Contents
- Initial deployment
- Configuring installers
- Installation packages
- MSI properties and transform files
- Deployment with third-party tools for remote installation of applications
- About remote installation tasks in Kaspersky Security Center
- Deployment by capturing and copying the hard drive image of a device
- Incorrect copying of a hard drive image
- Deployment using group policies of Microsoft Windows
- Forced deployment through the remote installation task of Kaspersky Security Center
- Running stand-alone packages created by Kaspersky Security Center
- Options for manual installation of applications
- Creating an MST file
Initial deployment
If a Network Agent has already been installed on a device, remote installation of applications on that device is performed through this Network Agent. The distribution package of an application to be installed is transferred over communication channels between Network Agents and Administration Server, along with the installation settings defined by the administrator. To transfer the distribution package, you can use relay distribution nodes, that is, distribution points, multicast delivery, etc. For more details on how to install applications on managed devices with Network Agent already installed, see below in this section.
You can perform initial installation of Network Agent on devices running Windows, using one of the following methods:
- With third-party tools for remote installation of applications.
- By cloning an image of the administrator's hard drive with the operating system and Network Agent: using tools provided by Kaspersky Security Center for handling disk images, or using third-party tools.
- With Windows group policies: using standard Windows management tools for group policies, or in automatic mode, through the corresponding, dedicated option in the remote installation task of Kaspersky Security Center.
- In forced mode, using special options in the remote installation task of Kaspersky Security Center.
- By sending device users links to stand-alone packages generated by Kaspersky Security Center. Stand-alone packages are executable modules that contain the distribution packages of selected applications with their settings defined.
- Manually, by running application installers on devices.
The following methods can be used for the initial installation of Network Agent on a device running Linux:
- By connecting to the managed device through SSH and running the remote installation task.
- By running the package installation on the managed device.
The following methods can be used for the initial installation of Network Agent on a device running macOS:
- By running the remote installation task on the macOS distribution point.
- By sending device users links to stand-alone packages generated by Kaspersky Security Center. Stand-alone packages are executable modules that contain the distribution packages of selected applications, with pre-defined settings.
When selecting a method and a strategy for deployment of applications on a managed network, you must consider a number of factors (partial list):
- Organization's network configuration.
- Total number of devices.
- Presence of devices on the organization's network that are not members of any Active Directory domain, and the presence of uniform accounts with administrator rights on those devices.
- Capacity of the channel between the Administration Server and devices.
- Type of communication between Administration Server and remote subnets, and the capacity of the network channels in those subnets.
- Security settings applied on remote devices at the start of deployment (such as use of UAC and Simple File Sharing mode).
Configuring installers
Before starting deployment of Kaspersky applications on a network, you must specify the installation settings, that is, those defined during the application installation. When installing Network Agent, you should specify, at a minimum, an address for connection to Administration Server; some advanced settings may also be required. Depending on the installation method that you have selected, you can define settings in different ways. In the simplest case (manual interactive installation on a selected device), all relevant settings can be defined through the user interface of the installer.
This method of defining the settings is inappropriate for silent installation of applications on groups of devices. In general, the administrator must specify values for settings in centralized mode; those values can subsequently be used for silent installation on selected networked devices.
Installation packages
The first and main method of defining the installation settings of applications is all-purpose and thus suitable for all installation methods, both with Kaspersky Security Center tools, and with most third-party tools. This method consists of creating installation packages of applications in Kaspersky Security Center.
Installation packages are generated using the following methods:
- Automatically, from specified distribution packages, on the basis of included descriptors (files with the kud extension that contain rules for installation and results analysis, and other information)
- From the executable files of installers or from installers in native format (.msi, .deb, .rpm), for standard or supported applications
Generated installation packages are organized hierarchically as folders with subfolders and files. In addition to the original distribution package, an installation package contains editable settings (including the installer's settings and rules for processing such cases as necessity of restarting the operating system in order to complete installation), as well as minor auxiliary modules.
Values of installation settings that would be specific for an individual supported application can be defined in the user interface of Administration Console when the installation package is created. When performing remote installation of applications through Kaspersky Security Center tools, installation packages are delivered to devices so that running the installer of an application makes all administrator-defined settings available for that application. When using third-party tools for installation of Kaspersky applications, you only have to ensure the availability of the entire installation package on the device, that is, the availability of the distribution package and its settings. Installation packages are created and stored by Kaspersky Security Center in a dedicated subfolder of the shared folder.
Do not specify any details of privileged accounts in the parameters of installation packages.
For the instruction about using this configuration method for Kaspersky applications before deployment through third-party tools, see section "Deployment using group policies of Microsoft Windows".
Immediately after Kaspersky Security Center installation, a few installation packages are automatically generated; they are ready for installation and include Network Agent packages and security application packages for Microsoft Windows.
Although the license key for an application can be set in the properties of an installation package, it is advisable to avoid this method of license distribution because it is easy to obtain read access to installation packages. You should use automatically distributed license keys or installation tasks for license keys instead.
MSI properties and transform files
Another way of configuring installation on Windows platform is to define MSI properties and transform files. This method can be applied in the following cases:
- When installing through Windows group policies, by using regular Microsoft tools or other third-party tools for handling Windows group policies.
- When installing applications by using third-party tools intended for handling installers in Microsoft Installer format.
Deployment with third-party tools for remote installation of applications
When any tools for remote installation of applications (such as Microsoft System Center) are available in an organization, it is convenient to perform initial deployment by using those tools.
The following actions must be performed:
- Select the method for configuring installation that best suits the deployment tool to be used.
- Define the mechanism for synchronization between the modification of the settings of installation packages (through the Administration Console interface) and the operation of selected third-party tools used for deployment of applications from installation package data.
- When performing installation from a shared folder, you must make sure that this file resource has sufficient capacity.
About remote installation tasks in Kaspersky Security Center
Kaspersky Security Center provides various mechanisms for remote installation of applications, which are implemented as remote installation tasks (forced installation, installation by copying a hard drive image, installation through group policies of Microsoft Windows). You can create a remote installation task both for a specified administration group and for specific devices or a selection of devices (such tasks are displayed in Administration Console, in the Tasks folder). When creating a task, you can select installation packages (those of Network Agent and / or another application) to be installed within this task, as well as specify certain settings that define the method of remote installation. In addition, you can use the Remote Installation Wizard, which is based on creation of a remote installation task and results monitoring.
Tasks for administration groups affect both devices included in a specified group and all devices in all subgroups within that administration group. A task covers devices of secondary Administration Servers included in a group or any of its subgroups if the corresponding setting is enabled in the task.
Tasks for specific devices refresh the list of client devices at each run in accordance with the selection contents at the moment the task starts. If a selection includes devices that have been connected to secondary Administration Servers, the task will run on those devices, too. For details on those settings and installation methods see below in this section.
To ensure a successful operation of a remote installation task on devices connected to secondary Administration Servers, you must use the relaying task to relay installation packages used by your task to corresponding secondary Administration Servers in advance.
Deployment by capturing and copying the hard drive image of a device
If you need to install Network Agent on devices on which an operating system and other software also must be installed (or reinstalled), you can use the mechanism of capturing and copying the hard drive of that device.
To perform deployment by capturing and copying a hard drive:
- Create a reference device with an operating system and the relevant software installed, including Network Agent and a security application.
- Capture the reference image on the device and distribute that image on new devices through the dedicated task of Kaspersky Security Center.
To capture and install disk images, you can use either third-party tools available in the organization, or the feature provided (under the Vulnerability and Patch Management license) by Kaspersky Security Center.
If you use any third-party tools to process disk images, you must delete the information that Kaspersky Security Center uses to identify the managed device, when performing deployment on a device from a reference image. Otherwise, Administration Server will not be able to properly distinguish devices that have been created by copying the same image.
When capturing a disk image with Kaspersky Security Center tools, this issue is solved automatically.
Copying a disk image with third-party tools
When applying third-party tools for capturing the image of a device with Network Agent installed, use one of the following methods:
- Recommended method. When installing Network Agent on a reference device, capture the device image before the first run of Network Agent service (because unique information identifying the device is created at the first connection of Network Agent to the Administration Server). After that, it is recommended that you avoid running Network Agent service until the completion of the image capturing operation.
- On the reference device, stop the Network Agent service and run the klmover utility with the -dupfix key. The utility klmover is included in the installation package of Network Agent. Avoid any subsequent runs of Network Agent service until the image capturing operation completes.
- Make sure that klmover will be run with the -dupfix key before (mandatory requirement) the first run of the Network Agent service on target devices, at the first launch of the operating system after the image deployment. The utility klmover is included in the installation package of Network Agent.
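The third method above (running klmover -dupfix on a cloned device before its Network Agent service ever starts) as a first-boot script; this is an added example, not a script shipped by Kaspersky. The service name "klnagent" and the default installation folder are assumptions not stated on this page.

```powershell
# Added example (not Kaspersky's own code): first-boot step for devices deployed
# from an image that already contains Network Agent. It runs klmover -dupfix
# before the service has connected to Administration Server, then lets it start.
# Assumptions: service name "klnagent"; klmover.exe in the default install folder.

$NetworkAgentService = 'klnagent'
$KlmoverPath = Join-Path ${env:ProgramFiles(x86)} 'Kaspersky Lab\NetworkAgent\klmover.exe'

function Invoke-DupfixBeforeFirstStart {
    param(
        [string]$ServiceName = $NetworkAgentService,
        [string]$Klmover     = $KlmoverPath
    )

    if (-not (Test-Path -LiteralPath $Klmover)) {
        throw "klmover not found at '$Klmover'; check the Network Agent installation folder."
    }

    $svc = Get-Service -Name $ServiceName -ErrorAction Stop

    # The service must not reach Administration Server with the identity copied
    # from the reference image; stop it if the image was captured with it enabled.
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $ServiceName -Force -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }

    # Run klmover -dupfix once, as the text requires for incorrectly copied devices.
    $proc = Start-Process -FilePath $Klmover -ArgumentList '-dupfix' -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        # Leave the service stopped so a duplicate device is not registered.
        throw "klmover -dupfix returned exit code $($proc.ExitCode); service left stopped."
    }

    # Only now may Network Agent start and register this device on its own.
    Set-Service -Name $ServiceName -StartupType Automatic
    Start-Service -Name $ServiceName
    return $proc.ExitCode
}

Invoke-DupfixBeforeFirstStart
```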
If the hard drive image has been copied incorrectly, you can resolve this problem.
You can apply an alternate scenario for Network Agent deployment on new devices through operating system images:
- The captured image contains no Network Agent installed.
- A stand-alone installation package of Network Agent located in the shared folder of Kaspersky Security Center has been added to the list of executable files that are run upon completion of the image deployment on target devices.
This deployment scenario adds flexibility: you can use a single operating system image together with various installation options for Network Agent and / or the security application, including device moving rules related to the standalone package. This slightly complicates the deployment process: you have to provide access to the network folder with stand-alone installation packages from a device.
Incorrect copying of a hard drive image
If a hard drive image with Network Agent installed has been copied without following the rules of deployment, some devices may be displayed together in Administration Console under a single icon with a name that changes constantly.
You can resolve this issue using one of the following methods:
- Removing Network Agent
This method is the most reliable. You must remove Network Agent on devices that have been incorrectly copied from the image, using third-party tools, and then install it again. Network Agent cannot be removed through Kaspersky Security Center tools, because Administration Server cannot distinguish between faulty devices (they all share the same icon in Administration Console).
- Running the klmover utility with the "-dupfix" key
Use third-party tools to run the klmover utility, located in the Network Agent installation folder, with the "-dupfix" key (klmover -dupfix) once on faulty devices (those incorrectly copied from the image). You cannot run the utility with Kaspersky Security Center tools, because Administration Server cannot distinguish between faulty devices (they all share the same icon in Administration Console).
Then delete the icon under which the faulty devices were displayed before you ran the utility.
- Toughening up the rule for detection of incorrectly copied devices.
This method is only applicable if Administration Server and Network Agents version 10 Service Pack 1 or later are installed.
The rule for detection of incorrectly copied Network Agents must be toughened so that changing the NetBIOS name of a device results in an automatic "fix" of those Network Agents (with the assumption that all of the copied devices have unique NetBIOS names).
On the device with Administration Server, you must import the reg file shown below to the Registry and then restart the Administration Server service.
- If a 32-bit operating system is installed on the device with Administration Server:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags]
"KLSRV_CheckClones"=dword:00000003
- If a 64-bit operating system is installed on the device with Administration Server:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags]
"KLSRV_CheckClones"=dword:00000003
Deployment using group policies of Microsoft Windows
It is recommended that you perform the initial deployment of Network Agents through Microsoft Windows group policies if the following conditions are met:
- The target devices are members of an Active Directory domain.
- The deployment scheme allows you to wait for the next routine restart of target devices before starting deployment of Network Agents on them (or you can force a Windows group policy to be applied to those devices).
This deployment scheme consists of the following:
- The application distribution package in Microsoft Installer format (MSI package) is located in a shared folder (a folder where the LocalSystem accounts of target devices have read permissions).
- In the Active Directory group policy, an installation object is created for the distribution package.
- The installation scope is set by specifying the organizational unit (OU) and / or the security group, which includes the target devices.
- The next time a target device logs in to the domain (before device users log in to the system), all installed applications are checked for the presence of the required application. If the application is not found, the distribution package is downloaded from the resource specified in the policy and is then installed.
An advantage of this deployment scheme is that assigned applications are installed on target devices while the operating system is loading, that is, even before the user logs in to the system. Even if a user with sufficient rights removes the application, it will be reinstalled at the next launch of the operating system. This deployment scheme's shortcoming is that changes made by the administrator to the group policy will not take effect until the devices are restarted (if no additional tools are involved).
You can use group policies to install both Network Agent and other applications if their respective installers are in Windows Installer format.
When this deployment scheme is selected, you must also assess the load on the file resource from which files will be copied to devices after applying the Windows group policy.
Handling Microsoft Windows policies through the remote installation task of Kaspersky Security Center
The simplest way to install applications through group policies of Microsoft Windows is to select the Assign package installation in Active Directory group policies option in the properties of the remote installation task of Kaspersky Security Center. In this case, Administration Server automatically performs the following actions when you run the task:
- Creates required objects in the group policy of Microsoft Windows.
- Creates dedicated security groups, includes the target devices in those groups, and assigns installation of selected applications for them. The set of security groups will be updated at every task run, in accordance with the pool of devices at the moment of the run.
To make this feature operable, in the task properties, specify an account that has write permissions in Active Directory group policies.
If you intend to install both Network Agent and another application through the same task, selecting the Assign package installation in Active Directory group policies option causes the application to create an installation object in the Active Directory policy for Network Agent only. The second application selected in the task will be installed through the tools of Network Agent as soon as the latter is installed on the device. If you want to install an application other than Network Agent through Windows group policies, you must create an installation task for this installation package only (without the Network Agent package). Not every application can be installed using Microsoft Windows group policies. To find out about this capability, you can refer to information about the possible methods for installing the application.
If required objects are created in the group policy by using Kaspersky Security Center tools, the shared folder of Kaspersky Security Center will be used as the source of the installation package. When planning the deployment, you must correlate the reading speed for this folder with the number of devices and the size of the distribution package to be installed. It may be useful to locate the shared folder of Kaspersky Security Center in a high-performance dedicated file repository.
In addition to its ease of use, automatic creation of Windows group policies through Kaspersky Security Center has this advantage: when planning Network Agent installation, you can easily specify the Kaspersky Security Center administration group into which devices will be automatically moved after installation completes. You can specify this group in the Add Task Wizard or in the settings window of the remote installation task.
When handling Windows group policies through Kaspersky Security Center, you can specify devices for a group policy object by creating a security group. Kaspersky Security Center synchronizes the contents of the security group with the current set of devices in the task. When using other tools for handling group policies, you can associate objects of group policies with selected OUs of Active Directory directly.
Unassisted installation of applications through policies of Microsoft Windows
The administrator can also create the objects required for installation in a Windows group policy manually. In this case, the administrator can link to packages stored in the shared folder of Kaspersky Security Center, or upload those packages to a dedicated file server and link to them there.
The following installation scenarios are possible:
- The administrator creates an installation package and sets up its properties in Administration Console. The group policy object provides a link to the MSI file of this package stored in the shared folder of Kaspersky Security Center.
- The administrator creates an installation package and sets up its properties in Administration Console. Then the administrator copies the entire EXEC subfolder of this package from the shared folder of Kaspersky Security Center to a folder on a dedicated file resource of the organization. The group policy object provides a link to the MSI file of this package stored in a subfolder on the dedicated file resource of the organization.
- The administrator downloads the application distribution package (including that of Network Agent) from the internet and uploads it to the dedicated file resource of the organization. The group policy object provides a link to the MSI file of this package stored in a subfolder on the dedicated file resource of the organization. The installation settings are defined by configuring the MSI properties or by configuring MST transform files.
Forced deployment through the remote installation task of Kaspersky Security Center
To perform the initial deployment of Network Agent or other applications, you can force installation of selected installation packages by using the remote installation task of Kaspersky Security Center, provided that each device has a user account with local administrator rights.
Forced installation can also be applied if devices cannot be directly accessed by Administration Server: for example, when devices are on isolated networks, or when they are on a local network while Administration Server is in the DMZ.
During initial deployment, Network Agent is not yet installed. Therefore, in the settings of the remote installation task, you cannot select distribution of files required for application installation by using Network Agent. You can only choose to distribute files by using operating system resources through Administration Server or distribution points.
The Administration Server service must run under an account that has administrative privileges on the target devices. Alternatively, you can specify an account that has access to the admin$ share in the settings of the remote installation task.
By default, the remote installation task connects to devices by using the credentials of the account under which the Administration Server is running. It is important to clarify that this is the account used for accessing the admin$ share, rather than the account under which the remote installation task runs. Installation is carried out under the LocalSystem account.
You can specify target devices explicitly (with a list), by selecting the Kaspersky Security Center administration group to which they belong, or by creating a selection of devices based upon a specific criterion. The installation start time is defined by the task schedule. If the Run missed tasks setting is enabled in the task properties, the task can be run either immediately after target devices are turned on or when they are moved to the target administration group.
Forced installation consists of delivering installation packages to target devices, subsequent copying of files to the admin$ resource on each of the target devices, and remote registration of supporting services on those devices. Delivery of installation packages to target devices is performed through a Kaspersky Security Center feature that ensures network interaction. The following conditions must be met in this case:
- Target devices are accessible from the Administration Server side or from the distribution point side.
- Name resolution for target devices functions properly on the network.
- The administrative shares (admin$) remain enabled on target devices.
- The following system services are running on target devices:
  - Server (LanmanServer). By default, this service is running.
  - DCOM Server Process Launcher (DcomLaunch)
  - RPC Endpoint Mapper (RpcEptMapper)
  - Remote Procedure Call (RpcSs)
- Port TCP 445 is open on target devices to enable remote access through Windows tools.
TCP 139, UDP 137, and UDP 138 are used by older protocols and are no longer necessary for current applications.
Dynamic outbound access ports must be allowed on the firewall for connections from the Administration Server and distribution points to target devices.
- The Active Directory domain security policy settings allow the NTLM protocol to operate during the deployment of Network Agent.
- On target devices running Microsoft Windows XP, Simple File Sharing mode is disabled.
- On target devices, the sharing and security model is set to Classic – local users authenticate as themselves. It must not be set to Guest only – local users authenticate as Guest.
- Target devices are members of the domain, or uniform accounts with administrator rights are created on target devices in advance.
To successfully deploy Network Agent or other applications to a device that is not joined to a Windows Server 2003 or later Active Directory domain, you must disable remote UAC on that device. Remote UAC is one of the reasons that prevent local administrative accounts from accessing admin$, which is necessary for forced deployment of Network Agent or other applications. Disabling remote UAC does not affect local UAC.
During installation on new devices that have not yet been allocated to any of the Kaspersky Security Center administration groups, you can open the remote installation task properties and specify the administration group to which devices will be moved after Network Agent installation.
When creating a group task, keep in mind that each group task affects all devices in all nested groups within a selected group. Therefore, you must avoid duplicating installation tasks in subgroups.
A simplified way to create tasks for forced installation of applications is automatic installation. To do this, you must open the administration group properties, open the list of installation packages, and then select the ones that must be installed on devices in this group. As a result, the selected installation packages will be automatically installed on all devices in this group and all of its subgroups. The time interval over which the packages will be installed depends on the network throughput and the total number of networked devices.
To reduce the load on Administration Server during the delivery of installation packages to target devices, you can select installation via distribution points in the installation task. Note that this installation method places a significant load on devices acting as distribution points. Therefore, it is recommended that you select devices that meet the requirements for distribution points. If you use distribution points, you have to make sure that they are present in each of the isolated subnets hosting target devices.
Using distribution points as local installation centers may also be useful when performing installation on devices in subnets that communicate with Administration Server over a low-capacity channel while a broader channel is available between devices in the same subnet.
The free disk space in the partition with the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit folder must exceed, by many times, the total size of the distribution packages of installed applications.
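A pre-flight check for the forced-installation prerequisites listed in this section (required services, admin$ share, TCP 445, the Classic sharing and security model, and remote UAC on non-domain devices), written as an added example rather than a tool from the Kaspersky documentation. The registry locations are the standard Windows ones for the policies the text names and are not given on this page.

```powershell
# Added example (not from the Kaspersky documentation). Run on a target device
# to report which local prerequisites for forced deployment are met; a second
# function covers the server-side checks (name resolution, TCP 445, admin$).
# Assumed registry locations: ForceGuest under ...\Control\Lsa for the sharing
# model, LocalAccountTokenFilterPolicy under ...\Policies\System for remote UAC.

function Test-ForcedInstallPrerequisites {
    [CmdletBinding()]
    param()

    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
    }

    # Services the text requires to be running on target devices
    foreach ($name in 'LanmanServer', 'DcomLaunch', 'RpcEptMapper', 'RpcSs') {
        $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
        $state = if ($svc) { [string]$svc.Status } else { 'not found' }
        Add-Check "Service $name running" ($state -eq 'Running') $state
    }

    # The administrative share admin$ must remain enabled
    $share = Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue
    Add-Check 'admin$ share enabled' ($null -ne $share) $(if ($share) { $share.Path } else { 'missing' })

    # SMB must be listening on TCP 445 (firewall rules are verified from the server side)
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    Add-Check 'TCP 445 listening' ($null -ne $listen) $(if ($listen) { 'listening' } else { 'not listening' })

    # Sharing and security model: ForceGuest 0 = Classic (required), 1 = Guest only
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($null -ne $lsa.ForceGuest) {
        Add-Check 'Sharing model is Classic' ([int]$lsa.ForceGuest -eq 0) "ForceGuest=$($lsa.ForceGuest)"
    } else {
        Add-Check 'Sharing model is Classic' $true 'ForceGuest absent (Classic is the default)'
    }

    # Remote UAC blocks local administrator accounts from admin$ only on
    # devices outside an AD domain; LocalAccountTokenFilterPolicy=1 disables it.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        Add-Check 'Domain member (remote UAC not a blocker)' $true $cs.Domain
    } else {
        $pol    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
        $filter = if ($null -ne $pol.LocalAccountTokenFilterPolicy) { [int]$pol.LocalAccountTokenFilterPolicy } else { 0 }
        # Value 1 also lets every local admin account use admin$ over the network,
        # so apply it for the deployment window only and revert afterwards.
        Add-Check 'Remote UAC disabled (non-domain device)' ($filter -eq 1) "LocalAccountTokenFilterPolicy=$filter"
    }

    return $checks
}

function Test-TargetReachability {
    # Server-side view of one target: name resolution, TCP 445, admin$ access
    # with the account this session runs under (the admin$ account, per the text).
    param([Parameter(Mandatory)] [string]$ComputerName)

    $resolved = $null -ne (Resolve-DnsName -Name $ComputerName -ErrorAction SilentlyContinue)
    $port445  = (Test-NetConnection -ComputerName $ComputerName -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
    $admin    = Test-Path -LiteralPath "\\$ComputerName\admin$" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName  = $ComputerName
        NameResolves  = $resolved
        Tcp445Open    = $port445
        AdminShareOk  = $admin
        Ready         = ($resolved -and $port445 -and $admin)
    }
}

$report = Test-ForcedInstallPrerequisites
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Passed }) { exit 1 }
```

Run Test-ForcedInstallPrerequisites on the target itself (for example through existing management tooling) and Test-TargetReachability from the Administration Server or a distribution point against each target name.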
Running stand-alone packages created by Kaspersky Security Center
The above-described methods of initial deployment of Network Agent and other applications cannot always be implemented because it is not possible to meet all of the applicable conditions. In such cases, you can create a common executable file called a stand-alone installation package through Kaspersky Security Center, using installation packages with the relevant installation settings that have been prepared by the administrator. The stand-alone installation package is stored in the shared folder of Kaspersky Security Center.
You can use Kaspersky Security Center to send selected users an email message containing a link to this file in the shared folder, prompting them to run the file (either in interactive mode, or with the key "-s" for silent installation). You can attach the stand-alone installation package to an email message and then send it to the users of devices that have no access to the shared folder of Kaspersky Security Center. The administrator can also copy the stand-alone package to a removable drive, deliver it to a relevant device, and then run it later.
You can create a stand-alone package from a Network Agent package, a package of another application (for example, the security application), or both. If the stand-alone package has been created from Network Agent and another application, installation starts with Network Agent.
When creating a stand-alone package with Network Agent, you can specify the administration group to which new devices (those that have not been allocated to any of the administration groups) will be automatically moved when Network Agent installation completes on them.
Stand-alone packages can run in interactive mode (by default), displaying the result for installation of applications they contain, or they can run in silent mode (when run with the key "-s"). Silent mode can be used for installation from scripts, for example, from scripts configured to run after an operating system image is deployed. The result of installation in silent mode is determined by the return code of the process.
Options for manual installation of applications
Administrators or experienced users can install applications manually in interactive mode. They can use either original distribution packages or installation packages generated from them and stored in the shared folder of Kaspersky Security Center. By default, installers run in interactive mode and prompt users for all required values. However, when setup.exe is run from the root of an installation package with the key "-s", the installer runs in silent mode with the settings that were defined when the installation package was configured.
When running setup.exe from the root of an installation package stored in the shared folder of Kaspersky Security Center, the package will first be copied to a temporary local folder, and then the application installer will be run from the local folder.
Creating an MST file
To transform the content of an MSI package and apply custom settings to an existing MSI file, you have to create a transformation file in the MST format. To do this, use the Orca.exe editor that is included in the Windows SDK.
To create an MST file:
- Run the Orca.exe editor.
- Go to the File tab, and in the menu, click Open.
- Select the Kaspersky Network Agent.msi file.
- Go to the Transformation tab, and in the menu, select New transformation.
- In the Tables column, select Property and write the following values:
  - EULA=1
  - SERVERADDRESS=<Administration Server address>
  Click the Save button.
- Go to the Transform tab, and in the menu, select Generate Transform.
- In the window that opens, specify a name for the transformation file you create, and then click the Save button.
The MST file is saved.
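Applying the MST produced above to the Network Agent MSI with msiexec, or passing the same EULA and SERVERADDRESS values directly as MSI properties (the alternative the "MSI properties and transform files" section names). This is an added example, not a script from the Kaspersky documentation; the share paths and the Authenticode check are assumptions for this example.

```powershell
# Added example (not Kaspersky's own code): silent install of Network Agent from
# its MSI, either through the MST created in Orca (TRANSFORMS property) or with
# EULA and SERVERADDRESS passed as public MSI properties. Paths are placeholders.

function Install-NetworkAgentMsi {
    param(
        [Parameter(Mandatory)] [string]$MsiPath,
        [string]$TransformPath,
        [string]$ServerAddress,
        [string]$LogPath = (Join-Path $env:TEMP 'klnagent-install.log')
    )

    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

    # Packages are usually pulled from a shared folder; refuse an unsigned or
    # modified MSI instead of installing it with administrative rights (added check).
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid') {
        throw "Authenticode check failed for '$MsiPath': $($sig.Status)"
    }

    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/L*v', "`"$LogPath`"")
    if ($TransformPath) {
        # The MST carries EULA=1 and SERVERADDRESS in its Property table.
        $msiArgs += "TRANSFORMS=`"$TransformPath`""
    } elseif ($ServerAddress) {
        # Same result without a transform: set the public properties on the command line.
        $msiArgs += 'EULA=1'
        $msiArgs += "SERVERADDRESS=$ServerAddress"
    } else {
        throw 'Provide either -TransformPath or -ServerAddress.'
    }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Verbose 'Network Agent installed.' }
        3010    { Write-Warning 'Installed; a restart is required to complete installation.' }
        default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
    }
    return $proc.ExitCode
}

# Usage with the transform (placeholder paths):
Install-NetworkAgentMsi -MsiPath '\\fileserver\deploy\Kaspersky Network Agent.msi' `
                        -TransformPath '\\fileserver\deploy\netagent.mst'
```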