Installing applications using a remote installation task

Kaspersky Security Center allows you to install applications on devices remotely, using remote installation tasks. Those tasks are created and assigned to devices through a dedicated Wizard. To assign a task to devices more quickly and easily, you can specify devices in the Wizard window in one of the following ways:

• Select networked devices detected by Administration Server. In this case, the task is assigned to specific devices. The specific devices can include devices in administration groups as well as unassigned devices.
• Specify device addresses manually or import addresses from a list. You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.
• Assign task to a device selection. In this case, the task is assigned to devices included in a selection created earlier. You can specify the default selection or a custom one that you created.
• Assign task to an administration group. In this case, the task is assigned to devices included in an administration group created earlier.

For correct remote installation on a device with no Network Agent installed, the following ports must be opened: a) TCP 139 and 445; b) UDP 137 and 138. By default, these ports are opened on all devices included in the domain. They are opened automatically by the remote installation preparation utility.

Installing an application on specific devices

Expand all | Collapse all

This section contains information on how to install an application remotely on an administration group, devices with specific IP addresses, or a selection of managed devices.

To install an application on specific devices:

1. In the main menu, go to DEVICES → TASKS.
2. Click Add.

   The Add Task Wizard starts.

3. In the Task type field, select Install application remotely.
4. Select one of the following options:
   • Assign task to an administration group

     The task is assigned to devices included in an administration group. You can specify one of the existing groups or create a new one.

     For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.

     If a task is assigned to an administration group, the Security tab is not displayed in the task properties window because group tasks are subject to the security settings of the groups to which they apply.

   • Specify device addresses manually or import addresses from a list

     You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.

     You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.

   • Assign task to a device selection

     The task is assigned to devices included in a device selection. You can specify one of the existing selections.

     For example, you may want to use this option to run a task on devices with a specific operating system version.

5. Follow the instructions of the Wizard.

   The Add Task Wizard creates a task for remote installation of the application selected in the Wizard on specified devices. If you selected the Assign task to an administration group option, the task is a group one.

6. Run the task manually or wait for it to launch according to the schedule that you specified in the task settings.

When the remote installation task is completed, the selected application is installed on the specified devices.

Installing an application through Active Directory group policies

Kaspersky Security Center allows you to install Kaspersky applications on managed devices by using Active Directory group policies.

You can install applications by using Active Directory group policies only from installation packages that include Network Agent.

To install an application by using Active Directory group policies:

1. Run the Protection Deployment Wizard. Follow the instructions of the Wizard.
2. On the Remote installation task settings page of the Protection Deployment Wizard, enable the Assign package installation in Active Directory group policies option.
3. On the Select accounts to access devices page, select the Account required (Network Agent is not used) option.
4. Add the account with administrator privileges on the device where Kaspersky Security Center is installed or the account included in the Group Policy Creator Owners domain group.
5. Grant the permissions to the selected account:
   1. Go to Control Panel → Administrative Tools and open Group Policy Management.
   2. Click the node with the required domain.
   3. Click the Delegation section.
   4. In the Permission drop-down list, select Link GPOs.
   5. Click Add.
   6. In the Select User, Computer, or Group window that opens, select the necessary account.
   7. Click OK to close the Select User, Computer, or Group window.
   8. In the Groups and users list, select the account that you have just added, and then click Advanced → Advanced.
   9. In the Permission entries list, double-click the account that you have just added.
   10. Grant the following permissions:
       • Create Group objects
       • Delete Group objects
       • Create group Policy Container objects
       • Delete group Policy Container objects
   11. Click OK to save the changes.
6. Define other settings by following the instructions of the Wizard.
7. Run the created remote installation task manually or wait for its scheduled start.

The following remote installation sequence starts:

1. When the task is running, the following objects are created in each domain that includes any client devices from the specified set:
   • Group policy object (GPO) under the name Kaspersky_AK{GUID}.
   • A security group that corresponds to the GPO. This security group includes client devices covered by the task. The content of the security group defines the scope of the GPO.
2. Kaspersky Security Center installs the selected Kaspersky applications on client devices directly from Share, that is, the shared network folder of the application. In the Kaspersky Security Center installation folder, an auxiliary subfolder will be created that contains the .msi file for the application to be installed.
3. When new devices are added to the task scope, they are added to the security group after the next start of the task. If the Run missed tasks option is selected in the task schedule, devices are added to the security group immediately.
4. When devices are deleted from the task scope, they are deleted from the security group after the next start of the task.
5. When a task is deleted from Active Directory, the GPO, the link to the GPO, and the corresponding security group are deleted, too.

If you want to apply another installation schema using Active Directory, you can configure the required settings manually. For example, this may be required in the following cases:

• When the anti-virus protection administrator does not have rights to make changes to the Active Directory of certain domains
• When the original installation package has to be stored on a separate network resource
• When it is necessary to link a GPO to specific Active Directory units

The following options for using an alternative installation scheme through Active Directory are available:

• If installation is to be performed directly from the Kaspersky Security Center shared folder, in the GPO properties you must specify the .msi file located in the exec subfolder of the installation package folder for the required application.
• If the installation package has to be located on another network resource, you must copy the whole exec folder content to it, because in addition to the file with .msi extension the folder contains configuration files generated when the package was created. To install the license key with the application, copy the key file to this folder as well.

Installing applications on secondary Administration Servers

To install an application on secondary Administration Servers:

1. Establish a connection with the Administration Server that controls the relevant secondary Administration Servers.
2. Make sure that the installation package corresponding to the application being installed is available on each of the selected secondary Administration Servers. If you cannot find the installation package on any of the secondary Servers, distribute it. For this purpose, create a task with the Distribute installation package task type.
3. Create a task for a remote application installation on secondary Administration Servers. Select the Install application on secondary Administration Server remotely task type.

   The Add Task Wizard creates a task for remote installation of the application selected in the Wizard on specific secondary Administration Servers.

4. Run the task manually or wait for it to launch according to the schedule that you specified in the task settings.

When the remote installation task is complete, the selected application is installed on the secondary Administration Servers.