Configuring network protection

This section contains information about manual configuration of policies and tasks, about user roles, about building an administration group structure and hierarchy of tasks.

Scenario: Configuring network protection

The quick start wizard creates policies and tasks with the default settings. These settings may turn out to be sub-optimal or even disallowed by the organization. Therefore, we recommend that you fine-tune these policies and tasks and create other policies and tasks, if they are necessary for your network.

Prerequisites

Before you start, make sure that you have completed the Kaspersky Security Center Cloud Console initial configuration scenario, including the quick start wizard.

When the quick start wizard is running, the following policies and tasks are created in the Managed devices administration group:

• Policy of Kaspersky Endpoint Security
• Group task for updating Kaspersky Endpoint Security
• Policy of Network Agent
• Find vulnerabilities and required updates (task of Network Agent)

Stages

Configuring network protection proceeds in stages:

1. Setup and propagation of Kaspersky application policies and policy profiles

   To configure and propagate settings for Kaspersky applications installed on the managed devices, you can use two different security management approaches: device-centric or user-centric. You can also combine these two approaches.

2. Configuring tasks for remote management of Kaspersky applications

   Check the tasks created with the quick start wizard and fine-tune them, if necessary.

   How-to instructions:

   • Setting up the group task for updating Kaspersky Endpoint Security
   • Creating the Find vulnerabilities and required updates task

   If necessary, create additional tasks to manage the Kaspersky applications installed on the client devices.

3. Evaluating and limiting the event load on the database

   Information about events that occur during the operation of managed applications is transferred from a client device and registered in the Administration Server database. To reduce the load on the Administration Server, evaluate and limit the maximum number of events that can be stored in the database.

   How-to instructions: Setting the maximum number of events.

Results

Upon completion of this scenario, your network will be protected by configuration of Kaspersky applications, tasks, and events received by the Administration Server:

• The Kaspersky applications are configured according to the policies and policy profiles.
• The applications are managed through a set of tasks.
• The maximum number of events that can be stored in the database is set.

When the network protection configuration is complete, you can proceed to configuring regular updates to Kaspersky databases and applications.

About device-centric and user-centric security management approaches

You can manage security settings from the standpoint of device features and from the standpoint of user roles. The first approach is called device-centric security management and the second is called user-centric security management. To apply different application settings to different devices you can use either or both types of management in combination.

Device-centric security management enables you to apply different security application settings to managed devices depending on device-specific features. For example, you can apply different settings to devices allocated in different administration groups. You can also differentiate the devices by usage of those devices in Active Directory, or their hardware specifications.

User-centric security management enables you to apply different security application settings to different user roles. You can create several user roles, assign an appropriate user role to each user, and define different application settings to the devices owned by users with different roles. For example, you may want to apply different application settings to devices of accountants and human resources (HR) specialists. As a result, when user-centric security management is implemented, each department—accounts department and HR department—has its own settings configuration for Kaspersky applications. A settings configuration defines which application settings can be changed by users and which are forcibly set and locked by the administrator.

By using user-centric security management you can apply specific application settings to individual users. This may be required when an employee has a unique role in the company or when you want to monitor security issues related to devices of a specific person. Depending on the role of this employee in the company, you can expand or limit the rights of this person to change application settings. For example, you might want to expand the rights of a system administrator who manages client devices in a local office.

You can also combine the device-centric and user-centric security management approaches. For example, you can configure a specific application policy for each administration group, and then create policy profiles for one or several user roles of your enterprise. In this case the policies and policy profiles are applied in the following order:

1. The policies created for device-centric security management are applied.
2. They are modified by the policy profiles according to the policy profile priorities.
3. The policies are modified by the policy profiles associated with user roles.

Policy setup and propagation: Device-centric approach

This section provides a scenario for a device-centric approach to the centralized configuration of Kaspersky applications installed on managed devices. When you complete this scenario, the applications will be configured on all of the managed devices in accordance with the application policies and policy profiles that you define.

You might also want to consider user-centric security management as an alternative or additional option to the device-centric approach.

Process

The scenario of device-centric management of Kaspersky applications consists of the following steps:

1. Configuring application policies

   Configure settings for Kaspersky applications installed on the managed devices by creating a policy for each application. The set of policies will be propagated to the client devices.

   When you configure the protection of your network in quick start wizard, Kaspersky Security Center Cloud Console creates the default policy for Kaspersky Endpoint Security for Windows. If you completed the configuration process by using this wizard, you do not have to create a new policy for this application. Proceed to the manual setup of Kaspersky Endpoint Security policy.

   If you have a hierarchical structure of several administration groups, the child administration groups inherit the policies from the primary Administration Server by default. You can force the inheritance by the child groups to prohibit any modifications of the settings configured in the upstream policy. If you want only part of the settings to be forcibly inherited, you can lock them in the upstream policy. The remaining unlocked settings will be available for modification in the downstream policies. The created hierarchy of policies will allow you to effectively manage devices in the administration groups.

   How-to instructions: Creating a policy

2. Creating policy profiles (optional)

   If you want devices within a single administration group to run under different policy settings, create policy profiles for those devices. A policy profile is a named subset of policy settings. This subset is distributed on target devices together with the policy, supplementing it under a specific condition called the profile activation condition. Profiles only contain settings that differ from the "basic" policy, which is active on the managed device.

   By using profile activation conditions, you can apply different policy profiles, for example, to the devices located in a specific unit or security group of Active Directory, having a specific hardware configuration, or marked with specific tags. Use tags to filter devices that meet specific criteria. For example, you can create a tag called Windows, mark all devices running Windows operating system with this tag, and then specify this tag as an activation condition for a policy profile. As a result, Kaspersky applications installed on all devices running Windows will be managed by their own policy profile.

   How-to instructions:

   • Creating a policy profile
   • Creating a policy profile activation rule
3. Propagating policies and policy profiles to the managed devices

   Kaspersky Security Center Cloud Console automatically synchronizes the Administration Server with the managed devices several times per hour. During the synchronization, the new or changed policies and policy profiles are propagated to the managed devices. You can circumvent auto-synchronization and run the synchronization manually by using the Force synchronization command. When synchronization is complete, the policies and policy profiles are delivered and applied to the installed Kaspersky applications.

   You can check whether the policies and policy profiles were delivered to a device. Kaspersky Security Center Cloud Console specifies the delivery date and time in the properties of the device.

   How-to instructions: Forced synchronization

Results

When the device-centric scenario is complete, the Kaspersky applications are configured according to the settings specified and propagated through the hierarchy of policies.

The configured application policies and policy profiles will be applied automatically to the new devices added to the administration groups.

Policy setup and propagation: User-centric approach

This section describes the scenario of user-centric approach to the centralized configuration of Kaspersky applications installed on the managed devices. When you complete this scenario, the applications will be configured on all of the managed devices in accordance with the application policies and policy profiles that you define.

You might also want to consider device-centric security management as an alternative or additional option to the user-centric approach. Learn more about two management approaches.

Process

The scenario of user-centric management of Kaspersky applications consists of the following steps:

1. Configuring application policies

   Configure settings for Kaspersky applications installed on the managed devices by creating a policy for each application. The set of policies will be propagated to the client devices.

   When you configure the protection of your network in quick start wizard, Kaspersky Security Center Cloud Console creates the default policy for Kaspersky Endpoint Security. If you completed the configuration process by using this wizard, you do not have to create a new policy for this application. Proceed to the manual setup of Kaspersky Endpoint Security policy.

   If you have a hierarchical structure of several administration groups, the child administration groups inherit the policies from the primary Administration Server by default. You can force the inheritance by the child groups to prohibit any modifications of the settings configured in the upstream policy. If you want only part of the settings to be forcibly inherited, you can lock them in the upstream policy. The remaining unlocked settings will be available for modification in the downstream policies. The created hierarchy of policies will allow you to effectively manage devices in the administration groups.

   How-to instructions: Creating a policy

2. Specifying owners of the devices

   Assign the managed devices to the corresponding users.

   How-to instructions: Assigning a user as a device owner

3. Defining user roles typical for your enterprise

   Think about different kinds of work that the employees of your enterprise typically perform. You must divide all employees in accordance with their roles. For example, you can divide them by departments, professions, or positions. After that you will need to create a user role for each group. Keep in mind that each user role will have its own policy profile containing application settings specific for this role.

4. Creating user roles

   Create and configure a user role for each group of employees that you defined at the previous step or use the predefined user roles. The user roles will contain set of rights of access to the application features.

   How-to instructions: Creating a user role

5. Defining the scope of each user role

   For each of the created user roles, define users and/or security groups and administration groups. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

   How-to instructions: Editing the scope of a user role

6. Creating policy profiles

   Create a policy profile for each user role in your enterprise. The policy profiles define which settings will be applied to the applications installed on users' devices depending on the role of each user.

   How-to instructions: Creating a policy profile

7. Associating policy profiles with the user roles

   Associate the created policy profiles with the user roles. After that: the policy profile becomes active for a user that has the specified role. The settings configured in the policy profile will be applied to the Kaspersky applications installed on the user's devices.

   How-to instructions: Associating policy profiles with roles

8. Propagating policies and policy profiles to the managed devices

   Kaspersky Security Center Cloud Console automatically synchronizes the Administration Server with the managed devices several times per hour. During the synchronization, the new or changed policies and policy profiles are propagated to the managed devices. You can circumvent auto-synchronization and run the synchronization manually by using the Force synchronization command. When synchronization is complete, the policies and policy profiles are delivered and applied to the installed Kaspersky applications.

   You can check whether the policies and policy profiles were delivered to a device. Kaspersky Security Center Cloud Console specifies the delivery date and time in the properties of the device.

   How-to instructions: Forced synchronization

Results

When the user-centric scenario is complete, the Kaspersky applications are configured according to the settings specified and propagated through the hierarchy of policies and policy profiles.

For a new user, you will have to create a new account, assign the user one of the created user roles, and assign the devices to the user. The configured application policies and policy profiles will be automatically applied to the devices of this user.

Network Agent policy settings

Expand all | Collapse all

To configure the Network Agent policy:

1. In the main menu, go to Assets (Devices) → Policies & profiles.
2. Click the name of the Network Agent policy.

   The properties window of the Network Agent policy opens.

See the comparison table detailing how the settings below apply depending on the type of operating system used.

General tab

On this tab you can modify the policy status and specify the inheritance of policy settings:

• In the Policy status block, you can select one of the policy modes:
  • Active
  • Inactive

    If this option is selected, the policy becomes inactive, but it is still stored in the Policies folder. If required, the policy can be activated.

• In the Settings inheritance settings group, you can configure the policy inheritance:
  • Inherit settings from parent policy

    If this option is enabled, the policy setting values are inherited from the upper-level group policy and, therefore, are locked.

    By default, this option is enabled.

  • Force inheritance of settings in child policies

    If this option is enabled, after policy changes are applied, the following actions will be performed:

    • The values of the policy settings will be propagated to the policies of administration subgroups, that is, to the child policies.
    • In the Settings inheritance block of the General section in the properties window of each child policy, the Inherit settings from parent policy option will be automatically enabled.

    If this option is enabled, the child policies settings are locked.

    By default, this option is disabled.

Event configuration tab

This tab allows you to configure event logging and event notification. Events are distributed according to importance level in the following sections on the Event configuration tab:

• Functional failure
• Warning
• Info

In each section, the event type list shows the types of events and the default event storage term on the Administration Server (in days). Clicking the Properties button lets you specify the settings of event logging and notifications about events selected in the list. By default, common notification settings specified for the entire Administration Server are used for all event types. However, you can change specific settings for required event types.

Application settings tab

Settings

In the Settings section, you can configure the Network Agent policy:

• Distribute files through distribution points only

  If this option is enabled, client devices receive updates through distribution points only, not directly from update servers.

  If this option is disabled, client devices can receive updates from various sources: directly from update servers and from a local or network folder.

  By default, this option is disabled.

• Maximum size of event queue, in MB
• Application is allowed to retrieve policy's extended data on device

  Network Agent installed on a managed device transfers information about the applied security application policy to the security application (for example, Kaspersky Endpoint Security for Windows). You can view the transferred information in the security application interface.

  Network Agent transfers the following information:

  • Time of the policy delivery to the managed device
  • Name of the active or out-of-office policy at the moment of the policy delivery to the managed device
  • Name and full path to the administration group that contained the managed device at the moment of the policy delivery to the managed device
  • List of active policy profiles

    You can use the information to ensure the correct policy is applied to the device and for troubleshooting purposes. By default, this option is disabled.

• Protect Network Agent service against unauthorized removal or termination, and prevent changes to the settings

  When this option is enabled, after Network Agent is installed on a managed device, the component cannot be removed or reconfigured without required privileges. The Network Agent service cannot be stopped. This option has no effect on domain controllers.

  Enable this option to protect Network Agent on workstations operated with local administrator rights.

  By default, this option is disabled.

• Use uninstallation password

  If this option is enabled, by clicking the Modify button you can specify the password for the klmover utility and Network Agent remote uninstallation.

  Note that the klmover utility is used only for moving managed devices under management of a virtual Administration Server.

  By default, this option is disabled.

Repositories

In the Repositories section, you can select the types of objects whose details will be sent from Network Agent to Administration Server. If modification of some settings in this section is prohibited by the Network Agent policy, you cannot modify these settings:

• Details of installed applications
• Include information about patches

  Information about patches of applications installed on client devices is sent to the Administration Server. Enabling this option may increase the load on the Administration Server and DBMS, as well as cause increased volume of the database.

  By default, this option is enabled. It is available only for Windows.

• Details of Windows Update updates

  If this option is enabled, information about Microsoft Windows Update updates that must be installed on client devices is sent to the Administration Server.

  Sometimes, even if the option is disabled, updates are displayed in the device properties in the Available updates section. This might happen if, for example, the devices of the organization had vulnerabilities that could be fixed by these updates.

  By default, this option is enabled. It is available only for Windows.

  Information about optional Microsoft Windows updates is not being sent to the Administration Server.

• Details of software vulnerabilities and corresponding updates

  If this option is enabled, information about vulnerabilities in third-party software (including Microsoft software), detected on managed devices, and about software updates to fix third-party vulnerabilities (not including Microsoft software) is sent to the Administration Server.

  Selecting this option (Details of software vulnerabilities and corresponding updates) increases the network load, Administration Server disk load, and Network Agent resource consumption.

  By default, this option is enabled. It is available only for Windows.

  To manage software updates of Microsoft software, use the Details of Windows Update updates option.

• Hardware registry details

Software updates and vulnerabilities

In the Software updates and vulnerabilities section, you can configure search of Windows updates, as well as enable scanning of executable files for vulnerabilities. The settings in the Software updates and vulnerabilities section are available only on devices running Windows:

• In the Windows Update search mode settings group, you can select the update search mode:
  • Active

    If this option is selected, Administration Server with support from Network Agent initiates a request from Windows Update Agent on the client device to the update source: Windows Update Servers or WSUS. Next, Network Agent passes information received from Windows Update Agent to Administration Server.

    The option takes effect only if Connect to the update server to update data option of the Find vulnerabilities and required updates task is selected.

    By default, this option is selected.

  • Passive

    If you select this option, Network Agent periodically passes Administration Server information about updates retrieved at the last synchronization of Windows Update Agent with the update source. If no synchronization of Windows Update Agent with an update source is performed, information about updates on Administration Server becomes out-of-date.

    Select this option if you want to get updates from the memory cache of the update source.

  • Disabled

    If this option is selected, Administration Server does not request any information about updates.

    Select this option if, for example, you want to test the updates on your local device first.

• Scan executable files for vulnerabilities when running them

  If this option is enabled, executable files are scanned for vulnerabilities when they are run.

  By default, this option is disabled.

Restart management

In the Restart management section, you can specify the action to be performed if the operating system of a managed device has to be restarted for correct use, installation, or uninstallation of an application:

• Do not restart the operating system

  Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

• Restart the operating system automatically, if necessary

  Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

• Prompt user for action

  The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

  By default, this option is selected.

  • Repeat the prompt every (min)

    If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

    By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

    If this option is disabled, the prompt is displayed only once.

  • Force restart after (min)

    After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

    By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

• Force closure of applications in blocked sessions

  Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

  If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

  If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

  By default, this option is disabled.

Windows Desktop Sharing

In the Windows Desktop Sharing section, you can enable and configure the audit of the administrator's actions performed on a remote device when desktop access is shared. The settings in the Windows Desktop Sharing section are available only on devices running Windows:

• Enable audit

  If this option is enabled, audit of the administrator's actions is enabled on the remote device. Records of the administrator's actions on the remote device are logged:

  • In the event log on the remote device
  • In a file with the syslog extension located in the Network Agent installation folder on the remote device
  • In the event database of Kaspersky Security Center Cloud Console

  Audit of the administrator's actions is available when the following conditions are met:

  • The Vulnerability and patch management license is in use
  • The administrator has the right to start shared access to the desktop of the remote device

  If this option is disabled, the audit of the administrator's actions is disabled on the remote device.

  By default, this option is disabled.

• Masks of files to monitor when read

  The list contains file masks. When the audit is enabled, the application monitors the administrator's reading files that match the masks and saves information about files read. The list is available if the Enable audit check box is selected. You can edit file masks and add new ones to the list. Each new file mask should be specified in the list on a new line.

  By default, the following file masks are specified:*.txt, *.rtf, *.doc, *.xls, *.docx, *.xlsx, *.odt, *.pdf.

• Masks of files to monitor when modified

  The list contains masks of files on the remote device. When audit is enabled, the application monitors changes made by the administrator in files that match masks, and saves information about those modifications. The list is available if the Enable audit check box is selected. You can edit file masks and add new ones to the list. Each new file mask should be specified in the list on a new line.

  By default, the following file masks are specified:*.txt, *.rtf, *.doc, *.xls, *.docx, *.xlsx, *.odt, *.pdf.

Manage patches and updates

In the Manage patches and updates section, you can configure download and distribution of updates, as well as installation of patches, on managed devices: enable or disable the Automatically install applicable updates and patches for components that have the Undefined status option.

Connectivity

The Connectivity section includes three subsections:

• Network
• Connection profiles
• Connection schedule

In the Network subsection, you can configure the connection to Administration Server, enable the use of a UDP port, and specify the UDP port number.

• In the Connection to Administration Server settings group, you can specify the following settings:
  • Compress network traffic

    If this option is enabled, the speed of data transfer by Network Agent is increased by means of a decrease in the amount of information being transferred and a consequent decreased load on the Administration Server.

    The workload on the CPU of the client computer may increase.

    By default, this check box is enabled.

  • Open Network Agent ports in Microsoft Windows Firewall

    If this option is enabled, the ports, necessary for the work of Network Agent, are added to the Microsoft Windows Firewall exclusion list.

    By default, this option is enabled.

  • Use the connection gateway on a distribution point (if available), under the default connection settings

    If this option is enabled, the connection gateway on the distribution point is used under the settings specified in the administration group properties.

    By default, this option is enabled.

• Use UDP port

  If you need Network Agent to connect to Administration Server through a UDP port, enable the Use UDP port option and specify a UDP port number. By default, this option is enabled. The default UDP port to connect to Administration Server is 15000.

• UDP port number

  In this field you can enter the UDP port number. The default port number is 15000.

  The decimal system is used for records.

  If the client device runs Windows XP Service Pack 2, the integrated firewall blocks UDP port 15000. This port should be opened manually.

• Use the distribution point to force a connection to Administration Server

  Select this option if you selected the Run push server option in the distribution point settings window. Otherwise, the distribution point will not act as a push server.

In the Connection profiles subsection, no new items can be added to the Administration Server connection profiles list so the Add button is inactive. The preset connection profiles cannot be modified, either.

In the Connection schedule subsection, you can specify the time intervals during which Network Agent sends data to the Administration Server:

• Connect when necessary
• Connect at specified time intervals

In the Connection schedule subsection, you can specify the time intervals during which Network Agent sends data to the Administration Server:

• Connect when necessary

  If this option is selected, the connection is established when Network Agent has to send data to the Administration Server.

  By default, this option is selected.

• Connect at specified time intervals

  If this option is selected, Network Agent connects to the Administration Server at a specified time. You can add several connection time periods.

Network polling by distribution points

In the Network polling by distribution points section, you can configure automatic polling of the network. The polling settings are available only on devices running Windows. You can use the following options to enable the polling and set its frequency:

• Windows network

  If this option is enabled, the distribution point automatically polls the network according to the schedule configured by clicking the Set quick polling schedule and Set full polling schedule links.

  If this option is disabled, the Administration Server does not poll the network.

  By default, this option is enabled.

• IP ranges

  If this option is enabled, the distribution point automatically polls IP ranges according to the schedule configured by clicking the Set polling schedule link.

  If this option is disabled, the distribution point does not poll IP ranges.

  By default, this option is disabled.

• Domain controllers

  If the option is enabled, the distribution point automatically polls domain controllers according to the schedule that you configured by clicking the Set polling schedule button.

  If this option is disabled, the distribution point does not poll domain controllers.

  The frequency of domain controller polling for Network Agent versions prior to 10.2 can be configured in the Poll interval (min) field. The field is available if this option is enabled.

  By default, this option is disabled.

Network settings for distribution points

In the Network settings for distribution points section, you can specify the internet access settings:

• Use proxy server
• Address
• Port number
• Bypass proxy server for local addresses

  If this option is enabled, no proxy server is used to connect to devices on the local network.

  By default, this option is disabled.

• Proxy server authentication

  If this check box is selected, in the entry fields you can specify the credentials for proxy server authentication.

  By default, this check box is cleared.

• User name
• Password

KSN Proxy (distribution points)

In the KSN Proxy (distribution points) section, you can configure the application to use the distribution point to forward KSN requests from the managed devices:

• Enable KSN Proxy on the distribution point side

  The KSN proxy service is run on the device that is used as a distribution point. Use this feature to redistribute and optimize traffic on the network.

  This feature is not supported by distribution point devices running Linux or macOS.

  The distribution point sends the KSN statistics, which are listed in the Kaspersky Security Network statement, to Kaspersky. By default, the KSN statement is located in %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center\ksneula.

  By default, this option is disabled. Enabling this option takes effect only if the I agree to use Kaspersky Security Network option is enabled in the Administration Server properties window.

  You can assign a node of an active-passive cluster to a distribution point and enable KSN proxy server on this node.

• Port

  The number of the TCP port that the managed devices will use to connect to KSN proxy server. The default port number is 13111.

• UDP port

  If you need Network Agent to connect to Administration Server through a UDP port, enable the Use UDP port option and specify a UDP port number. By default, this option is enabled. The default UDP port to connect to Administration Server is 15000.

Comparison of Network Agent policy settings by operating systems

The table below shows which Network Agent policy settings you can use to configure Network Agent with a specific operating system.

Network Agent policy settings: comparison by operating systems

Manual setup of the Kaspersky Endpoint Security policy

This section provides recommendations on how to configure the Kaspersky Endpoint Security policy. You can perform setup in the policy properties window. When you edit a setting, click the lock icon to the right of the relevant group of settings to apply the specified values to a workstation.

Configuring Kaspersky Security Network

Kaspersky Security Network (KSN) is the infrastructure of cloud services that has information about the reputation of files, web resources, and software. Kaspersky Security Network enables Kaspersky Endpoint Security for Windows to respond faster to different kinds of threats, enhances the performance of the protection components, and decreases the likelihood of false positives. For more information about Kaspersky Security Network, see the Kaspersky Endpoint Security for Windows Help.

You can configure the Kaspersky Security Network work in the policy properties window of Kaspersky Endpoint Security for Windows, in the Application settings → Advanced Threat Protection section.

To specify recommended KSN settings:

1. In the main menu, go to Assets (Devices) → Policies & profiles.
2. Click the policy of Kaspersky Endpoint Security for Windows.

   The properties window of the selected policy opens.

3. In the policy properties, go to Application settings → Advanced Threat Protection → Kaspersky Security Network.
4. Make sure that the Use Administration Server as a KSN proxy server option is enabled. Using this option helps to redistribute and optimize traffic on the network.

   If you use Managed Detection and Response, you must enable Kaspersky Security Network option for the distribution point and enable extended KSN mode.

5. Enable use of KSN servers if the KSN proxy service is not available. To do this, enable the Use Kaspersky Security Network servers if the KSN proxy server is unavailable option.

   KSN servers may be located either on the side of Kaspersky (when KSN is used) or on the side of third parties (when KPSN is used).

6. Click OK.

The recommended KSN settings are specified.

Checking the list of the networks protected by Firewall

Make sure that Kaspersky Endpoint Security for Windows Firewall protects all your networks. By default, Firewall protects networks with the following types of connection:

• Public network. Security applications, firewalls, or filters do not protect devices in such a network.
• Local network. Access to files and printers is restricted for devices in this network.
• Trusted network. Devices in such a network are protected from attacks and unauthorized access to files and data.

If you configured a custom network, make sure that Firewall protects it. For this purpose, check the list of the networks in the Kaspersky Endpoint Security for Windows policy properties. The list may not contain all the networks.

For more information about Firewall, see the Kaspersky Endpoint Security for Windows Help.

To check the list of networks:

1. In the main menu, go to Assets (Devices) → Policies & profiles.
2. Click the policy of Kaspersky Endpoint Security for Windows.

   The properties window of the selected policy opens.

3. In the policy properties, go to Application settings → Essential Threat Protection → Firewall.
4. Under Available networks, click the Network settings link.

   The Network connections window opens. This window displays the list of networks.

5. If the list has a missing network, add it.

Excluding software details from the Administration Server memory

We recommend that Administration Server does not save information about software modules that are started on the network devices. As a result, the Administration Server memory does not overrun.

You can disable saving this information in the Kaspersky Endpoint Security for Windows policy properties.

To disable saving information about installed software modules:

1. In the main menu, go to Assets (Devices) → Policies & profiles.
2. Click the policy of Kaspersky Endpoint Security for Windows.

   The properties window of the selected policy opens.

3. In the policy properties, go to Application settings → General Settings → Reports and Storage.
4. Under Data transfer to Administration Server, disable the About started applications check box if it is still enabled in the top-level policy.

   When this check box is selected, the Administration Server database saves information about all versions of all software modules on the networked devices. This information may require a significant amount of disk space in the Kaspersky Security Center Cloud Console database (dozens of gigabytes).

The information about installed software modules is no longer saved to the Administration Server database.

Configuring the registration of important policy events in the Administration Server database

To avoid the Administration Server database overflow, we recommend that you save only important events to the database. For the events that you consider unimportant, you can reduce the storage period or disable the storing.

To configure the event storage settings:

1. In the main menu, go to Assets (Devices) → Policies & profiles.
2. Click the name of the required policy.

   The properties window of the selected policy opens.

3. Go to the Event configuration tab, and then click the name of the event type for which you want to configure the registration in the database.
4. In the right pane that opens, do one of the following:
   • If you want to change the storage period for the event type, make sure that the Store in the Administration Server database for (days) toggle button is turned on, and then enter the required number of days for the event type to be stored.
   • If you do not want to store the event type in the in the Administration Server database, turn off the Store in the Administration Server database for (days) toggle button.
5. Click OK, and then after the right pane is closed, click the Save button.

The policy properties window is closed, and setting that you configured is applied.

Manual setup of the group update task for Kaspersky Endpoint Security

The optimal and recommended schedule option for Kaspersky Endpoint Security is When new updates are downloaded to the repository when the Use automatically randomized delay for task starts check box is selected.

Tasks

This section describes tasks used by Kaspersky Security Center Cloud Console.

About tasks

Kaspersky Security Center Cloud Console manages Kaspersky security applications installed on devices by creating and running tasks. Tasks are required for installing, launching, and stopping applications, scanning files, updating databases and software modules, and performing other actions on applications. Tasks can be performed on the Administration Server and on devices.

The following types of tasks are performed on devices:

• Local tasks—Tasks that are performed on a specific device

  Local tasks can be modified either by the administrator, who uses administration tools, or by the user of a remote device (for example, through the security application interface). If a local task has been modified simultaneously by the administrator and the user of a managed device, the changes made by the administrator will take effect because they have a higher priority.

• Group tasks—Tasks that are performed on all devices of a specific group

  Unless otherwise specified in the task properties, a group task also affects all subgroups of the selected group.

• Global tasks—Tasks that are performed on a set of devices, regardless of whether they are included in any group

For each application, you can create multiple group tasks, global tasks, or local tasks.

You can make changes to the settings of tasks, view the progress of tasks, and copy, export, import, and delete tasks.

A task is started on a device only if the application for which the task was created is running.

Execution results of tasks are saved in the OS event log on each device and in the Administration Server database.

Do not include private data in task settings. For example, avoid specifying the domain administrator password.

About task scope

The scope of a task is the set of devices on which the task is performed. The types of scope are as follows:

• For a local task, the scope is the device itself.
• For an Administration Server task, the scope is the Administration Server.
• For a group task, the scope is the list of devices included in the group.

When creating a global task, you can use the following methods to specify its scope:

• Specifying certain devices manually.

  You can use an IP address (or IP range), NetBIOS name, or DNS name as the device address.

• Importing a list of devices from a TXT file with the device addresses to be added (each address must be placed on an individual line).

  If you import a list of devices from a file or create a list manually, and if devices are identified by their names, the list can only contain devices for which information has already been entered into the Administration Server database. Moreover, the information must have been entered when those devices were connected or during device discovery.

• Specifying a device selection.

  Over time, the scope of a task changes as the set of devices included in the selection change. A selection of devices can be made on the basis of device attributes, including software installed on a device, and on the basis of tags assigned to devices. Device selection is the most flexible way to specify the scope of a task.

  Tasks for device selections are always run on a schedule by the Administration Server. These tasks cannot be run on devices that lack connection to the Administration Server. Tasks whose scope is specified by using other methods are run directly on devices and therefore do not depend on the device connection to the Administration Server.

Tasks for device selections are not run on the local time of a device; instead, they are run on the local time of the Administration Server. Tasks whose scope is specified by using other methods are run on the local time of a device.

Creating a task

You can create a task in the task list. Alternatively, you can select devices in the Managed devices list, and then create a new task assigned to the selected devices.

To create a task in the task list:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Click Add.

   The New task wizard starts. Follow its instructions.

3. If you want to modify the default task settings, enable the Open task details when creation is complete option on the Finish task creation page. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
4. Click the Finish button.

The task is created and displayed in the list of tasks.

To create a new task assigned to the selected devices:

In the main menu, go to Assets (Devices) → Managed devices.

The list of managed devices is displayed.

1. In the list of managed devices, select the check boxes next to the devices to run the task for them. You can use the search and filter functions to find the devices you're looking for.
2. Click the Run task button, and then select Create new task.

   The New task wizard starts.

   On the first step of the wizard, you can remove the devices selected to include in the task scope. Follow the wizard instructions.

3. Click the Finish button.

The task is created for the selected devices.

Viewing the task list

You can view the list of tasks that are created in Kaspersky Security Center Cloud Console.

To view the list of tasks,

In the main menu, go to Assets (Devices) → Tasks.

The list of tasks is displayed. The tasks are grouped by the names of applications to which they are related. For example, the Uninstall application remotely task is related to the Administration Server, and the Find vulnerabilities and required updates task refers to the Network Agent.

To view properties of a task,

Click the name of the task.

The task properties window is displayed with several named tabs. For example, the Task type is displayed on the General tab, and the task schedule—on the Schedule tab.

Starting a task manually

The application starts tasks according to the schedule settings specified in the properties of each task. You can start a task manually at any time from the task list. Alternatively, you can select devices in the Managed devices list, and then start an existing task for them.

To start a task manually:

1. In the main menu, go to Assets (Devices) → Tasks.
2. In the task list, select the check box next to the task that you want to start.
3. Click the Start button.

The task starts. You can check the task status in the Status column or by clicking the Result button.

Starting a task for selected devices

You can select one or more client devices in the list of devices, and then launch a previously created task for them. This allows you to run tasks created earlier for a specific set of devices.

This changes the devices to which the task was assigned to the list of devices that you select when you run the task.

To start a task for selected devices:

1. In the main menu, go to Assets (Devices) → Managed devices. The list of managed devices is displayed.

   In the list of managed devices, use the check boxes to select the devices to run the task for them. You can use the search and filter functions to find the devices you're looking for.

2. Click the Run task button, and then select Apply existing task.
   
   The list of the existing tasks is displayed.
3. The selected devices are displayed above the task list. If necessary, you can remove a device from this list. You can delete all but one device.
4. Select the desired task in the list. You can use the search box above the list to search for the desired task by name. Only one task can be selected.
5. Click Save and start task.

The selected task is immediately started for the selected devices. The scheduled start settings in the task are not changed.

General task settings and properties

Expand all | Collapse all

This section contains the settings that you can view and configure for most of your tasks. The list of settings available depends on the task you are configuring.

Settings specified during task creation

You can specify the following settings when creating a task. Some of these settings can also be modified in the properties of the created task.

• Devices to which the task will be assigned:
  • Assign task to an administration group

    The task is assigned to devices included in an administration group. You can specify one of the existing groups or create a new one.

    For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.

    If a task is assigned to an administration group, the Security tab is not displayed in the task properties window because group tasks are subject to the security settings of the groups to which they apply.

  • Specify device addresses manually or import addresses from a list

    The task is assigned to specific devices. You can specify devices by one of the following methods:

    • Specify the IP address, NetBIOS name, or DNS name of the device.
    • Specify the IP range.

      You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.

    • Select devices detected by the Administration Server, including unassigned devices.

      For example, you may want to use this option in a task of installing Network Agent on unassigned devices.

  • Assign task to a device selection

    The task is assigned to devices included in a device selection. You can specify one of the existing selections.

    For example, you may want to use this option to run a task on devices with a specific operating system version.

• Account settings:
  • Default account

    The task will be run under the same account as the application that performs this task.

    By default, this option is selected.

  • Specify account

    Fill in the Account and Password fields to specify the details of an account under which the task is run. The account must have sufficient rights for this task.

• Operating system restart settings:
  • Do not restart

    Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

  • Restart the device

    Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

  • Prompt user for action

    The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

    By default, this option is selected.

  • Repeat prompt every (min)

    If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

    By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

    If this option is disabled, the prompt is displayed only once.

  • Restart after (min)

    After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

    By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

  • Force closure of applications in blocked sessions

    Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

    If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

    If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

    By default, this option is disabled.

Settings specified after task creation

You can specify the following settings only after a task is created.

• Group task settings:
  • Distribute to subgroups

    This option is only available in the settings of the group tasks.

    When this option is enabled, the task scope includes:

    • The administration group that you selected while creating the task.
    • The administration groups subordinate to the selected administration group at any level down by the group hierarchy.

    When this option is disabled, the task scope includes only the administration group that you selected while creating the task.

    By default, this option is enabled.

  • Distribute to secondary and virtual Administration Servers

    When this option is enabled, the task that is effective on the primary Administration Server is also applied on the secondary Administration Servers (including virtual ones). If a task of the same type already exists on the secondary Administration Server, both tasks are applied on the secondary Administration Server—the existing one and the one that is inherited from the primary Administration Server.

    This option is only available when the Distribute to subgroups option is enabled.

    By default, this option is disabled.

• Task scheduling settings:
  • Start task setting:
    • Manually

      The task does not run automatically. You can only start it manually.

      By default, this option is selected.

    • Once

      The task runs once, on the specified date and time (by default, on the day when the task was created).

    • Immediately

      The task runs immediately after its settings are saved.

    • Every N minutes

      The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

      By default, the task runs every 30 minutes, starting from the current system time.

    • Every N hours

      The task runs regularly, with the specified interval in hours, starting from the specified date and time.

      By default, the task runs every 6 hours, starting from the current system date and time.

    • Every N days

      The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.

      By default, the task runs every day, starting from the current system date and time.

    • By days of week

      The task runs regularly, on the specified days of the week, at the specified time.

      By default, the task runs every Friday at 6:00:00 PM.

    • Monthly

      The task runs regularly, on the specified day of the month, at the specified time.

      In months that lack the specified day, the task runs on the last day.

      By default, the task runs on the first day of each month, at the current system time.

    • Every month on specified days of selected weeks

      The task runs regularly, on the specified days of each month, at the specified time.

      By default, no days of month are selected. The default start time is 18:00.

    • When new updates are downloaded to the repository

      When new updates are downloaded to the distribution point repositories, Kaspersky Security Center Cloud Console runs all tasks that have this schedule. Network Agent checks the availability of updates during periodic synchronization between the managed device and the Administration Server (the heartbeat).

      For example, you may want to use this schedule for the Update task related to a security application, such as Kaspersky Endpoint Security.

      If Network Agent on a managed device detects no new updates for 25 hours or longer, then Kaspersky Security Center Cloud Console runs on this device all tasks that have this schedule. These tasks are run every hour until new updates are detected. Kaspersky Security Center Cloud Console also runs these tasks every hour if there is no connection between the managed device and the distribution point that downloads updates to the repository.

    • On virus outbreak

      The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

      • Anti-virus for workstations and file servers
      • Anti-virus for perimeter defense
      • Anti-virus for mail systems

      By default, all application types are selected.

      You may want to run different tasks depending on the security application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

    • On completing another task

      The current task starts after another task completes. This parameter only works if both tasks are assigned to the same devices. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task as a triggering task.

      You have to select the triggering task from the table and the status with which this task must complete (Completed successfully or Failed).

      If necessary, you can search, sort, and filter the tasks in the table as follows:

      • Enter the task name in the search field, to search the task by its name.
      • Click the sort icon to sort the tasks by name.

        By default, the tasks are sorted in alphabetical ascending order.

      • Click the filter icon, and in the window that opens, filter the tasks by group, and then click the Apply button.

    The scheduling settings may depend on the local time zone of the device operating system.

    Correlation between the local time zone of the device operating system and the task start time

    Task schedule	Local time is used
    Once	No
    Every N minutes	No
    Every N hours	No
    Every N days	Yes
    By days of week	Yes
    Monthly	Yes
    Every month on specified days of selected weeks	Yes
    When new updates are downloaded to the repository	Another trigger for running the task (corresponds to the schedule name)
    On virus outbreak	Another trigger for running the task (corresponds to the schedule name)
    On completing another task	Another trigger for running the task (corresponds to the schedule name)
    Immediately	Another trigger for running the task (corresponds to the schedule name)
    Manually	Another trigger for running the task (corresponds to the schedule name)

  • Run missed tasks

    This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

    If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

    If this option is disabled, only scheduled tasks run on client devices. For Manually, Once and Immediately schedule, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

    By default, this option is disabled.

  • Use automatically randomized delay for task starts

    If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

    The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

    If this option is disabled, the task starts on client devices according to the schedule.

  • Use automatically randomized delay for task starts within an interval of

    If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

    If this option is disabled, the task starts on client devices according to the schedule.

    By default, this option is disabled. The default time interval is one minute.

  • Turn on devices by using the Wake-on-LAN function before starting the task

    The operating system on the device starts at the specified time before the task is started. The default time period is five minutes.

    Enable this option if you want the task to run on all of the client devices from the task scope, including those devices that are turned off when the task is about to start.

    If you want the device to be automatically turned off after the task is completed, enable the Shut down the devices after completing the task option. This option can be found in the same window.

    By default, this option is disabled.

  • Shut down the devices after completing the task

    For example, you may want to enable this option for an install update task that installs updates to client devices each Friday after business hours, and then turns off these devices for the weekend.

    By default, this option is disabled.

  • Stop the task if it runs longer than

    After the specified time period expires, the task is stopped automatically, whether it is completed or not.

    Enable this option if you want to interrupt (or stop) tasks that take too long to execute.

    By default, this option is disabled. The default task execution time is 120 minutes.

• Notifications:
  • Store task history block:
    • Save all events
    • Save events related to task progress
    • Save only task execution results
    • Store in the Administration Server database for (days)

      Application events related to execution of the task on all client devices from the task scope are stored on the Administration Server during the specified number of days. When this period elapses, the information is deleted from the Administration Server.

      By default, this option is enabled.

    • Store in the OS event log on device

      Application events related to execution of the task are stored locally in Windows Event Log of each client device.

      By default, this option is disabled.

  • Notify of errors only
  • Notify by email
• Task scope settings
• Exclusions from scope

  You can specify groups of devices to which the task is not applied. Groups to be excluded can only be subgroups of the administration group to which the task is applied.

• Revision history

Exporting a task

Kaspersky Security Center Cloud Console allows you to save a task and its settings to a KLT file. You can use this KLT file to import the saved task both to Kaspersky Security Center Windows and Kaspersky Security Center Linux.

To export a task:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Select the check box next to the task that you want to export.

   You cannot export multiple tasks at the same time. If you select more than one task, the Export button will be disabled. Administration Server tasks are also unavailable for export.

3. Click the Export button.
4. In the opened Save as window, specify the task file name and path. Click the Save button.

   The Save as window is displayed only if you use Google Chrome, Microsoft Edge, or Opera. If you use another browser, the task file is automatically saved in the Downloads folder.

Importing a task

Expand all | Collapse all

Kaspersky Security Center Cloud Console allows you to import a task from a KLT file. The KLT file contains the exported task and its settings.

To import a task:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Click the Import button.
3. Click the Browse button to choose a task file that you want to import.
4. In the opened window, specify the path to the KLT task file, and then click the Open button. Note that you can select only one task file.

   The task processing starts.

5. After the task is processed successfully, select the devices to which you want to assign the task. To do this, select one of the following options:
   • Assign task to an administration group

     The task is assigned to devices included in an administration group. You can specify one of the existing groups or create a new one.

     For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.

     If a task is assigned to an administration group, the Security tab is not displayed in the task properties window because group tasks are subject to the security settings of the groups to which they apply.

   • Specify device addresses manually or import addresses from a list

     You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.

     You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.

   • Assign task to a device selection

     The task is assigned to devices included in a device selection. You can specify one of the existing selections.

     For example, you may want to use this option to run a task on devices with a specific operating system version.

6. Specify the task scope.
7. Click the Complete button to finish the task import.

The notification with the import results appears. If the task is imported successfully, you can click the Details link to view the task properties.

After a successful import, the task is displayed in the task list. The task settings and schedule are also imported. The task will be started according to its schedule.

If the newly imported task has an identical name to an existing task, the name of the imported task is expanded with the (<next sequence number>) index, for example: (1), (2).

Viewing task run results stored on the Administration Server

Kaspersky Security Center Cloud Console allows you to view the results for group tasks, tasks for specific devices, and Administration Server tasks.

To view the task results:

1. In the task properties window, select the General section.
2. Click the Results link to open the Task results window.

Managing client devices

Kaspersky Security Center Cloud Console allows you to manage client devices:

• View settings and statuses of managed devices, including clusters and server arrays.
• Configure distribution points.
• Manage tasks.

You can use administration groups to combine client devices in a set that can be managed as a single unit. A client device can be included in only one administration group. Devices can be allocated to a group automatically based on Rule conditions:

• Creating device moving rules.
• Copying device moving rules.
• Conditions for a device moving rule.

You can use device selections to filter devices based on a condition. You can also tag devices for creating selections, for finding devices, and for distributing devices among administration groups.

Settings of a managed device

Expand all | Collapse all

To view the settings of a managed device:

1. In the main menu, go to Assets (Devices) → Managed devices.

   The list of managed devices is displayed.

2. In the list of managed devices, click the link with the name of the required device.

The properties window of the selected device is displayed.

The following tabs are displayed in the upper part of the properties window representing the main groups of the settings:

• General

  This tab comprises the following sections:

  • The General section displays general information about the client device. Information is provided on the basis of data received during the last synchronization of the client device with the Administration Server:
    • Name

      In this field, you can view and modify the client device name in the administration group.

    • Description

      In this field, you can enter an additional description for the client device.

    • Device status

      Status of the client device assigned on the basis of the criteria defined by the administrator for the status of anti-virus protection on the device and the activity of the device on the network.

    • Device owner

      Name of the device owner. You can assign or remove a user as a device owner by clicking the Manage device owner link.

    • Full group name

      Administration group, which includes the client device.

    • Last update of anti-virus databases

      Date the anti-virus databases or applications were last updated on the device.

    • Connected to Administration Server

      Date and time Network Agent installed on the client device last connected to the Administration Server.

    • Last visible

      Date and time the device was last visible on the network.

    • Network Agent version

      Version of the installed Network Agent.

    • Created

      Date of the device creation within Kaspersky Security Center Cloud Console.

    • Do not disconnect from the Administration Server

      If this option is enabled, continuous connectivity between the managed device and the Administration Server is maintained. You may want to use this option if you are not using push servers, which provide such connectivity.

      If this option is disabled and push servers are not in use, the managed device only connects to the Administration Server to synchronize data or to transmit information.

      The maximum total number of devices with the Do not disconnect from the Administration Server option selected is 300.

      This option is disabled by default on managed devices. This option is enabled by default on the device where the Administration Server is installed and stays enabled even if you try to disable it.

  • The Network section displays the following information about the network properties of the client device:
    • IP address

      Device IP address.

    • Windows domain

      Windows domain or workgroup, which contains the device.

    • DNS name

      Name of the DNS domain of the client device.

    • NetBIOS name

      Windows network name of the client device.

    • IPv6 address
  • The System section provides information about the operating system installed on the client device:
    • Operating system
    • CPU architecture
    • Operating system vendor
    • Operating system folder
    • Device name
    • Virtual machine type

      The virtual machine manufacturer.

    • Dynamic virtual machine as part of VDI

      This row displays whether the client device is a dynamic virtual machine as part of VDI.

    • Operating system build
  • The Protection section provides the following information about the current status of anti-virus protection on the client device:
    • Visible

      Visibility status of the client device.

    • Device status

      Status of the client device assigned on the basis of the criteria defined by the administrator for the status of anti-virus protection on the device and the activity of the device on the network.

    • Status description

      Status of the client device protection and connection to Administration Server.

    • Protection status

      This field shows the current status of real-time protection on the client device.

      When the status changes on the device, the new status is displayed in the device properties window only after the client device is synchronized with the Administration Server.

    • Last full scan

      Date and time the last malware scan was performed on the client device.

    • Virus detected

      Total number of threats detected on the client device since installation of the security application (first scan), or since the last reset of the threat counter.

    • Objects that have failed disinfection

      Number of unprocessed files on the client device.

      This field ignores the number of unprocessed files on mobile devices.

    • Disk encryption status

      The current status of file encryption on the local drives of the device. For a description of the statuses, see the Kaspersky Endpoint Security for Windows Help.

  • The Device status defined by application section provides information about the device status that is defined by the managed application installed on the device. This device status can differ from the one defined by Kaspersky Security Center Cloud Console.
• Applications

  This tab lists all Kaspersky applications installed on the client device.This tab contains the Start and Stop buttons that allow you to start and stop the selected Kaspersky application (excluding Network Agent). You can use these buttons if port 15000 UDP is available on the managed device for receipt push-notifications from Administration Server. If the managed device is unavailable for push-notifications, but the mode of continuous connection to Administration Server is enabled (the Do not disconnect from the Administration Server option in the General section is enabled), the Start and Stop buttons are available too. Otherwise, when you try to start or stop the application, an error message is displayed. Also you can click the application name to view general information about the application, a list of events that have occurred on the device, and the application settings.

• Active policies and policy profiles

  This tab lists the policies and policy profiles that are currently assigned to the managed device.

• Tasks

  On the Tasks tab, you can manage client device tasks: view the list of existing tasks, create new ones, remove, start and stop tasks, modify their settings, and view execution results. The list of tasks is provided based on data received during the last session of client synchronization with the Administration Server. The Administration Server requests the task status details from the client device. If port 15000 UDP is available on the managed device for receipt push-notifications from Administration Server, the task status is displayed and buttons for managing the task are enabled. If the managed device is unavailable for push-notifications, but the mode of continuous connection to Administration Server is enabled (the Do not disconnect from the Administration Server option in the General section is enabled), the actions with tasks are available too.

  If connection is not established, the status is not displayed and buttons are disabled.

• Events

  The Events tab displays events logged on the Administration Server for the selected client device.

• Security issues

  In the Security issues tab, you can view, edit, and create security issues for the client device. Security issues can be created either automatically, through managed Kaspersky applications installed on the client device, or manually by the administrator. For example, if some users regularly move malware from their removable drives to devices, the administrator can create a security issue. The administrator can provide a brief description of the case and recommended actions (such as disciplinary actions to be taken against a user) in the text of the security issue, and can add a link to the user or users.

  A security issue for which all of the required actions have been taken is called processed. The presence of unprocessed security issues can be chosen as the condition for a change of the device status to Critical or Warning.

  This section contains a list of security issues that have been created for the device. Security issues are classified by severity level and type. The type of a security issue is defined by the Kaspersky application, which creates the security issue. You can highlight processed security issues in the list by selecting the check box in the Processed column.

• Tags

  In the Tags tab, you can manage the list of keywords that are used for finding client devices: view the list of existing tags, assign tags from the list, configure auto-tagging rules, add new tags and rename old tags, and remove tags.

• Advanced

  This tab comprises the following sections:

  • Applications registry. In this section, you can view the registry of applications installed on the client device and their updates; you can also set up the display of the applications registry.

    Information about installed applications is provided if Network Agent installed on the client device sends required information to the Administration Server. You can configure sending of information to the Administration Server in the properties window of Network Agent or its policy, in the Repositories section.

    Clicking an application name opens a window that contains the application details and a list of the update packages installed for the application.

  • Executable files. This section displays executable files found on the client device.
  • Distribution points. This section provides a list of distribution points with which the device interacts.
    • Export to file

      Click the Export to file button to save to a file a list of distribution points with which the device interacts. By default, the application exports the list of devices to a CSV file.

    • Properties

      Click the Properties button to view and configure the distribution point with which the device interacts.

  • Hardware registry. In this section, you can view information about hardware installed on the client device.

    If Network Agent is installed on a device running Windows, it sends to the Administration Server the following information about the device hardware:

    • RAM
    • Mass storage devices
    • Motherboard
    • CPU
    • Network adapters
    • Monitors
    • Video adapter
    • Sound card

    If Network Agent is installed on a device running Linux or macOS, it sends to the Administration Server the following information about the device hardware, if this information is provided by the operating system:

    • Total RAM volume
    • Total volume of mass storage devices
    • Motherboard
    • CPU
    • Network adapters
  • Available updates. This section displays a list of software updates found on this device but not installed yet.
  • Software vulnerabilities. This section provides information about vulnerabilities in third-party applications installed on client devices.

    To save the vulnerabilities to a file, select the check boxes next to the vulnerabilities that you want to save, and then click the Export to CSV button or Export to TXT button.

    The section contains the following settings:

    • Show only vulnerabilities that can be fixed

      If this option is enabled, the section displays vulnerabilities that can be fixed by using a patch.

      If this option is disabled, the section displays both vulnerabilities that can be fixed by using a patch, and vulnerabilities for which no patch has been released.

      By default, this option is enabled.

    • Vulnerability properties

      Click a software vulnerability name in the list to view the properties of the selected software vulnerability in a separate window. In the window, you can do the following:

      • Ignore software vulnerability on this managed device (in Administration Console or in Kaspersky Security Center Cloud Console).
      • View the list of recommended fixes for the vulnerability.
      • Manually specify the software updates to fix the vulnerability (in Administration Console or in Kaspersky Security Center Cloud Console).
      • View vulnerability instances.
      • View the list of existing tasks to fix vulnerability and create new tasks to fix vulnerability.

  • Remote diagnostics. In this section, you can perform remote diagnostics of client devices.

Device selections

Device selections are a tool for filtering devices according to specific conditions. You can use device selections to manage several devices: for example, to view a report about only these devices or to move all of these devices to another group.

Kaspersky Security Center Cloud Console provides a broad range of predefined selections (for example, Devices with Critical status, Protection is disabled, Active threats are detected). Predefined selections cannot be deleted. You can also create and configure additional user-defined selections.

In user-defined selections, you can set the search scope and select all devices, managed devices, or unassigned devices. Search parameters are specified in the conditions. In the device selection you can create several conditions with different search parameters. For example, you can create two conditions and specify different IP ranges in each of them. If several conditions are specified, a selection displays the devices that meet any of the conditions. By contrast, search parameters within a condition are superimposed. If both an IP range and the name of an installed application are specified in a condition, only those devices will be displayed where both the application is installed and the IP address belongs to the specified range.

Viewing the device list from a device selection

Kaspersky Security Center Cloud Console allows you to view the list of devices from a device selection.

To view the device list from the device selection:

1. In the main menu, go to the Assets (Devices) → Device selections or Discovery & deployment → Device selections section.
2. In the selection list, click the name of the device selection.

   The page displays a table with information about the devices included in the device selection.

3. You can group and filter the data of the device table as follows:
   • Click the settings icon (), and then select the columns to be displayed in the table.
   • Click the filter icon (), and then specify and apply the filter criterion in the invoked menu.

     The filtered table of devices is displayed.

You can select one or several devices in the device selection and click the New task button to create a task that will be applied to these devices.

To move the selected devices of the device selection to another administration group, click the Move to group button, and then select the target administration group.

Creating a device selection

To create a device selection:

1. In the main menu, go to Assets (Devices) → Device selections.

   A page with a list of device selections is displayed.

2. Click the Add button.

   The Device selection settings window opens.

3. Enter the name of the new selection.
4. Specify the group that contains the devices to be included in the device selection:
   • Find any devices—Searching for devices that meet the selection criteria and included in the Managed Devices or Unassigned devices group.
   • Find managed devices—Searching for devices that meet the selection criteria and included in the Managed Devices group.
   • Find unassigned devices—Searching for devices that meet the selection criteria and included in the Unassigned devices group.

   You can enable the Include data from secondary Administration Servers check box to enable searching for devices that meet the selection criteria and managed by secondary Administration Servers.

5. Click the Add button.
6. In the window that opens, specify conditions that must be met for including devices in this selection, and then click the OK button.
7. Click the Save button.

The device selection is created and added to the list of device selections.

Configuring a device selection

Expand all | Collapse all

To configure a device selection:

1. In the main menu, go to Assets (Devices) → Device selections.

   A page with a list of device selections is displayed.

2. Select the relevant user-defined device selection, and click the Properties button.

   The Device selection settings window opens.

3. On the General tab, click the New condition link.
4. Specify conditions that must be met for including devices in this selection.
5. Click the Save button.

The settings are applied and saved.

Below are descriptions of the conditions for assigning devices to a selection. Conditions are combined by using the OR logical operator: the selection will contain devices that comply with at least one of the listed conditions.

General

In the General section, you can change the name of the selection condition and specify whether that condition must be inverted:

Invert selection condition

Network infrastructure

In the Network subsection, you can specify the criteria that will be used to include devices in the selection according to their network data:

• Device name

  Windows network name (NetBIOS name) of the device, or the IPv4 or IPv6 address.

• Domain

  Displays all devices included in the specified Windows domain.

• Administration group

  Displays devices included in the specified administration group.

• Description

  Text in the device properties window: In the Description field of the General section.

  To describe text in the Description field, you can use the following characters:

  • Within a word:
    • *. Replaces any string with any number of characters.

    Example:

    To describe words such as Server or Server's, you can enter Server*.

    • ?. Replaces any single character.

    Example:

    To describe words such as Window or Windows, you can enter Windo?.

    Asterisk (*) or question mark (?) cannot be used as the first character in the query.

  • To find several words:
    • Space. Displays all the devices whose descriptions contain any of the listed words.

    Example:

    To find a phrase that contains Secondary or Virtual words, you can include Secondary Virtual line in your query.

    • +. When a plus sign precedes a word, all search results will contain this word.

    Example:

    To find a phrase that contains both Secondary and Virtual, enter the +Secondary+Virtual query.

    • -. When a minus sign precedes a word, no search results will contain this word.

    Example:

    To find a phrase that contains Secondary and does not contain Virtual, enter the +Secondary-Virtual query.

    • "<some text>". Text enclosed in quotation marks must be present in the text.

    Example:

    To find a phrase that contains Secondary Server word combination, you can enter "Secondary Server" in the query.

• IP range

  If this option is enabled, you can enter the initial and final IP addresses of the IP range in which the relevant devices must be included.

  By default, this option is disabled.

• Managed by a different Administration Server

  Select one of the following values:

  • Yes. A device moving rule only applies to client devices managed by other Administration Servers. These Servers are different from the Server on which you configure the device moving rule.
  • No. The device moving rule only applies to client devices managed by the current Administration Server.
  • No value is selected. The condition does not apply.

In the Active Directory subsection, you can configure criteria for including devices into a selection based on their Active Directory data:

• Device is in an Active Directory organizational unit

  If this option is enabled, the selection includes devices from the Active Directory organizational unit specified in the entry field.

  By default, this option is disabled.

• Include child organizational units

  If this option is enabled, the selection includes devices from all child organizational units of the specified Active Directory organizational unit.

  By default, this option is disabled.

• This device is a member of an Active Directory group

  If this option is enabled, the selection includes devices from the Active Directory group specified in the entry field.

  By default, this option is disabled.

In the Network activity subsection, you can specify the criteria that will be used to include devices in the selection according to their network activity:

• Acts as a distribution point

  In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

  • Yes. The selection includes devices that act as distribution points.
  • No. Devices that act as distribution points are not included in the selection.
  • No value is selected. The criterion will not be applied.
• Do not disconnect from the Administration Server

  In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

  • Enabled. The selection will include devices on which the Do not disconnect from the Administration Server check box is selected.
  • Disabled. The selection will include devices on which the Do not disconnect from the Administration Server check box is cleared.
  • No value is selected. The criterion will not be applied.
• Connection profile switched

  In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

  • Yes. The selection will include devices that connected to the Administration Server after the connection profile was switched.
  • No. The selection will not include devices that connected to the Administration Server after the connection profile was switched.
  • No value is selected. The criterion will not be applied.
• Last connected to Administration Server

  You can use this check box to set a search criterion for devices according to the time they last connected to the Administration Server.

  If this check box is selected, in the entry fields you can specify the time interval (date and time) during which the last connection was established between Network Agent installed on the client device and the Administration Server. The selection will include devices that fall within the specified interval.

  If this check box is cleared, the criterion will not be applied.

  By default, this check box is cleared.

• New devices detected by network poll

  Searches for new devices that have been detected by network polling over the last few days.

  If this option is enabled, the selection only includes new devices that have been detected by device discovery over the number of days specified in the Detection period (days) field.

  If this option is disabled, the selection includes all devices that have been detected by device discovery.

  By default, this option is disabled.

• Device is visible

  In the drop-down list, you can set up the criterion for including devices in the selection when performing search:

  • Yes. The application includes in the selection devices that are currently visible in the network.
  • No. The application includes in the selection devices that are currently invisible in the network.
  • No value is selected. The criterion will not be applied.

In the Cloud segments subsection, you can configure criteria for including devices in a selection according to their respective cloud segments:

• Device is in a cloud segment

  If this option is enabled, you can choose devices from the AWS, Azure, and Google cloud segments.

  If the Include child objects option is also enabled, the search is run on all child objects of the selected segment.

  Search results include only devices from the selected segment.

• Device discovered by using the API

  In the drop-down list, you can select whether a device is detected by API tools:

  • Yes. The device is detected by using the AWS, Azure, or Google API.
  • No. The device cannot be detected by using the AWS, Azure, or Google API. That is, the device is either outside the cloud environment or it is in the cloud environment but it cannot be detected by using an API.
  • No value. This condition does not apply.

Device statuses

In the Managed device status subsection, you can configure criteria for including devices into a selection based on the description of the devices status from a managed application:

• Device status

  Drop-down list in which you can select one of the device statuses: OK, Critical, or Warning.

• Real-time protection status

  Drop-down list, in which you can select the real-time protection status. Devices with the specified real-time protection status are included in the selection.

• Device status description

  In this field, you can select the check boxes next to conditions that, if met, assign one of the following statuses to the device: OK, Critical, or Warning.

In the Status of components in managed applications subsection, you can configure criteria for including devices in a selection according to the statuses of components in managed applications:

• Data Leakage Prevention status

  Search for devices by the status of Data Leakage Prevention (Unknown, Stopped, Starting, Paused, Running, Failed).

• Collaboration servers protection status

  Search for devices by the status of server collaboration protection (Unknown, Stopped, Starting, Paused, Running, Failed).

• Anti-virus protection status of mail servers

  Search for devices by the status of Mail Server protection (Unknown, Stopped, Starting, Paused, Running, Failed).

• Endpoint Sensor status

  Search for devices by the status of the Endpoint Sensor component (Unknown, Stopped, Starting, Paused, Running, Failed).

In the Status-affecting problems in managed applications subsection, you can specify the criteria that will be used to include devices in the selection according to the list of possible problems detected by a managed application. If at least one problem that you select exists on a device, the device will be included in the selection. When you select a problem listed for several applications, you have the option to select this problem in all of the lists automatically.

You can select check boxes for descriptions of statuses from the managed application; upon receipt of these statuses, the devices will be included in the selection. When you select a status listed for several applications, you have the option to select this status in all of the lists automatically.

System details

In the Operating system section, you can specify the criteria that will be used to include devices in the selection according to their operating system type.

• Platform type

  If the check box is selected, you can select an operating system from the list. Devices with the specified operating systems installed are included in the search results.

• Operating system service pack version

  In this field, you can specify the package version of the operating system (in the X.Y format), which will determine how the moving rule is applied to the device. By default, no version value is specified.

• Operating system bit size

  In the drop-down list, you can select the architecture for the operating system, which will determine how the moving rule is applied to the device (Unknown, x86, AMD64, or IA64). By default, no option is selected in the list so that the operating system's architecture is not defined.

• Operating system build

  This setting is applicable to Windows operating systems only.

  The build number of the operating system. You can specify whether the selected operating system must have an equal, earlier, or later build number. You can also configure searching for all build numbers except the specified one.

• Operating system release number

  This setting is applicable to Windows operating systems only.

  The release identifier (ID) of the operating system. You can specify whether the selected operating system must have an equal, earlier, or later release ID. You can also configure searching for all release ID numbers except the specified one.

In the Virtual machines section, you can set up the criteria to include devices in the selection according to whether these are virtual machines or part of virtual desktop infrastructure (VDI):

• This is a virtual machine

  In the drop-down list, you can select the following options:

  • Undefined.
  • No. Find devices that are not virtual machines.
  • Yes. Find devices that are virtual machines.
• Virtual machine type

  In the drop-down list, you can select the virtual machine manufacturer.

  This drop-down list is available if the Yes or Not important value is selected in the This is a virtual machine drop-down list.

• Part of Virtual Desktop Infrastructure

  In the drop-down list, you can select the following options:

  • Undefined.
  • No. Find devices that are not part of Virtual Desktop Infrastructure.
  • Yes. Find devices that are part of the Virtual Desktop Infrastructure (VDI).

In the Hardware registry subsection, you can configure criteria for including devices into a selection based on their installed hardware:

Ensure that the lshw utility is installed on Linux devices from which you want to fetch hardware details. Hardware details fetched from virtual machines may be incomplete depending on the hypervisor used.

• Device

  In the drop-down list, you can select a unit type. All devices with this unit are included in the search results.

  The field supports the full-text search.

• Vendor

  In the drop-down list, you can select the name of a unit manufacturer. All devices with this unit are included in the search results.

  The field supports the full-text search.

• Device name

  Name of the device in the Windows network. The device with the specified name is included in the selection.

• Description

  Description of the device or hardware unit. Devices with the description specified in this field are included in the selection.

  A device's description in any format can be entered in the properties window of that device. The field supports the full-text search.

• Device vendor

  Name of the device manufacturer. Devices produced by the manufacturer specified in this field are included in the selection.

  You can enter the manufacturer's name in the properties window of a device.

• Serial number

  All hardware units with the serial number specified in this field will be included in the selection.

• Inventory number

  Equipment with the inventory number specified in this field will be included in the selection.

• User

  All hardware units of the user specified in this field will be included in the selection.

• Location

  Location of the device or hardware unit (for example, at the HQ or a branch office). Computers or other devices that are deployed at the location specified in this field will be included in the selection.

  You can describe the location of a device in any format in the properties window of that device.

• CPU clock rate, in MHz, from

  The minimum clock rate of a CPU. Devices with a CPU that matches the clock rate range specified in the entry fields (inclusive) will be included in the selection.

• CPU clock rate, in MHz, to

  The maximum clock rate of a CPU. Devices with a CPU that matches the clock rate range specified in the entry fields (inclusive) will be included in the selection.

• Number of virtual CPU cores, from

  The minimum number of virtual CPU cores. Devices with a CPU that matches the range of the virtual cores number specified in the entry fields (inclusive) will be included in the selection.

• Number of virtual CPU cores, to

  The maximum number of virtual CPU cores. Devices with a CPU that matches the range of the virtual cores number specified in the entry fields (inclusive) will be included in the selection.

• Hard drive volume, in GB, from

  The minimum volume of the hard drive on the device. Devices with a hard drive that matches the volume range specified in the entry fields (inclusive) will be included in the selection.

• Hard drive volume, in GB, to

  The maximum volume of the hard drive on the device. Devices with a hard drive that matches the volume range specified in the entry fields (inclusive) will be included in the selection.

• RAM size, in MB, from

  The minimum size of the device RAM. Devices with RAM that matches the size range specified in the entry fields (inclusive) will be included in the selection.

• RAM size, in MB, to

  The maximum size of the device RAM. Devices with RAM that matches the size range specified in the entry fields (inclusive) will be included in the selection.

Third-party software details

In the Applications registry subsection, you can set up the criteria to search for devices according to applications installed on them:

• Application name

  Drop-down list in which you can select an application. Devices on which the specified application is installed, are included in the selection.

• Application version

  Entry field in which you can specify the version of selected application.

• Vendor

  Drop-down list in which you can select the manufacturer of an application installed on the device.

• Application status

  A drop-down list in which you can select the status of an application (Installed, Not installed). Devices on which the specified application is installed or not installed, depending on the selected status, will be included in the selection.

• Find by update

  If this option is enabled, search will be performed using the details of updates for applications installed on the relevant devices. After you select the check box, the Application name, Application version, and Application status fields change to Update name, Update version, and Status respectively.

  By default, this option is disabled.

• Name of incompatible security application

  Drop-down list in which you can select third-party security applications. During the search, devices on which the specified application is installed, are included in the selection.

• Application tag

  In the drop-down list, you can select the application tag. All devices that have installed applications with the selected tag in the description are included in the device selection.

• Apply to devices without the specified tags

  If this option is enabled, the selection includes devices with descriptions that contain none of the selected tags.

  If this option is disabled, the criterion is not applied.

  By default, this option is disabled.

In the Vulnerabilities and updates subsection, you can specify the criteria that will be used to include devices in the selection according to their Windows Update source:

WUA is switched to Administration Server

Details of Kaspersky applications

In the Kaspersky applications subsection, you can configure criteria for including devices in a selection based on the selected managed application:

• Application name

  In the drop-down list, you can set a criterion for including devices in a selection when search is performed by the name of a Kaspersky application.

  The list provides only the names of applications with management plug-ins installed on the administrator's workstation.

  If no application is selected, the criterion will not be applied.

• Application version

  In the entry field, you can set a criterion for including devices in a selection when search is performed by the version number of a Kaspersky application.

  If no version number is specified, the criterion will not be applied.

• Critical update name

  A drop-down list in which you can select the status of an application (Installed, Not installed). Devices on which the specified application is installed or not installed, depending on the selected status, will be included in the selection.

  In the entry field, you can set a criterion for including devices in a selection when search is performed by application name or by update package number.

  If the field is left blank, the criterion will not be applied.

• Select the period of the last update of modules

  You can use this option to set a criterion for searching devices by time of the last update of modules of applications installed on those devices.

  If this check box is selected, in the entry fields you can specify the time interval (date and time) during which the last update of modules of applications installed on those devices was performed.

  If this check box is cleared, the criterion will not be applied.

  By default, this check box is cleared.

• Device is managed through Administration Server

  In the drop-down list, you can include in the selection the devices managed through Kaspersky Security Center Cloud Console:

  • Yes. The application includes in the selection devices managed through Kaspersky Security Center Cloud Console.
  • No. The application includes devices in the selection if they are not managed through Kaspersky Security Center Cloud Console.
  • No value is selected. The criterion will not be applied.
• Security application is installed

  In the drop-down list, you can include in the selection all devices with the security application installed:

  • Yes. The application includes in the selection all devices with the security application installed.
  • No. The application includes in the selection all devices with no security application installed.
  • No value is selected. The criterion will not be applied.

In the Anti-virus protection subsection, you can set up the criteria for including devices in a selection based on their protection status:

• Databases released

  If this option is selected, you can search for client devices by anti-virus database release date. In the entry fields you can set the time interval, on the basis of which the search is performed.

  By default, this option is disabled.

• Database records count

  If this option is enabled, you can search for client devices by number of database records. In the entry fields you can set the lower and upper threshold values for anti-virus database records.

  By default, this option is disabled.

• Last scanned

  If this check option is enabled, you can search for client devices by time of the last malware scan. In the entry fields you can specify the time period within which the last malware scan was performed.

  By default, this option is disabled.

• Threats detected

  Advanced Encryption Standard (AES) symmetrical block cipher algorithm. In the drop-down list, you can select the encryption key size (56-bit, 128-bit, 192-bit, or 256-bit).

  Available values: AES56, AES128, AES192, and AES256.

  If this option is enabled, you can search for client devices by number of viruses detected. In the entry fields you can set the lower and upper threshold values for the number of viruses found.

  By default, this option is disabled.

The Application components subsection contains the list of components of those applications that have corresponding management plug-ins installed in Kaspersky Security Center Cloud Console.

In the Application components subsection, you can specify criteria for including devices in a selection according to the statuses and version numbers of the components that refer to the application that you select:

• Status

  Search for devices according to the component status sent by an application to the Administration Server. You can select one of the following statuses: N/A, Stopped, Paused, Starting, Running, Failed, Not installed, Not supported by license. If the selected component of the application installed on a managed device has the specified status, the device is included in the device selection.

  Statuses sent by applications:

  • Stopped—The component is disabled and not working at the moment.
  • Paused—The component is suspended, for example, after the user has paused protection in the managed application.
  • Starting—The component is currently in the process of initialization.
  • Running—The component is enabled and working properly.
  • Failed—An error has occurred during the component operation.
  • Not installed—The user did not select the component for installation when configuring custom installation of the application.
  • Not supported by license—The license does not cover the selected component.

  Unlike other statuses, the N/A status is not sent by applications. This option shows that the applications have no information about the selected component status. For example, this can happen when the selected component does not belong to any of the applications installed on the device, or when the device is turned off.

• Version

  Search for devices according to the version number of the component that you select in the list. You can type a version number, for example 3.4.1.0, and then specify whether the selected component must have an equal, earlier, or later version. You can also configure searching for all versions except the specified one.

Tags

In the Tags section, you can configure criteria for including devices into a selection based on key words (tags) that were previously added to the descriptions of managed devices:

Apply if at least one specified tag matches

To add tags to the criterion, click the Add button, and select tags by clicking the Tag entry field. Specify whether to include or exclude the devices with the selected tags in the device selection.

• All devices that have this tag

  If this option is selected, the search results will display the devices whose descriptions contain the selected tag. To find devices, you can use the asterisk, which stands for any string with any number of characters.

  By default, this option is selected.

• All devices that do not have this tag

  If this option is selected, the search results will display the devices whose descriptions do not contain the selected tag. To find devices, you can use the asterisk, which stands for any string with any number of characters.

Users

In the Users section, you can set up the criteria to include devices in the selection according to the accounts of users who have logged in to the operating system.

• Last user who logged in to the system

  If this option is enabled, you can select the user account for configuring the criterion. Note that the user list is filtered and displays internal users. The search results will include devices on which the selected user performed the last login to the system.

• User who logged in to the system at least once

  If this option is enabled, you can select the user account for configuring the criterion. Note that the user list is filtered and displays internal users. The search results will include devices on which the specified user logged in to the system at least once.

Exporting the device list from a device selection

Kaspersky Security Center Cloud Console allows you to save information about devices from a device selection and export it as a CSV or a TXT file.

To export the device list from the device selection:

1. Open the table with the devices from the device selection.
2. Use one of the following ways to select the devices that you want to export:
   • To select particular devices, select the check boxes next to them.
   • To select all devices from the current table page, select the check box in the device table header, and then select the Select all on current page check box.
   • To select all devices from the table, select the check box in the device table header, and then select the Select all check box.

Click the Export to CSV or Export to TXT button. All information about the selected devices included in the table will be exported.

Note that if you applied a filter criterion to the device table, only the filtered data from the displayed columns will be exported.

Removing devices from administration groups in a selection

When working with a device selection, you can remove devices from administration groups right in this selection, without switching to the administration groups from which these devices must be removed.

To remove devices from administration groups:

1. In the main menu, go to Assets (Devices) → Device selections or Discovery & deployment → Device selections.
2. In the selection list, click the name of the device selection.

   The page displays a table with information about the devices included in the device selection.

3. Select the devices that you want to remove, and then click Delete.

   The selected devices are removed from their respective administration groups.

Viewing and configuring the actions when devices show inactivity

Expand all | Collapse all

If client devices within a group are inactive, you can get notifications about it. You can also automatically delete such devices.

To view or configure the actions when the devices in the group show inactivity:

1. In the main menu, go to Assets (Devices) → Hierarchy of groups.
2. Click the name of the required administration group.

   The administration group properties window opens.

3. In the properties window, go to the Settings tab.
4. In the Inheritance section, enable or disable the following options:
   • Inherit from parent group

     The settings in this section will be inherited from the parent group in which the client device is included. If this option is enabled, the settings under Device activity on the network are locked from any changes.

     This option is available only if the administration group has a parent group.

     By default, this option is enabled.

   • Force inheritance of settings in child groups

     The setting values will be distributed to child groups but in the properties of the child groups these settings are locked.

     By default, this option is disabled.

5. In the Device activity section, enable or disable the following options:
   • Notify the administrator if the device has been inactive for longer than (days)

     If this option is enabled, the administrator receives notifications about inactive devices. You can specify the time interval after which the Device has remained inactive on the network in a long time event is created. The default time interval is 7 days.

     By default, this option is enabled.

   • Remove the device from the group if it has been inactive for longer than (days)

     If this option is enabled, you can specify the time interval after which the device is automatically removed from the group. The default time interval is 60 days.

     By default, this option is enabled.

6. Click Save.

Your changes are saved and applied.

About device statuses

Kaspersky Security Center Cloud Console assigns a status to each managed device. The particular status depends on whether the conditions defined by the user are met. In some cases, when assigning a status to a device, Kaspersky Security Center Cloud Console takes into consideration the device's visibility flag on the network (see the table below). If Kaspersky Security Center Cloud Console does not find a device on the network within two hours, the visibility flag of the device is set to Not Visible.

The statuses are the following:

• Critical or Critical/Visible
• Warning or Warning/Visible
• OK or OK/Visible

The table below lists the default conditions that must be met to assign the Critical or Warning status to a device, with all possible values.

Conditions for assigning a status to a device

Kaspersky Security Center Cloud Console enables you to set up automatic switching of the status of a device in an administration group when specified conditions are met. When specified conditions are met, the client device is assigned one of the following statuses: Critical or Warning. When specified conditions are not met, the client device is assigned the OK status.

Different statuses may correspond to different values of one condition. For example, by default, if the Databases are outdated condition has the More than 3 days value, the client device is assigned the Warning status; if the value is More than 7 days, the Critical status is assigned.

When Kaspersky Security Center Cloud Console assigns a status to a device, for some conditions (see the Condition description column) the visibility flag is taken into consideration. For example, if a managed device was assigned the Critical status because the Databases are outdated condition was met, and later the visibility flag was set for the device, then the device is assigned the OK status.

Configuring the switching of device statuses

You can change conditions to assign the Critical or Warning status to a device.

To enable changing the device status to Critical:

1. In the main menu, go to Assets (Devices) → Hierarchy of groups.
2. In the list of groups that opens, click the link with the name of a group for which you want to change switching the device statuses.
3. In the properties window that opens, select the Device status tab.
4. In the left pane, select Critical.
5. In the right pane, in the Set to Critical if these are specified section, enable the condition to switch a device to the Critical status.

   You can change only settings that are not locked in the parent policy.

6. Select the radio button next to the condition in the list.
7. In the upper-left corner of the list, click the Edit button.
8. Set the required value for the selected condition.

   Values cannot be set for every condition.

9. Click OK.

When specified conditions are met, the managed device is assigned the Critical status.

To enable changing the device status to Warning:

1. In the main menu, go to Assets (Devices) → Hierarchy of groups.
2. In the list of groups that opens, click the link with the name of a group for which you want to change switching the device statuses.
3. In the properties window that opens, select the Device status tab.
4. In the left pane, select Warning.
5. In the right pane, in the Set to Warning if these are specified section, enable the condition to switch a device to the Warning status.

   You can change only settings that are not locked in the parent policy.

6. Select the radio button next to the condition in the list.
7. In the upper-left corner of the list, click the Edit button.
8. Set the required value for the selected condition.

   Values cannot be set for every condition.

9. Click OK.

When specified conditions are met, the managed device is assigned the Warning status.

Changing the Administration Server for client devices

Expand all | Collapse all

You can change the Administration Server that manages client devices to a different Server using the Change Administration Server task. After the task completion, the selected client devices will be put under the management of the Administration Server that you specify. You can switch the device management between the following Administration Servers:

• Primary Administration Server and one of its virtual Administration Servers
• Two virtual Administration Servers of the same primary Administration Server

To change the Administration Server that manages client devices to a different Server:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Click Add.

   The New task wizard starts. Proceed through the wizard by using the Next button.

3. At the New task settings step, specify the following settings:
   1. In the Application drop-down list, select Kaspersky Security Center Cloud Console.
   2. In the Task type field, select Change Administration Server.
   3. In the Task name field, specify the name for the task that you are creating.

      A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

   4. Select devices to which the task will be assigned:
      • Assign task to an administration group

        The task is assigned to devices included in an administration group. You can specify one of the existing groups or create a new one.

        For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.

        If a task is assigned to an administration group, the Security tab is not displayed in the task properties window because group tasks are subject to the security settings of the groups to which they apply.

      • Specify device addresses manually or import addresses from a list

        You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.

        You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.

      • Assign task to a device selection

        The task is assigned to devices included in a device selection. You can specify one of the existing selections.

        For example, you may want to use this option to run a task on devices with a specific operating system version.

4. At the Task scope step, specify an administration group, devices with specific addresses, or a device selection.
5. At the next step, confirm that you agree to the terms of changing the Administration Server for client devices.
6. At the next step, select the virtual Administration Server that you want to use to manage the selected devices.
7. At the Selecting an account to run the task step, specify the account settings:
   • Default account

     The task will be run under the same account as the application that performs this task.

     By default, this option is selected.

   • Specify account

     Fill in the Account and Password fields to specify the details of an account under which the task is run. The account must have sufficient rights for this task.

     • Account

       Account under which the task is run.

     • Password

       Password of the account under which the task will be run.

8. If on the Finish task creation page you enable the Open task details when creation is complete option, you can modify the default task settings.

   If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.

9. Click the Finish button.

   The task is created and displayed in the list of tasks.

10. Click the name of the created task to open the task properties window.
11. In the task properties window, specify the general task settings according to your needs.
12. Click the Save button.

    The task is created and configured.

13. Run the created task.

After the task is complete, the client devices for which it was created are put under the management of the Administration Server specified in the task settings.

Avoiding conflicts between multiple Administration Servers

If you have more than one Administration Server on your network, they can see the same client devices. This may result, for example, in remote installation of the same application to one and the same device from more than one Server and other conflicts. To avoid such a situation, Kaspersky Security Center Cloud Console allows you to prevent an application from being installed on a device managed by another Administration Server.

You can also use the Managed by a different Administration Server property as a criterion for the following purposes:

• Displaying managed devices
• Device selections
• Device moving rules
• Auto-tagging rules

Kaspersky Security Center Cloud Console uses heuristics to determine whether a client device is managed by the Administration Server you are working with or by a different Administration Server.

Creating Administration Server connection profiles

To allow out-of-office users to change the method of connecting Network Agent to Administration Server, you have to configure Administration Server connection profiles.

Connection profiles are supported only for devices running Windows and macOS.

To create a connection profile:

1. In the main menu, go to Assets (Devices), and do one of the following:
   • If you want to create a connection profile for a group of managed devices, click Policies & profiles, and then click Kaspersky Security Center Network Agent.
   • If you want to create a connection profile for a specific managed device, click Managed devices, and then click the name of the device. In the window that opens, go to the Applications tab, and then click Kaspersky Security Center Network Agent.

   The properties window of the Network Agent policy opens.

2. Go to the Application settings tab, and then go to the Connectivity section.
3. In the Connection profiles section, click the Settings button.

   The Administration Server connection profiles subsection displays the table of connection profiles.

   You cannot view, modify, or delete the Home Administration Server and Offline mode connection profiles.

4. Click the Add button, and then in the window that opens, specify the profile name.

   The name must be unique. You cannot use the same name for several profiles.

5. If necessary, select the check boxes in the following fields:
   • Enable out-of-office mode when Administration Server is not available.
   • Use proxy server.

     If you select this option, do the following:

     • Specify information in the Address and the Port number fields.
     • If necessary, select the Proxy server authentication check box, and then specify the user name and the password in the corresponding fields.
6. Click the Save button.

The new profile is displayed in the table of connection profiles. You can use it when configuring the Network location settings.

You can edit and delete connection profiles.

To edit a connection profile:

1. In the table of connection profiles click the name of the connection profile that you want to edit.
2. Make all necessary changes, and then click the Save button.

The changes are applied to the connection profile.

To delete a connection profile:

1. In the table of connection profiles select the check boxes next to the connection profiles that you want to delete.
2. Click the Delete button.

The selected connection profiles are deleted.

About clusters and server arrays

Kaspersky Security Center Cloud Console supports cluster technology. If Network Agent sends information to Administration Server confirming that an application installed on a client device is part of a server array, this client device becomes a cluster node.

If an administration group contains clusters or server arrays, the Managed devices page displays two tabs—one for individual devices, and one for clusters and server arrays. After the managed devices are detected as cluster nodes, the cluster is added as an individual object to the Clusters and server arrays tab.

The cluster or server array nodes are listed on the Devices tab, along with other managed devices. You can view properties of the nodes as individual devices and perform other operations, but you cannot delete a cluster node or move it to another administration group separately from its cluster. You can only delete or move an entire cluster.

You can perform the following operations with clusters or server arrays:

• View properties
• Move the cluster or server array to another administration group

  When you move a cluster or server array to another group, all of its nodes move with it, because a cluster and any of its nodes always belong to the same administration group.

• Delete

  It is reasonable to delete a cluster or server array only when the cluster or server array does not exist in the organization network any longer. If a cluster is still visible on your network and Network Agent and the Kaspersky security application are still installed on the cluster nodes, Kaspersky Security Center Cloud Console returns the deleted cluster and its nodes back to the list of managed devices automatically.

Properties of a cluster or server array

Expand all | Collapse all

To view the settings of a cluster or server array:

1. In the main menu, go to Assets (Devices) → Managed devices → Clusters and server arrays.

   The list of clusters and server arrays is displayed.

2. Click the name of the required cluster or server array.

The properties window of the selected cluster or server array is displayed.

General

The General section displays general information about the cluster or server array. Information is provided on the basis of data received during the last synchronization of the cluster nodes with the Administration Server:

• Name
• Description
• Windows domain

  Windows domain or workgroup, which contains the cluster or server array.

• NetBIOS name

  Windows network name of the cluster or server array.

• DNS name

  Name of the DNS domain of the cluster or server array.

Tasks

In the Tasks tab, you can manage the tasks assigned to the cluster or server array: view the list of existing tasks; create new ones; remove, start, and stop tasks; modify task settings; and view execution results. The listed tasks relate to the Kaspersky security application installed on the cluster nodes. Kaspersky Security Center Cloud Console receives the task list and the task status details from the cluster nodes. If a connection is not established, the status is not displayed.

Nodes

This tab displays a list of nodes included into the cluster or server array. You can click a node name to view the device properties window.

Kaspersky application

The properties window may also contain additional tabs with the information and settings related to the Kaspersky security application installed on the cluster nodes.

Device tags

Kaspersky Security Center Cloud Console enables you to tag devices. A tag is the label of a device that can be used for grouping, describing, or finding devices. Tags assigned to devices can be used for creating selections, for finding devices, and for distributing devices among administration groups.

You can tag devices manually or automatically. You may use manual tagging when you want to tag an individual device. Auto-tagging is performed by Kaspersky Security Center Cloud Console in accordance with the specified tagging rules.

Devices are tagged automatically when specified rules are met. An individual rule corresponds to each tag. Rules are applied to the network properties of the device, operating system, applications installed on the device, and other device properties. For example, if your network includes devices running Windows, Linux, and macOS, you can set up a rule that will assign the [Linux] tag to all Linux-based devices. Then, you can use this tag when creating a device selection; this will help you sort all Linux-based devices and assign them a task. A tag is automatically removed from a device in the following cases:

• When the device stops meeting conditions of the rule that assigns the tag.
• When the rule that assigns the tag is disabled or deleted.

The list of tags and the list of rules on each Administration Server are independent of all other Administration Servers, including a primary Administration Server or subordinate virtual Administration Servers. A rule is applied only to devices from the same Administration Server on which the rule is created.

Creating a device tag

To create a device tag:

1. In the main menu, go to Assets (Devices) → Tags → Device tags.
2. Click Add.

   A new tag window opens.

3. In the Tag field, enter the tag name.
4. Click Save to save the changes.

The new tag appears in the list of device tags.

Renaming a device tag

To rename a device tag:

1. In the main menu, go to Assets (Devices) → Tags → Device tags.
2. Click the name of the tag that you want to rename.

   A tag properties window opens.

3. In the Tag field, change the tag name.
4. Click Save to save the changes.

The updated tag appears in the list of device tags.

Deleting a device tag

To delete a device tag:

1. In the main menu, go to Assets (Devices) → Tags → Device tags.
2. In the list, select the device tag that you want to delete.
3. Click the Delete button.
4. In the window that opens, click Yes.

The device tag is deleted. The deleted tag is automatically removed from all of the devices to which it was assigned.

The tag that you have deleted is not removed automatically from auto-tagging rules. After the tag is deleted, it will be assigned to a new device only when the device first meets the conditions of a rule that assigns the tag.

The deleted tag is not removed automatically from the device if this tag is assigned to the device by an application or Network Agent. To remove the tag from your device, use the klscflag utility.

Viewing devices to which a tag is assigned

To view devices to which a tag is assigned:

1. In the main menu, go to Assets (Devices) → Tags → Device tags.
2. Click the View devices link next to the tag for which you want to view assigned devices.

   You will be redirected to the Managed devices section of the main menu, with the devices filtered by the tag for which you clicked the View devices link.

3. If you want to return to the list of device tags, click the Back button of your browser.

After you view the devices to which the tag is assigned, you can either create and assign a new tag or assign the existing tag to other devices. In this case, you have to remove the filter by tag, select the devices, and then assign the tag.

Viewing tags assigned to a device

To view tags assigned to a device:

1. In the main menu, go to Assets (Devices) → Managed devices.
2. Click the name of the device whose tags you want to view.
3. In the device properties window that opens, select the Tags tab.

The list of tags assigned to the selected device is displayed. In the Tag assigned column you can view how the tag was assigned.

You can assign another tag to the device or remove an already assigned tag. You can also view all device tags that exist on the Administration Server.

You can also view tags assigned to a device in the command line, by using the klscflag utility.

To view tags assigned to a device in the command line, run the following command:

klscflag -ssvget -pv 1103/1.0.0.0 -s KLNAG_SECTION_TAGS_INFO -n KLCONN_HOST_TAGS -svt ARRAY_T -ss "|ss_type = \"SS_PRODINFO\";"

Tagging devices manually

To assign a tag to a device:

1. View tags assigned to the device to which you want to assign another tag.
2. Click Add.
3. In the window that opens, do one of the following:
   • To create and assign a new tag, select Create new tag, and then specify the name of the new tag.
   • To select an existing tag, select Assign existing tag, and then select the necessary tag in the drop-down list.
4. Click OK to apply the changes.
5. Click Save to save the changes.

The selected tag is assigned to the device.

To assign a tag to several devices:

1. In the main menu, go to Assets (Devices) → Managed devices.
2. Select the devices to which you want to assign a tag.
3. Click Tags, and then select Assign from the drop-down list.
4. In the window that opens, select a tag from the drop-down list.

   If necessary, you can select several tags.

   You can also do the following:

   • Edit the name of a tag by clicking the Edit () icon.

     Specify the new name of the tag, and then click the Save button.

     Note that the tag will also be renamed in the list of device tags.

   • Delete a tag by clicking the Delete () icon.

     In the window that opens, click Delete.

     Note that the tag will also be deleted from the Administration Server.

5. Click the Save button.

The tags are assigned to the selected devices. You can remove the assigned tags.

Removing assigned tags from devices

The unassigned device tag is not deleted. If you want, you can delete it manually.

You cannot manually remove tags assigned to the device by applications or Network Agent. To remove these tags, use the klscflag utility.

To remove a tag from a device:

1. In the main menu, go to Assets (Devices) → Managed devices.
2. Click the name of the device whose tags you want to view.
3. In the device properties window that opens, select the Tags tab.
4. Select the check box next to the tag that you want to remove.
5. At the top of the list, click the Unassign tag? button.
6. In the window that opens, click Yes.

The tag is removed from the device.

To remove tags from several devices:

1. In the main menu, go to Assets (Devices) → Managed devices.
2. Select the devices whose tags you want to remove.
3. Click Tags, and then select Unassign from the drop-down list.
4. In the window that opens, select the check boxes next to the tags that you want to remove.

   The window displays all tags assigned to all the devices that you selected at step 2.

5. Click the Save button.

The tags are removed from the devices.

Viewing rules for tagging devices automatically

To view rules for tagging devices automatically,

Do any of the following:

• In the main menu, go to Assets (Devices) → Tags → Auto-tagging rules.
• In the main menu, go to Assets (Devices) → Tags → Device tags, and then click the Set up auto-tagging rules link.
• View tags assigned to a device and then click the Settings button.

The list of rules for auto-tagging devices appears.

Editing a rule for tagging devices automatically

To edit a rule for tagging devices automatically:

1. View rules for tagging devices automatically.
2. Click the name of the rule that you want to edit.

   A rule settings window opens.

3. Edit the general properties of the rule:
   1. In the Rule name field, change the rule name.

      The name cannot be more than 256 characters long.

   2. Do any of the following:
      • Enable the rule by switching the toggle button to Rule enabled.
      • Disable the rule by switching the toggle button to Rule disabled.
4. Do any of the following:
   • If you want to add a new condition, click the Add button, and specify the settings of the new condition in the window that opens.
   • If you want to edit an existing condition, click the name of the condition that you want to edit, and then edit the condition settings.
   • If you want to delete a condition, select the check box next to the name of the condition that you want to delete, and then click Delete.
5. Click OK in the conditions settings window.
6. Click Save to save the changes.

The edited rule is shown in the list.

Creating a rule for tagging devices automatically

To create a rule for tagging devices automatically:

1. View rules for tagging devices automatically.
2. Click Add.

   A new rule settings window opens.

3. Configure the general properties of the rule:
   1. In the Rule name field, enter the rule name.

      The name cannot be more than 256 characters long.

   2. Do one of the following:
      • Enable the rule by switching the toggle button to Rule enabled.
      • Disable the rule by switching the toggle button to Rule disabled.
   3. In the Tag field, enter the new device tag name or select one of the existing device tags from the list.

      The name cannot be more than 256 characters long.

4. In the conditions section, click the Add button to add a new condition.

   A new condition settings window open.

5. Enter the condition name.

   The name cannot be more than 256 characters long. The name must be unique within a rule.

6. Set up the triggering of the rule according to the following conditions. You can select multiple conditions.
   • Network—Network properties of the device, such as the device name on the Windows network, or device inclusion in a domain or an IP subnet.

     If case sensitive collation is set for the database that you use for Kaspersky Security Center Cloud Console, keep case when you specify a device DNS name. Otherwise, the auto-tagging rule will not work.

   • Applications—Presence of Network Agent on the device, operating system type, version, and architecture.
   • Virtual machines—Device belongs to a specific type of virtual machine.
   • Active Directory—Presence of the device in an Active Directory organizational unit and membership of the device in an Active Directory group.
   • Applications registry—Presence of applications of different vendors on the device.
7. Click OK to save the changes.

   If necessary, you can set multiple conditions for a single rule. In this case, the tag will be assigned to a device if it meets at least one condition.

8. Click Save to save the changes.

The newly created rule is enforced on devices managed by the selected Administration Server. If the settings of a device meet the rule conditions, the device is assigned the tag.

Later, the rule is applied in the following cases:

• Automatically and periodically, depending on the server workload
• After you edit the rule
• When you run the rule manually
• After the Administration Server detects a change in the settings of a device that meets the rule conditions or the settings of a group that contains such device

You can create multiple tagging rules. A single device can be assigned multiple tags if you have created multiple tagging rules and if the respective conditions of these rules are met simultaneously. You can view the list of all assigned tags in the device properties.

Running rules for auto-tagging devices

When a rule is run, the tag specified in properties of this rule is assigned to devices that meet conditions specified in properties of the same rule. You can run only active rules.

To run rules for auto-tagging devices:

1. View rules for tagging devices automatically.
2. Select check boxes next to active rules that you want to run.
3. Click the Run rule button.

The selected rules are run.

Deleting a rule for tagging devices automatically

To delete a rule for tagging devices automatically:

1. View rules for tagging devices automatically.
2. Select the check box next to the rule that you want to delete.
3. Click Delete.
4. In the window that opens, click Delete again.

The selected rule is deleted. The tag that was specified in properties of this rule is unassigned from all of the devices that it was assigned to.

The unassigned device tag is not deleted. If you want, you can delete it manually.

Quarantine and Backup

Kaspersky anti-virus applications installed on client devices may place files in Quarantine or Backup during device scan.

Quarantine is a special repository for storing files that are probably infected with viruses and files that cannot be disinfected at the time when they are detected.

Backup is designed for storing backup copies of files that have been deleted or modified during the disinfection process.

Kaspersky Security Center Cloud Console creates a summarized list of files placed in Quarantine or Backup by Kaspersky applications on the devices. Network Agents on client devices transmit information about the files in Quarantine and Backup to the Administration Server.

Kaspersky Security Center Cloud Console does not copy files from repositories to Administration Server. All files are stored in repositories on the devices.

Downloading a file from repositories

Kaspersky Security Center Cloud Console enables you to download copies of files that a security application placed in Quarantine or Backup on a client device. Files are copied to the destination that you specify.

You can download files only if one of the following conditions is met: the Do not disconnect from the Administration Server option is enabled in the settings of the device, a push server is in use, or a connection gateway is in use. Otherwise, downloading is not possible.

The maximum total number of devices with the Do not disconnect from the Administration Server option selected is 300.

To save a copy of file from Quarantine or Backup to a hard drive:

1. Do one of the following:
   • If you want to save a copy of file from Quarantine, in the main menu, go to Operations → Repositories → Quarantine.
   • If you want to save a copy of file from Backup, in the main menu, go to Operations → Repositories → Backup.
2. In the window that opens, select a file that you want to download and click Download.

The download starts. A copy of the file that had been placed in Quarantine on the client device is saved to the specified folder.

Deleting files from repositories

To delete a file from Quarantine or Backup:

1. Do one of the following:
   • If you want to save a copy of file from Quarantine, in the main menu, go to Operations → Repositories → Quarantine.
   • If you want to save a copy of file from Backup, in the main menu, go to Operations → Repositories → Backup.
2. In the window that opens, select a file that you want to delete and click Delete.
3. Confirm that you want to delete the file.

The security application on the client device that had placed files in the repository (Quarantine or Backup) deletes the same files from this repository.

Remote diagnostics of client devices

You can use remote diagnostics for remote execution of the following operations on Windows-based and Linux-based client devices:

• Enabling and disabling tracing, changing the tracing level, and downloading the trace file
• Downloading system information and application settings
• Downloading event logs
• Generating a dump file for an application
• Starting diagnostics and downloading diagnostics reports
• Starting, stopping, and restarting applications

You can use event logs and diagnostics reports downloaded from a client device to troubleshoot problems on your own. Also, if you contact Kaspersky Technical Support, a Technical Support specialist might ask you to download trace files, dump files, event logs, and diagnostics reports from a client device for further analysis at Kaspersky.

Opening the remote diagnostics window

To perform remote diagnostics on Windows-based and Linux-based client devices, you first have to open the remote diagnostics window.

To open the remote diagnostics window:

1. To select the device for which you want to open the remote diagnostics window, perform one of the following:
   • If the device belongs to an administration group, in the main menu, go to Assets (Devices) → Groups → <group name> → Managed devices.
   • If the device belongs to the Unassigned devices group, in the main menu, go to Discovery & deployment → Unassigned devices.
2. Click the name of the required device.
3. In the device properties window that opens, select the Advanced tab.
4. In the window that opens, click Remote diagnostics.

   This opens the Remote diagnostics window of a client device. If connection between Administration Server and the client device is not established, the error message is displayed.

Alternatively, if you need to obtain all diagnostic information about a Linux-based client device at once, you can run the collect.sh script on this device.

Enabling and disabling tracing for applications

Expand all | Collapse all

You can enable and disable tracing for applications, including Xperf tracing.

Enabling and disabling tracing

To enable or disable tracing on a remote device:

1. Open the remote diagnostics window of a client device.
2. In the remote diagnostics window, select the Kaspersky applications tab.

   In the Application management section, the list of Kaspersky applications installed on the device displays.

3. In the application list, select the application for which you want to enable or disable tracing.

   The list of remote diagnostics options opens.

4. If you want to enable tracing:
   1. In the Tracing section, click Enable tracing.
   2. In the Modify tracing level window that opens, we recommend that you keep the default values of the settings. When required, a Technical Support specialist will guide you through the configuration process. The following settings are available:
      • Tracing level

        The tracing level defines the amount of detail that the trace file contains.

      • Rotation-based tracing

        The application overwrites the tracing information to prevent excessive increase in the size of the trace file. Specify the maximum number of files to be used to store the tracing information, and the maximum size of each file. If the maximum number of trace files of the maximum size are written, the oldest trace file is deleted so that a new trace file can be written.

        This setting is available for Kaspersky Endpoint Security only.

   3. Click Save.

   The tracing is enabled for the selected application. In some cases, the security application and its task must be restarted in order to enable tracing.

   On Linux-based client devices, tracing for the Updater of Kaspersky Security Agent component is regulated by the Network Agent settings. Therefore, the Enable tracing and Modify tracing level options are disabled for this component on client devices running Linux.

5. If you want to disable tracing for the selected application, click Disable tracing.

   The tracing is disabled for the selected application.

Enabling Xperf tracing

For Kaspersky Endpoint Security, a Technical Support specialist may ask you to enable Xperf tracing for information about the system performance.

To enable and configure Xperf tracing or disable it:

1. Open the remote diagnostics window of a client device.
2. In the remote diagnostics window, select the Kaspersky applications tab.

   In the Application management section, the list of Kaspersky applications installed on the device displays.

3. In the list of applications, select Kaspersky Endpoint Security for Windows.

   The list of remote diagnostics options for Kaspersky Endpoint Security for Windows displays.

4. In the Xperf tracing section, click Enable Xperf tracing.

   If Xperf tracing is already enabled, the Disable Xperf tracing button is displayed instead. Click this button if you want to disable Xperf tracing for Kaspersky Endpoint Security for Windows.

5. In the Change Xperf tracing level window that opens, depending on the request from the Technical Support specialist, do the following:
   1. Select one of the following tracing levels:
      • Light level

        A trace file of this type contains the minimum amount of information about the system.

        By default, this option is selected.

      • Deep level

        A trace file of this type contains more detailed information than trace files of the Light type and may be requested by Technical Support specialists when a trace file of the Light type is not enough for the performance evaluation. A Deep trace file contains technical information about the system including information about hardware, operating system, list of started and finished processes and applications, events used for performance evaluation, and events from Windows System Assessment Tool.

   2. Select one of the following Xperf tracing types:
      • Basic type

        The tracing information is received during operation of the Kaspersky Endpoint Security application.

        By default, this option is selected.

      • On-restart type

        The tracing information is received when the operating system starts on the managed device. This tracing type is effective when the issue that affects the system performance occurs after the device is turned on and before Kaspersky Endpoint Security starts.

      You may also be asked to enable the Rotation file size, in MB option to prevent excessive increase in the size of the trace file. Then specify the maximum size of the trace file. When the file reaches the maximum size, the oldest tracing information is overwritten with new information.

   3. Define the rotation file size.
   4. Click Save.

   Xperf tracing is enabled and configured.

6. If you want to disable Xperf tracing for Kaspersky Endpoint Security for Windows, click Disable Xperf tracing in the Xperf tracing section.

   Xperf tracing is disabled.

Downloading trace files of an application

You can download trace files from a client device only if one of the following conditions is met: the Do not disconnect from the Administration Server option is enabled in the settings of the device, a push server is in use, or a connection gateway is in use. Otherwise, downloading is not possible.

The maximum total number of devices with the Do not disconnect from the Administration Server option selected is 300.

To download a trace file of an application:

1. Open the remote diagnostics window of a client device.
2. In the remote diagnostics window, select the Kaspersky applications tab.

   In the Application management section, the list of Kaspersky applications installed on the device displays.

3. In the list of applications, select the application for which you want to download a trace file.
4. In the Tracing section, click the Trace files button.

   This opens the Device tracing logs window, where a list of trace files is displayed.

5. In the list of trace files, select the file that you want to download.
6. Do one of the following:
   • Download the selected file by clicking the Download. You can select one or several files for downloading.
   • Download a portion of the selected file:
     1. Click Download a portion.

        You cannot download portions of several files at the same time. If you select more than one trace file, the Download a portion button will be disabled.

     2. In the window that opens, specify the name and the file portion to download, according to your needs.

        For Linux-based devices, editing the file portion name is not available.

     3. Click Download.

The selected file, or its portion, is downloaded to the location that you specify.

Deleting trace files

You can delete trace files that are no longer needed.

To delete a trace file:

1. Open the remote diagnostics window of a client device.
2. In the remote diagnostics window that opens, select the Event logs tab.
3. In the Trace files section, click Windows Update logs or Remote installation logs, depending on which trace files you want to delete.

   This opens the Device tracing logs window, where a list of trace files is displayed.

4. In the list of trace files, select one or several files that you want to delete.
5. Click the Remove button.

The selected trace files are deleted.

Downloading application settings

You can download application settings from a client device only if one of the following conditions is met: the Do not disconnect from the Administration Server option is enabled in the settings of the device, a push server is in use, or a connection gateway is in use. Otherwise, downloading is not possible.

The maximum total number of devices with the Do not disconnect from the Administration Server option selected is 300.

To download application settings from a client device:

1. Open the remote diagnostics window of a client device.
2. In the remote diagnostics window, select the Kaspersky applications tab.
3. In the Application settings section, click the Download button to download information about the settings of the applications installed on the client device.

The ZIP archive with information is downloaded to the specified location.

Downloading system information from a client device

You can download system information to your device from a client device only if one of the following conditions is met: the Do not disconnect from the Administration Server option is enabled in the settings of the device, a push server is in use, or a connection gateway is in use. Otherwise, downloading is not possible.

The maximum total number of devices with the Do not disconnect from the Administration Server option selected is 300.

To download system information from a client device:

1. Open the remote diagnostics window of a client device.
2. In the remote diagnostics window, select the System information tab.
3. Click the Download button to download the system information about the client device.

The file with information is downloaded to the specified location.

Downloading event logs

You can download event logs to your device from a client device only if one of the following conditions is met: the Do not disconnect from the Administration Server option is enabled in the settings of the device, a push server is in use, or a connection gateway is in use. Otherwise, downloading is not possible.

The maximum total number of devices with the Do not disconnect from the Administration Server option selected is 300.

To download an event log from a remote device:

1. Open the remote diagnostics window of a client device.
2. In the remote diagnostics window, on the Event logs tab, click All device logs.
3. In the All device logs window, select one or several relevant logs.
4. Do one of the following:
   • Download the selected log by clicking Download entire file.
   • Download a portion of the selected log:
     1. Click Download a portion.

        You cannot download portions of several logs at the same time. If you select more than one event log, the Download a portion button will be disabled.

     2. In the window that opens, specify the name and the log portion to download, according to your needs.
     3. Click Download.

The selected event log, or a portion of it, is downloaded to the specified location.

Starting, stopping, restarting the application

You can start, stop, and restart applications on a client device.

To start, stop, or restart an application:

1. Open the remote diagnostics window of a client device.
2. In the remote diagnostics window, select the Kaspersky applications tab.

   In the Application management section, the list of Kaspersky applications installed on the device displays.

3. In the list of applications, select the application that you want to start, stop, or restart.
4. Select an action by clicking one of the following buttons:
   • Stop application

     This button is available only if the application is currently running.

   • Restart application

     This button is available only if the application is currently running.

   • Start application

     This button is available only if the application is not currently running.

Depending on the action that you have selected, the required application is started, stopped, or restarted on the client device.

If you restart the Network Agent, a message is displayed stating that the current connection of the device to the Administration Server will be lost.

Running the remote diagnostics of an application and downloading the results

To start diagnostics for an application on a remote device and download the results:

1. Open the remote diagnostics window of a client device.
2. In the remote diagnostics window, select the Kaspersky applications tab.

   In the Application management section, the list of Kaspersky applications installed on the device displays.

3. In the list of applications, select the application for which you want to run remote diagnostics.

   The list of remote diagnostics options opens.

4. In the Diagnostics report section, click the Run diagnostics button.

   This starts the remote diagnostics process and generates a diagnostics report. When the diagnostics process is complete, the Download diagnostics report button becomes available.

5. Click the Download diagnostics report button to download the report.

The report is downloaded to the specified location.

Running an application on a client device

You may have to run an application on the client device, if a Kaspersky support specialist requests it. You do not have to install the application on that device.

To run an application on the client device:

1. Open the remote diagnostics window of a client device.
2. In the remote diagnostics window, select the Running a remote application tab.
3. In the Running a remote application section, click the Upload button to select a ZIP archive containing the application that you want to run on the client device.

   The ZIP archive must include the utility folder. This folder contains the executable file to be run on a remote device.

   You can specify the executable file name and the command-line arguments, if necessary. To do this, fill in the Executable file in an archive to be run on a remote device and Command line arguments fields.

4. Click the Upload and run button to run the specified application on a client device.
5. Follow the instructions of the Kaspersky support specialist.

Generating a dump file for an application

An application dump file allows you to view parameters of the application running on a client device at a point in time. This file also contains information about modules that were loaded for an application.

Generating dump files is available only for 32-bit processes running on Windows-based client devices. For client devices running Linux and for 64-bit processes this feature is not supported.

To create a dump file for an application:

1. Open the remote diagnostics window of a client device.
2. In the remote diagnostics window, select click the Running a remote application tab.
3. In the Generating the process dump file section, specify the executable file of the application for which you want to generate a dump file.
4. Click the Download button to save the dump file for the specified application.

   If the specified application is not running on the client device, the error message will be displayed.

Remotely connecting to the desktop of a client device

You can obtain remote access to the desktop of a client device through a Network Agent installed on the device. Remote connection to a device through the Network Agent is possible even if the TCP and UDP ports of the client device are closed.

Upon establishing the connection with the device, you gain full access to information stored on this device and can manage applications installed on it.

Remote connection must be allowed in the operating system settings of the target managed device. For example, in Windows 10, this option is called Allow Remote Assistance connections to this computer (you can find this option at Control Panel → System and Security → System → Remote settings). If you have a license for the Vulnerability and patch management feature, you can enable this option forcibly when you establish connection to a managed device. If you do not have the license, enable this option locally on the target managed device. If this option is disabled, remote connection is not possible.

To establish remote connection to a device, you must have two utilities:

• Kaspersky utility named klsctunnel. This utility must be stored on your workstation. You use this utility for tunneling the connection between a client device and the Administration Server.

  Kaspersky Security Center Cloud Console allows tunneling TCP connections from Administration Console via the Administration Server and then via Network Agent to a specified port on a managed device. Tunneling is designed for connecting a client application on a device with Administration Console installed to a TCP port on a managed device—if no direct connection is possible between Administration Console and the target device.

  Connection tunneling between a remote client device and Administration Server is required if the port used for connection to Administration Server is not available on the device. The port on the device may be unavailable in the following cases:

  • The remote device is connected to a local network that uses the NAT mechanism.
  • The remote device is part of the local network of Administration Server, but its port is closed by a firewall.
• Standard Microsoft Windows component named Remote Desktop Connection. Connection to a remote desktop is established through the standard Windows utility mstsc.exe in accordance with the utility's settings.

  Connection to the current remote desktop session of the user is established without the user's knowledge. Once you connect to the session, the device user is disconnected from the session without an advance notification.

To connect to the desktop of a client device, one of the following conditions must be met:

• Client device is a member of an administration group that has a distribution point with the Do not disconnect from the Administration Server option enabled.
• In the client device settings, the Do not disconnect from the Administration Server option is enabled.

  The maximum total number of client devices with the Do not disconnect from the Administration Server option enabled is 300.

To connect to the desktop of a client device:

1. In the main menu, go to Assets (Devices) → Managed devices.
2. Select the check box next to the name of the device to which you want to obtain access.
3. Click the Connect to Remote Desktop button.

   The Connect to Remote Desktop window opens.

4. Click the Download button to download the klsctunnel utility.
5. Click the Copy to clipboard button to copy the text from the text field. This text is a Binary Large Object (BLOB) that contains settings required to establish connection between the Administration Server and the managed device.

   A BLOB is valid for 3 minutes. If it has expired, reopen the Connect to Remote Desktop window to generate a new BLOB.

6. Run the klsctunnel utility.

   The utility window opens.

7. Paste the copied text into the text field.
8. If you use a proxy server, select the Use proxy server check box, and then specify the proxy server connection settings.
9. Click the Open port button.

   The Remote Desktop Connection login window opens.

10. Specify the credentials of the account under which you are currently logged in to Kaspersky Security Center Cloud Console.
11. Click the Connect button.

When connection to the device is established, the desktop is available in the Remote Desktop Connection window of Microsoft Windows.

Connecting to devices through Windows Desktop Sharing

You can obtain remote access to the desktop of a client device through a Network Agent installed on the device. Remote connection to a device through the Network Agent is possible even if the TCP and UDP ports of the client device are closed.

You can connect to an existing session on a client device without disconnecting the user in this session. In this case, you and the session user on the device share access to the desktop.

To establish remote connection to a device, you must have two utilities:

• Kaspersky utility named klsctunnel. This utility must be stored on your workstation. You use this utility for tunneling the connection between a client device and the Administration Server.

  Kaspersky Security Center Cloud Console allows tunneling TCP connections from Administration Console via the Administration Server and then via Network Agent to a specified port on a managed device. Tunneling is designed for connecting a client application on a device with Administration Console installed to a TCP port on a managed device—if no direct connection is possible between Administration Console and the target device.

  Connection tunneling between a remote client device and Administration Server is required if the port used for connection to Administration Server is not available on the device. The port on the device may be unavailable in the following cases:

  • The remote device is connected to a local network that uses the NAT mechanism.
  • The remote device is part of the local network of Administration Server, but its port is closed by a firewall.
• Windows Desktop Sharing. When connecting to an existing session of the remote desktop, the session user on the device receives a connection request from you. No information about remote activity on the device and its results will be saved in reports created by Kaspersky Security Center Cloud Console.

  You can configure an audit of user activity on a remote client device. During the audit, the application saves information about files on the client device that have been opened and/or modified by the administrator.

To connect to the desktop of a client device through Windows Desktop Sharing, the following conditions must be met:

• Microsoft Windows Vista or later is installed on your workstation.

  To check whether the Windows Desktop Sharing feature is included in your Windows edition, make sure that CLSID {32BE5ED2-5C86-480F-A914-0FF8885A1B3F} is included in the 32-bit registry.

• Microsoft Windows Vista or later is installed on the client device.
• Kaspersky Security Center Cloud Console uses a license for Vulnerability and patch management.
• The client device is a member of an administration group that has a distribution point with the Do not disconnect from the Administration Server option enabled, or this option is enabled in the client device settings.

  Note that the maximum total number of client devices with the Do not disconnect from the Administration Server option enabled is 300.

To connect to the desktop of a client device through Windows Desktop Sharing:

1. In the main menu, go to Assets (Devices) → Managed devices.
2. Select the check box next to the name of the device to which you want to obtain access.
3. Click the Windows Desktop Sharing button.

   The Windows Desktop Sharing wizard opens.

4. Click the Download button to download the klsctunnel utility, and wait for the download process to complete.

   If you already have the klsctunnel utility, skip this step.

5. Click the Next button.
6. Select the session on the device to which you want to connect, and then click the Next button.
7. On the target device, in the dialog box that opens, the user must allow a desktop sharing session. Otherwise, the session is not possible.

   After the device user confirms the desktop sharing session, the next page of the wizard opens.

8. Click the Copy to clipboard button to copy the text from the text field. This text is a Binary Large Object (BLOB) that contains settings required to establish connection between the Administration Server and the managed device.

   A BLOB is valid for 3 minutes. If it has expired, generate a new BLOB.

9. Run the klsctunnel utility.

   The utility window opens.

10. Paste the copied text into the text field.
11. If you use a proxy server, select the Use proxy server check box, and then specify the proxy server connection settings.
12. Click the Open port button.

Desktop sharing starts in a new window. If you want to interact with the device, click the menu icon () in the upper-left corner of the window, and then select Interactive mode.

Triggering of rules in Smart Training mode

This section provides information about the detections performed by the Adaptive Anomaly Control rules in Kaspersky Endpoint Security for Windows on client devices.

The rules detect anomalous behavior on client devices and may block it. If the rules work in Smart Training mode, they detect anomalous behavior and send reports about every such occurrence to Kaspersky Security Center Cloud Console Administration Server. This information is stored as a list in the Rule triggers in Smart Training state subfolder of the Repositories folder. You can confirm detections as correct or add them as exclusions, so that this type of behavior is not considered anomalous anymore.

Information about detections is stored in the event log on the Administration Server (along with other events) and in the Adaptive Anomaly Control report.

For more information about Adaptive Anomaly Control, the rules, their modes and statuses, refer to Kaspersky Endpoint Security Help.

Viewing the list of detections performed using Adaptive Anomaly Control rules

Expand all | Collapse all

To view the list of detections performed by Adaptive Anomaly Control rules:

1. In the main menu, go to Operations → Repositories.
2. Click the Rule triggers in Smart Training state link.

   The list displays the following information about detections performed using Adaptive Anomaly Control rules:

   • Administration group

     The name of the administration group where the device belongs.

   • Device name

     The name of the client device where the rule was applied.

   • Name

     The name of the rule that was applied.

   • Status

     Excluding—If the Administrator processed this item and added it as an exclusion to the rules. This status remains till the next synchronization of the client device with the Administration Server; after the synchronization, the item disappears from the list.

     Confirming—If the Administrator processed this item and confirmed it. This status remains till the next synchronization of the client device with the Administration Server; after the synchronization, the item disappears from the list.

     Empty—If the Administrator did not process this item.

   • User name

     The name of the client device user who run the process that generated the detect.

   • Processed

     Date when the anomaly was detected.

   • Source process path

     Path to the source process, i.e. to the process that performs the action (for more information, refer to the Kaspersky Endpoint Security help).

   • Source process hash

     SHA256 hash of the source process file (for more information, refer to the Kaspersky Endpoint Security help).

   • Source object path

     Path to the object that started the process (for more information, refer to the Kaspersky Endpoint Security help).

   • Source object hash

     SHA256 hash of the source file (for more information, refer to the Kaspersky Endpoint Security help).

   • Target process path

     Path to the target process (for more information, refer to the Kaspersky Endpoint Security help).

   • Target process hash

     SHA256 hash of the target file (for more information, refer to the Kaspersky Endpoint Security help).

   • Target object path

     Path to the target object (for more information, refer to the Kaspersky Endpoint Security help).

   • Target object hash

     SHA256 hash of the target file (for more information, refer to the Kaspersky Endpoint Security help).

To view properties of each information element:

1. In the main menu, go to Operations → Repositories.
2. Click the Rule triggers in Smart Training state link.
3. In the window that opens, select the object that you want.
4. Click the Properties link.

The properties window of the object opens and displays information about the selected element.

You can confirm or add to exclusions any element in the list of detections of Adaptive Anomaly Control rules.

To confirm an element,

Select an element (or several elements) in the list of detections and click the Confirm button.

The status of the element(s) will be changed to Confirming.

Your confirmation will contribute to the statistics used by the rules (for more information, refer to Kaspersky Endpoint Security for Windows documentation).

To add an element as an exclusion,

Select an element (or several elements) in the list of detections and click the Exclude button.

The Add exclusion wizard starts. Follow the instructions of the wizard.

If you reject or confirm an element, it will be excluded from the list of detections after the next synchronization of the client device with the Administration Server, and will no longer appear in the list.

Adding exclusions from the Adaptive Anomaly Control rules

The Add exclusion wizard enables you to add exclusions from the Adaptive Anomaly Control rules for Kaspersky Endpoint Security for Windows.

To start the Add exclusion wizard through the Adaptive Anomaly Control node:

1. In the main menu, go to Operations → Repositories → Rule triggers in Smart Training state.
2. In the window that opens, select an element (or several elements) in the list of detections, and then click the Exclude button.

   You can add up to 1000 exclusions at a time. If you select more elements and try to add them to exclusions, an error message is displayed.

The Add exclusion wizard starts. Proceed through the wizard by using the Next button.

Managing administration groups

This section provides information about how to manage administration groups.

You can perform the following actions on administration groups:

• Add any number of nested groups at any level of hierarchy to administration groups.
• Add devices to administration groups.
• Change the hierarchy of administration groups by moving individual devices and entire groups to other groups.
• Remove nested groups and devices from administration groups.
• Add secondary and virtual Administration Servers to administration groups.
• Move devices from the administration groups of an Administration Server to those of another Server.
• Define which Kaspersky applications will be automatically installed on devices included in a group.

You can perform these actions only if you have the Modify permission in the Management of administration groups area for the administration groups you want to manage or for the Administration Server to which these groups belong.

Creating administration groups

Initially, the hierarchy of administration groups contains only one administration group called Managed devices group. You can add devices and subgroups into the Managed devices group.

To create an administration group:

1. In the main menu, go to Assets (Devices) → Hierarchy of groups.
2. In the hierarchy, select the administration group that is to include the new administration group.
3. Click the Add button.
4. In the window that opens, enter a name for the group and click Add.

A new administration group with the specified name appears in the administration group hierarchy.

The application allows creating a hierarchy of administration groups based on the structure of Active Directory or the domain network's structure. Also, you can create a structure of groups from a text file.

To create a structure of administration groups:

1. In the main menu, go to Assets (Devices) → Hierarchy of groups.
2. Click the Import button.

The New administration group structure wizard starts. Follow the instructions of the wizard.

Automatic installation of applications on devices in an administration group

You can specify which installation packages must be used for automatic remote installation of Kaspersky applications to client devices in an administration group.

To configure automatic installation of applications on the devices in an administration group:

1. In the main menu, go to Assets (Devices) → Hierarchy of groups, and click the name of the required administration group.
2. In the properties window that opens, go to the Automatic installation tab.
3. Select the installation packages of the applications to be installed on the devices, and then click the Save button.

   If you select several installation packages of the same application that differ only in their versions, the installation package with the latest version is saved.

After you select the installation packages, a group tasks for installation of the applications on the devices in the administration group is created for each of the application. These tasks are run on the client devices immediately after they are added to the administration group.

Moving administration groups

You can move nested administration groups within the groups hierarchy.

An administration group is moved together with all nested groups, secondary Administration Servers, devices, group policies, and tasks. The application applies to the group all the settings that correspond to its new position in the hierarchy of administration groups.

The name of the group must be unique within one level of the hierarchy. If a group with the same name already exists in the folder into which you move the administration group, you must change the name of the latter. If you have not changed the name of the moved group, an index in (<next sequence number>) format is automatically added to its name when it is moved, for example: (1), (2).

You cannot rename and move the Managed devices group.

To move an administration group to another level of the administration groups hierarchy:

1. In the main menu, go to Assets (Devices) → Hierarchy of groups, and then select the check box next to the administration group that you want to move.
2. On the toolbar, click the Move button.
3. In the window that opens, select where you want to move the administration group, and then click the Move button.

The window is closed, and the administration group is moved to another level of the groups hierarchy.

Deleting administration groups

If you delete an administration group that contains secondary Administration Servers, nested groups, client devices, group tasks, or policies created for this group, all of them will also be deleted.

Before deleting an administration group, you must delete all secondary Administration Servers, nested groups, and client devices from that group.

To delete an administration group:

1. In the main menu, go to Assets (Devices) → Hierarchy of groups, and then select the check box next to the administration group that you want to delete.
2. On the toolbar, click the Delete button.

The administration group is deleted.

Policies and policy profiles

In Kaspersky Security Center Cloud Console, you can create policies for Kaspersky applications. This section describes policies and policy profiles, and provides instructions for creating and modifying them.

About policies

A policy is a set of Kaspersky application settings that are applied to an administration group and its subgroups. You can install several Kaspersky applications on the devices of an administration group. Kaspersky Security Center Cloud Console provides a single policy for each Kaspersky application in an administration group. A policy has one of the following statuses (see the table below):

The status of the policy

Policies function according to the following rules:

• Multiple policies with different values can be configured for a single application.
• Only one policy can be active for the current application.
• You can activate an inactive policy when a specific event occurs. For example, you can enforce stricter anti-virus protection settings during virus outbreaks.
• A policy can have child policies.

Generally, you can use policies as preparations for emergency situations, such as a virus attack. For example, if there is an attack via flash drives, you can activate a policy that blocks access to flash drives. In this case, the current active policy automatically becomes inactive.

In order to prevent maintaining multiple policies, for example, when different occasions assume changing of several settings only, you may use policy profiles.

A policy profile is a named subset of policy settings values that replaces the settings values of a policy. A policy profile affects the effective settings formation on a managed device. Effective settings are a set of policy settings, policy profile settings, and local application settings that are currently applied for the device.

Policy profiles function according to the following rules:

• A policy profile takes an effect when a specific activation condition occurs.
• Policy profiles contain values of settings that differ from the policy settings.
• Activation of a policy profile changes the effective settings of the managed device.
• A policy can include a maximum of 100 policy profiles.

You cannot create an Administration Server policy.

About lock and locked settings

Each policy setting has a lock button icon (). The table below shows lock button statuses:

Lock button statuses

We highly recommend that you close locks for the policy settings that you want to apply on the managed devices. The unlocked policy settings can be reassigned by Kaspersky application settings on a managed device.

You can use a lock button for performing the following actions:

• Locking settings for an administration subgroup policy
• Locking settings of a Kaspersky application on a managed device

Thus, a locked setting is used for implementing effective settings on a managed device.

A process of effective settings implementation includes the following actions:

• Managed device applies settings values of Kaspersky application.
• Managed device applies locked settings values of a policy.

A policy and managed Kaspersky application contain the same set of settings. When you configure policy settings, the Kaspersky application settings change values on a managed device. You cannot adjust locked settings on a managed device (see the figure below):

Locks and Kaspersky application settings

Inheritance of policies and policy profiles

This section provides information about the hierarchy and inheritance of policies and policy profiles.

Hierarchy of policies

If different devices need different settings, you can organize devices into administration groups.

You can specify a policy for a single administration group. Policy settings can be inherited. Inheritance means receiving policy settings values in subgroups (child groups) from a policy of a higher-level (parent) administration group.

Hereinafter, a policy for a parent group is also referred to as a parent policy. A policy for a subgroup (child group) is also referred to as a child policy.

By default, at least one managed devices group exists on Administration Server. If you want to create custom groups, they are created as subgroups (child groups) within the managed devices group.

Policies of the same application act on each other, according to a hierarchy of administration groups. Locked settings from a policy of a higher-level (parent) administration group will reassign policy settings values of a subgroup (see the figure below).

Hierarchy of policies

Policy profiles in a hierarchy of policies

Policy profiles have the following priority assignment conditions:

• A profile's position in a policy profile list indicates its priority. You can change a policy profile priority. The highest position in a list indicates the highest priority (see the figure below).

  

  Priority definition of a policy profile

• Activation conditions of policy profiles do not depend on each other. Several policy profiles can be activated simultaneously. If several policy profiles affect the same setting, the device takes the setting value from the policy profile with the highest priority (see the figure below).

  

  Managed device configuration fulfills activation conditions of several policy profiles

Policy profiles in a hierarchy of inheritance

Policy profiles from different hierarchy level policies comply with the following conditions:

• A lower-level policy inherits policy profiles from a higher-level policy. A policy profile inherited from a higher-level policy obtains higher priority than the original policy profile's level.
• You cannot change a priority of an inherited policy profile (see the figure below).

  

  Inheritance of policy profiles

Policy profiles with the same name

If there are two policies with the same names in different hierarchy levels, these policies function according to the following rules:

• Locked settings and the profile activation condition of a higher-level policy profile changes the settings and profile activation condition of a lower-level policy profile (see the figure below).

  

  Child profile inherits settings values from a parent policy profile

• Unlocked settings and the profile activation condition of a higher-level policy profile do not change the settings and profile activation condition of a lower-level policy profile.

How settings are implemented on a managed device

Implementation of effective settings on a managed device can be described as follows:

• The values of all settings that have not been locked are taken from the policy.
• Then they are overwritten with the values of managed application settings.
• And then the locked settings values from the effective policy are applied. Locked settings values change the values of unlocked effective settings.

Managing policies

This section describes managing policies and provides information about viewing the list of policies, creating a policy, modifying a policy, copying a policy, moving a policy, forced synchronization, viewing the policy distribution status chart, and deleting a policy.

Viewing the list of policies

You can view lists of policies created for the Administration Server or for any administration group.

To view a list of policies:

1. In the main menu, go to Assets (Devices) → Hierarchy of groups.
2. In the administration group structure, select the administration group for which you want to view the list of policies.

The list of policies appears in tabular format. If there are no policies, the table is empty. You can show or hide the columns of the table, change their order, view only lines that contain a value that you specify, or use search.

Creating a policy

You can create policies; you can also modify and delete existing policies.

You cannot create an Administration Server policy.

To create a policy:

1. In the main menu, go to Assets (Devices) → Policies & profiles.
2. Click Add.

   The Select application window opens.

3. Select the application for which you want to create a policy.
4. Click Next.

   The new policy settings window opens with the General tab selected.

5. If you want, change the default name, default status, and default inheritance settings of the policy.
6. Click the Application settings tab.

   Or, you can click Save and exit. The policy will appear in the list of policies, and you can edit its settings later.

7. On the Application settings tab, in the left pane select the category that you want and in the results pane on the right, edit the settings of the policy. You can edit policy settings in each category (section).

   The application settings depend on the application for which you create a policy. For details, refer to the following:

   • Administration Server configuration
   • Network Agent policy settings
   • Kaspersky Endpoint Security for Windows documentation

   For details about settings of other security applications, refer to the documentation for the corresponding application.

   When editing the settings, you can click Cancel to cancel the last operation.

8. Click Save to save the policy.

The policy will appear in the list of policies.

Modifying a policy

To modify a policy:

1. In the main menu, go to Assets (Devices) → Policies & profiles.
2. Click the policy that you want to modify.

   The policy settings window opens.

3. Specify the general settings and settings of the application for which you create a policy. For details, refer to the following:
   • Administration Server configuration
   • Network Agent policy settings
   • Kaspersky Endpoint Security for Windows documentation

   For details about settings of other security applications, refer to the documentation for that application.

4. Click Save.

The changes made to the policy will be saved in the policy properties, and will appear in the Revision history section.

General policy settings

Expand all | Collapse all

General

On the General tab, you can modify the policy status and specify the inheritance of policy settings:

• In the Policy status block, you can select one of the policy modes:
  • Active
  • Out-of-office

    If this option is selected, the policy becomes active when the device leaves the corporate network.

  • Inactive

    If this option is selected, the policy becomes inactive, but it is still stored in the Policies folder. If required, the policy can be activated.

• In the Settings inheritance settings group, you can configure the policy inheritance:
  • Inherit settings from parent policy

    If this option is enabled, the policy setting values are inherited from the upper-level group policy and, therefore, are locked.

    By default, this option is enabled.

  • Force inheritance of settings in child policies

    If this option is enabled, after policy changes are applied, the following actions will be performed:

    • The values of the policy settings will be propagated to the policies of administration subgroups, that is, to the child policies.
    • In the Settings inheritance block of the General section in the properties window of each child policy, the Inherit settings from parent policy option will be automatically enabled.

    If this option is enabled, the child policies settings are locked.

    By default, this option is disabled.

Event configuration

The Event configuration tab enables you to configure event logging and event notification. Events are distributed by importance level on the following tabs:

• Critical

  The Critical section is not displayed in the Network Agent policy properties.

• Functional failure
• Warning
• Info

In each section, the list shows the types of events and the default event storage term on the Administration Server (in days). Clicking an event type lets you specify the following settings:

• Event registration

  You can specify how many days to store the event and select where to store the event:

  • Store in the Administration Server database for (days)
  • Store in the OS event log on device
• Event notifications

  You can select if you want to be notified about the event by email.

  By default, the notification settings specified on the Administration Server properties tab (such as recipient address) are used. If you want, you can change these settings on the Email tab.

Also, the Event configuration tab displays a notification when new event types are added (for example, in a new version of the product) and enables you to apply the new settings by clicking the Save or Save and close button.

Revision history

The Revision history tab enables you to view the list of the policy revisions and roll back changes made to the policy, if necessary.

Enabling and disabling a policy inheritance option

To enable or disable the inheritance option in a policy:

1. Open the required policy.
2. Open the General tab.
3. Enable or disable policy inheritance:
   • If you enable Inherit settings from parent policy in a child policy and an administrator locks some settings in the parent policy, then you cannot change these settings in the child policy.
   • If you disable Inherit settings from parent policy in a child policy, then you can change all of the settings in the child policy, even if some settings are locked in the parent policy.
   • If you enable Force inheritance of settings in child policies in the parent group, this enables the Inherit settings from parent policy option for each child policy. In this case, you cannot disable this option for any child policy. All of the settings that are locked in the parent policy are forcibly inherited in the child groups, and you cannot change these settings in the child groups.
4. Click the Save button to save changes or click the Cancel button to reject changes.

By default, the Inherit settings from parent policy option is enabled for a new policy.

If a policy has profiles, all of the child policies inherit these profiles.

Copying a policy

You can copy policies from one administration group to another.

To copy a policy to another administration group:

1. In the main menu, go to Assets (Devices) → Policies & profiles.
2. Select the check box next to the policy (or policies) that you want to copy.
3. Click the Copy button.

   On the right side of the screen, the tree of the administration groups appears.

4. In the tree, select the target group, that is, the group to which you want to copy the policy (or policies).
5. Click the Copy button at the bottom of the screen.
6. Click OK to confirm the operation.

The policy (policies) will be copied to the target group with all its profiles. The status of each copied policy in the target group will be Inactive. You can change the status to Active at any time.

If a policy with the name identical to that of the newly moved policy already exists in the target group, the name of the newly moved policy is expanded with the (<next sequence number>) index, for example: (1).

Moving a policy

You can move policies from one administration group to another. For example, you want to delete a group, but you want to use its policies for another group. In this case, you may want move the policy from the old group to the new one before deleting the old group.

To move a policy to another administration group:

1. In the main menu, go to Assets (Devices) → Policies & profiles.
2. Select the check box next to the policy (or policies) that you want to move.
3. Click the Move button.

   On the right side of the screen, the tree of the administration groups appears.

4. In the tree, select the target group, that is, the group to which you want to move the policy (or policies).
5. Click the Move button at the bottom of the screen.
6. Click OK to confirm the operation.

If a policy is not inherited from the source group, it is moved to the target group with all its profiles. The status of the policy in the target group is Inactive. You can change the status to Active at any time.

If a policy is inherited from the source group, it remains in the source group. It is copied to the target group with all its profiles. The status of the policy in the target group is Inactive. You can change the status to Active at any time.

If a policy with the name identical to that of the newly moved policy already exists in the target group, the name of the newly moved policy is expanded with the (<next sequence number>) index, for example: (1).

Exporting a policy

Kaspersky Security Center Cloud Console allows you to save a policy, its settings, and the policy profiles to a KLP file. You can use this KLP file to import the saved policy both to Kaspersky Security Center Windows and Kaspersky Security Center Linux.

To export a policy:

1. In the main menu, go to Assets (Devices) → Policies & profiles.
2. Select the check box next to the policy that you want to export.

   You cannot export multiple policies at the same time. If you select more than one policy, the Export button will be disabled.

3. Click the Export button.
4. In the opened Save as window, specify the policy file name and path. Click the Save button.

   The Save as window is displayed only if you use Google Chrome, Microsoft Edge, or Opera. If you use another browser, the policy file is automatically saved in the Downloads folder.

Importing a policy

Kaspersky Security Center Cloud Console allows you to import a policy from a KLP file. The KLP file contains the exported policy, its settings, and the policy profiles.

To import a policy:

1. In the main menu, go to Assets (Devices) → Policies & profiles.
2. Click the Import button.
3. Click the Browse button to choose a policy file that you want to import.
4. In the opened window, specify the path to the KLP policy file, and then click the Open button. Note that you can select only one policy file.

   The policy processing starts.

5. After the policy is processed successfully, select the administration group to which you want to apply the policy.
6. Click the Complete button to finish the policy import.

The notification with the import results appears. If the policy is imported successfully, you can click the Details link to view the policy properties.

After a successful import, the policy is displayed in the policy list. The settings and profiles of the policy are also imported. Regardless of the policy status that was selected during the export, the imported policy is inactive. You can change the policy status in the policy properties.

If the newly imported policy has a name identical to that of an existing policy, the name of the imported policy is expanded with the (<next sequence number>) index, for example: (1), (2).

Viewing the policy distribution status chart

In Kaspersky Security Center Cloud Console, you can view the status of policy application on each device in a policy distribution status chart.

To view the policy distribution status on each device:

1. In the main menu, go to Assets (Devices) → Policies & profiles.
2. Select check box next to the name of the policy for which you want to view the distribution status on devices.
3. In the menu that appears, click the Distribution link.

   The <Policy name> distribution results window opens.

4. In the <Policy name> distribution results window that opens, the Status description (if available) of the policy is displayed.

You can change number of results displayed in the list with policy distribution. The maximum number of devices is 100,000.

To change the number of devices displayed in the list with policy distribution results:

1. In the main menu, go to your account settings, and then select Interface options.
2. In the Maximum number of devices displayed in policy distribution results, enter the number of devices (up to 100,000).

   By default, the number is 5000.

3. Click Save.

The settings are saved and applied.

Activating a policy automatically at the Virus outbreak event

To make a policy perform automatic activation at a Virus outbreak event:

1. In the main menu, click the settings icon () next to the name of the required Administration Server.

   The Administration Server properties window opens, with the General tab selected.

2. Select the Virus outbreak section.
3. In the right pane, click the Configure policies to activate when a virus outbreak event occurs link.

   The Policy activation window opens.

4. In the section relating to the component that detects a virus outbreak—Anti-Virus for workstations and file servers, Anti-Virus for mail servers, or Anti-Virus for perimeter defense—select the option button next to the entry you want, and then click Add.

   A window opens with the Managed devices administration group.

5. Click the chevron icon () next to Managed devices.

   A hierarchy of administration groups and their policies is displayed.

6. In the hierarchy of administration groups and their policies, click the name of a policy or policies that are activated when a virus outbreak is detected.

   To select all policies in the list or in a group, select the check box next to the required name.

7. Click the Save button.

   The window with the hierarchy of administration groups and their policies is closed.

The selected policies are added to the list of policies that are activated when a virus outbreak is detected. The selected policies are activated at the virus outbreak, independent whether they are active or inactive.

If a policy has been activated on the Virus outbreak event, you can return to the previous policy only by using the manual mode.

Forced synchronization

Although Kaspersky Security Center Cloud Console automatically synchronizes the status, settings, tasks, and policies for managed devices, in some cases you need to know for certain, at a given moment, whether synchronization has already been performed for a specified device.

Synchronizing a single device

To force synchronization between the Administration Server and a managed device:

1. In the main menu, go to Assets (Devices) → Managed devices.
2. Click the name of the device that you want to synchronize with the Administration Server.

   A property window opens with the General section selected.

3. Click the Force synchronization button.

The application synchronizes the selected device with the Administration Server.

Synchronizing multiple devices

To force synchronization between the Administration Server and multiple managed devices:

1. Open the device list of an administration group or a device selection:
   • In the main menu, go to Assets (Devices) → Managed devices → Groups, and then select the administration group that contains devices to synchronize.
   • Run a device selection to view the device list.
2. Select the check boxes next to the devices that you want to synchronize with the Administration Server.
3. Click the Force synchronization button.

   The application synchronizes the selected devices with the Administration Server.

4. In the device list, check that the time of last connection to the Administration Server has changed, for the selected devices, to the current time. If the time has not changed, update the page content by clicking the Refresh button.

The selected devices are synchronized with the Administration Server.

Viewing the time of a policy delivery

After changing a policy for a Kaspersky application on the Administration Server, you can check whether the changed policy has been delivered to a specific managed device. A policy can be delivered during a regular synchronization or a forced synchronization.

To view the date and time that an application policy was delivered to a managed device:

1. In the main menu, go to Assets (Devices) → Managed devices.
2. Click the name of the device that you want to synchronize with the Administration Server.

   A property window opens with the General section selected.

3. Click the Applications tab.
4. Select the application for which you want to view the policy synchronization date.

The application policy window opens with the General section selected and the policy delivery date and time displayed.

Deleting a policy

You can delete a policy if you do not need it anymore. You can delete only a policy that is not inherited in the specified administration group. If a policy is inherited, you can only delete it in the upper-level group for which it was created.

To delete a policy:

1. In the main menu, go to Assets (Devices) → Policies & profiles.
2. Select the check box next to the policy that you want to delete, and click Delete.

   The Delete button becomes unavailable (dimmed) if you select an inherited policy.

3. Click OK to confirm the operation.

The policy is deleted together with all its profiles.

Managing policy profiles

This section describes managing policy profiles and provides information about viewing the profiles of a policy, changing a policy profile priority, creating a policy profile, modifying a policy profile, copying a policy profile, creating a policy profile activation rule, and deleting a policy profile.

Viewing the profiles of a policy

To view profiles of a policy:

1. In the main menu, go to Assets (Devices) → Policies & profiles.
2. Click the name of the policy whose profiles you want to view.

   The policy properties window opens with the General tab selected.

3. Open the Policy profiles tab.

The list of policy profiles appears in tabular format. If the policy does not have profiles, an empty table appears.

Changing a policy profile priority

To change a policy profile priority:

1. Proceed to the list of profiles of a policy that you want.

   The list of policy profiles appears.

2. On the Policy profiles tab, select the check box next to the policy profile for which you want to change priority.
3. Set a new position of the policy profile in the list by clicking Prioritize or Deprioritize.

   The higher a policy profile is located in the list, the higher its priority.

4. Click the Save button.

Priority of the selected policy profile is changed and applied.

Creating a policy profile

To create a policy profile:

1. Proceed to the list of profiles of the policy that you want.

   The list of policy profiles appears. If the policy does not have profiles, an empty table appears.

2. Click Add.
3. If you want, change the default name and default inheritance settings of the profile.
4. Select the Application settings tab.

   Alternatively, you can click Save and exit. The profile that you have created appears in the list of policy profiles, and you can edit its settings later.

5. On the Application settings tab, in the left pane, select the category that you want and in the results pane on the right, edit the settings for the profile. You can edit policy profile settings in each category (section).

   When editing the settings, you can click Cancel to cancel the last operation.

6. Click Save to save the profile.

The profile will appear in the list of policy profiles.

Modifying a policy profile

The capability to edit a policy profile is only available for policies of Kaspersky Endpoint Security for Windows.

To modify a policy profile:

1. Proceed to the list of profiles of a policy that you want.

   The list of policy profiles appears.

2. On the Policy profiles tab, click the policy profile that you want to modify.

   The policy profile properties window opens.

3. Configure the profile in the properties window:
   • If necessary, on the General tab, change the profile name and enable or disable the profile.
   • Edit the profile activation rules.
   • Edit the application settings.

   For details about settings of security applications, please see the documentation of the corresponding application.

4. Click Save.

The modified settings will take effect either after the device is synchronized with the Administration Server (if the policy profile is active), or after an activation rule is triggered (if the policy profile is inactive).

Copying a policy profile

You can copy a policy profile to the current policy or to another, for example, if you want to have identical profiles for different policies. You can also use copying if you want to have two or more profiles that differ in only a small number of settings.

To copy a policy profile:

1. Proceed to the list of profiles of a policy that you want.

   The list of policy profiles appears. If the policy does not have profiles, an empty table appears.

2. On the Policy profiles tab, select the policy profile that you want to copy.
3. Click Copy.
4. In the window that opens, select the policy to which you want to copy the profile.

   You can copy a policy profile to the same policy or to a policy that you specify.

5. Click Copy.

The policy profile is copied to the policy that you selected. The newly copied profile gets the lowest priority. If you copy the profile to the same policy, the name of the newly copied profile will be expanded with the () index, for example: (1), (2).

Later, you can change the settings of the profile, including its name and its priority; the original policy profile will not be changed in this case.

Creating a policy profile activation rule

Expand all | Collapse all

To create a policy profile activation rule:

1. Proceed to the list of profiles of a policy that you want.

   The list of policy profiles appears.

2. On the Policy profiles tab, click the policy profile for which you need to create an activation rule.

   If the list of policy profiles is empty, you can create a policy profile.

3. On the Activation rules tab, click the Add button.

   The window with policy profile activation rules opens.

4. Specify a name for the rule.
5. Select the check boxes next to the conditions that must affect activation of the policy profile that you are creating:
   • General rules for policy profile activation

     Select this check box to set up policy profile activation rules on the device depending on the status of the device offline mode, rule for connection to Administration Server, and tags assigned to the device.

     For this option, specify at the next step:

     • Device status

       Defines the condition for device presence on the network:

       • Online—The device is on the network, and so the Administration Server is available.
       • Offline—The device is on an external network, which means that the Administration Server is not available.
       • N/A—The criterion will not be applied.
     • Rule for Administration Server connection is active on this device

       Choose the condition of policy profile activation (whether the rule is executed or not) and select the rule name.

       The rule defines the network location of the device for connection to the Administration Server, whose conditions must be met (or must not be met) for activation of the policy profile.

       A network location description of devices for connection to an Administration Server can be created or configured in a Network Agent switching rule.

   • Rules for specific device owner

     For this option, specify at the next step:

     • Device owner

       Enable this option to configure and enable the rule for profile activation on the device according to its owner. In the drop-down list under the check box, you can select a criterion for the profile activation:

       • The device belongs to the specified owner ("=" sign).
       • The device does not belong to the specified owner ("≠" sign).

         Note that the user list is filtered and displays device owners who are internal users.

         If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the device owner when the option is enabled. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

     • Device owner is included in an internal security group

       Enable this option to configure and enable the rule of profile activation on the device by the owner's membership in an internal security group of Kaspersky Security Center Cloud Console. In the drop-down list under the check box, you can select a criterion for the profile activation:

       • The device owner is a member of the specified security group ("=" sign).
       • The device owner is not a member of the specified security group ("≠" sign).

         Note that the user list is filtered and displays device owners who are internal users.

         If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify a security group of Kaspersky Security Center Cloud Console. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

   • Rules for hardware specifications

     Select this check box to set up rules for policy profile activation on the device depending on the memory volume and the number of logical processors.

     For this option, specify at the next step:

     • RAM size, in MB

       Enable this option to configure and enable the rule of profile activation on the device by the RAM volume available on that device. In the drop-down list under the check box, you can select a criterion for the profile activation:

       • The device RAM size is less than the specified value ("<" sign).
       • The device RAM size is greater than the specified value (">" sign).

       If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the RAM volume on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

     • Number of logical processors

       Enable this option to configure and enable the rule of profile activation on the device by the number of logical processors on that device. In the drop-down list under the check box, you can select a criterion for the profile activation:

       • The number of logical processors on the device is less than or equal to the specified value ("<" sign).
       • The number of logical processors on the device is greater than or equal to the specified value (">" sign).

       If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the number of logical processors on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

   • Rules for role assignment

     For this option, specify at the next step:

     Activate policy profile by specific role of device owner

     Select this option to configure and enable the rule of profile activation on the device depending on the owner's role. Add the role manually from the list of existing roles.

     If this option is enabled, the profile is activated on the device in accordance with the criterion configured.

   • Rules for tag usage

     Select this check box to set up rules for policy profile activation on the device depending on the tags assigned to the device. You can activate the policy profile to the devices that either have the selected tags or do not have them.

     For this option, specify at the next step:

     • Tag

       In the list of tags, specify the rule for device inclusion in the policy profile by selecting the check boxes next to the relevant tags.

       You can add new tags to the list by entering them in the field over the list and clicking the Add button.

       The policy profile includes devices with descriptions containing all the selected tags. If check boxes are cleared, the criterion is not applied. By default, these check boxes are cleared.

     • Apply to devices without the specified tags

       Enable this option if you have to invert your selection of tags.

       If this option is enabled, the policy profile includes devices with descriptions that contain none of the selected tags. If this option is disabled, the criterion is not applied.

       By default, this option is disabled.

   • Rules for Active Directory usage

     Select this check box to set up rules for policy profile activation on the device depending on the presence of the device in an Active Directory organizational unit (OU), or on membership of the device (or its owner) in an Active Directory security group.

     For this option, specify at the next step:

     • Device owner's membership in an Active Directory security group

       If this option is enabled, the policy profile is activated on the device whose owner is a member of the specified security group. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

     • Device membership in Active Directory security group

       If this option is enabled, the policy profile is activated on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

     • Device allocation in Active Directory organizational unit

       If this option is enabled, the policy profile is activated on the device which is included in the specified Active Directory organizational unit (OU). If this option is disabled, the profile activation criterion is not applied.

       By default, this option is disabled.

   The number of additional pages of the wizard depends on the settings that you select at the first step. You can modify policy profile activation rules later.

6. Check the list of the configured parameters. If the list is correct, click Create.

The profile will be saved. The profile will be activated on the device when activation rules are triggered.

Policy profile activation rules created for the profile are displayed in the policy profile properties on the Activation rules tab. You can modify or remove any policy profile activation rule.

Multiple activation rules can be triggered simultaneously.

Deleting a policy profile

To delete a policy profile:

1. Proceed to the list of profiles of a policy that you want.

   The list of policy profiles appears.

2. On the Policy profiles tab, select the check box next to the policy profile that you want to delete, and click Delete.
3. In the window that opens, click Delete again.

The policy profile is deleted. If the policy is inherited by a lower-level group, the profile remains in that group, but becomes the policy profile of that group. This is done to eliminate significant change in settings of the managed applications installed on the devices of lower-level groups.

Data encryption and protection

Data encryption reduces the risk of unintentional leakage in case your laptop or hard drive is stolen or lost, or upon access by unauthorized users and applications.

The following Kaspersky applications support encryption:

• Kaspersky Endpoint Security for Windows
• Kaspersky Endpoint Security for Mac

You can show or hide some of the interface elements related to the encryption management feature by using the user interface settings.

Encryption of data in Kaspersky Endpoint Security for Windows

You can manage the BitLocker Drive Encryption technology on devices running a Windows operating system for servers or workstations.

By using these components of Kaspersky Endpoint Security for Windows, you can, for example, enable or disable encryption, view the list of encrypted drives, or generate and view reports about encryption.

You configure encryption by defining policies of Kaspersky Endpoint Security for Windows in Kaspersky Security Center Cloud Console. Kaspersky Endpoint Security for Windows performs encryption and decryption according to the active policy. For detailed instructions on how to configure rules and a description of encryption features, see the Kaspersky Endpoint Security for Windows Help.

Encryption of data in Kaspersky Endpoint Security for Mac

You can use FileVault encryption on devices running macOS. While working with Kaspersky Endpoint Security for Mac, you can enable or disable this encryption.

You configure encryption by defining policies of Kaspersky Endpoint Security for Mac in Kaspersky Security Center Cloud Console. Kaspersky Endpoint Security for Mac performs encryption and decryption according to the active policy. For a detailed description of encryption features, see the Kaspersky Endpoint Security for Mac Help.

Viewing the list of encrypted drives

In Kaspersky Security Center Cloud Console, you can view details about encrypted drives and devices that are encrypted at the drive level. After the information on a drive is decrypted, the drive is automatically removed from the list.

To view the list of encrypted drives,

In the main menu, go to Operations → Data encryption and protection → Encrypted drives.

If the section is not on the menu, this means that it is hidden. In the user interface settings, enable the Show data encryption and protection option to display the section.

You can export the list of encrypted drives to a CSV or TXT file. To do this, click the Export to CSV or Export to TXT button.

Creating and viewing encryption reports

You can generate the following reports:

• Report on encryption status of managed devices. This report provides details about the data encryption of various managed devices. For example, the report shows the number of devices to which the policy with configured encryption rules applies. Also, you can find out, for instance, how many devices need to be rebooted. The report also contains information about the encryption technology and algorithm for every device.
• Report on encryption status of mass storage devices. This report contains similar information as the report on the encryption status of managed devices, but it provides data only for mass storage devices and removable drives.
• Report on rights to access encrypted drives. This report shows which user accounts have access to encrypted drives.
• Report on file encryption errors. This report contains information about errors that occurred when the data encryption or decryption tasks were run on devices.
• Report on blockage of access to encrypted files. This report contains information about blocking application access to encrypted files. This report is helpful if an unauthorized user or application tries to access encrypted files or drives.

You can generate any report in the Monitoring & reporting → Reports section. Alternatively, in the Operations → Data encryption and protection section, you can generate the following encryption reports:

• Report on encryption status of mass storage devices
• Report on rights to access encrypted drives
• Report on file encryption errors

To generate an encryption report in the Data encryption and protection section:

1. Make sure that you enabled the Show data encryption and protection option in the Interface options.
2. In the main menu, go to Operations → Data encryption and protection.
3. Open the Encrypted drives section to generate the report on encryption status of mass storage devices or the report on rights to access encrypted drives.
4. Click the name of the report that you want to generate.

The report generation starts.

Granting access to an encrypted drive in offline mode

A user can request access to an encrypted device, for example, when Kaspersky Endpoint Security for Windows is not installed on the managed device. After you receive the request, you can create an access key file and send it to the user. All of the use cases and detailed instructions are provided in the Kaspersky Endpoint Security for Windows Help.

To grant access to an encrypted drive in offline mode:

1. Get a request access file from a user (a file with the FDERTC extension). Follow the instructions in the Kaspersky Endpoint Security for Windows Help to generate the file in Kaspersky Endpoint Security for Windows.
2. In the main menu, go to Operations → Data encryption and protection → Encrypted drives.

   A list of encrypted drives appears.

3. Select the drive to which the user requested access.
4. Click the Grant access to the device in offline mode button.
5. In the window that opens, select the plug-in corresponding to the Kaspersky application that was used to encrypt the selected drive.

   If a drive is encrypted with a Kaspersky application that is not supported by Kaspersky Security Center Cloud Console, use Microsoft Management Console-based Administration Console to grant the offline access.

6. Follow the instructions provided in the Kaspersky Endpoint Security for Windows Help (see expanding blocks at the end of the section).

After that, the user applies the received file to access the encrypted drive and read data stored on the drive.

Users and user roles

This section describes users and user roles, and provides instructions for creating and modifying them, for assigning roles and groups to users, and for associating policy profiles with roles.

About user accounts

Kaspersky Security Center Cloud Console allows you to manage user accounts and groups of accounts. The application supports two types of accounts:

• Accounts of organization employees. Administration Server retrieves data of the accounts of those local users when polling the organization's network.
• Accounts of internal users of Kaspersky Security Center Cloud Console. You can create accounts of internal users. These accounts are used only within Kaspersky Security Center Cloud Console.

To view tables of user accounts and security groups:

1. In the main menu, go to Users & roles → Users & groups.
2. Select the Users or the Groups tab.

The table of users or security groups opens. By default, the opened table is filtered by the Subtype and Has assigned roles columns. The table displays internal users or groups that have assigned roles.

If you want to view the table with only the accounts of local users, set the Subtype filter criteria to Local.

If you switch to a secondary Administration Server version 14.2 or earlier, and then open the list of users or security groups, the opened table will be filtered only by the Subtype column. The filter by the Has assigned roles column will not be applied by default. The filtered table will contain all internal users or security groups with the assigned role and without it.

Adding an account of an internal user

If you want, you can add internal users of your workspace on the portal. After you add an internal user, you can assign a role to him or her in the Kaspersky Security Center Cloud Console.

About user roles

A user role (also referred to as a role) is an object containing a set of rights and privileges. A role can be associated with settings of Kaspersky applications installed on a user device. You can assign a role to a set of users or to a set of security groups at any level in the hierarchy of administration groups, Administration Servers, or at the level of specific objects.

If you manage devices through a hierarchy of Administration Servers that includes virtual Administration Servers, note that you can create, modify, or delete user roles only from a physical Administration Server. Then, you can propagate the user roles to secondary Administration Servers, including virtual ones.

You can associate user roles with policy profiles. If a user is assigned a role, this user gets security settings necessary to perform job functions.

A user role can be associated with users of devices in a specific administration group.

User role scope

A user role scope is a combination of users and administration groups. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

Advantage of using roles

An advantage of using roles is that you do not have to specify security settings for each of the managed devices or for each of the users separately. The number of users and devices in a company may be quite large, but the number of different job functions that require different security settings is considerably smaller.

Differences from using policy profiles

Policy profiles are properties of a policy that is created for each Kaspersky application separately. A role is associated with many policy profiles created for different applications. Therefore, a role is a method of uniting settings for a certain user type in one place.

Configuring access rights to application features. Role-based access control

Kaspersky Security Center Cloud Console provides facilities for role-based access to the features of Kaspersky Security Center Cloud Console and of managed Kaspersky applications.

You can configure access rights to application features for Kaspersky Security Center Cloud Console users in one of the following ways:

• By configuring the rights for each user or group of users individually.
• By creating standard user roles with a predefined set of rights and assigning those roles to users depending on their scope of duties.

Application of user roles is intended to simplify and shorten routine procedures of configuring users' access rights to application features. Access rights within a role are configured in accordance with the standard tasks and the users' scope of duties.

User roles can be assigned names that correspond to their respective purposes. You can create an unlimited number of roles in the application.

You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself.

Access rights to application features

The table below shows the Kaspersky Security Center Cloud Console features with the access rights to manage the associated tasks, reports, settings, and perform the associated user actions.

To perform the user actions listed in the table, a user has to have the right specified next to the action.

Read, Write, and Execute rights are applicable to any task, report, or setting. In addition to these rights, a user has to have the Perform operations on device selections right to manage tasks, reports, or settings on device selections.

The General features: Access objects regardless of their ACLs functional area is intended for audit purposes. When users are granted Read rights in this functional area, they get full Read access to all objects and are able to execute any created tasks on selections of devices connected to the Administration Server via Network Agent with local administrator rights (root for Linux). We recommend granting these rights carefully and to a limited set of users who need them to perform their official duties.

All tasks, reports, settings, and installation packages that are missing in the table belong to the General features: Basic functionality functional area.

Access rights to application features

Predefined user roles

User roles assigned to Kaspersky Security Center Cloud Console users provide them with sets of access rights to application features.

Users created on a virtual Server cannot be assigned a role on the Administration Server.

You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself. Some of the predefined user roles available in Kaspersky Security Center Cloud Console can be associated with specific job positions, for example, Auditor, Security Officer, Supervisor (these roles are present in Kaspersky Security Center Cloud Console starting from the version 11). Access rights of these roles are pre-configured in accordance with the standard tasks and scope of duties of the associated positions. The table below shows how roles can be associated with specific job positions.

Examples of roles for specific job positions

The table below shows the access rights assigned to each predefined user role.

Access rights of predefined user roles