Kaspersky applications initial deployment

This section describes the initial deployment of Kaspersky applications on client devices in your organization.

Scenario: Kaspersky applications initial deployment

This scenario describes how to install Kaspersky applications on client devices in Kaspersky Security Center Cloud Console. First, you must deploy distribution points on your network. Then, by means of the distribution points, you must perform network polling and discover networked devices on your network. After that, you can deploy Kaspersky applications on networked devices.

When the scenario is complete, the Kaspersky applications are deployed on the selected client devices in your organization's network. You can manage all the devices with Kaspersky applications installed.

Prerequisites

Before you start, make sure that the following prerequisites are met:

• The quick start wizard has finished.
• Network Agent and security applications installation packages are created.
• The address https://aes.s.kaspersky-labs.com/endpoints/ is included in managed device firewall exceptions.
• You have information about internet settings for client devices in your organization, information about the gateway, and proxy server settings.
• Client devices in your organization are not encrypted.

Stages

The Kaspersky applications initial deployment proceeds in stages:

1. Selecting a device to act as a distribution point

   In Kaspersky Security Center Cloud Console, a distribution point is intended for:

   • Network polling and device discovery
   • Remote installation of Network Agent on client devices
   • Connection of client devices to Administration Server (when a distribution point is acting as a connection gateway)

   Select a device on your organization's network to act as a distribution point for an

   administration group

   A set of devices grouped by function and by installed Kaspersky applications. Devices are grouped as a single entity for the convenience of management. A group can include other groups. Group policies and group tasks can be created for each installed application in the group.

   . The selected device must meet the requirements for distribution point. Depending on the amount of client devices in your organization's network, select the correct number of devices to act as distribution points.

2. Creating a stand-alone installation package for Network Agent

   Create a stand-alone installation package for Network Agent to install on the distribution point.

   If your client devices do not have direct internet access to connect to Administration Server, in the Network Agent installation package settings, configure the connection gateway and proxy server settings.

3. Installing Network Agent on the selected device to act as a distribution point

   Deliver the stand-alone installation package for Network Agent to the selected device by any method. For example, you can copy the stand-alone installation package to a removable drive (such as a flash drive), or place it in a shared folder.

   In the Properties window of the stand-alone installation package file, verify that the stand-alone installation package for Network Agent is signed by Kaspersky.

   Run the installation of the stand-alone installation package for Network Agent on the selected device. Network Agent is now installed according to the settings of the Network Agent installation package and is connected to Administration Server. The device with Network Agent is placed in the administration group that was specified when the stand-alone installation package for Network Agent was created.

   If you install Network Agent by using a stand-alone installation package on a device running Microsoft Windows XP Professional for Embedded Systems 32-bit, the installation fails. To resolve this issue, preliminarily install the update KB2868626 for Windows XP from the Microsoft website: https://www.catalog.update.microsoft.com/Search.aspx?q=KB2868626.

4. Assigning the device with Network Agent installed to act as a distribution point

   Assign the device with Network Agent installed to act as a distribution point.

5. Configuring and performing network polling for the distribution point

   Configure network polling for the distribution point with the Network Agent installed. As an option, you can configure network polling in the Network Agent policy.

   After network polling according to schedule is complete, the client devices connected to your organization's network are discovered and placed in the Unassigned devices group.

6. Creating installation packages for Network Agent and managed Kaspersky applications

   If you did not start the quick start wizard, or skipped the step of creating installation packages, create installation packages for Kaspersky applications. You must create installation packages both for Network Agent and for managed Kaspersky applications appropriate for the operating system installed on client devices on your organization's network.

7. Removing third-party security applications

   If third-party security applications are installed on client devices on your organization's network, remove them before installing the Kaspersky application.

8. Installing Kaspersky applications on client devices

   Create tasks to install Network Agent and managed Kaspersky applications on client devices on your organization's network. When creating the tasks, use the Install application remotely task type. For the task to install Network Agent, use the Using operating system resources through distribution points option. For the task to install managed Kaspersky applications, use the Using Network Agent option. After the tasks are created, you can configure their settings. Make sure that the schedule for each task meets your requirements. First, the task to install Network Agent must be run. Then, after Network Agent is installed on client devices, the task to install managed Kaspersky applications must be run.

   As an option, you can create one remote installation task to install Network Agent and managed Kaspersky applications on client devices on your organization's network. In this case, in the Installation packages block, use the Select installation package option and the Select Network Agent option; in the Force installation package download block, use the Using operating system resources through distribution points option.

   You also can create several remote installation tasks to install managed Kaspersky applications for different administration groups or different device selections.

   If you have client devices that are out of the network with distribution point, for example, laptops of remote users, you must create and deliver the Network Agent stand-alone installation package to those client devices by any method. Install Network Agent stand-alone installation package locally on those client devices. Then you can install managed Kaspersky applications on those remote users' devices following the same instructions as for other devices discovered by the distribution point.

   Run the remote installation tasks.

   As an option, to install Kaspersky applications, you can start the Protection deployment wizard.

9. Installing Kaspersky Security for Mobile

   If you plan to manage corporate mobile devices, follow the instructions provided in the Kaspersky Security for Mobile Help for information about deployment of Kaspersky Endpoint Security for Android.

10. Verifying initial deployment of Kaspersky applications

    Generate and view the Report on Kaspersky application versions. Make sure that the managed Kaspersky applications are installed on all client devices in your organization.

For the full disk encryption, Kaspersky Security Center Cloud Console supports only BitLocker.

Creating installation packages for Kaspersky applications

To deploy Kaspersky applications on networked devices in your organization, you must create installation packages of Kaspersky applications in Kaspersky Security Center Cloud Console.

To create a Kaspersky application installation package:

1. Do one of the following:
   • In the main menu, go to Discovery & deployment → Deployment & assignment → Installation packages.
   • In the main menu, go to Operations → Repositories → Installation packages.

   You can also view notifications about new packages in the list of onscreen notifications. If there are notifications about a new package, you can click the link next to the notification and proceed to the list of available installation packages.

   A list of installation packages available on the Administration Server is displayed.

2. Click Add.

   The New package wizard starts. Proceed through the wizard by using the Next button.

3. Select Create an installation package for a Kaspersky application.

   A list of distribution packages available on Kaspersky web servers appears.

4. Click the name of a distribution package, for example, Kaspersky Endpoint Security for Windows (<version number>).

   A window opens with information about the distribution package.

5. Read the information and click the Download and create installation package button.

   If a distribution package cannot be automatically converted to an installation package, the Download distribution package button is displayed instead of the Download and create installation package button. In this case, download the distribution package, and then use the downloaded file to create a custom installation package.

   The download of the installation package starts. You can close the wizard's window or proceed to the next step of the instruction. If you close the wizard's window, the download process will continue in background mode.

   If you want to track an installation package download process:

   1. In the main menu, go to Operations → Repositories → Installation packages → In progress ().
   2. Track the operation progress in the Download progress column and the Download status column of the table.

   When the process is complete, the installation package is added to the list on the Downloaded tab. If the download process stops and the download status switches to Accept EULA, then click the installation package name, and then proceed to the next step of the instruction.

   If you plan to perform migration from Kaspersky Security Center Web Console to Kaspersky Security Center Cloud Console and your organization's security regulations require the use of proxy when accessing the corporate network, this may affect the migration process. After you create a Network Agent installation package, you must specify the proxy settings to ensure connection between the Network Agent instances on managed devices and your Kaspersky Security Center Cloud Console workspace:

   1. Click the installation package name.
   2. In the installation package properties window that opens, go to the Settings tab.
   3. Open the Connection section.
   4. Select the Use proxy server option and fill in the Proxy server address and Proxy server port fields.
6. For some Kaspersky applications, during the download process the Show EULA button is displayed. If it is displayed, do the following:
   1. Click the Show EULA button to read the End User License Agreement (EULA).
   2. Read the EULA, which is displayed on the screen, and click the Accept button.

      The download continues after you accept the EULA. If you click Decline, the download is stopped.

7. When the download is complete, click the Close button () to close the window with information about the distribution package.

The installation package is created. The installation package appears in the list of installation packages.

You cannot add an installation package with the same localization language several times. For example, if you already added the Kaspersky Endpoint Security for Windows (English) installation package, you can add Kaspersky Endpoint Security for Windows installation packages localized in other languages, except English.

Distributing installation packages to secondary Administration Servers

To distribute installation packages to secondary Administration Servers:

1. Establish a connection with the Administration Server that controls the relevant secondary Administration Servers.
2. Create a task of installation package distribution to secondary Administration Servers in one of the following ways:
   • If you want to create a task for secondary Administration Servers in the selected administration group, launch the creation of a group task for this group.
   • If you want to create a task for specific secondary Administration Servers, launch the creation of a task for specific devices.

   The New task wizard starts. Follow the instructions of the wizard.

   In the New task window of the New task wizard, in the Task type field select Distribute installation package. You can also edit the default name of the task in the Task name field.

   At the next step, specify the secondary Administration Servers for the task scope and follow the instructions of the New task wizard. When you finish, the New task wizard will create the task of distributing the selected installation packages to specific secondary Administration Servers.

   When you create the Distribute installation package task for secondary Administration Servers running on-premises, the distribution scope—aside from custom installation packages—will only include the installation packages of Kaspersky applications that are supported by Kaspersky Security Center Web Console running on-premises, regardless of which distribution option has been selected (All installation packages or Selected installation packages).

3. Run the task manually or wait for it to launch according to the schedule you specified in the task settings.

The selected installation packages will be copied to the specific secondary Administration Servers.

Creating a stand-alone installation packages for Network Agent

You and device users in your organization can use stand-alone installation packages to install Network Agent on devices locally. Stand-alone installation packages can be created for devices running Windows, Linux, or macOS.

In Kaspersky Security Center Cloud Console, you can create stand-alone installation packages only for Network Agent.

A stand-alone installation package is an executable file that can be sent by email, or transferred to a client device by another method. The received file can be run locally on the client device to install Network Agent without involving Kaspersky Security Center Cloud Console.

For Network Agent for Linux and Network Agent for macOS, the stand-alone installation package is a script file with the .sh extension. When you run this file, the script unpacks the attached archive, which contains the installation package and its settings, and then starts the installation.

If you install Network Agent by using a stand-alone installation package on a device running Microsoft Windows XP Professional for Embedded Systems 32-bit, the installation fails. To resolve this issue, preliminarily install the update KB2868626 for Windows XP from the Microsoft website: https://www.catalog.update.microsoft.com/Search.aspx?q=KB2868626.

For authentication reasons, each stand-alone installation package is signed by using a certificate. The certificate is reissued from time to time. After each procedure of certificate reissue, Kaspersky Security Center Cloud Console automatically updates the signatures of all created stand-alone installation packages. For downloaded stand-alone installation packages, an automatic signature update cannot be performed. Therefore, the certificate expires and a certificate error might occur while you install an application from a stand-alone installation package. In this case, download the stand-alone installation package again.

To create a stand-alone installation package:

1. Do one of the following:
   • In the main menu, go to Discovery & deployment → Deployment & assignment → Installation packages.
   • In the main menu, go to Operations → Repositories → Installation packages.

   A list of installation packages is displayed. If the Network Agent installation package is not in the list, create this installation package manually.

2. In the list of installation packages, click the name of the Network Agent installation package.

   The properties window of the Network Agent installation package is displayed.

3. Configure settings of the Network Agent installation package, if necessary, and close the properties window of the Network Agent installation package.
4. In the list of installation packages, select an installation package and, above the list, click the Deploy button.
5. Select the Using a stand-alone package option.

   The Stand-alone installation package creation wizard starts. Proceed through the wizard by using the Next button.

6. Make sure that the Install Network Agent together with this application option is enabled, if you want to install Network Agent together with the selected application.

   By default, this option is enabled. It is recommended to enable this option if you are not sure whether Network Agent is installed on the device. If Network Agent is already installed on the device, after the stand-alone installation package with Network Agent is installed Network Agent will be updated to the newer version.

   If you disable this option, Network Agent will not be installed on the device and the device will be unmanaged.

   If a stand-alone installation package for the selected application already exists on Administration Server, the wizard informs you about this fact. In this case, you must select one of the following actions:

   • Create stand-alone installation package. Select this option, for example, if you want to create a stand-alone installation package for a new application version and also want to retain a stand-alone installation package that you created for a previous application version. The new stand-alone installation package is placed in another folder.
   • Use existing stand-alone installation package. Select this option if you want to use an existing stand-alone installation package. The process of package creation will not be started.
   • Rebuild existing stand-alone installation package. Select this option if you want to create a stand-alone installation package for the same application again. The stand-alone installation package is placed in the same folder.
7. On the Move to list of managed devices step, the Do not move devices option is selected by default. If you do not want to move the client device to any administration group after Network Agent installation, do not change choice of option.

   If you want to move client device after Network Agent installation, select the Move unassigned devices to this group option and specify an administration group to which you want to move the client device. By default, the device is moved to the Managed devices group.

8. Select the Open the list of stand-alone packages option if you want the list of stand-alone installation packages to be displayed after the wizard is finished.
9. Click the Finish button.

   The Stand-alone installation package creation wizard closes.

The Network Agent stand-alone installation package is created. The created stand-alone installation package is displayed in the list of stand-alone installation packages, which you can view.

Viewing the list of stand-alone installation packages

You can view the list of stand-alone installation packages and properties of each stand-alone installation package.

To view the list of stand-alone installation packages for all installation packages:

1. Do one of the following:
   • In the main menu, go to Discovery & deployment → Deployment & assignment → Installation packages.
   • In the main menu, go to Operations → Repositories → Installation packages.

   A list of installation packages is displayed.

2. Above the list, click the View the list of stand-alone packages button.

A list of stand-alone installation packages is displayed.

In the list of stand-alone installation packages, their properties are displayed as follows:

• Package name. Stand-alone installation package name that is automatically formed as the application name included in the package and the application version.
• Network Agent installation package name.
• Network Agent version.
• Size. File size in megabytes (MB).
• Group. Name of the group to which the client device is moved after Network Agent installation.
• Created. Date and time of the stand-alone installation package creation.
• Modified. Date and time of the stand-alone installation package modification.
• File hash. The property is used to certify that the stand-alone installation package was not changed by third-party persons and a user has the same file that you created and transferred to the user.

To view the list of stand-alone installation packages for specific installation package:

Select the installation package in the list and, above the list, click the View the list of stand-alone packages button.

In the list of stand-alone installation packages, you can do the following:

• Download a stand-alone installation package to your device by clicking the Download button.

  For authentication reasons, each stand-alone installation package is signed by using a certificate. The certificate is reissued from time to time. After each procedure of certificate reissue, Kaspersky Security Center Cloud Console automatically updates the signatures of all created stand-alone installation packages. For downloaded stand-alone installation packages, an automatic signature update cannot be performed. Therefore, the certificate expires and a certificate error might occur while you install an application from a stand-alone installation package. In this case, download the stand-alone installation package again.

• Remove a stand-alone installation package by clicking the Remove button.

Creating custom installation packages

You can use custom installation packages for the following:

• To install any application (for example, a text editor) on a client device involving Kaspersky Security Center Cloud Console, for example by means of a task.
• To create a stand-alone installation package.

A custom installation package is a folder with a set of files, including an executable file. A source to create a custom installation package is an archive file. The archive file contains file or files that have to be included in the custom installation package. Creating a custom installation package, you can specify command-line options, for example, to install the application in a silent mode.

You cannot create custom installation packages in the trial mode of Kaspersky Security Center Cloud Console.

To create a custom installation package:

1. Do one of the following:
   • In the main menu, go to Discovery & deployment → Deployment & assignment → Installation packages.
   • In the main menu, go to Operations → Repositories → Installation packages.

   A list of installation packages available on the Administration Server is displayed.

2. Click Add.

   The New package wizard starts. Proceed through the wizard by using the Next button.

3. Select Create an installation package from a file.
4. Specify the installation package name and click the Browse button.

   A standard Open window lets you choose an archive file to create the installation package.

5. Select an archive file located on the available disks.

   You can upload a ZIP, CAB, TAR, or TAR.GZ archive file. It is not possible to create an installation package from an SFX (self-extracting archive) file.

   Files are downloaded to the Kaspersky Security Center Cloud Console Administration Server.

   If Administration Server detects that the archive includes Kaspersky application, an error message is displayed. You can download installation packages for Kaspersky applications from Kaspersky Web Servers. This operation is available by selecting Operations → Kaspersky applications → Current application versions.

6. If the selected archive file includes several executable files, select one executable file that has to be run to install the application using the created installation package.
7. If you want, specify an executable file command-line parameters.

   You can specify command-line parameters to install the application from the installation package in silent mode. Refer to the application vendor's documentation for details of the command-line parameters.

   Creation of the installation package starts.

   The wizard informs you when the process is finished.

   If the installation package is not created, an error message is displayed.

   In Kaspersky Security Center Cloud Console, the total size of all installation packages on the Administration Server is limited to 500 MB. If in the process of creating an installation package the total size limit is exceeded, delete the installation packages created earlier. The size of an installation package is displayed in its properties.

8. Click the Finish button to close the wizard.

The created custom installation package is downloaded to the Administration Server. After downloading, the installation package appears in the list of installation packages.

In the list of installation packages, you can view the following properties of a custom installation package:

• Name. Custom installation package name.
• Source. Application vendor name.
• Application. Application name packed into the custom installation package.
• Version. Application version.
• Language. Language of the application packed into the custom installation package.
• Size (MB). Size of the custom installation package.
• Operating system. Operating system for which the custom installation package is created.
• Created. Installation package creation date.
• Modified. Installation package modification date.
• Type. Kaspersky application or third-party application.

In the list of installation packages, by clicking the link with the name of a custom installation package, you can change command-line parameters and the custom installation package name.

Requirements for a distribution point

To handle up to 10,000 client devices, a distribution point must meet, at a minimum, the following requirements (a configuration for a test stand is provided):

• CPU:  Intel Core i7-7700 CPU, 3.60 GHz 4 cores.
• RAM: 8 GB.
• Free storage space: 120 GB.

In addition, a distribution point must have internet access and must always be connected.

If any remote installation tasks are pending on the Administration Server, the device with the distribution point will also require an amount of free disk space that is equal to the total size of the installation packages to be installed.

If one or multiple instances of the task for update (patch) installation and vulnerability fix are pending on the Administration Server, the device with the distribution point will also require additional free disk space, equal to twice the total size of all patches to be installed.

Network Agent installation package settings

Expand all | Collapse all

To configure a Network Agent installation package:

1. Do one of the following:
   • In the main menu, go to Discovery & deployment → Deployment & assignment → Installation packages.
   • In the main menu, go to Operations → Repositories → Installation packages.

   A list of installation packages available on the Administration Server is displayed.

2. Click the link with the name of the Network Agent installation package.

The properties window of the Network Agent installation package opens. The information in the window is grouped on tabs and in sections.

General

The General section displays general information about the installation package:

• Installation package name
• Name and version of the application for which the installation package has been created
• Installation package size
• Installation package creation date
• Path to the installation package folder

Settings

This section presents the settings required to ensure proper functioning of Network Agent immediately after it is installed. The settings in this section are available only on devices running Windows.

In the Destination folder group of settings, you can select the client device folder in which Network Agent will be installed.

• Install in default folder

  If this option is selected, Network Agent will be installed in the <Drive>:\Program Files\Kaspersky Lab\NetworkAgent folder. If this folder does not exist, it will be created automatically.

  By default, this option is selected.

• Install in specified folder

  If this option is selected, Network Agent will be installed in the folder specified in the entry field.

In the following group of settings, you can set a password for the Network Agent remote uninstallation task:

• Use uninstallation password

  If this option is enabled, by clicking the Modify button you can enter the uninstall password (only available for Network Agent on devices running Windows operating systems).

  By default, this option is disabled.

• Status
• Protect Network Agent service against unauthorized removal or termination, and prevent changes to the settings

  When this option is enabled, after Network Agent is installed on a managed device, the component cannot be removed or reconfigured without required privileges. The Network Agent service cannot be stopped. This option has no effect on domain controllers.

  Enable this option to protect Network Agent on workstations operated with local administrator rights.

  By default, this option is disabled.

• Automatically install applicable updates and patches for components that have the Undefined status

  If this check box is selected, all downloaded updates and patches for Network Agent will be installed automatically.

  If this check box is cleared, all downloaded updates and patches will only be installed after you change their status to Approved. Updates and patches with Undefined status will not be installed.

  By default, this check box is selected.

Connection

In this section, you can configure connection of Network Agent to the Administration Server:

• Use UDP port

  UDP port number

  In this field you can specify the port to connect Administration Server to Network Agent using UDP protocol.

  The default UDP port is 15000.

• Open Network Agent ports in Microsoft Windows Firewall

  If this option is enabled, the ports used by Network Agent are added to the Microsoft Windows Firewall exclusion list.

  By default, this option is enabled.

• Do not use proxy server
• Use proxy server

  Proxy server address

  Proxy server port

• Proxy server authentication

  If this option is enabled, in the entry fields you can specify the credentials for proxy server authentication.

  We recommend that you specify the credentials of an account that has minimum privileges required only for the proxy server authentication.

  By default, this option is disabled.

  User name

  User name of the account under which connection to the proxy server is established.

  We recommend that you specify the credentials of an account that has minimum privileges required only for the proxy server authentication.

  Password

  Password of the account under which connection to the proxy server is established.

  We recommend that you specify the credentials of an account that has minimum privileges required only for the proxy server authentication.

For compatibility purposes, it is not recommended to specify proxy connection settings in the Network Agent installation package settings.

Advanced

In this section, you can configure how the connection gateway and virtual machine are used, as well as whether to register a user as a device owner:

• Connect to Administration Server by using a connection gateway
• Connection gateway address
• Enable dynamic mode for VDI

  If this option is enabled, dynamic mode for Virtual Desktop Infrastructure (VDI) will be enabled for Network Agent installed on a virtual machine.

  By default, this option is disabled.

• Optimize settings for VDI

  If this option is enabled, the following features are disabled in the Network Agent settings:

  • Retrieving information about software installed
  • Retrieving information about hardware
  • Retrieving information about vulnerabilities detected
  • Retrieving information about updates required

  By default, this option is disabled.

• Allow running the user registration utility after Network Agent installation

  If this option is enabled, the user registration as a device owner utility will run after Network Agent installation. By default, this option is disabled.

Additional components

In this section you can select additional components for concurrent installation with Network Agent.

Tags

The Tags section displays a list of keywords (tags) that can be added to client devices after Network Agent installation. You can add and remove tags from the list, as well as rename them.

If the check box is selected next to a tag, this tag is automatically added to managed devices during Network Agent installation.

If the check box is cleared next to a tag, the tag will not automatically be added to managed devices during Network Agent installation. You can manually add this tag to devices.

When removing a tag from the list, it is automatically removed from all devices to which it was added.

Revision history

In this section, you can view the history of the installation package revisions. You can compare revisions, view revisions, save revisions to a file, and add and edit revision descriptions.

Network Agent installation package settings available to a specific operating system are given in the table below.

Network Agent installation package settings

Virtual infrastructure

Kaspersky Security Center Cloud Console supports the use of virtual machines. To protect your virtual infrastructure, you need to install Network Agent on each virtual machine.

Tips on reducing the load on virtual machines

When installing Network Agent on a virtual machine, you are advised to consider disabling some Kaspersky Security Center Cloud Console features that seem to be of little use for virtual machines.

When installing Network Agent on a virtual machine or on a template intended for generation of virtual machines, we recommend the following actions:

• If you are running a remote installation, in the properties window of the Network Agent installation package, in the Advanced section, select the Optimize settings for VDI option.
• If you are running an interactive installation through a wizard, in the wizard window, select the Optimize the Network Agent settings for the virtual infrastructure option.

Selecting those options alters the settings of Network Agent so that the following features remain disabled by default (before a policy is applied):

• Retrieving information about software installed
• Retrieving information about hardware
• Retrieving information about vulnerabilities detected
• Retrieving information about updates required

Usually, those features are not necessary on virtual machines because they use uniform software and virtual hardware.

Disabling the features is invertible. If any of the disabled features is required, you can enable it through the policy of Network Agent, or through the local settings of Network Agent. The local settings of Network Agent are available through the context menu of the relevant device in Administration Console.

Support of dynamic virtual machines

Kaspersky Security Center Cloud Console supports dynamic virtual machines. If a virtual infrastructure has been deployed on the organization's network, dynamic (temporary) virtual machines can be used in certain cases. The dynamic VMs are created under unique names based on a template that has been prepared by the administrator. The user works on a VM for a while and then, after being turned off, this virtual machine will be removed from the virtual infrastructure. The virtual machine with installed Network Agent is also added to the Administration Server database. After you turn off this virtual machine, the corresponding entry must also be removed from the database of Administration Server.

To make functional the feature of automatic removal of entries on virtual machines, when installing Network Agent on a template for dynamic virtual machines, select the Enable dynamic mode for VDI option:

• For remote installation—In the properties window of the installation package of Network Agent (Advanced section)
• For interactive installation—In the Network Agent installation wizard

Avoid selecting the Enable dynamic mode for VDI option when installing Network Agent on physical devices.

If you want events from dynamic virtual machines to be stored on the Administration Server for a while after you remove those virtual machines, then, in the Administration Server properties window, in the Events repository section, select the Store events after devices are deleted option and specify the maximum storage term for events (in days).

Support of virtual machines copying

Kaspersky Security Center Cloud Console supports copying a virtual machine with installed Network Agent or creating one from a template with installed Network Agent.

Network Agent can automatically detect copying of virtual machines in the following cases:

• The Enable dynamic mode for VDI option was selected when Network Agent was installed—After each restart of the operating system, this virtual machine will be recognized as a new device, regardless of whether it has been copied or not.
• One of the following hypervisors is in use: VMware, HyperV, or Xen: Network Agent detects the copying of the virtual machine by the changed IDs of the virtual hardware.

Analysis of changes in virtual hardware is not absolutely reliable. Before applying this method widely, you must test it on a small pool of virtual machines for the version of the hypervisor currently used in your organization.

Usage of Network Agent for Windows, Linux, and macOS: Comparison

Network Agent for macOS and Linux has several functional limitations compared to Network Agent for Windows. The Network Agent policy and installation package settings also differ depending on the operating system. The table below compares Network Agent features and usage scenarios available for Windows, macOS, and Linux operating systems.

Network Agent feature comparison

The following sections are displayed in the distribution point properties, but the corresponding features are not supported by Network Agent for macOS:

• Source of updates
• KSN proxy server
• Windows domains
• Active Directory
• IP ranges
• Advanced
• Statistics

Specifying settings for remote installation on Unix devices

Expand all | Collapse all

When you install an application on a Unix device by using a remote installation task, you can specify Unix-specific settings for the task. These settings are available in the task properties after the task is created.

To specify Unix-specific settings for a remote installation task:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Click the name of the remote installation task for which you want to specify the Unix-specific settings.

   The task properties window opens.

3. Go to Application settings → Unix-specific settings.
4. Specify the following settings:
   • Set a password for the root account (only for deployment through SSH)

     If the sudo command cannot be used on the target device without specifying the password, select this option, and then specify the password for the root account. Kaspersky Security Center Cloud Console transmits the password in an encrypted form to the target device, decrypts the password, and then starts the installation procedure on behalf of the root account with the specified password.

     Kaspersky Security Center Cloud Console does not use the account or the specified password to create an SSH connection.

   • Specify the path to a temporary folder with Execute permissions on the target device (only for deployment through SSH)

     If the /tmp directory on the target device does not have the execute permission, select this option, and then specify the path to the directory with the execute permission. Kaspersky Security Center Cloud Console uses the specified directory as a temporary directory to access via SSH. The application places the installation package in the directory and runs the installation procedure.

5. Click the Save button.

The specified task settings are saved.

Replacing third-party security applications

Installation of Kaspersky security applications through Kaspersky Security Center Cloud Console may require removal of third-party software incompatible with the application being installed. Kaspersky Security Center Cloud Console provides several ways of removing the third-party applications.

Removing incompatible applications when configuring remote installation of an application

You can enable the Uninstall incompatible applications automatically option when you configure remote installation of a security application. You can find this option in the Protection deployment wizard. When this option is enabled, Kaspersky Security Center Cloud Console removes incompatible applications before installing a security application on a managed device.

Removing incompatible applications through a dedicated task

To remove incompatible applications through a task, use the Uninstall application remotely task. This task should be run on devices before the security application installation task. For example, in the installation task you can select On completing another task as the schedule type where the other task is Uninstall application remotely.

This method of uninstallation is useful when the security application installer cannot properly remove an incompatible application.

Options for manual installation of applications

You can install Network Agent on devices locally without involving Kaspersky Security Center Cloud Console. To do this, create a stand-alone installation package for Network Agent as described in the following topic: Creating stand-alone installation packages. Transfer the package to your client device and install it. Once the installation of the Network Agent is completed, you can use the device as a distribution point.

Forced deployment through the remote installation task of Kaspersky Security Center Cloud Console

To perform the initial deployment of Network Agent or other applications, you can force installation of selected installation packages by using the remote installation task of Kaspersky Security Center Cloud Console—provided that each device has a user account(s) with local administrator rights.

In case of initial deployment, Network Agent is not installed. Therefore, in the settings of the remote installation task, you cannot select distribution of files required for application installation by using Network Agent. You can only choose to distribute files by using operating system resources through distribution points.

You must specify an account that has access to the admin$ share in the settings of the remote installation task.

You can specify target devices either explicitly (with a list), by selecting the Kaspersky Security Center Cloud Console administration group to which they belong; or by creating a selection of devices based upon a specific criterion. The installation start time is defined by the task schedule. If the Run missed tasks setting is enabled in the task properties, the task can be run either immediately after target devices are turned on or when they are moved to the target administration group.

Forced installation consists of delivering installation packages to target devices, subsequent copying of files to the admin$ resource on each of the target devices, and remote registration of supporting services on those devices. Delivery of installation packages to target devices is performed through a Kaspersky Security Center Cloud Console feature that ensures network interaction. The following conditions must be met in this case:

• Target devices are accessible from the distribution point side.
• Name resolution for target devices functions properly on the network.
• The administrative shares (admin$) remain enabled on target devices.
• The following system services are running on target devices:
  • Server (LanmanServer)

    By default, this service is running.

  • DCOM Server Process Launcher (DcomLaunch)
  • RPC Endpoint Mapper (RpcEptMapper)
  • Remote Procedure Call (RpcSs)
• Port TCP 445 is open on target devices to enable remote access through Windows Management Instrumentation.

  TCP 139, UDP 137, and UDP 138 are used by older protocols and are no longer necessary for current applications.

  Dynamic outbound access ports must be allowed on the firewall for connections from the distribution points to target devices.

• The Active Directory domain policy security settings are allowed to provide the operation of the NTLM protocol during the deployment of Network Agent.
• On target devices running Microsoft Windows XP, Simple File Sharing mode is disabled.
• On target devices, the access sharing and security model are set as Classic – local users authenticate as themselves. It can in no way be Guest only – local users authenticate as Guest.
• Target devices are members of the domain, or uniform accounts with administrator rights are created on target devices in advance.

To successfully deploy Network Agent or other applications to a device that is not joined to a Windows Server 2003 or later Active Directory domain, you must disable remote UAC on that device. Remote UAC is one of the reasons that prevent local administrative accounts from accessing admin$, which is necessary for forced deployment of Network Agent or other applications. Disabling remote UAC does not affect local UAC.

During installation on new devices that have not yet been allocated to any of the Kaspersky Security Center Cloud Console administration groups, you can open the remote installation task properties and specify the administration group to which devices will be moved after Network Agent installation.

When creating a group task, keep in mind that each group task affects all devices in all nested groups within a selected group. Therefore, you must avoid duplicating installation tasks in subgroups.

A simplified way to create tasks for forced installation of applications is automatic installation. To do this, you must open the administration group properties, open the list of installation packages, and then select the ones that must be installed on devices in this group. As a result, the selected installation packages will be automatically installed on all devices in this group and all of its subgroups. The time interval over which the packages will be installed depends on the network throughput and the total number of networked devices.

Devices acting as distribution points must meet the requirements for distribution points. You have to make sure that distribution points are present in each of the isolated subnets hosting target devices.

The free disk space in the partition with the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit folder must exceed, by many times, the total size of the distribution packages of installed applications.

Protection deployment wizard

To install Kaspersky applications, you can use the Protection deployment wizard. The Protection deployment wizard enables remote installation of applications either through specially created installation packages or directly from a distribution package.

The Protection deployment wizard performs the following actions:

• Downloads an installation package for application installation (if it was not created earlier). The installation package is located at Discovery & deployment → Deployment & assignment → Installation packages. You can use this installation package for the application installation in the future.
• Creates and runs a remote installation task for specific devices or for an administration group. The newly created remote installation task is stored in the Tasks section. You can later start this task manually. The task type is Install application remotely.

Step 1. Starting Protection deployment wizard

To start the Protection deployment wizard manually,

In the main menu, go to Discovery & deployment → Deployment & assignment → Protection deployment wizard.

The Protection deployment wizard starts. Proceed through the wizard by using the Next button.

Step 1. Selecting the installation package

Select the way you want to install the selected installation package:

• Remote installation by Kaspersky Security Center
• Remote installation by Microsoft Azure API

After that, select the installation package of the application that you want to install.

If the installation package of the required application is not listed, click the Add button and then select the application from the list.

Step 2. Selecting Network Agent version

If you selected the installation package of an application other than Network Agent, you also have to install Network Agent, which connects the application with Kaspersky Security Center Administration Server.

Select the latest version of Network Agent.

Step 3. Selecting devices

Expand all | Collapse all

Specify a list of devices on which the application will be installed:

• Install on managed devices

  If this option is selected, the remote installation task is created for a group of devices.

• Select devices for installation

  The task is assigned to devices included in a device selection. You can specify one of the existing selections.

  For example, you may want to use this option to run a task on devices with a specific operating system version.

Step 4. Specifying the remote installation task settings

Expand all | Collapse all

On the "Remote installation" task settings page, specify the settings for remote installation of the application.

In the Force installation package download settings group, specify how files that are required for the application installation are distributed to client devices:

• Using Network Agent

  If this option is enabled, installation packages are delivered to client devices by Network Agent installed on those client devices.

  If this option is disabled, installation packages are delivered using the operating system tools of client devices.

  We recommend that you enable this option if the task has been assigned to devices with Network Agents installed.

  By default, this option is enabled.

• Using operating system resources through distribution points

  If this option is enabled, installation packages are transmitted to client devices using operating system tools through distribution points. You can select this option if there is at least one distribution point on the network.

  If the Using Network Agent option is enabled, the files are delivered using operating system tools only if Network Agent tools are unavailable.

  By default, this option is enabled for remote installation tasks that have been created on a virtual Administration Server.

Define the additional setting:

Do not re-install application if it is already installed

Password to uninstall the current Kaspersky application

Step 5. Restart management

Expand all | Collapse all

Specify the action to be performed if the operating system must be restarted when you install the application:

• Do not restart the device

  Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

• Restart the device

  Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

• Prompt user for action

  The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

  By default, this option is selected.

  • Repeat prompt every (min)

    If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

    By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

    If this option is disabled, the prompt is displayed only once.

  • Restart after (min)

    After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

    By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

• Force closure of applications in blocked sessions

  Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

  If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

  If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

  By default, this option is disabled.

Step 6. Removing incompatible applications before installation

This step is only present if the application that you deploy is known to be incompatible with some other applications.

Select the option if you want Kaspersky Security Center Cloud Console to automatically remove applications that are incompatible with the application you deploy.

The list of incompatible applications is also displayed.

If you do not select this option, the application will only be installed on devices that have no incompatible applications.

Step 7. Moving devices to Managed devices

Expand all | Collapse all

Specify whether devices must be moved to an administration group after Network Agent installation.

• Do not move devices

  The devices remain in the groups in which they are currently located. The devices that have not been placed in any group remain unassigned.

• Move unassigned devices to group

  The devices are moved to the administration group that you select.

The Do not move devices option is selected by default. For security reasons, you might want to move the devices manually.

Step 8. Selecting accounts to access devices

Expand all | Collapse all

If necessary, add the accounts that will be used to start the remote installation task:

• No account required (Network Agent installed)

  If this option is selected, you do not have to specify the account under which the application installer will be run. The task will run under the account under which the Administration Server service is running.

  If Network Agent has not been installed on client devices, this option is unavailable.

• Account required (Network Agent is not used)

  Select this option if Network Agent is not installed on the devices for which you assign the remote installation task. In this case, you can specify a user account or an SSH certificate to install the application.

  • Local Account. If this option is selected, specify the user account under which the application installer will be run. Click the Add button, select Local Account, and then specify the user account credentials.

    You can specify multiple user accounts if, for example, none of them have all the required rights on all devices for which you assign the task. In this case, all added accounts are used for running the task, in consecutive order, top-down.

  • SSH certificate. If you want to install an application on a Linux-based client device, you can specify an SSH certificate instead of a user account. Click the Add button, select SSH certificate, and then specify the private and public keys of the certificate.

    To generate a private key, you can use the ssh-keygen utility. Note that Kaspersky Security Center Cloud Console supports the PEM format of private keys, but the ssh-keygen utility generates SSH keys in the OPENSSH format by default. The OPENSSH format is not supported by Kaspersky Security Center Cloud Console. To create a private key in the supported PEM format, add the -m PEM option in the ssh-keygen command. For example:

    ssh-keygen -m PEM -t rsa -b 4096 -C "<user email>"

Step 9. Starting installation

This page is the final step of the wizard. At this step, the Remote installation task has been successfully created and configured.

By default, the Run the task after the wizard finishes option is not selected. If you select this option, the Remote installation task will start immediately after you complete the wizard. If you do not select this option, the Remote installation task will not start. You can later start this task manually.

Click OK to complete the final step of the Protection deployment wizard.

Network settings for interaction with external services

Kaspersky Security Center Cloud Console uses the following network settings for interacting with external services.

Network settings

Preparing a device running Astra Linux in the closed software environment mode for installation of Network Agent

Prior to the installation of Network Agent on a device running Astra Linux in the closed software environment mode, you must perform two preparation procedures—the one in the instructions below and general preparation steps for any Linux device.

Before you begin:

• Make sure that the device on which you want to install Network Agent for Linux is running one of the supported Linux distributions.
• Download the necessary Network Agent installation file from the Kaspersky website.

Run the commands provided in this instruction under an account with root privileges.

To prepare a device running Astra Linux in the closed software environment mode for installation of Network Agent:

1. Open the /etc/digsig/digsig_initramfs.conf file, and then specify the following setting:

   DIGSIG_ELF_MODE=1

2. In the command line, run the following command to install the compatibility package:

   apt install astra-digsig-oldkeys

3. Create a directory for the application key:

   mkdir -p /etc/digsig/keys/legacy/kaspersky/

4. Place the application key /opt/kaspersky/ksc64/share/kaspersky_astra_pub_key.gpg in the directory created in the previous step:

   cp kaspersky_astra_pub_key.gpg /etc/digsig/keys/legacy/kaspersky/

   If the Kaspersky Security Center Cloud Console distribution kit does not include the kaspersky_astra_pub_key.gpg application key, you can download it by clicking the link: https://media.kaspersky.com/utilities/CorporateUtilities/kaspersky_astra_pub_key.gpg.

5. Update the RAM disks:

   update-initramfs -u -k all

   Reboot the system.

6. Perform the preparation steps common for any Linux device.

The device is prepared. You can now proceed to the installation of Network Agent.

Preparing a Linux device and installing Network Agent on a Linux device remotely

Network Agent installation comprises two steps:

• A Linux device preparation
• Network Agent remote installation

A Linux device preparation

To prepare a device running Linux for remote installation of Network Agent:

1. Make sure that the following software is installed on the target Linux device:
   • Sudo (for Ubuntu 10.04, Sudo version is 1.7.2p1 or later)
   • Perl language interpreter version 5.10 or later
2. Test the device configuration:
   1. Check whether you can connect to the device through an SSH client (such as PuTTY).

      If you cannot connect to the device, open the /etc/ssh/sshd_config file and make sure that the following settings have the respective values listed below:

      PasswordAuthentication no

      ChallengeResponseAuthentication yes

      Do not modify the /etc/ssh/sshd_config file if you can connect to the device with no issues; otherwise, you may encounter SSH authentication failure when running a remote installation task.

      Save the file (if necessary) and restart the SSH service by using the sudo service ssh restart command.

   2. Disable the sudo password for the user account under which the device is to be connected.
   3. Use the visudo command in sudo to open the sudoers configuration file.

      In the file you have opened, add the following line to the end of the file: <username> ALL = (ALL) NOPASSWD: ALL. In this case, <username> is the user account which is to be used for the device connection using SSH. If you are using the Astra Linux operating system, in the /etc/sudoers file, add the last line with the following text: %astra-admin ALL=(ALL:ALL) NOPASSWD: ALL

   4. Save the sudoers file and then close it.
   5. Connect to the device again through SSH and make sure that the Sudo service does not prompt you to enter a password; you can do this using the sudo whoami command.
3. Open the /etc/systemd/logind.conf file, and then do one of the following:
   • Specify 'no' as a value for the KillUserProcesses setting: KillUserProcesses=no.
   • For the KillExcludeUsers setting, type the user name of the account under which the remote installation is to be performed, for example, KillExcludeUsers=root.

   If the target device is running Astra Linux, add export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin string in the /home/<username>/.bashrc file, where <username> is the user account which is to be used for the device connection using SSH.

   If you want to install Network Agent on devices that use the operating system RED OS 7.3.4 or later or MSVSPHERE 9.2 or later, install the libxcrypt-compat package for the correct function of Network Agent.

   To apply the changed setting, restart the Linux device or execute the following command:

   $ sudo systemctl restart systemd-logind.service

4. If you want to install Network Agent on devices with the SUSE Linux Enterprise Server 15 operating system, install the insserv-compat package first to configure Network Agent.
5. If you want to install Network Agent on devices with the Astra Linux operating system running in the closed software environment mode, perform additional steps to prepare Astra Linux devices.

Network Agent remote installation

To install Network Agent on Linux devices remotely:

1. Download and create an installation package:
   1. Before installing the package on the device, make sure that it already has all the dependencies (programs and libraries) installed for this package.

      You can view the dependencies for each package on your own, using utilities that are specific for the Linux distribution on which the package is to be installed. For more details about utilities, refer to your operating system documentation.

   2. Download the Network Agent installation package by using the application interface or from the Kaspersky website.
   3. To create a remote installation package, use the following files:
      • klnagent.kpd
      • akinstall.sh
      • .deb or .rpm package of Network Agent
2. Create a remote installation task with the following settings:
   • On the Settings page of the New task wizard, select the Using operating system resources through Administration Server check box. Clear all other check boxes.
   • On the Selecting an account to run the task page specify the settings of the user account that is used for device connection through SSH.
3. Run the remote installation task. Use the option for the su command to preserve the environment: -m, -p, --preserve-environment.

Installing applications by using a remote installation task

Kaspersky Security Center Cloud Console allows you to install applications on devices remotely, by using remote installation tasks. These tasks are created and assigned to devices through a dedicated wizard. To assign a task more quickly and easily, you can specify devices (up to 1000 devices) in the wizard window in one of the following ways:

• Select networked devices detected by Administration Server. In this case, the task is assigned to specific devices. The specific devices can include devices in administration groups, as well as unassigned devices.
• Specify device addresses manually or import addresses from a list. In this case, you can specify DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.
• Assign task to a device selection. In this case, the task is assigned to devices included in a selection created earlier. You can specify the default selection or a custom one that you created.
• Assign task to an administration group. In this case, the task is assigned to devices included in an administration group created earlier.

To avoid issues that may occur during installation of the application on a client device without Network Agent installed, you must proceed as described in forced deployment through the remote installation task of Kaspersky Security Center Cloud Console.

Installing an application remotely

Expand all | Collapse all

This article contains information on how to install an application remotely on devices in an administration group, devices with specific addresses, or a selection of devices.

To install an application on specific devices:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Click Add.

   The New task wizard starts.

3. In the Task type field, select Install application remotely.
4. Select one of the following options:
   • Assign task to an administration group

     The task is assigned to devices included in an administration group. You can specify one of the existing groups or create a new one.

     For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.

     If a task is assigned to an administration group, the Security tab is not displayed in the task properties window because group tasks are subject to the security settings of the groups to which they apply.

   • Specify device addresses manually or import addresses from a list

     You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.

     You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.

   • Assign task to a device selection

     The task is assigned to devices included in a device selection. You can specify one of the existing selections.

     For example, you may want to use this option to run a task on devices with a specific operating system version.

   The Install application remotely task is created for the specified devices. If you selected the Assign task to an administration group option, the task is a group one.

5. At the Task scope step, specify an administration group, devices with specific addresses, or a device selection.

   The available settings depend on the option selected at the previous step.

6. At the Installation packages step, specify the following settings:
   • Select how you want to install the selected application:
     • Remote installation by Kaspersky Security Center
     • Remote installation by Microsoft Azure API

       For more information on how to install applications on Microsoft Azure virtual machines, refer to Remote installation of applications to Azure virtual machines.

   • In the Select installation package field, select the installation package of an application that you want to install.
   • In the Force installation package download settings group, specify how files that are required for the application installation are distributed to client devices:
     • Using Network Agent

       If this option is enabled, installation packages are delivered to client devices by Network Agent installed on those client devices.

       If this option is disabled, installation packages are delivered using the operating system tools of client devices.

       We recommend that you enable this option if the task has been assigned to devices with Network Agents installed.

       By default, this option is enabled.

     • Using operating system resources through distribution points

       If this option is enabled, installation packages are transmitted to client devices using operating system tools through distribution points. You can select this option if there is at least one distribution point on the network.

       If the Using Network Agent option is enabled, the files are delivered using operating system tools only if Network Agent tools are unavailable.

       By default, this option is enabled for remote installation tasks that have been created on a virtual Administration Server.

   • In the Maximum number of concurrent downloads field, specify the maximum allowed number of client devices to which Administration Server can simultaneously transmit the files.
   • In the Maximum number of installation attempts field, specify the maximum allowed number of installer runs.

     If the number of attempts specified in the parameter is exceeded, Kaspersky Security Center Cloud Console does not start the installer on the device anymore. To restart the Install application remotely task, increase the value of the Maximum number of installation attempts parameter, and then restart the task. Alternatively, you can create a new Install application remotely task.

   • If you migrate from one Kaspersky application to another and your current application is password-protected, enter the password in the Password to uninstall the current Kaspersky application field. Note that during the migration, your current Kaspersky application will be uninstalled.

     The Password to uninstall the current Kaspersky application field is only available if you have selected the Using Network Agent option in the Force installation package download settings group.

     You can use the uninstall password only for the Kaspersky Security for Windows Server to Kaspersky Endpoint Security for Windows migration scenario when installing Kaspersky Endpoint Security for Windows by using the Install application remotely task. Using the uninstall password when installing other applications may cause installation errors.

     To complete the migration scenario successfully, make sure that the following prerequisites are met:

     • You are using Kaspersky Security Center Network Agent 14.2 for Windows or later.
     • You are installing the application on devices running Windows.
   • Define the additional options:
     • Do not re-install application if it is already installed

       If this option is enabled, the selected application will not be re-installed if it has already been installed on this client device.

       If this option is disabled, the application will be installed anyway.

       By default, this option is enabled.

     • Verify operating system type before downloading

       Before transmitting the files to client devices, Kaspersky Security Center Cloud Console checks if the Installation utility settings are applicable to the operating system of the client device. If the settings are not applicable, Kaspersky Security Center Cloud Console does not transmit the files and does not attempt to install the application. For example, to install some application to devices of an administration group that includes devices running various operating systems, you can assign the installation task to the administration group, and then enable this option to skip devices that run an operating system other than the required one.

     • Prompt users to close running applications

       Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

       If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

       If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

       By default, this option is disabled.

   • Select on which devices you want to install the application:
     • Install on all devices

       The application will be installed even on devices managed by other Administration Servers.

       This option is selected by default. You do not have to change this setting if you have only one Administration Server in your network.

     • Install only on devices managed through this Administration Server

       The application will be installed only on devices managed by this Administration Server. Select this option if you have more than one Administration Server in your network and want to avoid conflicts between them.

   • Specify whether devices must be moved to an administration group after installation:
     • Do not move devices

       The devices remain in the groups in which they are currently located. The devices that have not been placed in any group remain unassigned.

     • Move unassigned devices to the selected group (only a single group can be selected)

       The devices are moved to the administration group that you select.

     The Do not move devices option is selected by default. For security reasons, you might want to move the devices manually.

7. At this step of the wizard, specify whether the devices must be restarted during installation of applications:
   • Do not restart the device

     If this option is selected, the device will not be restarted after the security application installation.

   • Restart the device

     If this option is selected, the device will be restarted after the security application installation.

   • Prompt user for action

     The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

     By default, this option is selected.

     • Repeat prompt every (min)

       If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

       By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

       If this option is disabled, the prompt is displayed only once.

     • Restart after (min)

       After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

       By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

   • Force closure of applications in blocked sessions

     Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

     If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

     If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

     By default, this option is disabled.

8. If necessary, at the Select accounts to access devices step, add the accounts that will be used to start the Install application remotely task:
   • No account required (Network Agent installed)

     If this option is selected, you do not have to specify the account under which the application installer will be run. The task will run under the account under which the Administration Server service is running.

     If Network Agent has not been installed on client devices, this option is unavailable.

   • Account required (Network Agent is not used)

     Select this option if Network Agent is not installed on the devices for which you assign the remote installation task. In this case, you can specify a user account or an SSH certificate to install the application.

     • Local Account. If this option is selected, specify the user account under which the application installer will be run. Click the Add button, select Local Account, and then specify the user account credentials.

       You can specify multiple user accounts if, for example, none of them have all the required rights on all devices for which you assign the task. In this case, all added accounts are used for running the task, in consecutive order, top-down.

     • SSH certificate. If you want to install an application on a Linux-based client device, you can specify an SSH certificate instead of a user account. Click the Add button, select SSH certificate, and then specify the private and public keys of the certificate.

       To generate a private key, you can use the ssh-keygen utility. Note that Kaspersky Security Center Cloud Console supports the PEM format of private keys, but the ssh-keygen utility generates SSH keys in the OPENSSH format by default. The OPENSSH format is not supported by Kaspersky Security Center Cloud Console. To create a private key in the supported PEM format, add the -m PEM option in the ssh-keygen command. For example:

       ssh-keygen -m PEM -t rsa -b 4096 -C "<user email>"

9. At the Finish task creation step, click the Finish button to create the task and close the wizard.

   If you enabled the Open task details when creation is complete option, the task settings window opens. In this window, you can check the task parameters, modify them, or configure a task start schedule, if necessary.

10. In the task list, select the task you created, and then click Start.

    Alternatively, wait for the task to launch according to the schedule that you specified in the task settings.

When the remote installation task is completed, the selected application is installed on the specified devices.

Installing applications on secondary Administration Servers

To install an application on secondary Administration Servers:

1. Establish a connection with the Administration Server that controls the relevant secondary Administration Servers.
2. Make sure that the installation package corresponding to the application being installed is available on each of the selected secondary Administration Servers. If you cannot find the installation package on any of the secondary Servers, distribute it. For this purpose, create a task with the Distribute installation package task type.
3. Create a task for a remote application installation on secondary Administration Servers. Select the Install application on secondary Administration Server remotely task type.

   The New task wizard creates a task for remote installation of the application selected in the wizard on specific secondary Administration Servers.

4. Run the task manually or wait for it to launch according to the schedule that you specified in the task settings.

When the remote installation task is complete, the selected application is installed on the secondary Administration Servers.

Starting and stopping Kaspersky applications

You can use the Start or stop application task for starting and stopping Kaspersky applications on managed devices.

To create the Start or stop application task:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Click Add.

   The New task wizard starts. Proceed through the wizard by using the Next button.

3. In the Application drop-down list, select the application for which you want to create the task.
4. In the Task type list, select the Application activation task.
5. In the Task name field, specify the name of the new task.

   The task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

6. Select the devices to which the task will be assigned.
7. In the Applications window, do the following:
   • Select the check boxes next to the names of applications for which you want to create the task.
   • Select the Start application or the Stop application option.
8. If you want to modify the default task settings, enable the Open task details when creation is complete option at the Finish task creation step. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
9. Click the Finish button.

   The task is created and displayed in the list of tasks.

10. Click the name of the created task to open the task properties window.
11. In the task properties window, specify the general task settings according to your needs, and then save the settings.

The task is created and configured.

If you want to run the task, select it in the task list, and then click the Start button.