Security Center. You are prompted to upgrade your Kaspersky Security Center instance to the required minimum version.

If the Download applications and create installation packages button is displayed for the application selected, you can click this button to download the application distribution package and create an installation package automatically. Kaspersky Security Center downloads the application distribution package to Administration Server, to the shared folder specified during installation of Kaspersky Security Center. The automatically created installation package is displayed in the Remote installation folder in the console tree, in the Installation packages subfolder.

After the Current application versions window is closed, the There are new versions of Kaspersky applications available link disappears from the Deployment section.

You can create installation packages for new versions of applications and manage newly created installation packages in the Remote installation folder in the console tree, in the Installation packages subfolder.

You can also open the Current application versions window by clicking the View current versions of Kaspersky applications link in the workspace of the Installation packages folder.

Preparing a Windows device for remote installation

Remote installation of the application on the client device may return an error for the following reasons:

• The task has already been successfully performed on this device.

  In this case, the task does not have to be performed again.

• When a task was started, the device was shut down.

  In this case, turn on the device, and then restart the task.

• There is no connection between the Administration Server and the Network Agent installed on the client device.

  To determine the cause of the problem, use the utility designed for remote diagnostics of client devices (klactgui).

• If Network Agent is not installed on the device, the following issues may occur during remote installation:
  • The client device has Disable simple file sharing enabled.
  • The Server service is not running on the client device.
  • The required ports are closed on the client device.
  • The account that is used to perform the task has insufficient privileges.

  To avoid issues that may occur during installation of the application on a client device without Network Agent installed, you must proceed as described in forced deployment through the remote installation task of Kaspersky Security Center.

Previously, the riprep utility was used to prepare a device for remote installation. This is now considered an outdated method for configuring operating systems. The riprep utility is not recommended for use on operating systems newer than Windows XP and Windows Server 2003 R2.

Preparing a Linux device for remote installation of Network Agent

If you want to install Network Agent on devices that use the operating system RED OS 7.3.4 or later or MSVSPHERE 9.2 or later, install the libxcrypt-compat package for the correct function of Network Agent.

To prepare a device running Linux for remote installation of Network Agent:

1. Make sure that the following software is installed on the target Linux device:
   • Sudo (for Ubuntu 10.04, Sudo version is 1.7.2p1 or later)
   • Perl language interpreter version 5.10 or later
2. Test the device configuration:
   1. Check whether you can connect to the device through an SSH client (such as PuTTY).

      If you cannot connect to the device, open the /etc/ssh/sshd_config file and make sure that the following settings have the respective values listed below:

      PasswordAuthentication no

      ChallengeResponseAuthentication yes

      Save the file (if necessary) and restart the SSH service by using the sudo service ssh restart command.

   2. Disable the sudo password for the user account under which the device is to be connected.
   3. Use the visudo command in sudo to open the sudoers configuration file.

      In the file you have opened, add the following line to the end of the file: <username> ALL = (ALL) NOPASSWD: ALL. In this case, <username> is the user account which is to be used for the device connection using SSH. If you are using the Astra Linux operating system, in the /etc/sudoers file add the last line with the following text: %astra-admin ALL=(ALL:ALL) NOPASSWD: ALL

   4. Save the sudoers file and then close it.
   5. Connect to the device again through SSH and make sure that the Sudo service does not prompt you to enter a password; you can do this using the sudo whoami command.
3. Open the /etc/systemd/logind.conf file, and then do one of the following:
   • Specify 'no' as a value for the KillUserProcesses setting: KillUserProcesses=no.
   • For the KillExcludeUsers setting, type the user name of the account under which the remote installation is to be performed, for example, KillExcludeUsers=root.

   If the target device is running Astra Linux, add export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin string in the /home/<username>/.bashrc file, where <username> is the user account which is to be used for the device connection using SSH.

   To apply the changed setting, restart the Linux device or execute the following command:

   $ sudo systemctl restart systemd-logind.service

4. If you want to install Network Agent on devices with the SUSE Linux Enterprise Server 15 operating system, install the insserv-compat package first to configure Network Agent.
5. Download and create an installation package:
   1. Before installing the package on the device, make sure that it already has all the dependencies (programs and libraries) installed for this package.

      You can view the dependencies for each package on your own, using utilities that are specific for the Linux distribution on which the package is to be installed. For more details about utilities, refer to your operating system documentation.

   2. Download the Network Agent installation package.
   3. To create a remote installation package, use the following files:
      • klnagent.kpd
      • akinstall.sh
      • .deb or .rpm package of Network Agent
6. Create a remote installation task with the following settings:
   • On the Settings page of the Add Task Wizard, select the Using operating system resources through Administration Server check box. Clear all other check boxes.
   • On the Selecting an account to run the task page, to run the task specify the settings of the user account that is used for device connection through SSH.
7. Run the remote installation task. Use the option for the su command to preserve the environment: -m, -p, --preserve-environment.

An error may be returned if you install Network Agent with SSH on devices running Fedora versions earlier than version 20. In this case, for successful installation of Network Agent, comment out the Defaults requiretty option (enclose it in comment syntax to remove it from parsed code) in the /etc/sudoers file. For a detailed description of the condition of the Defaults requiretty option that may cause problems during SSH connection, please refer to the Bugzilla bugtracker website.

Preparing a device running SUSE Linux Enterprise Server 15 for installation of Network Agent

To install Network Agent on a device with the SUSE Linux Enterprise Server 15 operating system,

Before the Network Agent installation, run the following command:

$ sudo zypper install insserv-compat

This enables you to install the insserv-compat package and configure Network Agent properly.

Run the rpm -q insserv-compat command to check whether the package is already installed.

If your network includes a lot of devices running SUSE Linux Enterprise Server 15, you can use the special software for configuring and managing the company infrastructure. By using this software, you can automatically install the insserv-compat package on all necessary devices at once. For example, you can use Puppet, Ansible, Chef, or you can make your own script—use any method that is convenient for you.

If the device does not have the GPG signing keys for SUSE Linux Enterprise, you may encounter the following warning: Package header is not signed! Select the i option to ignore the warning.

Besides the insserv-compat package installation, make sure that you have completely prepared your Linux devices. After that, deploy and install Network Agent.

Preparing a macOS device for remote installation of Network Agent

To prepare a device running macOS for remote installation of Network Agent:

1. Make sure that sudo is installed on the target macOS device.
2. Test the device configuration:
   1. Make sure port 22 is open on the client device. To do this, in the System Preferences, open the Sharing pane, and then make sure the Remote Login check box is selected.

      You can connect to the client device via Secure Shell (SSH) only through port 22. You cannot change the port number.

      You can use the ssh <device_name> command to log in to the macOS device remotely. In the Sharing pane, you can use the Allow access for option to set the scope of users who are allowed access to the macOS device.

   2. Disable the sudo password for the user account under which the device is to be connected.

      Use the sudo visudo command in the Terminal to open the sudoers configuration file. In the file that you have opened, in the User privilege specification entry specify the following: username ALL = (ALL) NOPASSWD: ALL. In this case, username stands for the user account, which is to be used for the device connection using SSH.

   3. Save the sudoers file and then close it.
   4. Connect to the device again via SSH and make sure that the Sudo service does not prompt you to enter a password; you can do this using the sudo whoami command.
3. Download and create an installation package:
   1. Download the Network Agent installation package using one of the following methods:
      • In the console tree, by opening the context menu on Remote installation → Installation packages and selecting Show current application versions to choose from available packages
      • By downloading the relevant version of Network Agent from Technical Support website at https://support.kaspersky.com/
      • By requesting the installation package from Technical Support specialists
   2. To create a remote installation package, use the following files:
      • klnagent.kud
      • install.sh
      • klnagentmac.dmg
4. Create a remote installation task with the following settings:
   • On the Settings page of the Add Task Wizard, select the Using operating system resources through Administration Server check box. Clear all other check boxes.
   • On the Selecting an account to run the task page, to run the task specify the settings of the user account that is used for device connection via SSH.

The client device is ready for remote installation of Network Agent through the corresponding task that you have created.