Kaspersky Security Center 10

Administrator's Guide

APPLICATION VERSION: 10 SERVICE PACK 1

Dear User,
Thank you for choosing our product. We hope that this document will help you in your work and will provide answers
regarding this software product.
Attention! This document is the property of Kaspersky Lab: All rights to this document are protected by the copyright laws
of the Russian Federation and by international treaties. Illegal reproduction or distribution of this document or parts
hereof will result in civil, administrative, or criminal liability under applicable law.
Any type of reproduction or distribution of any materials, including translations, is allowed only with the written permission
of Kaspersky Lab.
This document, and graphic images related to it, may only be used for informational, non-commercial, and personal
purposes.
This document may be amended without additional notification. The latest version of this document can be found on the
Kaspersky Lab website, at http://www.kaspersky.com/docs.
Kaspersky Lab assumes no liability for the content, quality, relevance, or accuracy of any materials used herein the rights
to which are owned by third parties, or for any potential damages associated with the use of such documents.

Document revision date: 2/2/2015
© 2014 Kaspersky Lab ZAO. All Rights Reserved.

http://www.kaspersky.com
http://support.kaspersky.com


TABLE OF CONTENTS
ABOUT THIS DOCUMENT
In this document
Document conventions
SOURCES OF INFORMATION ABOUT THE APPLICATION
Sources of information for independent research
Discussing Kaspersky Lab applications on the forum
KASPERSKY SECURITY CENTER
What's new
Distribution kit
Hardware and software requirements
APPLICATION INTERFACE
Main application window
Console tree
Workspace
Set of management blocks
List of management objects
Set of information blocks
Data filtering block
Context menu
Configuring the interface
APPLICATION LICENSING
About the End User License Agreement
About the license
About key
Kaspersky Security Center licensing options
About restrictions of the main functionality
About the activation code
About the key file
KASPERSKY SECURITY CENTER QUICK START WIZARD
BASIC CONCEPTS
Administration Server
Administration Server hierarchy
Virtual Administration Server
Mobile device server
Web server
Network Agent Administration group
Administrator's workstation
Application administration plug-in
Policies, application settings, and tasks
How local application settings relate to policies
MANAGING ADMINISTRATION SERVERS
Connecting to an Administration Server and switching between Administration Servers
Access rights to Administration Server and its objects
Conditions of connection to an Administration Server via the Internet
Secure connection to Administration Server
Administration Server certificate
Administration Server authentication during client computer connection
Administration Server authentication during Administration Console connection
Disconnecting from an Administration Server
Adding an Administration Server to the console tree


Removing an Administration Server from the console tree
Changing an Administration Server service account. Utility tool klsrvswch
Viewing and modifying the settings of an Administration Server
Adjusting the general settings of Administration Server
Configuring event processing settings
Control of virus outbreaks
Limiting traffic
Configuring cooperation with Cisco Network Admission Control (NAC)
Configuring Web Server
Working with internal users
Interaction between Administration Server and KSN Proxy service
MANAGING ADMINISTRATION GROUPS
Creating administration groups
Moving administration groups
Deleting administration groups
Automatic creation of a structure of administration groups
Automatic installation of applications to computers in an administration group
MANAGING APPLICATIONS REMOTELY
Managing policies
Creating policies
Displaying inherited policy in a subgroup
Activating a policy
Activating a policy automatically at the Virus outbreak event
Applying an out-of-office policy
Deleting a policy
Copying a policy
Exporting a policy
Importing a policy
Converting policies
Managing policy profiles
About policy profiles
Creating a policy profile
Modifying a policy profile
Deleting a policy profile
Managing tasks
Creating a group task
Creating an Administration Server task
Creating a task for a set of computers
Creating a local task
Displaying an inherited group task in the workspace of a nested group
Starting client computers automatically before launching a task
Turning off the computer after a task is complete
Limiting task run time
Exporting a task
Importing a task
Converting tasks
Starting and stopping a task manually
Pausing and resuming a task manually
Monitoring task execution
Viewing task run results stored on Administration Server
Configuring filtering of information about task run results
Viewing and changing local application settings
MANAGING CLIENT COMPUTERS
Connecting client computers to Administration Server
Connecting a client computer to Administration Server manually. Klmover utility

Tunneling the connection between a client computer and Administration Server
Remote connection to the desktop of a client computer
Configuring the restart of a client computer
Audit of actions on a remote client computer
Checking the connection between a client computer and Administration Server
Automatic check of connection between a client computer and Administration Server
Manual check of connection between a client computer and Administration Server. Klnagchk utility
Identifying client computers on Administration Server
Adding computers to an administration group
Changing Administration Server for client computers
Remote turning on, turning off and restarting client computers
Sending a message to the users of client computers
Controlling changes in the status of virtual machines
Remote diagnostics of client computers. Kaspersky Security Center remote diagnostics utility
Connecting the remote diagnostics utility to a client computer
Enabling and disabling tracing, downloading the trace file
Downloading applications' settings
Downloading event logs
Starting diagnostics and downloading its results
Starting, stopping and restarting applications
MANAGING USER ACCOUNTS
Handling user accounts
Adding a user account
Configuring rights. User roles
Adding a user role
Assigning a role to a user or a user group
Delivering messages to users
Viewing the list of a user's mobile devices
Installing a certificate for a user
Viewing the list of certificates handed to a user
WORKING WITH REPORTS, STATISTICS, AND NOTIFICATIONS
Working with reports
Creating a report template
Creating and viewing a report
Saving a report
Creating a report delivery task
Working with the statistical information
Configuring notification settings
Event selections
Viewing computer selection
Customizing an event selection
Creating an event selection
Exporting event selection to text file
Deleting events from selection
Exporting events to an SIEM system
Computer selections
Viewing computer selection
Configuring a computer selection
Creating a computer selection
Exporting settings of a computer selection to file
Create a computer selection by using imported settings
Removing computers from administration groups in a selection
Policy selections
Task selections

UNASSIGNED COMPUTERS
Network discovery
Viewing and modifying the settings for Windows network polling
Viewing and modifying Active Directory group properties
Viewing and modifying the settings for IP subnet polling
Working with Windows domains. Viewing and changing the domain settings
Working with IP subnets
Creating an IP subnet
Viewing and changing the IP subnet settings
Working with the Active Directory groups. Viewing and modifying group settings
Creating rules for moving computers to administration groups automatically
Using VDI dynamic mode on client computers
Enabling VDI dynamic mode in the properties of an installation package for Network Agent
Searching for computers making part of VDI
Moving computers making part of VDI to an administration group
MANAGING APPLICATIONS ON CLIENT COMPUTERS
Groups of applications
Creating application categories
Configuring applications launch management on client computers
Viewing the results of statistical analysis of startup rules applied to executable files
Viewing the applications registry
Creating groups of licensed applications
Managing keys for groups of licensed applications
Viewing information about executable files
Application vulnerabilities
Viewing information about vulnerabilities in applications
Searching for vulnerabilities in applications
Fixing vulnerabilities in applications
Software updates
Viewing information about available updates
Synchronizing updates from Windows Update with Administration Server
Automatic installation of updates on client computers
Installing updates on client computers manually
Configuring application updates in a Network Agent policy
REMOTE INSTALLATION OF OPERATING SYSTEMS AND APPLICATIONS
Creating images of operating systems
Adding drivers for Windows Preinstallation Environment (WinPE)
Adding drivers to an installation package with an operating system image
Configuring sysprep.exe utility
Deploying operating systems on new networked computers
Deploying operating systems on client computers
Creating installation packages of applications
Installing applications to client computers
MANAGING MOBILE DEVICES
Managing mobile devices using an MDM policy
Handling commands for mobile devices
Commands for mobile device management
Using Google Cloud Messaging
Sending commands
Viewing the statuses of commands in the command log
Handling certificates
Installing a certificate
Configuring certificate handing rules
Integration with the public keys infrastructure
Enabling support of Kerberos Constrained Delegation

125 Managing KES devices ........................ 139 INVENTORY OF EQUIPMENT DETECTED ON THE NETWORK ............................................................................................................................................................................................................. 137 Creating a list of allowed network addresses ............................................................................................................................................................................................................ 118 Adding a management profile .................................................................................................................................................................................................................................................................................... 120 Managing iOS MDM mobile devices................................................................................................................................................................................................................................................................. 146 Installing program modules for Servers and Network Agents automatically ...................................................................................................................................................... 129 Creating an account for Self Service Portal ............ 136 Creating network elements .......................................................................................... 119 Viewing information about an EAS device .............................................. 138 Configuring the authorization page interface................................................................................................................................................................... 
128 About Self Service Portal ................................................................................................................................................................................... 137 Creating a white list ........................ 136 Creating network access restriction rules ......................................................................................................................................................................................................... NAC) 135 Switching to the NAC settings in the Network Agent properties ............. 120 Adding a configuration profile .................................................................. 123 Installing an application on a device............................................................................... 145 Distributing updates to client computers automatically ........................................................................................................................................................................................................................................................................................................................................................................................................................... 144 Viewing downloaded updates ...................... 142 Configuring the task of downloading updates to the repository ......... 125 Viewing information about an iOS MDM device ...................... 126 Creating a mobile app package for KES devices ............................................................................... 131 Viewing the list of encrypted devices ................................................................................................................................................................................. 
145 Distributing updates to slave Administration Servers automatically ................................................................................................................................................................. TABLE OF CONTENTS Managing Exchange ActiveSync mobile devices ....................................... 129 ENCRYPTION AND DATA PROTECTION FOLDER ................ 132 Exporting the list of encryption events to a text file ................................................................................................................................................ 122 Installing a provisioning profile to a device .......................................................................................................... 143 Configuring test policies and auxiliary tasks............. 138 Creating accounts to use on the authorization portal ........................................................................................................... 126 Disconnecting a KES device from management ........................................................ 121 Removing a configuration profile from a device .......................................................................................... 119 Disconnecting an EAS device from management ......................................................................................................................................................................................... 132 MANAGING DEVICES ACCESS TO AN ORGANIZATION'S NETWORK (NETWORK ACCESS CONTROL.......................................... 145 Automatic distribution of updates .............................................................................................................................................................................. 123 Adding a managed application............. 126 Viewing information about a KES device ........................................................ 
146 7 ................................................................................... 143 Verifying downloaded updates ............................................................................. 125 Disconnecting an iOS MDM device from management .................................................................................................... 131 Viewing the list of encryption events.......................................................................................... 118 Deleting a management profile . 128 Adding a device ............................................................................. 140 Configuring criteria used to define enterprise devices ........................................................................... 141 UPDATING DATABASES AND SOFTWARE MODULES ............................. 142 Creating the task of downloading updates to the repository. 124 Removing an application from a device........................ 146 Creating and configuring the list of Update Agents .............................................................................................................................................................................. 122 Removing a provisioning profile from a device ............ 138 Configuring NAC in a Network Agent policy ........... 140 Adding information about new devices ............................... 136 Selecting an operation mode for the NAC agent ......................................... 120 Installing a configuration profile to a device ........................ 121 Adding provisioning profile ............................................................................ 132 Creating and viewing encryption reports................................................................................................................................................................................................................................................. 
127 SELF SERVICE PORTAL ...........................................................................................................................................................................

................................................................................................................................................................. 152 Enabling remote management for files in the repositories ........................................................................................................................................................................ 148 Viewing information about keys in use............................................................................................................ 148 Adding a key to the Administration Server repository .............................................................................. 154 KASPERSKY SECURITY NETWORK (KSN)........................................................................................................................................... 152 Removing files from repositories ................................................................................................................................................................................................................................................................................................................................................................................................... 158 Technical support by phone ... 170 8 .................................................................... 158 About technical support ............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................. 154 Deleting files from the Unprocessed files folder .......................... 
155 Setting up the access to KSN ....... 153 Restoring files from repositories ....... 160 KASPERSKY LAB ZAO .................................................................. 149 Deploying a key to client computers ................................. 155 About data provision................................................................................................................................................................. 156 Enabling and disabling KSN ................................................................................................................ 152 Viewing properties of a file placed in repository ........................................................................... 157 CONTACTING TECHNICAL SUPPORT SERVICE .......................................................................... 147 WORKING WITH APPLICATION KEYS ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... 158 GLOSSARY ............................................................................................................................................................................. 154 Saving an unprocessed file to disk.................................................................................................................................................................................................................................................................................... 148 Deleting an Administration Server key ........................................................ 
168 TRADEMARK NOTICE .................. 153 Scanning files in Quarantine..... 147 Rolling back installed updates ............................................................... 154 Postponed file disinfection.............................................. 151 Installation packages .................................................................................. 156 Viewing the KSN proxy server statistics ................................................................... 150 DATA STORAGES ............................................................................................ 165 INFORMATION ABOUT THIRD-PARTY CODE .......... 149 Automatic distribution of a key .......................................................................................................... 158 Technical Support via Kaspersky CompanyAccount ............................................................................................................................... 153 Unprocessed files .............................................................................................. 149 Creating and viewing a key usage report ............... 151 Quarantine and Backup .............................................................................................................................................................................................................................................................. 151 Exporting a list of repository objects to a text file.................................................................................... 166 ABOUT NAC/ARP ENFORCEMENT TECHNOLOGY ...................................................... 153 Saving a file from repositories to disk...... 
167 ENHANCED PROTECTION WITH KASPERSKY SECURITY NETWORK ........ADMINISTRATOR'S GUIDE Downloading updates by Update Agents....................................................................................................................................................................................... 155 About KSN ......... 169 INDEX..

ABOUT THIS DOCUMENT

Kaspersky Security Center Administrator's Guide contains an introduction, sections that describe the application interface, settings, and maintenance, sections that describe how to manage main tasks, and a glossary.

This guide provides instructions on how to configure and use Kaspersky Security Center.

This Guide also lists sources of information about the application and ways to get technical support.

IN THIS SECTION:
In this document .......... 9
Document conventions .......... 11

IN THIS DOCUMENT

Kaspersky Security Center Administrator's Guide contains an introduction, sections that describe the application interface, settings, and maintenance, sections that describe how to manage main tasks, and a glossary.

Sources of information about the application (see page 12)
This section describes sources of information about the application and lists websites that you can use to discuss the application's operation.

Kaspersky Security Center (see page 14)
The section contains information on the purpose of Kaspersky Security Center, and its main features and components.

Application interface (see page 19)
This section describes the main features of the Kaspersky Security Center interface.

Application licensing
This section provides information about general concepts related to the application activation. This section describes the purpose of the End User License Agreement, the ways of activating the application, and how to renew your license.

Quick Start Wizard (see page 36)
This section provides information about the functionality of the Kaspersky Security Center Quick Start Wizard.

Basic concepts (see page 37)
This section explains basic concepts related to Kaspersky Security Center.

Managing Administration Servers (see page 43)
This section provides information about how to handle Administration Servers and how to configure them.

Managing administration groups (see page 51)
This section provides information about how to handle administration groups.

Managing applications remotely (see page 55)
This section provides information about how to perform remote management of Kaspersky Lab applications installed on client computers, using policies, policy profiles, tasks, and local settings of applications.

Managing client computers (see page 68)
This section provides information about how to handle client computers.

Working with reports, statistics, and notifications (see page 84)
This section provides information about how to handle reports, statistics, and selections of events and client computers in Kaspersky Security Center, as well as how to configure Administration Server notifications.

Unassigned computers (see page 92)
This section provides information about how to manage computers on an enterprise network if they are not included in an administration group.

Managing applications on client computers (see page 97)
This section describes how to manage groups of applications and how to update software and fix vulnerabilities that Kaspersky Security Center detects on client computers.

Remote installation of operating systems and applications (see page 107)
This section provides information about how to create images of operating systems and deploy them on client computers over the network, as well as how to perform remote installation of applications by Kaspersky Lab and other software vendors.

Managing mobile devices (see page 112)
This section describes how to manage mobile devices connected to Administration Server.

Self Service Portal (see page 128)
This section contains information about Self Service Portal. The section provides Self Service Portal login instructions for users as well as instructions on creating Self Service Portal accounts and adding mobile devices on Self Service Portal.

Data encryption and protection (see page 131)
This section provides information about how to manage encryption of data stored on hard drives of various devices and removable media.

Managing devices access to an organization's network (Network Access Control, NAC) (see page 135)
This section provides information about how to control devices' access to an organization's network with access restriction rules and the white list of devices.

Inventory of equipment detected on the network (see page 140)
This section provides information about inventory of hardware connected to the organization's network.

Updating databases and software modules (see page 142)
This section describes how to download and distribute updates of databases and software modules using Kaspersky Security Center.

Working with application keys (see page 148)
This section describes the features of Kaspersky Security Center related to handling keys of managed Kaspersky Lab applications.

Data repositories (see page 151)
This section provides information about data stored on the Administration Server and used for tracking the condition of client computers and servicing them.

Contacting Technical Support Service
This section provides information about how to obtain technical support and what conditions should be met to receive help from the Technical Support Service.

Glossary
This section lists terms used in the guide.

Kaspersky Lab ZAO (see page 165)
This section provides information about Kaspersky Lab.

Information about third-party code (see page 166)
This section provides information about third-party code used in Kaspersky Security Center.

Trademark notice (see page 169)
This section contains registered trademark notices.

Index
This section helps you find necessary data quickly.

DOCUMENT CONVENTIONS

Document conventions are used herein (see the table below).

Table 1. Document conventions

SAMPLE TEXT | DOCUMENT CONVENTIONS DESCRIPTION
Note that... | Warnings are highlighted with red color and boxed. Warnings contain information about actions that may lead to some unwanted outcome.
We recommend that you use... | Notes are boxed. Notes contain additional and reference information.
Example: ... | Examples are given on a yellow background under the heading "Example".
Update means... The Databases are out of date event occurs. | The following elements are italicized in the text: new terms; names of application statuses and events.
Press ENTER. Press ALT+F4. | Names of keyboard keys appear in bold and are capitalized. Names of keys that are connected by a + (plus) sign indicate the use of a key combination. Those keys should be pressed simultaneously.
Click the Enable button. | Names of application interface elements, such as entry fields, menu items, and buttons, are set off in bold.
To configure task schedule: | Introductory phrases of instructions are italicized and accompanied by the arrow sign.
Enter help in the command line. The following message then appears: Specify the date in dd:mm:yy format. | The following types of text content are set off with a special font: text in the command line; text of messages displayed on the screen by the application; data that the user should enter from the keyboard.
<User name> | Variables are enclosed in angle brackets. Instead of a variable, the corresponding value should be inserted, with angle brackets omitted.

SOURCES OF INFORMATION ABOUT THE APPLICATION

This section lists the sources of information about the application.

You can select the most suitable information source, depending on the issue's level of importance and urgency.

IN THIS SECTION:
Sources of information for independent research .......... 12
Discussing Kaspersky Lab applications on the forum .......... 13

SOURCES OF INFORMATION FOR INDEPENDENT RESEARCH

You can use the following sources to find information about Kaspersky Security Center:
- Kaspersky Security Center page on the Kaspersky Lab website
- Kaspersky Security Center page on the Technical Support Service website.
- Online help.
- Documentation.

If you cannot find the solution to an issue on your own, we recommend that you contact Technical Support at Kaspersky Lab.

An Internet connection is required to use online information sources.

Kaspersky Security Center page on the Kaspersky Lab website

On the Kaspersky Security Center page (http://www.kaspersky.com/security-center), you can view general information about the application, its functions and features.

The Kaspersky Security Center page contains a link to eStore. There you can purchase or renew the application.

Page of Kaspersky Security Center in the Knowledge Base

Knowledge Base is a section on the Technical Support website.

On the Kaspersky Security Center page (http://support.kaspersky.com/ksc10), you can read articles that provide useful information, recommendations, and answers to frequently asked questions on how to purchase, install, and use the application.

Knowledge Base articles can answer questions relating not only to Kaspersky Security Center but also to other Kaspersky Lab applications. Knowledge Base articles can also include Technical Support news.

Online help

The online help of the application comprises help files.

Context help provides information about Kaspersky Security Center windows: A description of Kaspersky Security Center settings is followed by links to descriptions of the tasks that use these settings.

Full help provides information about how to configure and use Kaspersky Security Center.

Documentation

Application documentation consists of the files of application guides.

The administrator's guide provides information on how to configure and use Kaspersky Security Center.

The implementation guide provides instructions on:
- Plan Kaspersky Security Center installation (taking into account the operating principles of Kaspersky Security Center, system requirements, common deployment scenarios, and specifics of Kaspersky Security Center integration with other applications).
- Prepare Kaspersky Security Center for installation, installing and activating the application.
- Configure Kaspersky Security Center after installation.

The Getting Started guide provides information needed to start using the application quickly (a description of the interface and main tasks that can be performed using Kaspersky Security Center).

The administrator guide provides instructions on:
- Prepare Kaspersky Security Center for installation, installing and activating the application.
- Preparing Kaspersky Security Center for operation.
- Configuring and using Kaspersky Security Center.
- Restoring or removing Kaspersky Security Center.

The deployment guide describes how you can perform the following tasks:
- Plan Kaspersky Security Center installation (taking into account the operating principles of Kaspersky Security Center, system requirements, common deployment scenarios, and specifics of Kaspersky Security Center integration with other applications).
- Prepare Kaspersky Security Center for installation, installing and activating the application.
- Configure Kaspersky Security Center after installation.

The installation guide describes how you can perform the following tasks:
- Prepare Kaspersky Security Center for installation, installing and activating the application.

The user guide describes the common tasks that users can perform using the application depending on the available Kaspersky Security Center rights.

The help guide describes the functions and settings of Kaspersky Security Center. The help guide sections are arranged alphabetically and grouped by topic.

DISCUSSING KASPERSKY LAB APPLICATIONS ON THE FORUM

If your question does not require an immediate answer, you can discuss it with the Kaspersky Lab experts and other users in our forum (http://forum.kaspersky.com).

In this forum you can view existing topics, leave your comments, create new topics.

KASPERSKY SECURITY CENTER

The section contains information on the purpose of Kaspersky Security Center, and its main features and components.

Kaspersky Security Center is designed for centralized execution of basic administration and maintenance tasks in an organization's network. The application provides the administrator access to detailed information about the organization's network security level; it allows configuring all the components of protection built using Kaspersky Lab applications.

Kaspersky Security Center is an application aimed at corporate network administrators and employees responsible for anti-virus protection in organizations.

Using Kaspersky Security Center, you can:
- Create a hierarchy of Administration Servers to manage the organization's network, as well as networks at remote offices or client organizations.
  The client organization is an organization, whose anti-virus protection is ensured by service provider.
- Create a hierarchy of administration groups to manage a selection of client computers as a whole.
- Manage an anti-virus protection system built based on Kaspersky Lab applications.
- Create images of operating systems and deploy them on client computers over the network, as well as performing remote installation of applications by Kaspersky Lab and other software vendors.
- Perform remote administration of applications by Kaspersky Lab and other vendors installed on client computers. Install updates, find and fix vulnerabilities.
- Perform centralized deployment of keys for Kaspersky Lab applications to client devices, monitor their use, and renew licenses.
- Receive statistics and reports about the operation of applications and devices.
- Receive notifications about critical events in the operation of Kaspersky Lab applications.
- Control access of devices to an organization's network using access restriction rules and a white list of devices. NAC agents are used to manage access of devices to an organization's network.
- Manage mobile devices that support Kaspersky Security for Android™, Exchange ActiveSync®, or iOS Mobile Device Management (iOS MDM) protocols.
- Manage encryption of information stored on the hard drives of devices and removable media and users' access to encrypted data.
- Perform inventory of hardware connected to the organization's network.
- Centrally manage files moved to Quarantine or Backup by anti-virus applications, as well as objects for which processing by anti-virus applications has been postponed.

IN THIS SECTION:
What's new .......... 14
Distribution kit .......... 16
Hardware and software requirements .......... 16

WHAT'S NEW

Changes introduced in Kaspersky Security Center 10 compared to the previous version:
- Management of user roles has been added as a new feature. (see the section "Configuring rights. User roles" on page 81)
- It is now possible to add internal users for managing virtual Administration Servers.
- It is now possible to schedule the network scan.
- Private KSN can now be configured. (see the section "Setting up access to KSN" on page 156)

- The option of sending SMS messages to mobile devices users has been implemented (see page 80).
- The feature of management of a centralized list of users has been added (see page 80).
- Self Service Portal has been launched, letting users take over some of the mobile device management operations. (see the section "Self Service Portal" on page 128)
- The feature of events export to SIEM systems has been implemented (see the section "Exporting events to an SIEM system" on page 88).
- It is now possible to manage mobile devices with remote commands.
- Exchange ActiveSync Mobile Devices Server has been implemented (see page 118).
- iOS MDM Mobile Devices Server has been implemented (see page 120).
- The feature of centralized remote installation of applications to managed mobile devices has been implemented.
- The feature of centralized installation of certificates on managed mobile devices has been implemented.
- It is now possible to set up Google Cloud Messaging to exchange push notifications between KES devices and Administration Server.
- It is now possible to route traffic from mobile KES devices outside the corporate network through a connection gateway in a demilitarized zone (DMZ).
- The option of Network Access Control has been implemented for devices attempting to access the organization's network, by applying rules and a white list of devices (see page 135).
- Support of the data encryption management feature has been added for Kaspersky Endpoint Security 10 for Windows® (see page 131).
- The feature of equipment registry management has been added (see page 140).
- The feature of operating system image capturing and deployment has been added (see page 107).
- The option of centralized remote installation of updates for operating systems and applications has been implemented (see page 102).
- Windows Server® Update Services feature has been integrated into Administration Server (see page 102).
- The option of centralized remote installation of third-party applications has been implemented (see page 111).
- The option of publishing selected standalone packages on a web server integrated into Administration Server has been implemented (see page 110).
- It is now possible to view information about the distribution of vulnerabilities across managed computers.
- It is now possible to deliver vulnerability fixes to client computers without installing the updates.
- It is now possible to delete updates that have been downloaded.
- It is now possible to change the path to the folder for saving downloaded updates and patches or updates and patches waiting to be downloaded.
- Administration Server updates can be managed from the application interface.
- Application Control features have been expanded; the following features have been added: static analysis of Application Control rules, creation of categories based on a set of executable files on reference computers, display of several categories for a single executable file (see page 97).
- The feature of licensing restrictions control has been added; the operational scope of the applications registry has been expanded (see page 97).
- The option of shared access to the desktop of a client computer has been added; the operational scope of the remote desktop has been expanded.
- The option of filtering centralized lists of files in Quarantine and Backup and files with postponed processing has been implemented.
- The option of excluding selected subdivisions from search in Active Directory® has been added.
- The option of scheduling the startup of a task on a specific day of the month has been added.
- The selection of update agents is included in the set of selections generated by default.
- An information pane showing the status of update agents has been added.
- It is now possible to select an update agent for client computers based on a network analysis.

 The option of specifying groups as search criteria for computer selections has been added.  A graphic utility has been implemented for Administration Server management. Information that is required for application activation is sent to you by email after payment. Microsoft Windows Small Business Server 2003. Microsoft Windows 7 Professional / Enterprise / Ultimate. For more details on purchase methods and the distribution kit. DISTRIBUTION KIT You can purchase the application through online stores of Kaspersky Lab (for example. Microsoft Windows Small Business Server 2011. Microsoft Windows 7 Professional / Enterprise / Ultimate x64. Microsoft Windows Server 2008 deployed in the Server Core mode.  The use of negation in search criteria for computer selections has been implemented. contact the Sales Department.  The option of specifying a type of distributed objects in the update agent settings: installation packages.kaspersky.  The option of specifying criteria with the OR operator in rules of moving of computers to administration groups has been added. If you purchase Kaspersky Security Center in an online store. updates. or both types (see page 146). Microsoft Windows Vista Business / Enterprise / Ultimate x64 Service Pack 1 or later. Microsoft Windows Small Business Server 2008. Microsoft Windows Server 2008. Microsoft Windows Server 2003 or later.ADMINISTRATOR'S GUIDE  Automatic setup of task startup delay has been implemented. Microsoft Windows Server 2008 x64 Service Pack 1 or later. also. Microsoft Windows XP Professional x64 or later. Microsoft Windows Server 2008 x64 deployed in the Server Core mode. Microsoft Windows 8 x64 (all editions). Microsoft Windows 8 (all editions). the eStore section) or partner companies. Microsoft Windows Server 2008 R2. you copy the application from the store's website. 
Software requirements for Administration Server and Kaspersky Security Center Web Console COMPONENT REQUIREMENTS Operating system Microsoft® Windows XP Professional with Update Package 2 or later installed.com.  Separate display of the license expiration date and the key validity term end date has been added to the properties of the key and to the keys usage report. http://www. HARDWARE AND SOFTWARE REQUIREMENTS Kaspersky Security Center has the following hardware and software requirements Table 2.  The option of specifying an existing empty database as Administration Server database during installation has been implemented. a user report has been added.  Display of information about the full volume of data stored in the Administration Server database and the volume of events stored in the database has been added.  The option of searching for computers by user names or session names has been added. 16 . Microsoft Windows Server 2003 x64 or later. Microsoft Windows Vista® Business / Enterprise / Ultimate Service Pack 1 or later.

Microsoft SQL Server Express 2008.85. 5. 64-bit 1. Browser Microsoft Internet Explorer® 7.0.0 or later when working with Microsoft Windows XP. GB AVAILABLE DISK SPACE. Microsoft SQL Server Express 2008 R2 Service Pack 2.0. GB Microsoft Windows.8 or later Microsoft Windows DAC 6. Web server Apache HTTP Server version 2. GHZ RAM SIZE.4 or higher 512 1 When using the System Administration.0 or later when using Microsoft Windows 7. Data Access Components Microsoft Data Access Components (MDAC) 2. iOS Mobile Device Management mobile device server Table 6. Microsoft SQL System Server Express 2008 R2. Microsoft Windows Server 2003.90.0 or later (version 2. Microsoft SQL Server 2005. Hardware requirements to Administration Console OPERATING SYSTEM CPU FREQUENCY. Microsoft SQL Server Express 2012.2. Microsoft Internet Explorer 10. Table 5. Software requirements to Administration Console COMPONENT REQUIREMENTS Operating system Microsoft Windows (supported version of the operating system is determined by the requirements of Administration Server). Microsoft SQL Server 2012.23 recommended). 32-bit 1 or higher 512 1 Microsoft Windows. Hardware requirements for Administration Server and Kaspersky Security Center Web Console OPERATING SYSTEM CPU FREQUENCY.70.091. Microsoft Windows Server 2008. Microsoft Windows Server 2012 deployed in the Server Core mode. 5.0. or Microsoft Windows Vista. GB Microsoft Windows. 5. 17 .0 or later. Management Console Microsoft Management Console 2. Microsoft SQL Server 2008. Table 3.60 Service Pack 1. 32-bit 1 or higher 4 10 Microsoft Windows.0 or later when using Microsoft Windows 8. 5. Microsoft Windows Server 2008 R2.0.4 or higher 4 10 Administration Console Table 4. Database Management Microsoft SQL Server® Express 2005. 64-bit 1. Microsoft Windows Server 2012 (all editions). MySQL Enterprise versions 5.2. MB AVAILABLE DISK SPACE. GHZ RAM SIZE.0.77. 5.82 Service Pack 1.0. 
KASPERSKY SECUR ITY CENTER COMPONENT REQUIREMENTS Microsoft Windows Server 2008 R2 deployed in the Server Core mode.087 Service Pack 1.67. Microsoft SQL Server 2008 R2. at least 100 GB free disk space shall be available. 5.0. Microsoft Internet Explorer 8. MySQL Enterprise versions 5.0. Software requirements to the iOS MDM mobile device server COMPONENT REQUIREMENTS Operating system Microsoft Windows (supported version of the operating system is determined by the requirements of Administration Server). 5.

FREE DISK SPACE AVAILABLE FREE DISK SPACE FREQUENCY. Microsoft Exchange Server 2010. Mac OS The version of the operating system supported is defined by the requirements of applications that can be managed using Kaspersky Security Center. Linux®. 32-bit 1 or higher 0. and Microsoft Exchange Server 2013 supported. Hardware requirements to the iOS MDM mobile device server OPERATING SYSTEM CPU FREQUENCY. Hardware requirements to Network Agent and Update Agent OPERATING SYSTEM CPU RAM SIZE. GB FOR THE ADMINISTRATION AVAILABLE FOR UPDATE GHZ AGENT. GHZ RAM SIZE. GB Microsoft Windows.4 or higher 1 1 4 Mac OS 1 1 1 4 For concurrent installation of Network Agent and Kaspersky Endpoint Security. Co-operation with Microsoft Exchange Server 2007. in the System requirements section. 32-bit 1 or higher 1 1 4 Linux. 64-bit 1. 32-bit 1 or higher 2 2 Microsoft Windows. 64-bit 1. free disk space must be at least 2 GB. GB Microsoft Windows. on the page of Kaspersky Security Center 10. Network Agent or Update Agent Table 8. 64-bit 1. GB AVAILABLE DISK SPACE. Software requirements to Network Agent and Update Agent COMPONENT REQUIREMENTS Operating system Microsoft Windows.4 or higher 0.4 or higher 2 2 Exchange ActiveSync mobile device server All software and hardware requirements for Exchange ActiveSync Mobile device server are included in requirements for the Microsoft Exchange Server.5 1 4 Microsoft Windows.5 1 4 Linux. 18 . You can retrieve details of the latest version of the hardware and software requirements from Technical Support website.ADMINISTRATOR'S GUIDE Table 7. Table 9. GB AGENT.

APPLICATION INTERFACE
This section describes the main features of the Kaspersky Security Center interface.
Viewing, creation, modification and configuration of administration groups, and centralized management of Kaspersky Lab applications installed on client devices are performed from the administrator's workstation. The management interface is provided by the Administration Console component. It is a specialized stand-alone snap-in that is integrated with Microsoft Management Console (MMC), so the Kaspersky Security Center interface is standard for MMC.
Administration Console allows remote connection to Administration Server over the Internet.
For local work with client computers, the application supports remote connection to a computer through Administration Console by using the standard Microsoft Windows Remote Desktop Connection application.
To use this functionality, you must allow remote connection to the desktop on the client computer.

IN THIS SECTION:
Main application window (page 19)
Console tree (page 21)
Workspace (page 23)
Data filtering block (page 28)
Context menu (page 30)
Configuring the interface (page 30)

MAIN APPLICATION WINDOW
The main application window (see figure below) comprises a menu, a toolbar, an overview panel, and a workspace. The menu bar allows you to use the windows and provides access to the Help system. The Action menu duplicates the context menu commands for the current console tree object.
The set of toolbar buttons provides direct access to some of the menu items. The set of buttons on the toolbar may change depending on the current node or folder selected in the console tree.
The console tree displays the namespace of Kaspersky Security Center in a tree view (see the section "Console tree" on page 21).
The appearance of the workspace of the main application window depends on which node (folder) of the console tree it is associated with, and what functions it performs.

Figure 1. Kaspersky Security Center main application window

CONSOLE TREE
The console tree (see figure below) is designed to display the hierarchy of Administration Servers in the corporate network, the structure of their administration groups, and other objects of the application, such as the Repositories or Reports and notifications folders. The name space of Kaspersky Security Center can contain several nodes including the names of servers corresponding to the installed Administration Servers included in the hierarchy.

Figure 2. Console tree

The Administration Server – <Computer name> node is a container that shows the structural organization of the selected Administration Server. The Administration Server – <Computer name> container includes the following folders:
• Managed computers
• User accounts
• Reports and notifications
• Administration Server tasks
• Tasks for specific computers
• Managing applications
• Remote installation
• Managing mobile devices
• Data encryption and protection
• Unassigned computers
• Repositories

The Managed computers folder is intended for storage, display, configuration and modification of the structure of administration groups, group policies and group tasks.
The User accounts folder contains information about user accounts on the network.
The Reports and notifications folder contains a set of templates for generation of reports about the protection system state on client computers in administration groups. The Reports and notifications folder contains the following subfolders:
• Computer selections. Intended for searching client computers by specified criteria.
• Events. Contains selections of events that present information about application events and the results of tasks run.
The Administration Server tasks folder contains a set of tasks defined for Administration Server.
The Tasks for specific computers folder contains tasks defined for sets of computers in administration groups or in the Unassigned computers folder. Such tasks are convenient for small groups of client computers that cannot be combined into a separate administration group.
The Applications management folder is intended for managing applications installed on computers on the network. It contains the following subfolders:
• Application categories. Intended for handling user categories of applications.
• Applications registry. Contains the list of applications installed on client computers on which Network Agent is installed.
• Executable files. Contains the list of executable files stored on client computers on which Network Agent is installed.
• Software vulnerabilities. Contains the list of vulnerabilities in the applications on client computers on which Network Agent is installed.
• Software updates. Contains list of updates downloaded by the Administration Server, which can be distributed to client computers.
• Kaspersky Lab licenses. Contains a list of keys on client computers.
• Third-party licenses usage. Contains a list of groups of licensed applications.
The Remote installation folder is intended for managing remote installation of operating systems and applications. It comprises the following subfolders:
• Deploy computer images. Intended for deploying images of operating systems on client computers.
• Installation packages. Contains a list of installation packages that can be used for remote installation of applications on client computers.
The Mobile devices folder is designed to manage Exchange ActiveSync and iOS MDM mobile devices.
The Data encryption and protection folder is intended for managing the process of user data encryption on drives and removable media.
The Unassigned computers folder displays the network where the Administration Server is installed. Information about the structure of the network and computers on this network is received by the Administration Server through regular polling of the Windows network, IP subnets, and Active Directory within the corporate computer network. Polling results are displayed in the info areas of corresponding folders: Domains, IP subnets, and Active Directory.
The Repositories folder is intended for operations with objects used to monitor the status of client computers and perform their maintenance. It includes the following folders:
• Updates. Contains a list of updates received by Administration Server that can be distributed to client computers.
• Hardware. Contains a list of hardware connected to the organization's network.
• Quarantine. Contains a list of objects moved to Quarantine by anti-virus software on client computers.
• Backup. Contains the list of backup copies of objects in storage.
• Unprocessed files. Contains a list of files assigned for later scanning by anti-virus applications.

WORKSPACE
Workspace is an area of the main application window of Kaspersky Security Center located on the right from the console tree (see figure below). It contains descriptions of console tree objects and their respective functions. The content of the workspace corresponds to the object selected from the console tree.

Figure 3. Workspace

The appearance of the workspace for various console tree objects depends on the type of data displayed. Three appearances of the workspace exist:
• set of management boxes
• list of management objects
• set of information panes
If the console tree does not display some of the items within an object of the console tree, the workspace is divided into tabs. Each tab corresponds to an item of the console tree (see figure below).

Figure 4. Workspace divided into tabs

IN THIS SECTION:
Set of management blocks (page 25)
List of management objects (page 25)
Set of information blocks (page 27)

SET OF MANAGEMENT BLOCKS
In the workspace represented as a set of management blocks, management tasks are divided into blocks. Each management block contains a set of links each of which corresponds to a management task (see figure below).

Figure 5. Workspace represented as a set of management blocks

LIST OF MANAGEMENT OBJECTS
Workspace represented as a list of management objects comprises four areas (see the figure below).
• Block of objects list management.
• List of objects.
• Block of selected object (optional).
• Block of data filtering (optional).

Figure 6. Information area represented by a list of management objects

The block of objects list management contains the header of the list and a set of links each of which corresponds to a list management task.
The list of objects is displayed in a table view. The set of table columns can be changed through a context menu.
The block of selected object contains detailed information about an object and a set of links intended for running main tasks of object management.
The block of data filtering allows you to create samples of objects from the list (see the section "Data filtering block" on page 28).

SET OF INFORMATION BLOCKS
Information-type data are shown in the workspace as information panes without controls (see figure below).

Figure 7. Workspace represented as a set of information panes

Information panes may be represented on several pages (see figure below).

Figure 8. Workspace divided into pages

DATA FILTERING BLOCK
Data filtering block (hereinafter also referred to as filtering block) is used in workspaces and sections of dialog boxes that contain lists of objects (such as computers, applications, vulnerabilities, or users).
The filtering block can contain a search field, a filter, and buttons (see figure below).

Search field
The search field is used to search the list for the text entered in it.
Use the following regular expressions in the search field to search for text:
• *. Replaces any sequence of characters.
Example: To search for the words Server, Servers, or Server room, enter the expression Server* in the search field.
• ?. Replaces any single character.
Example: To search for the words Word or Ward, enter the expression W?rd in the search field.
• [<range>]. Replaces any single character from a specified range or set.
Example: To search for any numeral, enter the expression [0-9] in the search field. To search for one of the characters—a, b, c, d, e, or f—enter the expression [abcdef] in the search field.
Full-text search is available in the following filtering blocks:
• In the event list filtering block, by the Event and Description columns
• In the user account filtering block, by the Name column
• In the applications registry filtering block, by the Name column if the Group applications by name check box is cleared.
Use the following regular expressions in the search field to run a full-text search:
• Space. You will see all computers whose descriptions contain any of the listed words.
Example: To search for a phrase that contains the word Slave or Virtual (or both these words), enter the expression Slave Virtual in the search field.
• +, AND or &&. When a plus sign precedes a word, all search results will contain this word.
Example: To search for a phrase that contains the word Slave and the word Virtual, enter either one of the following expressions in the search field: +Slave+Virtual, Slave AND Virtual, Slave && Virtual.
• OR or ||. When placed between two words, it indicates that one word or the other can be found in the text.
Example: To search for a phrase that contains the word Slave or the word Virtual, enter either one of the following expressions in the search field: Slave OR Virtual, Slave || Virtual.
• -. When a minus sign precedes a word, no search results will contain this word.
Example: To search for a phrase that must contain the word Slave and must not contain the word Virtual, enter the +Slave-Virtual expression in the search field.
• "<some text>". Text enclosed in quotation marks must be present in the text.
Example: To search for a phrase that contains the word combination Slave Server, enter the expression "Slave Server" in the search field.
• *. Replaces any sequence of characters.
Example: To search for the words Server, Servers, or Server room, enter the expression Server* in the search field.
Text in the search field cannot begin with the * symbol.
• ?. Replaces any single character.
Example: To search for the words Word or Ward, enter the expression W?rd in the search field.
Text in the search field cannot begin with the ? symbol.

Filtering block buttons
Buttons of the filtering block are shaped as multicolored icons on a darker background. When you click a button, its background brightens. When you then click the button one more time, its background goes dark again.
The following filtering rules apply:
• A list item with the specified value of an attribute is considered to be selected if the icon with the value of the attribute is displayed against a dark background in the filtering block (for example, the selection will include the computers with the Critical status).
• A list item with the specified value of an attribute is considered not selected if the icon with the value of the attribute is displayed against a light background in the filtering block (for example, the selection will not include computers with the Critical status).
• The selection includes all list items if the icons of all values of the attribute are placed on the lighter background or on the darker background.


The values of attributes depend on the statuses of computers (or network devices) and the severity levels of events. A
list of statuses of computers, network devices and severity levels of events (and corresponding icons as well) is shown in
the Appendix.

Extended filtering block
When using a filtering block, you can create data selections and reset the filter, as well as enable the extended format of
the block including additional filtering settings (see figure below).
• Creating a selection:
  • If you use only buttons to create a selection, the selection is created automatically after you click a button.
  • If you use text search and selection settings (for example, in the extended filtering block) in addition to
    buttons, the selection is created when you click the button in the top right corner of the filtering block.
• Resetting the filter:
  You can reset the filter by clicking the button that appears on the left of the button after you use the
  filtering block for the first time.

• Using the extended filtering block: You can expand the extended filtering block by clicking the Filter setup link.
Clicking the Filter setup link displays fields in which you can specify the filtering settings (see figure above) and
opens the Filtering settings window. In the Filtering settings window, use check boxes to specify the list
columns by which filtering should be performed. The selection of check boxes in the Filtering settings window
depends on the available list columns and may vary.
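
The search-field syntax from the "Search field" subsection, modelled as a small matcher over constructed computer descriptions. This is an added example, not Kaspersky Security Center code: the function names are hypothetical, and case-insensitive, word-by-word matching is an assumption the guide does not state.

```python
import re

# Illustrative model of the search-field syntax described in this guide.
# Not Kaspersky Security Center code; rules marked "assumed" are not in the guide.

def wildcard_to_regex(pattern):
    """Translate *, ? and [<range>] into a regular-expression fragment."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        end = pattern.find("]", i + 1) if ch == "[" else -1
        if ch == "*":
            out.append(".*")                  # any sequence of characters
        elif ch == "?":
            out.append(".")                   # any single character
        elif ch == "[" and end > i + 1:
            body = pattern[i + 1:end]         # e.g. 0-9 or abcdef
            for special in ("\\", "^", "["):
                body = body.replace(special, "\\" + special)
            out.append("[" + body + "]")
            i = end
        else:
            out.append(re.escape(ch))         # literal, including a stray '['
        i += 1
    return "".join(out)

def text_search(pattern, value):
    """Text search: True if the pattern occurs anywhere in value (assumed)."""
    try:
        rx = re.compile(wildcard_to_regex(pattern), re.IGNORECASE)
    except re.error as exc:                   # e.g. a reversed range such as [9-0]
        raise ValueError("invalid pattern: %s" % pattern) from exc
    return rx.search(value) is not None

# Quoted phrase, && or ||, or a word with an optional + / - prefix.
# "+Slave-Virtual" has no spaces in the guide, so + and - also end a word.
TOKEN = re.compile(r'"[^"]*"|&&|\|\||[+-]?[^\s+\-"&|]+')

def parse_query(query):
    """Split a full-text query into (must, must_not, should) term lists."""
    must, must_not, should = [], [], []
    join_and = prev_plain = False
    for tok in TOKEN.findall(query):
        if tok in ("AND", "&&"):
            if prev_plain:                    # promote the left-hand operand
                must.append(should.pop())
            join_and, prev_plain = True, False
        elif tok in ("OR", "||"):
            join_and = prev_plain = False     # both operands stay optional
        elif tok.startswith('"'):
            must.append(("phrase", tok.strip('"')))
            join_and = prev_plain = False
        else:
            sign = tok[0] if tok[0] in "+-" else ""
            word = tok[len(sign):]
            if word[0] in "*?":               # applied to every term (assumed)
                raise ValueError("search text cannot begin with * or ?")
            if sign == "-":
                must_not.append(("word", word))
            elif sign == "+" or join_and:
                must.append(("word", word))
            else:
                should.append(("word", word))
            prev_plain = not sign and not join_and
            join_and = False
    return must, must_not, should

def term_matches(term, text):
    kind, value = term
    if kind == "phrase":                      # quoted text must appear as typed
        return value.lower() in text.lower()
    rx = re.compile(wildcard_to_regex(value), re.IGNORECASE)
    return any(rx.fullmatch(w) for w in re.findall(r"\w+", text))

def full_text_search(query, text):
    must, must_not, should = parse_query(query)
    if any(term_matches(t, text) for t in must_not):
        return False
    if not all(term_matches(t, text) for t in must):
        return False
    # Space-separated words on their own: any one of them is enough.
    return not should or bool(must) or any(term_matches(t, text) for t in should)

# Constructed sample: descriptions as they might appear in a list of computers.
DESCRIPTIONS = [
    "Slave Server, branch office",
    "Virtual Administration Server",
    "Slave and Virtual test host",
    "Server room workstation 7",
]

def select(query, rows=DESCRIPTIONS):
    return [r for r in rows if full_text_search(query, r)]

if __name__ == "__main__":
    for q in ("Slave Virtual", "+Slave+Virtual", "+Slave-Virtual", '"Slave Server"', "Serv*"):
        print(q, "->", select(q))
```
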

CONTEXT MENU
In the console tree of Kaspersky Security Center each object features its own context menu. In the console tree, the
standard commands of the Microsoft Management Console context menu are supplemented with commands used for
operations with the object. A list of objects and an additional set of context menu commands are included in the appendix.
In the workspace each item of an object selected in the tree also features a context menu containing the commands used to
handle the item. Basic types of items and corresponding additional sets of commands are included in the appendix.

CONFIGURING THE INTERFACE
Kaspersky Security Center allows you to configure the interface of Administration Console.
To change the specified interface settings:
1. In the console tree, click the Administration Server node.
2. In the View menu, select Configure interface.
3. In the Configure interface window that opens, configure the display of interface elements using the following
check boxes:
• Display Systems Management.
  If this check box is selected, in the Remote installation folder the Deploy computer images nested
  folder is displayed, while in the Repositories folder the Hardware nested folder is displayed.
  By default, this check box is cleared.

• Display data encryption and protection.
  If this check box is selected, data encryption management is available on devices connected to the
  network. After you restart the application, the console tree displays the Data encryption and
  protection folder.
  By default, this check box is cleared.


• Display Advanced Anti-Malware.
  If this check box is selected, the following subsections are displayed in the Endpoint control section of
  the properties window of the Kaspersky Endpoint Security 10 for Windows policy:
  • Application Startup Control;
  • Vulnerability Monitor;
  • Device Control;
  • Web Control.
  If this check box is cleared, the above-specified subsections are not displayed in the Endpoint control
  section.
  By default, this check box is cleared.

• Display Mobile Device Management.
  If this check box is selected, the Mobile Device Management feature is available. After you restart the
  application, the console tree displays the Mobile devices folder.
  By default, this check box is cleared.

• Display slave Administration Servers.
  If this check box is selected, the console tree displays the nodes of slave and virtual Administration
  Servers within administration groups. The functionality connected with slave and virtual Administration
  Servers – in particular, creation of tasks for remote installation of applications to slave Administration
  Servers – is also available in this case.
  By default, this check box is selected.

• Display security settings sections.
  If this check box is selected, the Security section is displayed in the properties of Administration Server,
  administration groups and other objects. This check box allows you to give custom permissions for
  working with objects to users and groups of users.
  By default, this check box is selected.


APPLICATION LICENSING
This section provides information about general concepts related to the application licensing.

IN THIS SECTION:
About the End User License Agreement (page 32)
About the license (page 32)
About key (page 33)
Kaspersky Security Center licensing options (page 33)
About restrictions of the main functionality (page 34)
About the activation code (page 35)
About the key file (page 35)

ABOUT THE END USER LICENSE AGREEMENT
The End User License Agreement is a binding agreement between you and Kaspersky Lab ZAO, stipulating the terms on
which you may use the application.

We recommend that you read through the terms of the End User License Agreement carefully before you start using the
application.

You can view the terms of the End User License Agreement using the following methods:
• While installing Kaspersky Security Center.
• By reading the document license.txt. This document is included in the application distribution kit.
You accept the terms of the End User License Agreement by confirming that you agree with the End User License
Agreement when installing the application. If you do not accept the terms of the End User License Agreement, you
should abort the application installation and renounce the use of the application.

ABOUT THE LICENSE
A license is a time-limited right to use the application, granted under the End User License Agreement.
A valid license entitles you to use the following services:
• Use of the application in accordance with the terms of the End User License Agreement.
• Technical Support.
The scope of service and the application usage term depend on the type of license under which the application has been
activated.
The following license types are provided:
• Trial – a free license intended for trying out the application.
  A trial license usually has a short term. As soon as the trial license expires, all Kaspersky Security Center
  features are disabled. To continue using the application, you need to purchase the commercial license.
  You can activate the application under the trial license only once.
• Commercial – a paid license granted upon purchase of the application.
  When the commercial license expires, the application keeps running, though with limited functionality (for
  example, updates of the Kaspersky Security Center databases are not available). To continue using Kaspersky
  Security Center in fully functional mode, you have to renew your commercial license.
We recommend renewing the license before its expiration to ensure maximum protection against all security threats.


ABOUT KEY
Key is a sequence of bits that you can apply to activate and then use the application in accordance with the terms of the End User License Agreement. Keys are generated by Kaspersky Lab specialists.
To add a key to the application, you must enter an activation code. The key is displayed in the application interface as a unique alphanumeric sequence after you add it to the application.
The key may be blocked by Kaspersky Lab in case the terms of the License Agreement have been violated. If the key has been blocked, you need to add another one if you want to use the application.
A key may be active or additional.
Active key – a key used at the moment to work with the application. The application cannot use more than one active key.
Additional key – a key that verifies the use of the application but is not used at the moment. The additional key automatically becomes active when the license associated with the current active key expires. An additional key can be added only if an active key has already been added.
A trial license key can be added as the active key only. A trial license key cannot be added as the additional key.

KASPERSKY SECURITY CENTER LICENSING OPTIONS
In Kaspersky Security Center, the license can apply to different groups of functionality.

Basic functionality of Administration Console
The following functions are available:
• Creation of virtual Administration Servers that are used to administer a network of remote offices or client organizations.
• Creation of hierarchy of administration groups to manage a set of devices as a single entity.
• Control of the anti-virus security status of an organization.
• Remote installation of applications.
• Viewing the list of operation system images available for remote installation.
• Centralized configuration of settings for applications that are installed on client computers.
• Viewing and editing of existing groups of license programs.
• Statistics and reports on the application's operation, as well as notifications about critical events.
• Data encryption and protection management.
• Viewing and manual editing of the list of hardware components detected by polling the network.
• Centralized operations with files that were moved to Quarantine or Backup and files whose processing was postponed.
Kaspersky Security Center with support of the Administration Console basic functionality is delivered as a part of Kaspersky Lab products for protection of corporate networks. You can also download it from the Kaspersky Lab website (http://www.kaspersky.com).
Until the application is activated, or after the commercial license expires, Kaspersky Security Center runs in basic functionality mode of Administration Console (see the section "About restrictions of the basic functionality" on page 34).

System Administration
The following functions are available:
• Remote installation of operating systems.
• Remote installation of software updates, scanning and fixing of vulnerabilities.
• Management of device access to the corporate network (Network Access Control, NAC).
• Hardware components inventory.
• Licensed applications group management.
• Remote permission of connection to client computers through a Microsoft Windows® component named Remote Desktop Connection.
• Remote connection to client computers through Windows Desktop Sharing.
• Management of user roles.
The management unit for the System Administration is a client computer in the "Managed computers" group.
For a proper functioning of Systems Management, at least 100 GB free disk space must be available.

Mobile Device Management
The Mobile Device Management is used to administer Exchange ActiveSync and iOS MDM mobile devices.
The following functions are available for Exchange ActiveSync mobile devices:
• Creation and editing of mobile device management profiles, assignment of profiles to users' mailboxes.
• Configuration of mobile device settings (mail synchronization, application usage, user password, data encryption, connection of removable drives).
• Installation of certificates on mobile devices.
The following functions are available for iOS MDM mobile devices:
• Creation and editing of configuration profiles, installation of configuration profiles on mobile devices.
• Installation of applications on mobile devices via App Store or using manifest files (.plist).
• Locking of mobile devices, resetting of the mobile device password, and deleting of all data from the mobile device.
In addition, Mobile Devices Management allows executing commands provided by relevant protocols.
The management unit for Mobile Devices Management is a mobile device. A mobile device is considered to be managed after it is connected to the Mobile Devices Server.

ABOUT RESTRICTIONS OF THE MAIN FUNCTIONALITY
Until the application is activated or after the commercial license expires, Kaspersky Security Center provides the basic functionality of Administration Console. The limitations imposed on the application operation are described below.

Managing applications
You cannot run the update installation task and the update removal task. All tasks that had been started before the license expired will be completed, but the latest updates will not be installed. For example, if the critical update installation task had been started before the license expired, only critical updates found before the license expiration will be installed.
Launch and editing of the synchronization, vulnerability scan, and vulnerabilities database update tasks are always available. Also, no limitations are imposed on viewing, searching, and sorting of entries on the list of vulnerabilities and updates.

Remote installation of operating systems and applications
You cannot run tasks of operating system image capturing and installation. Tasks that had been started before the license expired will be completed.

Hardware inventory
You cannot use collection of information about new devices with NAC and the Mobile devices server. Information about computers and connected devices continues to be updated.

Network access control
The NAC Agent and NAC switch to "Disabled" mode without an option to enable them.

Managing mobile devices
You cannot create a new profile and assign it to a mobile device (iOS MDM) or to a mailbox (Exchange ActiveSync). Editing of existing profiles and assignment of profiles to mailboxes are always available.

You receive no notifications of changes in the configurations of devices.

The equipment list is available for viewing and editing manually.

Managing groups of licensed applications

You cannot add a new key.

You receive no notifications of violated limitations imposed on the use of keys.

Remote connection to client computers

Remote connection to client computers is not available.

Anti-virus security

Anti-Virus uses databases that had been installed before the license expired.

ABOUT THE ACTIVATION CODE

Activation code is a code that you receive on purchasing the commercial license for Kaspersky Security Center.

The activation code is a unique sequence of twenty digits and Latin letters in the format xxxxx-xxxxx-xxxxx-xxxxx.

The license term countdown starts from the date when you activate the application. If you have purchased a license entitling to the use of Kaspersky Security Center on several devices, the term of the license starts counting down from the moment you have first applied the activation code.

If you have lost or accidentally deleted your activation code after the application activation, contact the Kaspersky Lab Technical Support Service to recover the activation code.

To activate the application using an activation code, you must connect to the Kaspersky Lab activation servers via the Internet. If no connection with activation servers and Internet has been established, the application is activated using a key file (see the section "About the key file" on page 35).

ABOUT THE KEY FILE

Key file is a file with the following name: xxxxxxx.key. Key files are used to activate the application. A key file contains information required for activation.

To activate the application using a key file, you do not have to connect to activation servers or to the Internet.

To obtain the key file or recover the key in case it was lost, send a request to the Technical Support Service.

The key file contains the following data:
• Key is a unique alphanumeric sequence. The key can be used, for example, to receive technical support from the Kaspersky Lab.
• A Kaspersky Security Center key file can specify restrictions on the number of managed computers and mobile devices. The type of limit is determined by the current license (see the section "Kaspersky Security Center licensing options" on page 33).
• Key file creation date is the date when the key file was created on the activation server.
• License validity period is the term of the application usage stipulated by the License Agreement and starting from the day of the first activation of the application using the provided key file (for example, one year). The license expires no later than does the key file that was used to activate the application under this license.
• Key file expiry date is a specific period starting from the day when the key file is created. The application shall be activated using the provided key before this period expires. The key file expiry period is automatically considered to be expired when the license for the application activated using this key file expires.

KASPERSKY SECURITY CENTER QUICK START WIZARD

This section provides information about the functionality of the Kaspersky Security Center Quick Start Wizard.

Kaspersky Security Center allows adjusting a minimum set of settings required to build a centralized management system for anti-virus protection. This configuration is performed by using the Quick Start Wizard. While the Quick Start Wizard is running, the following changes are made to the application:
• The Wizard adds keys or codes that can be automatically distributed to computers within administration groups.
• Configures interaction with Kaspersky Security Network (KSN). KSN allows retrieving information about applications installed on managed computers in case this information can be found in Kaspersky Lab's reputation databases. If you allowed the use of KSN, the wizard starts the KSN Proxy service that ensures connection between KSN and client computers.
• It generates settings for notification delivery by email informing of events logged in the operation of Administration Server and managed applications (to ensure a successful notification, Messenger service should keep running on Administration Server and all of the recipient computers).
• Then the Wizard adjusts the update settings and vulnerability fixing settings of applications installed on client computers.
• Protection policies for workstations and servers are created on the top level of hierarchy of managed computers; virus scan tasks, update tasks, and backup tasks are also created.

The Quick Start Wizard creates protection policies only for applications for which the Managed computers folder does not contain any. The Quick Start Wizard does not create tasks if ones with the same names have already been created for the top level in the hierarchy of managed computers.

An offer to run the Quick Start Wizard is displayed after Administration Server installation, at the first connection to it. You can also start the Quick Start Wizard manually using the context menu of the Administration Server <Computer name> node.

SEE ALSO:
Interaction between Administration Server and KSN Proxy service

BASIC CONCEPTS

This section explains basic concepts related to Kaspersky Security Center.

IN THIS SECTION:
Administration Server
Administration Server hierarchy
Virtual Administration Server
Mobile device server
Web server
Network Agent. Administration group
Administrator's workstation
Application administration plug-in
Policies, application settings and tasks
How local application settings relate to policies

ADMINISTRATION SERVER

Kaspersky Security Center components allow remotely managing Kaspersky Lab applications installed on client computers.

Computers with the Administration Server component installed will be referred to as Administration Servers (hereinafter also referred to as Servers).

Administration Server is installed on a computer as a service with the following set of attributes:
• With the name "Kaspersky Security Center Administration Server"
• Using automatic startup when the operating system starts.
• With the Local System account or the user account selected during the installation of the Administration Server.

The Administration Server performs the following functions:
• storage of the administration groups structure.
• storage of information about the configuration of client computers.
• organization of storages for application distribution packages.
• remote installation of applications to client devices and removal of applications.
• updating of application databases and software modules of Kaspersky Lab applications.
• management of policies and tasks on client computers.
• storage of information about events that have occurred on client devices.
• generation of reports on the operation of Kaspersky Lab applications.
• deployment of keys to client devices, and storage of information about keys.
• sending notifications of the progress of tasks (for example, of viruses detected on a client computer).

ADMINISTRATION SERVER HIERARCHY

Administration Servers can be arranged in a master/slave hierarchy. Each Administration Server can have several slave Administration Servers (referred to as slave Servers) on different nesting levels of the hierarchy. The nesting level for slave Servers is unrestricted. The administration groups of the master Administration Server will then include the client computers of all slave Administration Servers. Thus, isolated and independent sections of computer networks can be controlled by different Administration Servers which are in turn managed by the master Server.

Virtual Administration Servers (see the section "Virtual Administration Server" on page 38) are a particular case of slave Administration Servers.

The hierarchy of Administration Servers can be used to do the following:
• Decrease the load on Administration Server (compared to a single installed Administration Server in an entire network).
• Decrease intranet traffic and simplify work with remote offices. It is unnecessary to establish connections between the master Administration Server and all network computers, which may be located, for example, in other regions. It is sufficient to install in each network node a slave Administration Server, distribute computers among administration groups of slave Servers and establish connections between the slave Servers and master Server over fast communication channels.
• Distribute responsibilities among the anti-virus security administrators. All capabilities for centralized management and monitoring of anti-virus security status in corporate networks remain available.
• How service providers use Kaspersky Security Center. The service provider needs only installed Kaspersky Security Center and Kaspersky Security Center Web Console. To manage more client computers of several organizations, a service provider can add virtual Administration Servers to an Administration Server hierarchy.

Each computer included in the hierarchy of administration groups can be connected to one Administration Server only. You must control the state of connection of computers to Administration Servers. Use the features for computer search in administration groups of different Servers based on network attributes.

VIRTUAL ADMINISTRATION SERVER

Virtual Administration Server (also referred to as virtual Server) is a component of Kaspersky Security Center intended for managing anti-virus protection of a client organization's network.

Virtual Administration Server is a particular case of a slave Administration Server and has the following restrictions as compared with physical Administration Server:
• Virtual Administration Server can be created only on master Administration Server.
• Virtual Administration Server uses the database of the master Administration Server in its operation: data backup tasks, data recovery tasks, update check tasks, and update download tasks are not supported on the virtual Server. These tasks exist only on master Administration Server.
• Virtual Server does not support creation of slave Administration Servers (including virtual Servers).

Besides, virtual Administration Server has the following restrictions:
• In the virtual Administration Server properties window the number of sections is restricted.
• To carry out remote installation of Kaspersky Lab applications on client computers managed by the virtual Administration Server, you should make sure that the Network Agent is installed on one of the client computers in order to ensure communication with the virtual Administration Server. At the first connection to the virtual Administration Server, that computer is automatically appointed Update Agent, thus functioning as a gateway for connection between the client computers and the virtual Administration Server.
• A virtual Server can poll the network only through Update Agents.
• To restart a malfunctioning virtual Server, Kaspersky Security Center restarts the master Administration Server and all virtual Administration Servers.

The administrator of a virtual Administration Server has all privileges on this particular virtual Server.

MOBILE DEVICE SERVER

A mobile devices server is a component of Kaspersky Security Center that provides access to mobile devices and allows managing them through Administration Console. The Mobile device server retrieves information about mobile devices and stores their profiles.

There are two types of mobile devices servers:
• Mobile devices server supporting Exchange ActiveSync. Installed to a client computer where a Microsoft Exchange server has been installed, allowing retrieving data from the Microsoft Exchange server and passing them to Administration Server. This mobile devices server is used for management of mobile devices that support Exchange ActiveSync protocol.
• iOS MDM Mobile Devices Server. This mobile devices server is used for management of mobile devices that support the Apple Push Notification service (APNs).

Mobile devices servers of Kaspersky Security Center allow managing the following objects:
• An individual mobile device.
• Several mobile devices.
• Several mobile devices connected to a cluster of servers, simultaneously. After connecting to a cluster of servers, the mobile devices server installed on this cluster is displayed in Administration Console as a single server.

WEB SERVER

Kaspersky Security Center Web Server (hereinafter also referred to as Web Server) is a component of Kaspersky Security Center that is installed together with Administration Server. Web Server is designed for transfer of standalone installation packages, iOS MDM profiles, and files from the shared folder over the network.

When you create a standalone installation package, it is automatically published on Web Server. A link for download of the standalone package is displayed in the list of standalone installation packages. If necessary, you can cancel publication of the standalone package or publish it on Web Server again.

When you create an iOS MDM profile for a user's mobile device, it is also automatically published on Web Server. When the profile is published, it is automatically removed from Web Server after it is successfully installed to the user's mobile device (for more details on how to create and install an iOS MDM profile, please refer to the Kaspersky Security Center Implementation Guide).

The shared folder is designed as a storage area for information that is available to all users whose computers are managed via Administration Server. If a user has no direct access to the shared folder, he or she can be given information from that folder by means of Web Server.

To provide users with information from a shared folder by means of Web Server, the administrator must create a subfolder named "public" in the shared folder and paste the relevant information.

The syntax of the information transfer link is as follows:

http://<Web Server name>:<HTTP port>/public/<object>

where:
• <Web Server name> is the name of the Kaspersky Security Center Web Server.
• <HTTP port> is an HTTP port of Web Server that has been defined by the administrator. An HTTP port can be set in the Web Server section of the properties window of Administration Server. The default port number is 8060.
• <object> is the subfolder or file to which the user will receive access.

The administrator can send the new link to the user in any convenient way, such as by email.

By clicking the link, the user can download the required information to a local computer.

NETWORK AGENT. ADMINISTRATION GROUP

Interaction between the Administration Server and client computers is performed by a component of the Kaspersky Security Center application named Network Agent. Network Agent should be installed on all client computers on which Kaspersky Security Center is used to manage Kaspersky Lab applications.

Network Agent is installed on a computer as a service with the following set of attributes:
• With the name "Kaspersky Security Center Network Agent"
• Set to automatically start when the operating system starts
• Using the Local system account

Network Agent is installed on the computer together with a plug-in for interfacing with Cisco® NAC. This plug-in is used if the computer has Cisco® Trust Agent installed. The settings for joint operation with Cisco® NAC are specified in the properties window of the Administration Server.

When integrated with Cisco® NAC, Administration Server acts as a standard Posture Validation Server (PVS) policy server, which an administrator may use to either allow or block access by a computer to the network, based upon the anti-virus protection status.

A computer, server, or workstation on which Network Agent and managed Kaspersky Lab applications are installed will be referred to as the Administration Server client (also, client computer or just computer).

The computers in a corporate network can be subdivided into groups arranged in a certain hierarchical structure. Such groups are called administration groups. The hierarchy of administration groups is displayed in the console tree, in the Administration Server node.

An administration group (hereinafter also referred to as group) is a set of client computers combined on the basis of a certain trait for the purpose of managing the grouped computers as a single unit. All client computers within a group are configured to:
• Use the same application settings (which are defined in group policies).
• Use a common mode of applications' operation thanks to creation of group tasks with a specified collection of settings. For example, creating and installing a common installation package, updating the application databases and modules, scanning the computer on demand, and ensuring real-time protection.

A client computer can be included only in one administration group.

You can create hierarchies for Servers and groups with any degree of nesting. A single hierarchy level can include slave and virtual Administration Servers, groups, and client computers.

ADMINISTRATOR'S WORKSTATION

Computers on which the Administration Console component is installed are referred to as administrator's workstations. Administrators can use those computers for centralized remote management of Kaspersky Lab applications installed on client computers.

After Administration Console is installed, its icon appears in the Start → Programs → Kaspersky Security Center menu and can be used to start the console.

There are no restrictions on the number of administrator's workstations. From any administrator's workstation you can manage administration groups of several Administration Servers on the network at once. You can connect an administrator's workstation to an Administration Server (either physical, or virtual one) of any level of hierarchy.

You can include an administrator's workstation in an administration group as a client computer.

Within the administration groups of any Administration Server, the same computer can function as an Administration Server client, an Administration Server, or an administrator's workstation.

APPLICATION ADMINISTRATION PLUG-IN

Management of Kaspersky Lab applications via the Administration Console is performed using a special component named management plug-in. It is included in all Kaspersky Lab applications that can be managed by using Kaspersky Security Center. The management plug-in is installed on an administrator's workstation. Using the management plug-in, you can perform the following actions in the Administration Console:
• Creating and editing application policies and settings, as well as the settings of application tasks
• Obtaining information about application tasks, application events, as well as application operation statistics received from client computers

POLICIES, APPLICATION SETTINGS, AND TASKS

A named action performed by a Kaspersky Lab application is called a task. Tasks are organized by types according to their function.

Each task is associated with a set of settings that are used during performance of the task. The set of application settings that are common to all types of application tasks form the application settings. Application settings that are specific to each task type form the corresponding task settings.

A detailed description of task types for each Kaspersky Lab application can be found in the respective application guides.

Application settings defined for an individual client computer through the local interface or remotely through Administration Console are referred to as local application settings.

The applications installed on client computers are configured centrally by configuring policies.

A policy is a collection of application settings that are defined for an administration group. The policy does not define all application settings.

Several policies with different values can be defined for a single application. However, there can be only one active policy for an application at a time.

You can activate a disabled policy based on occurrence of a certain event. This means that you can, for example, enforce stricter anti-virus protection settings during virus outbreaks.

You can also create a policy for mobile users.

An application can run in different ways for different groups of settings. Each group can have its own policy for an application.

The application settings are defined by the policy settings and the task settings.

Nested groups and slave Administration Servers inherit the tasks from groups that belong to higher hierarchy levels. A task defined for a group is performed not only on client computers included in that group, but also on client computers included in its child groups and belonging to slave Servers on all lower hierarchy levels.

Each setting represented in a policy has a "lock" attribute. The "lock" shows whether the setting is allowed for modification in the policies of lower hierarchy levels (for nested groups and slave Administration Servers), in task settings and local application settings. If a parameter is "locked" in the policy, its value cannot be redefined (see the section "How local application settings relate to policies" on page 42).

If you clear the Inherit settings from parent policy check box in the Inheritance of settings section of the General section in the properties window of an inherited policy, the "lock" is lifted for that policy.

Tasks for objects that are managed by a single Administration Server are created and configured in a centralized way. The following types of tasks can be defined:
• Group task is a task that defines settings for an application installed on computers within an administration group.
• Local task is a task for an individual computer.
• Task for selection of computers is a task for an arbitrary set of computers included or not included in administration groups.
• Administration Server task is a task defined directly for an Administration Server.

A group task can be defined for a group even if a corresponding Kaspersky Lab application is installed only on certain client computers of that group. In that case, the group task is performed only on the computers on which the application is installed.

Tasks created for a client computer locally are only performed for this computer. When a client computer is synchronized with the Administration Server, local tasks are added to the list of tasks created for that client computer.

Because application settings are defined by policies, task settings can redefine the settings that are not locked by the policy. Task settings also can redefine the settings that can be configured only for a specific instance of a task. For example, the drive name and masks of files to be scanned are configurable settings for the drive scan task.

A task can be run automatically (according to a schedule) or manually. Task results are saved locally and on the Administration Server. The administrator can receive notifications about particular performed tasks and view detailed reports.

Information about policies, application settings, and task settings for specific computers, as well as information about group tasks, is saved on Administration Server and distributed to client computers during synchronization. During synchronization, the Administration Server stores information about the local changes allowed by the policy that have been performed on client computers. Additionally, the list of applications running on the client computer, their status, and the existing tasks are updated.

HOW LOCAL APPLICATION SETTINGS RELATE TO POLICIES

You can use policies to set identical values of the application settings for all computers in a group.

The values of settings specified by a policy can be redefined for individual computers in a group by using local application settings. You can only set the values of settings that the policy allows to be modified, that is, "unlocked" settings.

The value of a setting that the application uses on a client computer (see figure below) is defined by the "lock" position for that setting in the policy:
• If setting modification is "locked", the same value (defined in the policy) is used on all client computers.
• If setting modification is "unlocked", the application uses a local value on each client computer instead of the value specified in the policy. The setting can then be changed in the local application settings.

Figure 9. Policy and local application settings

This means that, when a task is run on a client computer, the application applies settings that have been defined in two different ways:
• By task settings and local application settings, if the setting is not locked against changes.
• By the group policy, if the setting is locked against changes.

Local application settings are changed after the policy is first applied in accordance with the policy settings.
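The lock rules described in this section and in "Policies, application settings, and tasks" can be modelled and audited as follows. This Python model is an added example, not Kaspersky Security Center code: the setting names and sample policies are constructed, and two points the guide does not specify are assumptions (a task value wins over a local value for the same setting, and a policy with inheritance cleared keeps parent values it does not redefine).

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple


@dataclass
class PolicySetting:
    value: Any
    locked: bool = False  # the "lock" attribute of a policy setting


@dataclass
class Policy:
    settings: Dict[str, PolicySetting] = field(default_factory=dict)
    inherit_from_parent: bool = True  # "Inherit settings from parent policy"


def resolve_group_policy(chain: List[Policy]) -> Dict[str, PolicySetting]:
    """Fold policies from the top-level group down to the nested group."""
    effective: Dict[str, PolicySetting] = {}
    for policy in chain:
        for name, setting in policy.settings.items():
            parent = effective.get(name)
            # A lock set higher up binds the lower-level policy unless that
            # policy has inheritance cleared, which lifts the lock for it.
            if parent is not None and parent.locked and policy.inherit_from_parent:
                continue
            effective[name] = PolicySetting(setting.value, setting.locked)
    return effective


def effective_settings(policy, local, task=None) -> Dict[str, Tuple[Any, str]]:
    """Value the application uses on one client, and where it came from."""
    task = task or {}
    result = {}
    for name in sorted(set(policy) | set(local) | set(task)):
        p = policy.get(name)
        if p is not None and p.locked:
            result[name] = (p.value, "policy")   # locked: policy value everywhere
        elif name in task:
            result[name] = (task[name], "task")  # assumption: task beats local
        elif name in local:
            result[name] = (local[name], "local")
        else:
            result[name] = (p.value, "policy")   # never changed locally
    return result


def audit_local_overrides(policy, local) -> Tuple[List[str], List[str]]:
    """Return (ignored, drifted) names of local values that differ from policy.

    ignored: the policy locks the setting, so the local value has no effect.
    drifted: the setting is unlocked, so the client really runs the local value.
    """
    ignored, drifted = [], []
    for name in sorted(local):
        p = policy.get(name)
        if p is None or local[name] == p.value:
            continue
        (ignored if p.locked else drifted).append(name)
    return ignored, drifted


# Constructed sample data; all setting names are hypothetical.
TOP = Policy({
    "realtime_protection": PolicySetting(True, locked=True),
    "update_interval_hours": PolicySetting(2),
    "scan_removable_drives": PolicySetting(True),
})
NESTED = Policy({
    "realtime_protection": PolicySetting(False),             # blocked by parent lock
    "update_interval_hours": PolicySetting(6, locked=True),  # redefined, then locked
})
LOCAL = {
    "realtime_protection": False,
    "update_interval_hours": 24,
    "scan_removable_drives": False,
}
TASK = {"scan_masks": ["*.exe", "*.dll"]}

if __name__ == "__main__":
    group_policy = resolve_group_policy([TOP, NESTED])
    for name, (value, source) in effective_settings(group_policy, LOCAL, TASK).items():
        print(f"{name:24} {value!r:20} from {source}")
    ignored, drifted = audit_local_overrides(group_policy, LOCAL)
    print("local values overridden by a lock:", ignored)
    print("unlocked settings that differ from policy:", drifted)
```

The drifted list is the one to review: it names settings a client can weaken locally because the policy leaves them unlocked.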

MANAGING ADMINISTRATION SERVERS

This section provides information about how to handle Administration Servers and how to configure them.

IN THIS SECTION:
Connecting to an Administration Server and switching between Administration Servers
Access rights to Administration Server and its objects
Conditions of connection to an Administration Server via the Internet
Secure connection to Administration Server
Disconnecting from an Administration Server
Adding an Administration Server to the console tree
Removing an Administration Server from the console tree
Changing an Administration Server service account. Utility tool klsrvswch
Viewing and modifying the settings of an Administration Server

CONNECTING TO AN ADMINISTRATION SERVER AND SWITCHING BETWEEN ADMINISTRATION SERVERS

After Kaspersky Security Center is started, it attempts to connect to an Administration Server. If several Administration Servers are available on the network, the application requests the server to which it was connected during the previous session of Kaspersky Security Center.

When the application is started for the first time after installation, it attempts to connect to the Administration Server that was specified during installation of Kaspersky Security Center.

After a connection to an Administration Server is established, the folders tree of that Server is displayed in the console tree.

If several Administration Servers have been added to the console tree, you can switch between them.

To switch to another Administration Server:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the context menu of the node, select Connect to Administration Server.
3. In the Connection settings window that opens, in the Server address field specify the name of the Administration Server to which you want to connect. You can specify an IP address or the name of a computer on a Windows network as the name of the Administration Server. You can click the Advanced button in the bottom part of the window to configure the connection to the Administration Server (see the following figure).

   To connect to the Administration Server via a port that differs from the default one, enter a value in the Server address field in <Administration Server name>:<Port> format.

   Users who have no rights to read will be denied access to Administration Server.

   Figure 10. Connecting to Administration Server

4. Click OK to complete the switch between Servers.

After the Administration Server is connected, the folders tree of the corresponding node in the console tree is updated.

ACCESS RIGHTS TO ADMINISTRATION SERVER AND ITS OBJECTS

The KLAdmins and KLOperators groups are created automatically during Kaspersky Security Center installation. These groups are granted rights to connect to the Administration Server and to work with Administration Server objects.

Depending on which account is used for installation of Kaspersky Security Center, the KLAdmins and KLOperators groups are created as follows:

- If the application is installed under a user account included in a domain, the groups are created on the Administration Server and in the domain that includes the Administration Server.
- If the application is installed under a system account, the groups are created on the Administration Server only.

You can view the KLAdmins and KLOperators groups and modify the access privileges of the users that belong to the KLAdmins and KLOperators groups by using the standard administrative tools of the operating system.

The KLAdmins group is granted all access rights; the KLOperators group is granted only Read and Execution rights. The rights granted to the KLAdmins group are locked.

Users that belong to the KLAdmins group are called Kaspersky Security Center administrators, while users from the KLOperators group are called Kaspersky Security Center operators.

In addition to users included in the KLAdmins group, administrator rights for Kaspersky Security Center are also provided to the local administrators of computers on which Administration Server is installed.

You can exclude local administrators from the list of users who have Kaspersky Security Center administrator rights.

All operations started by the administrators of Kaspersky Security Center are performed using the rights of the Administration Server account.

An individual KLAdmins group can be created for each Administration Server from the network; the group will have the necessary rights for that Administration Server only.

If computers belonging to the same domain are included in the administration groups of different Administration Servers, the domain administrator is the Kaspersky Security Center administrator for all the groups. The KLAdmins group is the same for those administration groups; it is created during installation of the first Administration Server. All operations initiated by a Kaspersky Security Center administrator are performed using the account rights of the Administration Server for which these operations have been started.

After the application is installed, an administrator of Kaspersky Security Center can:

- Modify the rights granted to the KLOperators groups.
- Grant rights to access the functionality of Kaspersky Security Center to other user groups and individual users who are registered on the administrator's workstation.
- Assign access rights within each administration group.

The Kaspersky Security Center administrator can assign access rights to each administration group or to other objects of Administration Server in the Security section in the properties window of the selected object.

You can track user activity by using the records of events in the Administration Server operation. These event records are displayed in the console tree in the Events folder, in the Audit events subfolder. These events have the severity level Info and the event types begin with "Audit".

CONDITIONS OF CONNECTION TO AN ADMINISTRATION SERVER VIA THE INTERNET

If an Administration Server is remotely located outside of a corporate network, client computers can connect to it via the Internet.

For client computers to connect to an Administration Server over the Internet, the following requirements must be met:

- The remote Administration Server must have an external IP address and the incoming ports 13000 and 14000 must remain open.
- Network Agent must be first installed on client computers.
- When installing Network Agent on client computers, you must specify the external IP address of the remote Administration Server. If an installation package is used for installation, specify the external IP address manually in the properties of the installation package, in the Settings section.
- To use the remote Administration Server to manage applications and tasks for a client computer, in the properties window of that computer in the General section, select the Do not disconnect from the Administration Server check box. After the check box is selected, wait until the Server is synchronized with the remote client computer. The number of client computers maintaining a continuous connection with an Administration Server cannot exceed 100.

To increase the performance of tasks initiated by a remote Administration Server, you can open port 15000 on a client computer. In this case, to run a task, the Administration Server sends a special packet to Network Agent over port 15000 without waiting until completion of synchronization with the client computer.

SECURE CONNECTION TO ADMINISTRATION SERVER

Data exchange between client computers and Administration Server, as well as the Administration Console connection to Administration Server, can be performed using the Secure Sockets Layer (SSL) protocol. The SSL protocol can identify the interacting parties, encrypt the data that is transferred, and protect data against modification during transfer. The SSL protocol uses public keys to authenticate the interacting parties and encrypt data.

IN THIS SECTION:

- Administration Server certificate
- Administration Server authentication during client computer connection
- Administration Server authentication during Administration Console connection

ADMINISTRATION SERVER CERTIFICATE

Authentication of an Administration Server during connection by Administration Console and data exchange with client computers is based on the Administration Server certificate. The certificate is also used for authentication when a connection is being established between master and slave Administration Servers.

The Administration Server certificate is created automatically during installation of the Administration Server component and is stored in the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert folder.

The Administration Server certificate is created only once, during Administration Server installation. If the Administration Server certificate is lost, to get it back you must reinstall the Administration Server component and restore the data.

ADMINISTRATION SERVER AUTHENTICATION DURING CLIENT COMPUTER CONNECTION

When a client computer connects to Administration Server for the first time, Network Agent on the client computer downloads a copy of the Administration Server certificate and stores it locally.

If you install Network Agent to a client computer locally, you can select the Administration Server certificate manually.

The downloaded copy of the certificate is used to verify Administration Server rights and permissions during subsequent connections.

During future sessions, Network Agent requests the Administration Server certificate at each connection of the client computer to Administration Server and compares it with the local copy. If the copies do not match, the client computer is not allowed access to Administration Server.

ADMINISTRATION SERVER AUTHENTICATION DURING ADMINISTRATION CONSOLE CONNECTION

At the first connection to Administration Server, Administration Console requests the Administration Server certificate and saves it locally on the administrator's workstation. After that, each time when Administration Console tries to connect to this Administration Server, the Administration Server is identified based on the certificate copy.

If the Administration Server certificate does not match the copy stored on the administrator's workstation, the Administration Console offers to confirm connection to the Administration Server with the specified name and download a new certificate. After the connection is established, Administration Console saves a copy of the new Administration Server certificate, which will be used to identify the Administration Server in the future.

DISCONNECTING FROM AN ADMINISTRATION SERVER

To disconnect from an Administration Server:

1. In the console tree select the node corresponding to the Administration Server that should be disconnected.
2. From the context menu of the node select Disconnect from Administration Server.
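The certificate checks described above for Network Agent and Administration Console follow a store-on-first-connection, compare-on-every-later-connection pattern. The sketch below is an added example of that pattern, not Kaspersky code: the JSON pin file, the `PinStore` class, the role names and the server name `ksc01` are assumptions, and `fetch_der_certificate` targets a generic TLS endpoint.

```python
import hashlib
import hmac
import json
import socket
import ssl
import tempfile
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate: the value stored and compared."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der_certificate(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the certificate a generic TLS server presents, as DER bytes.

    Chain validation is switched off on purpose: a certificate generated at
    install time has no public CA behind it, so trust comes from the pin
    comparison in PinStore.check(), never from this function alone.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


class PinStore:
    """Local copies of server certificate fingerprints (hypothetical format)."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def _save(self):
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def provision(self, server: str, der_cert: bytes) -> None:
        """Install a known-good certificate by hand, so the first connection
        is already a comparison (the 'select the certificate manually' case)."""
        self.pins[server] = fingerprint(der_cert)
        self._save()

    def check(self, server: str, der_cert: bytes, role: str = "agent", confirm=None) -> str:
        """Return 'pinned', 'match', 'replaced' or 'denied'.

        role='agent'   : a mismatch is always denied.
        role='console' : a mismatch is accepted only if confirm() returns True,
                         and the stored copy is then replaced.
        """
        presented = fingerprint(der_cert)
        stored = self.pins.get(server)
        if stored is None:                      # first connection: keep a copy
            self.pins[server] = presented
            self._save()
            return "pinned"
        if hmac.compare_digest(stored, presented):
            return "match"
        if role == "console" and confirm is not None and confirm(server, stored, presented):
            self.pins[server] = presented       # operator accepted the new certificate
            self._save()
            return "replaced"
        return "denied"


if __name__ == "__main__":
    # Constructed byte strings stand in for DER certificates.
    cert_a, cert_b = b"constructed certificate A", b"constructed certificate B"
    store = PinStore(Path(tempfile.mkdtemp()) / "pins.json")
    print(store.check("ksc01", cert_a))   # first contact
    print(store.check("ksc01", cert_a))   # same certificate again
    print(store.check("ksc01", cert_b))   # different certificate, agent role
    print(store.check("ksc01", cert_b, role="console",
                      confirm=lambda server, old, new: True))
```

A certificate seen for the first time is accepted without any comparison, which is why provisioning the pin in advance closes the first-connection gap.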

ADDING AN ADMINISTRATION SERVER TO THE CONSOLE TREE

To add an Administration Server to the console tree:

1. In the main window of Kaspersky Security Center select the Kaspersky Security Center node from the console tree.
2. From the context menu of the node select Create → Administration Server.

After it's done, a node named Administration Server - <Computer name> (Not connected) will be created in the console tree from which you will be able to connect to any of the Administration Servers on the network.

REMOVING AN ADMINISTRATION SERVER FROM THE CONSOLE TREE

To remove an Administration Server from the console tree:

1. In the console tree select the node corresponding to the Administration Server that you want to remove.
2. From the context menu of the node select Remove.

CHANGING AN ADMINISTRATION SERVER SERVICE ACCOUNT. UTILITY TOOL KLSRVSWCH

If you need to change the Administration Server service account set when installing Kaspersky Security Center, you can use a utility named klsrvswch and designed for changing the Administration Server account.

When installing Kaspersky Security Center, the utility is automatically copied in the application installation folder.

Number of launches of the utility is virtually unlimited.

To change an Administration Server service account:

1. Launch the klsrvswch utility from the installation folder of Kaspersky Security Center.

   This action also launches the wizard for modification of Administration Server service account. Follow the Wizard's instructions.

2. In the Administration Server service account window select any of the two options for setting an account:

   - Local System Account. The Administration Server service will start under the Local System Account and using its credentials.

     Correct operation of Kaspersky Security Center requires that the account used to start the Administration Server service had the rights of administrator of the resource where the Administration Server database is hosted.

   - User account. The Administration Server service is started under the account of a user within the domain. In this case the Administration Server is to initiate all operations by using the rights of that account.

     To select the user whose account will be used to start the Administration Server service:

     1. Click the Find now button and select a user in the Select "User" window that opens. Close the Select: "User" window and click the Next button.
     2. In the Account password window set a password for the selected user account, if necessary.

After the wizard completes its operations, the Administration Server account is changed.

When using an SQL server in a mode that presupposes authenticating user accounts with Microsoft Windows tools, access to the database should be granted. The user must have the status of owner of the Kaspersky Anti-Virus database. The dbo schema is used by default.

VIEWING AND MODIFYING THE SETTINGS OF AN ADMINISTRATION SERVER

You can adjust the settings of an Administration Server in the properties window of this Server.

To open the Properties: Administration Server window, select Properties from the context menu of the Administration Server node in the console tree.

IN THIS SECTION:

- Adjusting the general settings of Administration Server
- Configuring event processing settings
- Control of virus outbreaks
- Limiting traffic
- Configuring cooperation with Cisco Network Admission Control (NAC)
- Configuring Web Server
- Interaction between Administration Server and KSN Proxy service
- Working with internal users

ADJUSTING THE GENERAL SETTINGS OF ADMINISTRATION SERVER

You can adjust the general settings of Administration Server in the General, Settings, Events Storage, and Security sections of the properties window of Administration Server.

Whether the Security section is shown or hidden is determined by the user interface settings. To make this section displayed, go to the View → Configuring interface and in the Configuring interface window that opens select the Display security settings sections check box.

CONFIGURING EVENT PROCESSING SETTINGS

You can view lists of events that occur in the application's operation, and configure the processing of events in the Events section of the Administration Server properties window. Each event has a characteristic that reflects its importance level. Events of the same type may have different importance levels depending on the conditions in which the event occurred.

CONTROL OF VIRUS OUTBREAKS

Kaspersky Security Center allows you to quickly respond to emerging threats of virus outbreaks. Risks of virus outbreaks are assessed by controlling virus activity on client computers.

You can configure assessment rules for threats of virus outbreaks and actions to take in case one emerges; to do this, use the Virus outbreak section of the properties window of Administration Server.

You can specify the notification procedure for the Virus outbreak event in the Events section of the properties window of Administration Server (see the section "Configuring event processing settings"), in the Virus outbreak event properties window.

The Virus outbreak event is generated in case of detection of Malicious object detected events in the operation of anti-virus applications. So, you should save information about all Malicious object detected events on Administration Server in order to recognize virus outbreaks.

You can specify the settings of saving information about any Malicious object detected event in the policies of anti-virus applications.

When counting Infected object detected events, only information from the client computers of the master Administration Server is to be taken into account. The information from slave Administration Servers is not taken into account. For each slave Server the Virus outbreak event settings are adjusted individually.

LIMITING TRAFFIC

To reduce traffic volumes within a network, the application provides the option to limit the speed of data transfer to an Administration Server from specified IP ranges and IP subnets.

You can create and configure traffic limiting rules in the Traffic section of the Administration Server properties window.

CONFIGURING COOPERATION WITH CISCO NETWORK ADMISSION CONTROL (NAC)

You can set correspondence links between conditions of anti-virus protection of client computers and security statuses of Cisco® Network Admission Control (NAC).

To set such correspondence, you should create conditions under which a client computer is assigned certain security statuses of Cisco® Network Admission Control (NAC): Healthy, Checkup, Quarantine or Infected.

You can configure correspondence between statuses of Cisco® NAC and conditions of anti-virus protection of client computers in the Cisco NAC section of the Administration Server properties window.

The Cisco NAC section is displayed in the properties window of Administration Server if Kaspersky Lab Cisco® NAC Posture Validation component has been installed together with Administration Server during the application installation (for details refer to the Kaspersky Security Center Implementation Guide). Otherwise, the Cisco NAC section is not displayed in the properties window of Administration Server.

CONFIGURING WEB SERVER

Web Server is designed for publishing standalone installation packages, iOS MDM profiles, and files from the shared folder.

You can define the settings for connection of Web Server to Administration Server and set a Web Server certificate in the Web Server section of the properties window of Administration Server.

INTERACTION BETWEEN ADMINISTRATION SERVER AND KSN PROXY SERVICE

KSN Proxy is a service that ensures interaction between the infrastructure of Kaspersky Security Network and client computers managed by an Administration Server.

The use of KSN Proxy provides you with the following options:

- Client computers can send requests to KSN and transfer information to KSN even if they do not have direct access to the Internet.
- KSN Proxy caches processed data, thus reducing the workload on the outbound channel and the time period spent for waiting for information requested by a client computer.

You can configure KSN Proxy in the KSN Proxy server section of the properties window of the Administration Server.

WORKING WITH INTERNAL USERS

The accounts of internal users are used to work with virtual Administration Servers. Under the account of an internal user, the administrator of a virtual Administration Server can start Kaspersky Security Center Web Console to check the anti-virus security status of a network. Kaspersky Security Center grants the rights of real users to internal users of the application.

The accounts of internal users are created and used only within Kaspersky Security Center. No data on internal users is transferred to the operating system. Kaspersky Security Center authenticates internal users.

You can configure the settings of accounts of internal users in the Internal users section of the Administration Server properties window. The Internal users section is only displayed in the Administration Server properties window if the Administration Server is virtual or contains virtual Administration Servers.

MANAGING ADMINISTRATION GROUPS

This section provides information about how to handle administration groups.

You can take the following actions on administration groups:

- add any number of nested groups of any level of hierarchy to administration groups
- add client computers to administration groups
- change the hierarchy of administration groups by moving individual client computers and whole groups to other groups
- remove nested groups and client computers from administration groups
- add slave and virtual Administration Servers to administration groups
- move client computers from the administration groups of an Administration Server to those of another Server
- define which Kaspersky Lab applications will be automatically installed on client computers included in a group.

IN THIS SECTION:

- Creating administration groups
- Moving administration groups
- Deleting administration groups
- Automatic creation of a structure of administration groups
- Automatic installation of applications to computers in an administration group

CREATING ADMINISTRATION GROUPS

The hierarchy of administration groups is created in the main application window of Kaspersky Security Center, in the Managed computers folder. Administration groups are displayed as folders in the console tree (see figure below).

Immediately after the installation of Kaspersky Security Center, the Managed computers folder only contains the Administration Servers folder which is empty.

The user interface settings determine whether the Administration Servers folder appears in the console tree. To make this section displayed, go to the View → Configure interface and in the Configure interface window that opens select the Display slave Administration Servers check box.

When creating a hierarchy of administration groups, you can add client computers and virtual machines to the Managed computers folder, as well as add nested groups. You can add slave Administration Servers to the Administration Servers folder.

Identically to the Managed computers group, each created group initially contains the Administration Servers folder only, which is empty, intended to handle slave Administration Servers of this group. Information about policies, tasks of this group, and computers included is displayed on the corresponding tabs in the workspace of this group.

Figure 11. Viewing administration groups hierarchy

To create an administration group:

1. In the console tree, open the Managed computers folder.
2. If you want to create a subgroup in an existing administration group, in the Managed computers folder select a nested folder corresponding to the group, which should comprise the new administration group.

   If you create a new top-level administration group, you can skip this step.

3. Start the administration group creation process in one of the following ways:

   - Using the Create → Group command from the context menu
   - By clicking the Create a subgroup link located in the workspace of the main application window, on the Groups tab.

4. In the Group name window that opens, enter a name for the group and click the OK button.

As a result, a new administration group folder with the specified name appears in the console tree.

MOVING ADMINISTRATION GROUPS

You can move nested administration groups within the groups hierarchy.

An administration group is moved together with all child groups, slave Administration Servers, client computers, group policies, and tasks. The system will apply to the group all the settings that correspond to its new position in the hierarchy of administration groups.

The name of the group should be unique within one level of the hierarchy. If a group with the same name already exists in the folder into which you move the administration group, you should change the name of the latter. If you have not changed the name of the group being moved, an index in _<serial number> format is added to its name after it is moved, for example: (1), (2).

You cannot rename the Managed computers folder because it is a built-in element of Administration Console.

To move a group to another folder of the console tree:

1. Select a group to move from the console tree.
2. Do one of the following:

   - Move the group using the context menu:
     1. Select Cut from the context menu of the group.

     2. Select Paste from the context menu of the administration group to which you need to move the selected group.
   - Move the group using the main application menu:
     a. Select Action → Cut from the main menu.
     b. Select the administration group to which you need to move the selected group, from the console tree.
     c. Select Action → Paste from the main menu.
   - Move the group to another one in the console tree using the mouse.

DELETING ADMINISTRATION GROUPS

You can delete an administration group if it contains no slave Administration Servers, nested groups, or client computers, and if no group tasks or policies have been created for it.

Before deleting an administration group, you should delete all slave Administration Servers, nested groups, and client computers from that group.

To delete a group:

1. Select an administration group in the console tree.
2. Do one of the following:

   - Select Delete from the context menu of the group
   - Select Action → Delete from the main application menu
   - Press the DEL key.

AUTOMATIC CREATION OF A STRUCTURE OF ADMINISTRATION GROUPS

Kaspersky Security Center allows you to create a structure of administration groups using the New Administration Group Structure Wizard.

The Wizard creates a structure of administration groups based on the following data:

- structures of Windows domains and workgroups
- structures of Active Directory groups
- contents of a text file created by the administrator manually.

When generating the text file, the following requirements should be met:

- The name of each new group must begin with a new line, and the delimiter must begin with a line break. Blank lines are ignored.

  Example:

  Office 1
  Office 2
  Office 3

  Three groups of the first hierarchy level will be created in the target group.

- The name of the nested group must be entered with a slash mark (/).

  Example:

  Office 1/Division 1/Department 1/Group 1

  Four subgroups nested into each other will be created in the target group.

- To create several nested groups of the same hierarchy level, you must specify the "full path to the group".

  Example:

  Office 1/Division 1/Department 1
  Office 1/Division 2/Department 1
  Office 1/Division 3/Department 1
  Office 1/Division 4/Department 1

  One group of the first hierarchy level Office 1 will be created in the destination group; this group will include four nested groups of the same hierarchy level: "Division 1", "Division 2", "Division 3", and "Division 4". Each of these groups will include the "Department 1" group.

To launch the automatic creation of a structure of administration groups:

1. Select the Managed computers folder in the console tree.
2. From the context menu of the Managed computers folder select All tasks → Create groups structure.

As a result, the New Administration Group Structure Wizard launches. Follow the Wizard's instructions.

Creating a structure of administration groups using the Wizard does not violate the integrity of the network: New groups are added, but do not replace the existing ones. A client computer cannot be included in an administration group again, because it is removed from the Unassigned computers group after the client computer is moved to the administration group.

If, when creating a structure of administration groups, a client computer has not been included in the Unassigned computers group by any reason (it has been shut down or lost the network connection), it will not be automatically moved to the administration group. You can add client computers to administration groups manually after the Wizard finishes its operation.

AUTOMATIC INSTALLATION OF APPLICATIONS TO COMPUTERS IN AN ADMINISTRATION GROUP

You can specify which installation packages should be used for automatic remote installation of Kaspersky Lab applications to client computers that have recently been added to a group.

To configure automatic installation of applications to new devices in an administration group:

1. In the console tree, select the required administration group.
2. Open the properties window of this administration group.
3. In the Automatic installation section, select the installation packages to be installed to new computers by selecting the check boxes next to the names of the installation packages of the required applications. Click OK.

As a result, group tasks will be created that will be run on the client devices immediately after they are added to the administration group.

If some installation packages of one application were selected for automatic installation, the installation task will be created for the most recent application version only.
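The text-file rules given under "Automatic creation of a structure of administration groups" (one group per line, blank lines ignored, "/" for nesting, full paths for siblings) can be checked before the file is handed to the Wizard. The parser below is an added example, not part of the product: the function names are hypothetical, and treating an empty path segment as an error is an assumption the guide does not state.

```python
# Example input taken from the guide's own "full path to the group" example.
PAGE_EXAMPLE = """\
Office 1/Division 1/Department 1
Office 1/Division 2/Department 1

Office 1/Division 3/Department 1
Office 1/Division 4/Department 1
"""


def parse_group_structure(text):
    """Parse the text-file format into nested dicts (group name -> subgroups).

    Returns (tree, problems). Each problem is (line number, message, raw line).
    Lines with an empty path segment ("A//B", "/A", "A/") are reported and
    skipped instead of silently producing a nameless group.
    """
    tree, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:                       # blank lines are ignored
            continue
        parts = [part.strip() for part in line.split("/")]
        if any(not part for part in parts):
            problems.append((lineno, "empty group name in path", raw))
            continue
        node = tree
        for name in parts:                 # shared prefixes merge into one group
            node = node.setdefault(name, {})
    return tree, problems


def walk(tree, prefix=()):
    """Yield every group as a tuple path, parents before children."""
    for name, subtree in tree.items():
        path = prefix + (name,)
        yield path
        yield from walk(subtree, path)


def groups_to_create(tree, existing):
    """Paths from the file that are not in the existing hierarchy yet.

    Mirrors the statement that new groups are added but do not replace
    existing ones: groups already present are simply left out of the plan.
    """
    already_there = set(walk(existing))
    return ["/".join(path) for path in walk(tree) if path not in already_there]


def render(tree, depth=0):
    """Indented listing of the hierarchy, for review before import."""
    lines = []
    for name, subtree in tree.items():
        lines.append("  " * depth + name)
        lines.extend(render(subtree, depth + 1))
    return lines


if __name__ == "__main__":
    parsed, issues = parse_group_structure(PAGE_EXAMPLE)
    print("\n".join(render(parsed)))
    print("problems:", issues)
    # Constructed existing hierarchy: Office 1 and Division 1 are already there.
    print(groups_to_create(parsed, {"Office 1": {"Division 1": {}}}))
```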

MANAGING APPLICATIONS REMOTELY

This section provides information about how to perform remote management of Kaspersky Lab applications installed on client computers, using policies, policy profiles, tasks, and local settings of applications.

IN THIS SECTION:

- Managing policies
- Managing policy profiles
- Managing tasks
- Viewing and changing local application settings

MANAGING POLICIES

The applications installed on client computers are configured centrally through definition of policies.

Policies created for applications in an administration group are displayed in the workspace, on the Policies tab. Before the name of each policy an icon with its status is displayed.

After a policy is deleted or revoked, the application continues working with the settings specified in the policy. Those settings can be subsequently modified manually.

Policy enforcement is performed in the following way: if a client computer is running resident tasks (real-time protection tasks), they keep running with the new values of the settings. Any periodic tasks (on-demand scan, update of application databases) started keep running with the values unchanged. Next time they are run with the new values of the settings.

If Administration Servers are structured hierarchically, slave Administration Servers receive policies from the master Administration Server and distribute them to client computers. When inheritance is enabled, policy settings can be modified on the master Administration Server. After that, any changes made to the policy settings are propagated to inherited policies on slave Administration Servers.

If the connection is terminated between the master and slave Administration Servers, the policy on the slave Server continues, using the applied settings. Policy settings modified on the master Administration Server are distributed to a slave Administration Server after the connection is re-established.

If inheritance is disabled, policy settings can be modified on a slave Administration Server independently from the master Administration Server.

If connection between Administration Server and a client computer is interrupted, the client computer starts running under the policy for mobile users (if it is defined), or the policy keeps running under the applied settings until the connection is re-established.

The results of policy distribution to the slave Administration Server are displayed in the policy properties window of the console on the master Administration Server.

Results of propagation of policies to client computers are displayed in the policy properties window of Administration Server to which they are connected.

IN THIS SECTION:

- Creating a policy
- Displaying inherited policy in a subgroup
- Activating a policy
- Activating a policy automatically at the Virus outbreak event
- Applying an out-of-office policy
- Deleting a policy
- Copying a policy

... perform one of the following actions:  From the context menu of the policy select Active policy........... but only one policy can be active at a time... the policy becomes active for the selected administration group. After the policy is created... Follow the Wizard's instructions......... From the context menu of the list of policies select View  Inherited Policies................. 58 CREATING POLICIES To create a policy for administration group: 1......... This starts the New Policy Wizard............. In the console tree select the administration group for which inherited policies should be displayed................ ACTIVATING A POLICY To make a policy active for the selected group: 1................................. When the settings inheritance mode is enabled............................... In the workspace for the group........... inherited policies are displayed on the list of policies with the icon (light-colored icon)....... the previous active policy becomes inactive............................ 2....... both the load on the Administration Server and the network traffic increase significantly for a period of time............. settings prohibited to modify (marked with the "lock" ) take effect on client computers regardless of what settings had been specified for the application earlier..... 3..... DISPLAYING INHERITED POLICY IN A SUBGROUP To enable the display of inherited policies for a nested administration group: 1. In the workspace for the selected group select the Policies tab................. 57 Importing a policy ................ In the console tree............ 2... select the Policies tab and click the Create a policy link to run the New Policy Wizard....ADMINISTRATOR'S GUIDE Exporting a policy .........  In the policy properties window open the General section and select Active policy from the Policy status settings group............ To activate the policy....................... 
you can specify a minimum set of parameters required for the application to function properly............................. You can change the policy after it is created.. As a result... 2..... When a policy is applied to a large number of clients................... You can create several policies for one application from the group. In the workspace of the group.... 56 ...... on the Policies tab select the policy that you need to make active........... which inherits them........... As a result..................... 58 Converting policies ....... When you create new active policy........ select an administration group for which you want to create a policy..... Settings of Kaspersky Lab applications changed after policies are applied are described in details in their respective Guides............ Modification of those inherited policies is not available in the group.... All other values are set to the default values applied during the local installation of the application.. inherited policies are only available for modification in the group in which they have been created........ When creating a policy........

ACTIVATING A POLICY AUTOMATICALLY AT THE VIRUS OUTBREAK EVENT

To make a policy perform the automatic activation at the Virus outbreak event:
1. In the Administration Server properties window open the Virus outbreak section.
2. Open the Policy activation window by clicking the Configure policies to activate on "Virus outbreak" event link and add the policy to the selected list of policies activated upon detection of a virus outbreak.

If a policy has been activated on the Virus outbreak event, the manual mode is the only way that you can use to return to the previous policy.

APPLYING AN OUT-OF-OFFICE POLICY

An out-of-office policy takes effect on a computer in case it is disconnected from the enterprise network.

To apply the selected out-of-office policy, in the properties window of the policy open the General section and select Out-of-office policy from the Policy status settings group.
As a result, the policy applies to the computers in case they are disconnected from the enterprise network.

DELETING A POLICY

To delete a policy:
1. In the workspace of a group, on the Policies tab select the policy that you need to delete.
2. Delete the policy using one of the following methods:
• By selecting Delete from the context menu of the policy.
• By clicking the Delete policy link located in the workspace, in the section intended for handling the selected policy.

COPYING A POLICY

To copy a policy:
1. In the workspace of the required group, on the Policies tab select a policy.
2. From the context menu of the policy select Copy.
3. In the console tree, select a group to which you want to add the policy.
You can add a policy to the group, from which it was copied.
4. From the context menu of the list of policies for the selected group, on the Policies tab select Paste.
As a result, the policy will be copied with all its settings and applied to the computers within the group into which it was copied. If you paste the policy to the same group from which it has been copied, the (<sequence number>) index is automatically added to the name of the policy: (1), (2).

An active policy becomes inactive while it is copied. If necessary, you can make it active.

EXPORTING A POLICY

To export a policy:
1. Export a policy in one of the following ways:
• By selecting All Tasks → Export from the context menu of the policy.

• By clicking the Export policy to file link located in the workspace, in the section intended for handling the selected policy.
2. In the Save as window that opens, specify the name of the policy file and the path to save it. Click the Save button.

IMPORTING A POLICY

To import a policy:
1. In the workspace of the required group, on the Policies tab select one of the following methods of importing policies:
• By selecting All tasks → Import from the context menu of the list of policies.
• Click the Import policy from file link in the management block for policy list.
2. In the window that opens, specify the path to the file from which you want to import a policy. Click the Open button.
The policy is then displayed in the list of policies.

If a policy with the name coinciding with that of the imported policy is already included on the list of policies, the name of the imported policy will be expanded with a suffix (<next number>), for example: (1), (2).

CONVERTING POLICIES

Kaspersky Security Center can convert policies from earlier versions of Kaspersky Lab applications into those from up-to-date versions of the same applications.

Conversion is available for policies of the following applications:
• Kaspersky Anti-Virus 6.0 for Windows Workstations MP4
• Kaspersky Endpoint Security 8 for Windows
• Kaspersky Endpoint Security 10 for Windows.

To convert policies:
1. From the console tree select Administration Server for which you want to convert policies.
2. From the context menu of Administration Server select All tasks → Policies and tasks conversion wizard.
This will start the Policies and Tasks Conversion Wizard. Follow the Wizard's instructions.

After the wizard finishes its operation, new policies are created, which use the settings of policies from earlier versions of Kaspersky Lab applications.

MANAGING POLICY PROFILES

This section provides information about policy profiles that are used for efficient management of groups of client computers. The advantages of policy profiles are described, as well as ways of applying them. This section also provides instructions on how to create, configure and delete policy profiles.

ABOUT POLICY PROFILES

Policy profile is a named set of variable settings of a policy that is activated on a client computer when specific conditions are met. Activation of a profile modifies the policy settings that had been active on the computer before the profile was activated. Those settings take values that have been specified in the profile.

Policy profiles are only supported for Kaspersky Endpoint Security 10 for Windows and Kaspersky Mobile Device Management 10 Service Pack 1.

Advantages of policy profiles

Policy profiles simplify the management of client computers using policies:
• Profiles contain only settings that differ from the basic policy.
• You do not have to maintain and manually apply several instances of a single policy that differ only by a few settings.
• You do not have to allocate an individual out-of-office policy.
• New policy profiles are easy to create since export and import of profiles are supported, as well as creation of new profiles based on existing ones by copying.
• Several policy profiles can be active on a single client computer simultaneously.
• The hierarchy of policies is supported.

Profile activation rules. Priorities of profiles

A policy profile is activated on a client computer when an activation rule triggers. An activation rule can contain the following conditions:
• The Network Agent on a client computer connects to the Server with a specified set of connection parameters, such as Server address, port number, etc.
• The client computer is running in standalone mode.
• The client computer has been assigned specified tags.
• The client computer is located in a specific unit of Active Directory®, the computer or its owner is located in a security group of Active Directory.

Profiles that have been created for a policy are sorted in descending order of priority. If profile X precedes profile Y on the list of profiles, this means that X has a higher priority than Y. The priorities of profiles are necessary because several profiles may be active simultaneously on a client computer.

Policies in the hierarchy of administration groups

While policies influence each other in accordance with the hierarchy of administration groups, profiles with identical names merge. Profiles of a 'higher' policy have a higher priority. For example, in administration group A, policy P(A) has profiles X1, X2, and X3 (in descending order of priority). In administration group B, which is a subgroup of group A, policy P(B) has been created with profiles X2, X4, X5. Then policy P(B) will be modified with policy P(A) so that the list of profiles in policy P(B) will look as: X1, X2, X3, X4, X5 (in descending order of priority). The priority of profile X2 will depend on the initial state of X2 of policy P(B) and X2 of policy P(A).

The active policy is the sum of the main policy and all active profiles of that policy, i.e., profiles for which the activation rules trigger. The active policy is recalculated when you start Network Agent, enable and disable the out-of-office mode, or edit the list of tags assigned for the client computer.

Properties and restrictions of policy profiles

Profiles have the following properties:
• Profiles of an inactive policy have no impact on client computers.
• If a policy is active in standalone mode, profiles of that policy will also be applied in standalone mode only.
• Profiles do not support static analysis of access to executable files.
• A policy cannot contain notification settings.
• If UDP port 15000 is used for connection of a client computer to Administration Server, you should activate the corresponding policy profile within one minute when assigning a tag to the client computer.
• You can use rules of connection between Network Agent and Administration Server when creating profile activation rules.

CREATING A POLICY PROFILE

Creating a policy profile is only available for policies of Kaspersky Endpoint Security 10 for Windows.

To create a policy profile for an administration group:
1. In the console tree, select the administration group for which you want to create a policy profile.
2. In the workspace of the group, open the Policies tab.
3. Select a policy and switch to the policy properties window using the context menu.
4. Open the Policy profile section in the policy properties window and click the Add button.
5. In the Properties: New profile window, configure the policy profile:
• In the General section, specify the name of the profile.
The name of a profile cannot include more than 100 characters.
• Enable or disable the profile using the Enable profile check box.
If this check box is cleared, the profile cannot be used for managing the client computer.
6. In the Activation rules section, create activation rules for the profile.
• Click the Add button.
• Define the policy profile activation rules in the Property: New rule window.
• Click OK.
7. Edit the policy settings in the corresponding sections.
8. After the profile is configured and activation rules are created, save the changes by clicking the OK button.
As a result, the profile will be saved. The profile will be activated on the client computer when the activation rules trigger.

Profiles that have been created for a policy are displayed in the policy properties, in the Policy profiles section. You can modify a policy profile and change the profile's priority (see the section "Editing a policy profile" on page 60), as well as delete the profile (see the section "Deleting a policy profile" on page 61).

Several policy profiles can be activated simultaneously when the activation rules trigger.

MODIFYING A POLICY PROFILE

Editing the settings of a policy profile

Editing a policy profile is only available for policies of Kaspersky Endpoint Security 10 for Windows.

To modify a policy profile:
1. In the console tree, select the administration group for which the policy profile should be modified.
2. In the workspace of the group, open the Policies tab.
3. Select a policy and switch to the policy properties window using the context menu.
4. Open the Policy profile section in the policy properties.
This section contains a list of profiles that have been created for the policy. Profiles are displayed on the list in accordance with their priorities.
5. Select a policy profile and click the Properties button.
6. Configure the profile in the properties window:
• If necessary, in the General section, change the profile name and enable or disable the profile using the Enable profile check box.
• In the Activation rules section, edit the profile activation rules.
• Edit the policy settings in the corresponding sections.
7. Click OK.
The settings that you have modified will be applied either after the client computer is synchronized with Administration Server (if the policy profile is active), or after the activation rule triggers (if the policy profile is inactive).
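The priority rules described under "Profile activation rules. Priorities of profiles" and "Policies in the hierarchy of administration groups" can be checked with a small model before a profile list is changed on a production policy. The following is an added example, not Kaspersky Lab code: the host model, the setting names and the assumption that a higher-priority active profile overrides a lower-priority one setting by setting are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed host model (assumption): {"tags": set of str, "standalone": bool}
Host = Dict[str, object]


@dataclass
class Profile:
    name: str
    settings: Dict[str, str]        # only the settings that differ from the main policy
    rule: Callable[[Host], bool]    # activation rule, modelled as a predicate
    enabled: bool = True            # models the "Enable profile" check box


def merge_profile_order(parent: List[str], child: List[str]) -> List[str]:
    """Profile list of a subgroup policy after inheritance, highest priority first.

    Profiles of the 'higher' policy keep their order and outrank the
    subgroup's own profiles; profiles with identical names appear once.
    """
    merged = list(parent)
    merged += [name for name in child if name not in parent]
    return merged


def active_policy(main: Dict[str, str], profiles: List[Profile],
                  host: Host) -> Tuple[Dict[str, str], List[str]]:
    """Return (effective settings, active profile names) for one host.

    `profiles` is ordered by descending priority. The active policy is the
    main policy plus every enabled profile whose rule triggers; profiles are
    applied from lowest to highest priority so the highest one wins.
    """
    active = [p for p in profiles if p.enabled and p.rule(host)]
    effective = dict(main)
    for profile in reversed(active):
        effective.update(profile.settings)
    return effective, [p.name for p in active]


def has_tag(tag: str) -> Callable[[Host], bool]:
    """Activation condition: the client computer has been assigned `tag`."""
    return lambda host: tag in host["tags"]


def is_standalone(host: Host) -> bool:
    """Activation condition: the client computer runs in standalone mode."""
    return bool(host["standalone"])


# Constructed sample data (not real product setting names).
MAIN_POLICY = {"setting": "Main value", "other_setting": "Main value"}
PROFILES = [
    Profile("Profile 1", {"setting": "Value 1"}, has_tag("kiosk")),
    Profile("Profile 2", {"setting": "Value 2"}, has_tag("kiosk")),
    Profile("Roaming", {"other_setting": "Roaming value"}, is_standalone),
]
HOST = {"tags": {"kiosk"}, "standalone": True}


def demo() -> Dict[str, object]:
    """Walk through the two worked cases from the guide."""
    merged = merge_profile_order(["X1", "X2", "X3"], ["X2", "X4", "X5"])
    before, active = active_policy(MAIN_POLICY, PROFILES, HOST)
    # Deleting Profile 1 leaves Profile 2 as the highest-priority match.
    after, _ = active_policy(MAIN_POLICY, PROFILES[1:], HOST)
    return {"merged": merged, "active": active,
            "before": before, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the model on an exported list of profile names and rules shows which profile decides each setting on a given class of host, which is useful when a hardening profile is expected to apply but a higher-priority profile silently overrides it.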

Changing the priority of a policy profile

The priorities of policy profiles define the activation order of profiles on a client computer. Priorities are used if identical activation rules are set for different policy profiles.

For example, two policy profiles have been created: Profile 1 and Profile 2, which differ by the respective values of a single setting (Value 1 and Value 2). The priority of Profile 1 is higher than that of Profile 2. Moreover, there are also profiles with priorities that are lower than that of Profile 2. The activation rules for those profiles are identical.

When an activation rule triggers, Profile 1 will be activated. The setting on the client computer will take Value 1. If you delete Profile 1, then Profile 2 will have the highest priority, so the setting will take Value 2.

On the list of policy profiles, profiles are displayed in accordance with their respective priorities. The profile with the highest priority is ranked first. You can change the priority of a profile by using the corresponding buttons.

DELETING A POLICY PROFILE

To delete a policy profile:
1. In the console tree, select the administration group for which you want to delete a policy profile.
2. In the workspace of the group, open the Policies tab.
3. Select a policy and switch to the policy properties window using the context menu.
4. Open the Policy profile section in the properties of the policy of Kaspersky Endpoint Security 10 for Windows.
5. Select the policy profile that you want to delete and click the Delete button.
As a result, the policy profile will be deleted. The active status will pass either to another policy profile of which the activation rules trigger on the client computer, or to the policy.

MANAGING TASKS

Kaspersky Security Center manages applications installed on client computers by creating and running tasks. Tasks are required for installing, launching and stopping applications, scanning files, updating databases and software modules, and taking other actions on applications.

Tasks are subdivided into the following types:
• Group tasks. Tasks that are performed on the client computers of the selected administration group.
• Administration Server tasks. Tasks that are performed on the Administration Server.
• Tasks for specific computers. Tasks that are performed on selected computers, regardless of whether they are included in any administration groups.
• Local tasks. Tasks that are performed on an individual client computer.

An application task can only be created if the management plug-in for that application is installed on the administrator's workstation.

You can compile a list of computers for which a task should be created, by using one of the following methods:
• Select computers detected by Administration Server on the network
• Specify a list of computers manually. You can use an IP address (or an IP range), NetBIOS name, or DNS name as the computer address.
• Import a list of computers from a TXT file containing the addresses of computers to be added (each address should be placed in an individual line).

If you import a list of computers from a file or create one manually, and client computers are identified by their names, the list should contain only computers for which information has already been added to the Administration Server database when connecting the computers or in the course of a network poll.

For each application you can create any number of group tasks, tasks for specific computers, or local tasks.

Exchange of information about tasks between an application installed on a client computer and the Kaspersky Security Center database is carried out at the moment Network Agent is connected to Administration Server.

You can make changes to the settings of tasks, view their progress, copy, export, import, and delete them.

Tasks are launched on a client only if the application for which the task was created is running. When the application is not running, all running tasks are canceled.

Results of task runs are saved in the events log of Microsoft Windows and Kaspersky Security Center, both in centralized mode on Administration Server and in local mode on each client computer.

CREATING A GROUP TASK

To create a group task:
1. In the workspace of the administration group for which you need to create a task, select the Tasks tab.
2. Run the task creation by clicking the Create a task link.
This starts the New Task Wizard. Follow the Wizard's instructions.

CREATING AN ADMINISTRATION SERVER TASK

The Administration Server performs the following tasks:
• Automatic distribution of reports
• Downloading of updates to the repository
• Backup of Administration Server data
• Windows Update synchronization
• Creation of an installation package based on the OS image of a reference computer.

On a virtual Administration Server, only the automatic report delivery task and the installation package creation task from reference computer OS image are available. The repository of the virtual Administration Server displays updates downloaded to the master Administration Server. Backup of virtual Server's data is performed along with backup of master Administration Server's data.

To create an Administration Server task:
1. In the console tree, select the Administration Server tasks folder.
2. Start creating the task in one of the following ways:
• In the console tree, in the Administration Server tasks folder context menu, select Create → Task.
• Click the Create a task link in the workspace.
This starts the New Task Wizard. Follow the Wizard's instructions.

The Download updates to the repository, Perform Windows Update synchronization, and Backup of Administration Server data tasks can be created only once. If the Download updates to the repository, Back up Administration Server data, and Windows Update synchronization tasks have been already created for Administration Server, they will not be displayed in the task type selection window of the New Task Wizard.

CREATING A TASK FOR A SET OF COMPUTERS

In Kaspersky Security Center you can create tasks for specific computers. Computers joined in a set can be included in various administration groups or be out of any administration groups. Kaspersky Security Center can perform the following main tasks:
• Install application remotely (for more information, see Kaspersky Security Center Implementation Guide).
• Send message for user (see the section "Sending a message to the users of client computers" on page 75).
• Change Administration Server (see the section "Changing Administration Server for client computers" on page 74).

• Manage client computer (see the section "Remote turning on, turning off and restarting client computers" on page 74).
• Verify updates (see the section "Verifying downloaded updates" on page 143).
• Distribute installation package (for more information, see Kaspersky Security Center Implementation Guide).
• Install application remotely on the slave Administration Servers (for more information, see Kaspersky Security Center Implementation Guide).
• Uninstall application remotely (for more information, see Kaspersky Security Center Implementation Guide).

To create a task for a set of computers:
1. In the console tree, select the Tasks for specific computers folder.
2. Start creating the task in one of the following ways:
• From the context menu of the console tree folder named Tasks for specific computers select New → Task.
• Click the Create a task link in the workspace.
This starts the New Task Wizard. Follow the Wizard's instructions.

CREATING A LOCAL TASK

To create a local task for client computer:
1. Select the Computers tab in the workspace of the group that includes the client computer.
2. From the list of computers on the Computers tab select the computer for which a local task should be created.
3. Start creating the task for the selected computer in one of the following ways:
• By clicking the Create a task link in the workspace of the computer.
• From the computer properties window in the following way:
a. From the computer context menu, select Properties.
b. In the computer properties window that opens, select the Tasks section and click Add.
This starts the New Task Wizard. Follow the Wizard's instructions.

Detailed instructions on how to create and configure local tasks are provided in the Guides for the respective Kaspersky Lab applications.

DISPLAYING AN INHERITED GROUP TASK IN THE WORKSPACE OF A NESTED GROUP

To enable the display of inherited tasks of a nested group in the workspace:
1. Select the Tasks tab in the workspace of a nested group.
2. Select View → Inherited tasks from the context menu of the list of tasks.
As a result, inherited tasks are displayed on the list of tasks marked with an icon.

If the settings inheritance mode is enabled, inherited tasks can only be edited in the group in which they have been created. Inherited tasks cannot be edited in the group that inherits the tasks.

STARTING CLIENT COMPUTERS AUTOMATICALLY BEFORE LAUNCHING A TASK

Kaspersky Security Center allows you to adjust the settings of a task so that the operating system starts loading on client computers, which are turned off, before the task is launched.

To configure the automatic startup of client computers before launching a task:
1. In the task properties window, select the Schedule section.
2. Open the window intended for configuration of actions on client computers, by clicking the Advanced link.
3. In the Advanced window that opens, select the Activate computer before the task is started by the Wake On LAN function (min) check box and specify the time interval in minutes.
As a result, the operating system will start loading on client computers, which are turned off, the specified time interval before the task is launched.

Automatic loading of the operating system is only available on computers that support the Wake On LAN feature.

TURNING OFF THE COMPUTER AFTER A TASK IS COMPLETE

Kaspersky Security Center allows you to adjust the settings of a task so that the client computers, to which it is applied, turn off automatically after it is complete.

To turn off the client computers after the task is complete:
1. In the task properties window, select the Schedule section.
2. Open the window intended for configuration of actions on client computers, by clicking the Advanced link.
3. In the Advanced window that opens, select the Turn off computer after task is complete check box.

LIMITING TASK RUN TIME

To limit the time of task run on client computers:
1. In the task properties window, select the Schedule section.
2. Open the window intended for configuration of actions on client computers, by clicking the Advanced link.
3. In the Advanced window that opens, select the Stop if the task is taking longer than (min) check box and specify the time interval in minutes.
As a result, if the task is not yet complete when the specified time interval expires, Kaspersky Security Center stops the task run automatically.

EXPORTING A TASK

You can export group tasks and tasks for specific computers into a file. Administration Server tasks and local tasks are not available for export.

To export a task:
1. Export the task using one of the following methods:
• By selecting All tasks → Export from the context menu of the task.
• By clicking the Export task to file link located in the workspace, in the section intended for handling the selected policy.
2. In the Save as window that opens, specify the name of the file and the path to save it. Click the Save button.

The rights of local users are not exported.

IMPORTING A TASK

You can import group tasks and tasks for specific computers. Administration Server tasks and local tasks are not available for import.

To import a task:
1. Select the task list to which the task should be imported:
• If you want to import the task to the list of group tasks, in the workspace of the required group select the Tasks tab.
• If you want to import a task into the list of tasks for specific computers, select the Tasks for specific computers folder from the console tree.
2. Select one of the following options to import the task:
• In the context menu of the task list, select All Tasks → Import.
• Click the Import task from file link in the task list management block.
3. In the window that opens, specify the path to the file from which you want to import the task. Click the Open button.
The task is then displayed in the task list.

If a task with the same name as that of the imported task is already included in the selected list, an index in (<serial number>) format will be added to the name of the imported one, for example: (1), (2).

CONVERTING TASKS

You can use Kaspersky Security Center to convert tasks from earlier versions of Kaspersky Lab applications into those from up-to-date versions of the applications.

Conversion is available for tasks of the following applications:
• Kaspersky Anti-Virus 6.0 for Windows Workstations MP4
• Kaspersky Endpoint Security 8 for Windows
• Kaspersky Endpoint Security 10 for Windows.

To convert tasks:
1. In the console tree, select an Administration Server for which you want to convert tasks.
2. From the context menu of Administration Server select All tasks → Policies and tasks conversion wizard.
This will start the Policies and Tasks Conversion Wizard. Follow the Wizard's instructions.

After the wizard completes its operation, new tasks are created, which use the settings of tasks from earlier versions of the applications.

STARTING AND STOPPING A TASK MANUALLY

You can start and stop tasks by using one of the two following methods: from the context menu of the task or in the properties window of the client computer to which the task has been assigned.

Running group tasks from the context menu of a client computer is allowed to users included in the KLAdmins group (see the section "Rights of access to Administration Server and its objects" on page 44).

To start or stop a task from the context menu or the properties window of the task:
1. In the list of tasks, select a task.
2. Start or stop the task in one of the following ways:
• In the context menu of the task, select Start or Stop.
• In the task properties window, in the General section, click Start or Stop.

To start or stop a task from the context menu or the properties window of the client computer:
1. Select a computer from the list of computers.
2. Start or stop the task in one of the following ways:
• In the context menu of the client computer, select All Tasks → Run task. Select the relevant task from the list of tasks.
The list of computers to which the task is assigned will be replaced with the computer that you have selected. The task starts.
• In the properties window of the client computer, in the Tasks section, click the start or stop button.

PAUSING AND RESUMING A TASK MANUALLY

To pause or resume a running task:
1. In the list of tasks, select a task.
2. Pause or resume the task using one of the following methods:
• In the context menu of the task, select Pause or Resume.
• In the task properties window, select the General section and click Pause or Resume.

MONITORING TASK EXECUTION

To monitor task execution, select the General section of the task properties window.
In the middle part of the General section, the current task status is displayed.

VIEWING TASK RUN RESULTS STORED ON ADMINISTRATION SERVER

Kaspersky Security Center allows you to view run results for group tasks, tasks for specific computers, and Administration Server tasks. No run results can be viewed for local tasks.

To view task results, in the task properties window, select the General section and click the Results link to open the Task results window.

CONFIGURING FILTERING OF INFORMATION ABOUT TASK RUN RESULTS

Kaspersky Security Center allows you to filter information about run results for group tasks, tasks for specific computers, and Administration Server tasks. No filtering is available for local tasks.

To configure filtering of information about task run results:
1. In the task properties window, select the General section and click the Results link to open the Task results window.
The table in the upper part of the window contains all client computers for which the task is assigned. The table in the lower part of the window displays the results of the task performed on the selected client computer.
2. In the Task results window in the required table, select the Filter context menu item.
3. In the Set filter window that opens, configure the filter in the Events, Computers and Time sections. Click OK.
As a result, the Task results window displays information that meets the settings specified in the filter.

VIEWING AND CHANGING LOCAL APPLICATION SETTINGS

The Kaspersky Security Center administration system allows remote management of local application settings on remote computers through Administration Console.

Local application settings are the settings of an application that are specific for a client computer. You can use Kaspersky Security Center to specify local application settings on client computers included in administration groups.

Detailed descriptions of settings of Kaspersky Lab applications are provided in the respective guides.

To view or change application's local settings:
1. In the workspace of the group to which the required client computer belongs, select the Computers tab.
2. In the client computer properties window, in the Applications section, select the required application.
3. Open the application properties window by double-clicking the application name or by clicking the Properties button.
As a result, the local settings window of the selected application opens so that you can view and edit those settings.

You can change the values only of the settings that have not been prohibited for modification by a group policy (that is, those settings not marked with the "lock" icon in a policy).

MANAGING CLIENT COMPUTERS
This section provides information about how to handle client computers.

IN THIS SECTION:
Connecting client computers to Administration Server
Connecting a client computer to Administration Server manually. Klmover utility
Tunneling the connection between a client computer and Administration Server
Remote connection to the desktop of a client computer
Configuring the restart of a client computer
Audit of actions on a remote client computer
Checking the connection between a client computer and Administration Server
Identifying client computers on Administration Server
Adding computers to an administration group
Changing Administration Server for client computers
Remote turning on, turning off and restarting client computers
Sending a message to the users of client computers
Controlling changes in the status of virtual machines
Remote diagnostics of client computers. Kaspersky Security Center remote diagnostics utility

CONNECTING CLIENT COMPUTERS TO ADMINISTRATION SERVER
The connection of the client computer to the Administration Server is established through Network Agent installed on client computer.
When a client computer connects to Administration Server, the following operations are performed:
• Automatic data synchronization:
   • synchronization of applications installed on the client computer;
   • synchronization of the policies, application settings, tasks, and task settings.
• Retrieval of up-to-date information about the condition of applications, execution of tasks and applications' operation statistics by the Server.
• Delivery of the event information to Administration Server for processing.
Automatic data synchronization is performed regularly in accordance with the Network Agent settings (for example, every 15 minutes). You can specify the connection interval manually.
Information about an event is delivered to Administration Server as soon as it occurs.
Kaspersky Security Center allows you to configure connection between a client computer and Administration Server so that the connection remains active after all operations are completed. Uninterrupted connection is necessary in cases when real-time control of application status is required and Administration Server is unable to establish a connection to the client for some reason (connection is protected by a firewall, opening of ports on the client computer is not allowed, the client IP address is unknown, and so on). You can establish a continuous connection between a client computer and Administration Server in the General section of the client computer properties window.
It is recommended to establish a continuous connection with the most important client hosts, because the Administration Server supports only a limited number (several hundred) of concurrent connections.

When synchronizing manually, the system uses an auxiliary connection method, with which connection is initiated by Administration Server. Before establishing the connection, you should open the UDP port on the client computer. Administration Server sends a connection request to the UDP port of the client computer. In response, the Administration Server's certificate is verified. If the Server's certificate matches the certificate copy stored on the client computer, the connection starts establishing.
The manual launch of synchronization is also used for obtaining up-to-date information about the condition of applications, execution of tasks, and applications' operation statistics.

CONNECTING A CLIENT COMPUTER TO ADMINISTRATION SERVER MANUALLY. KLMOVER UTILITY
If you want to connect a client computer to the Administration Server, you can use the klmover utility on the client computer.
When installing Network Agent on a client computer, the utility is automatically copied to the Network Agent installation folder.
To connect a client computer to the Administration Server manually by using the klmover utility,
on the client computer, start the klmover utility from the command line.
When started from the command line, the klmover utility can perform the following actions (depending on the keys in use):
• connects Network Agent to Administration Server with the specified settings;
• records the operation results into the event log file or displays them on the screen.
Utility command line syntax:
klmover [-logfile <file name>] [-address <server address>] [-pn <port number>] [-ps <SSL port number>] [-nossl] [-cert <path to certificate file>] [-silent] [-dupfix]
The command-line parameters are as follows:
• -logfile <file name> – record the utility run results into a log file.
  By default information is saved in the standard output stream (stdout). If the key is not in use, results and error messages are displayed on the screen.
• -address <server address> – address of Administration Server for connection.
  You can specify an IP address, the NetBIOS name or DNS name of a computer as an address.
• -pn <port number> – number of the port via which non-encrypted connection to Administration Server will be established.
  The default port number is 14000.
• -ps <SSL port number> – number of the SSL port via which encrypted connection to Administration Server is established using the SSL protocol.
  The default port number is 13000.
• -nossl – use non-encrypted connection to Administration Server.
  If the key is not in use, Network Agent is connected to Administration Server over the encrypted SSL protocol.
• -cert <path to certificate file> – use the specified certificate file for authentication of access to Administration Server.
  If the key is not in use, Network Agent receives a certificate at the first connection to Administration Server.
• -silent – run the utility in silent mode.
  Using the key may be useful if, for example, the utility is started from the login script at the user's registration.
• -dupfix – the key is used if Network Agent has been installed using a method that differs from the usual one (with the distribution package) – for example, by recovering it from an ISO disk image.
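The klmover keys described above decide whether the agent's connection is encrypted, whether the server certificate is supplied up front or accepted at first connection, and whether any record of the run is kept. The following check for klmover lines in login or deployment scripts is an added example, not Kaspersky code; the finding codes, function names and sample command lines (including all paths and addresses) are constructed for illustration.

```python
import re

# Options from the klmover syntax line in the guide; True = the option takes a value.
KLMOVER_OPTIONS = {
    "-logfile": True, "-address": True, "-pn": True, "-ps": True,
    "-cert": True, "-nossl": False, "-silent": False, "-dupfix": False,
}

# Hypothetical finding codes, each tied to a statement in the guide.
EXPLANATIONS = {
    "NOSSL": "-nossl: connection to Administration Server is not encrypted",
    "NO_CERT": "no -cert: the agent receives a certificate at first connection",
    "NO_LOGFILE": "no -logfile: results are only displayed on the screen",
}


def parse_klmover(cmdline):
    """Split one command line into (options, problems)."""
    # Keep double-quoted Windows paths (which may contain spaces) as one token.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    options, problems = {}, []
    if not tokens:
        return options, ["NOT_KLMOVER"]
    exe = re.split(r"[\\/]", tokens[0])[-1].lower()
    if exe not in ("klmover", "klmover.exe"):
        return options, ["NOT_KLMOVER"]
    i = 1
    while i < len(tokens):
        name = tokens[i].lower()
        if name not in KLMOVER_OPTIONS:
            problems.append("UNKNOWN_OPTION " + tokens[i])
        elif not KLMOVER_OPTIONS[name]:
            options[name] = True
        elif i + 1 < len(tokens) and tokens[i + 1].lower() not in KLMOVER_OPTIONS:
            options[name] = tokens[i + 1]
            i += 1  # consume the value
        else:
            problems.append("MISSING_VALUE " + name)
        i += 1
    return options, problems


def audit_klmover(cmdline):
    """Return finding codes for one klmover invocation ([] means nothing to report)."""
    options, findings = parse_klmover(cmdline)
    if "NOT_KLMOVER" in findings:
        return findings
    if "-nossl" in options:
        findings.append("NOSSL")
    if "-cert" not in options:
        findings.append("NO_CERT")
    if "-logfile" not in options:
        findings.append("NO_LOGFILE")
    return findings


# Constructed sample lines, as they might appear in a login script.
SAMPLE_LINES = [
    r'"C:\Deploy\klmover.exe" -address ksc.example.test -ps 13000 '
    r'-cert "C:\Deploy\server cert.cer" -logfile C:\Deploy\klmover.log -silent',
    r'klmover -address 192.0.2.10 -nossl -pn 14000 -silent',
    r'klmover -address ksc.example.test -logfile move.log -cert',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
        for code in audit_klmover(line) or ["OK"]:
            print("   ", code, "-", EXPLANATIONS.get(code, ""))
```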


TUNNELING THE CONNECTION BETWEEN A CLIENT
COMPUTER AND ADMINISTRATION SERVER
Tunneling of the connection between a client computer and Administration Server is required if the port for connection to
Administration Server is not available on the client computer. The port on the client computer may be unavailable in the
following cases:
• The remote computer is connected to a local network that uses NAT mechanism.
• The remote computer is part of the local network of Administration Server, but its port is closed by a firewall.
To tunnel the connection between a client computer and Administration Server:
1. In the console tree, select the administration group that contains the client computer.
2. On the Computers tab, select the client computer.
3. From the context menu of the client computer, select All Tasks → Connection Tunneling.
4. Create a tunnel in the Connection Tunneling window that opens.

REMOTE CONNECTION TO THE DESKTOP OF A CLIENT
COMPUTER
The administrator can obtain remote access to the desktop of a client computer through a Network Agent installed on the
client computer. Remote connection to a client computer through the Network Agent is also possible if the TCP and UDP
ports of the client computer are closed.
Upon establishing the connection with the client computer, the administrator gains full access to information stored on
this computer so he or she can manage applications installed on it.
Remote connection with a client computer can be established using one of the two methods:
• Using a standard Microsoft Windows component named Remote Desktop Connection. Connection to a remote
desktop is established through the standard Windows utility mstsc.exe in accordance with the utility's settings.
Connection to the current remote desktop session of the user is established without the user's knowledge. Once
the administrator connects to the session, the client computer user is disconnected from the session without an
advance notification.
• Using the Windows Desktop Sharing technology. When connecting to an existing session of the remote
desktop, the session user on the client computer receives a request for connection from the administrator. No
information about remote activity on the computer and its results will be saved in reports created by Kaspersky
Security Center.
The administrator can connect to an existing session on a client computer without disconnecting the user who is
operating in this session. In this case, the administrator and the session user on the client computer will share
access to the desktop.
The administrator can configure an audit of user activity on a remote client computer. During the audit, the
application saves information about files on the client computer that have been opened and / or modified by the
administrator (see the section "Audit of actions on a remote client computer" on page 71).
To connect to the desktop of a client computer through Windows Desktop Sharing, you should meet the following
conditions:
• Microsoft Windows Vista or a later Windows operating system is installed on the client computer.
• Microsoft Windows Vista or a later Windows operating system is installed on the administrator's workstation.
The type of the operating system of the computer hosting the Administration Server imposes no restrictions on
connection through Windows Desktop Sharing.
• Kaspersky Security Center uses a license for Systems Management.


To connect to the desktop of a client computer through the Remote Desktop Connection component:
1. In the administration console tree, select a client computer to which you need to obtain access.
2. In the context menu of the client computer, select All Tasks → Connect to computer → RDP.
As a result, the standard Windows utility mstsc.exe starts, which helps establish a connection to the remote desktop.
3. Follow the instructions shown in the utility's dialog boxes.
Upon establishing the connection to the client computer, the desktop is available in the remote connection window of
Microsoft Windows.
To connect to the desktop of a client computer through the Windows Desktop Sharing technology:
1. In the administration console tree, select a client computer to which you need to obtain access.
2. In the context menu of the client computer, select All Tasks → Connect to computer → Windows Desktop
Sharing.
3. In the Select remote desktop session window that opens, select the session on the client computer to which
you need to connect.
If connection to the client computer is established successfully, the desktop of the client computer will be
available in the Kaspersky Remote desktop session viewer window.
4. To start interaction with the client computer, in the main menu of the Kaspersky Remote desktop session
viewer window, select Actions → Interactive mode.

SEE ALSO:
Kaspersky Security Center licensing options

CONFIGURING THE RESTART OF A CLIENT COMPUTER
While using, installing, or removing Kaspersky Security Center, a restart of a client computer may be required. The
application allows you to configure the restart of client computers.
To configure the restart of a client computer:
1. In the console tree, select the administration group for which you need to configure the restart.
2. In the workspace of the group, open the Policies tab.
3. Select a policy of Kaspersky Security Center Network Agent in the list of policies, then select Properties in the
context menu of the policy.
4. In the properties window of the policy, select the Restart management section.
5. Select the action that must be performed if a restart of the client computer is required:
• Select Do not restart the operating system to block the automatic restart.
• Select Restart the operating system automatically if necessary to allow the automatic restart.
• Select Prompt user to enable prompting the user to allow the restart.
You can specify the frequency of restart requests, enable forced restart and forced closure of applications in
blocked sessions on the client computer, by selecting the corresponding check boxes.
6. Click the OK button to save the changes and close the policy properties window.
As a result, the restart of the client computer will be configured.

AUDIT OF ACTIONS ON A REMOTE CLIENT COMPUTER
The application allows performing the audit of the administrator's actions on a remote client computer. During the audit,
the application saves information about files on the client computer that have been opened and / or modified by the
administrator. Audit of the administrator's actions is available when the following conditions are met:
• An active Systems Management license is available.
• The administrator has the right to run the shared access to the desktop of the remote computer.


To enable audit of actions on a remote client computer:
1. In the console tree, select the administration group for which the audit of the administrator's actions should be
configured.
2. In the workspace of the group, open the Policies tab.
3. Select a policy of Kaspersky Security Center Network Agent, then select Properties in the context menu of the
policy.
4. In the policy properties window, select the Desktop sharing section.
5. Select the Enable audit check box.
6. In the Masks of files of which reading should be monitored and Masks of files of which modifications
should be monitored lists, add file masks on which actions should be monitored during the audit.
By default, the application monitors actions on files with txt, rtf, doc, xls, docx, and xlsx extensions.
7. Click the OK button to save the changes and close the policy properties window.
Thus, the audit of the administrator's actions on the user's remote computer with shared desktop access is configured.
Records of the administrator's actions on the remote computer are logged:
• In the event log on the remote computer
• In a file with the syslog extension located in the installation folder of Network Agent on the remote computer
• In the events database of Kaspersky Security Center.

CHECKING THE CONNECTION BETWEEN A CLIENT
COMPUTER AND ADMINISTRATION SERVER
Kaspersky Security Center allows you to check connections between a computer and Administration Server
automatically or manually.
Automatic check of connection is performed on Administration Server. Manual check of connection is performed on the
client computer.

IN THIS SECTION:
Automatic check of connection between a client computer and Administration Server
Manual check of connection between a client computer and Administration Server. Klnagchk utility

AUTOMATIC CHECK OF CONNECTION BETWEEN A CLIENT COMPUTER
AND ADMINISTRATION SERVER
To start an automatic check of connection between a client computer and Administration Server:
1. In the console tree select the administration group that includes the client computer.
2. In the workspace of the administration group, on the Computers tab select the client computer.
3. Select Check connection from the context menu of the client computer.
As a result, a window opens that provides information about the computer's accessibility.

MANUAL CHECK OF CONNECTION BETWEEN A CLIENT COMPUTER
AND ADMINISTRATION SERVER. KLNAGCHK UTILITY
You can check connection and obtain detailed information about the settings of connection between a client computer
and Administration Server using the klnagchk utility.

When installing Network Agent on a client computer, the klnagchk utility is automatically copied to the Network Agent installation folder.
When started from the command line, the klnagchk utility can perform the following actions (depending on the keys in use):
• Displays on the screen or records into an event log file the values of the connection settings of Network Agent installed on the client computer to Administration Server.
• Records into an event log file Network Agent statistics (since its last startup) and utility operation results, or displays the information on the screen.
• Makes an attempt to establish connection between Network Agent and Administration Server.
  If the connection attempt fails, the utility sends an ICMP packet to check the status of the computer on which Administration Server is installed.
To check connection between a client computer and Administration Server using the klnagchk utility,
on the client computer, start the klnagchk utility from the command line.
Utility command line syntax:
klnagchk [-logfile <file name>] [-sp] [-savecert <path to certificate file>] [-restart]
The command-line parameters are as follows:
• -logfile <file name> – record the values of the settings of connection between Network Agent and Administration Server and the utility operation results into a log file.
  By default information is saved in the standard output stream (stdout). If the key is not in use, settings, results, and error messages are displayed on the screen.
• -sp – show the password for the user's authentication on the proxy server.
  The setting is in use if the connection to Administration Server is established via a proxy server.
• -savecert <filename> – save the certificate used to access the Administration Server in the specified file.
• -restart – restart the Network Agent after the utility has completed.

IDENTIFYING CLIENT COMPUTERS ON ADMINISTRATION SERVER
Identifying client computers is based on their names. A client computer name is unique among all the names of computers connected to Administration Server.
The name of a client computer is transferred to the Administration Server either when the Windows network is polled and a new computer is discovered in it, or during the first connection of the Network Agent installed on a client computer to the Administration Server. By default, the name matches the computer name in the Windows network (NetBIOS name). If a client computer with this name is already registered on Administration Server, an index with the next sequence number will be added to the new client computer name, for example: <Name>-1, <Name>-2. The client computer is added to the administration group under that name.

ADDING COMPUTERS TO AN ADMINISTRATION GROUP
To include one or several computers in a selected administration group:
1. In the console tree, open the Managed computers folder.
2. In the Managed computers folder select the nested folder that corresponds to the group, which should include the client computers.
   If you want to include the client computers in the Managed computers group, you can skip this step.
3. In the workspace of the selected administration group, on the Computers tab run the process of including the client computers in the group using one of the following methods:
   • Add the computers to the group by clicking the Add computers link in the section intended for managing the list of computers.
   • By selecting New Computer from the context menu of the list of computers.

This will start the Add client computers wizard. Following its instructions, select a method of adding the client computers to the group and create a list of computers to include in the group.
If you create the list of computers manually, you can use an IP address (or an IP range), a NetBIOS name, or a DNS name as the address of a computer. You can add to the list manually only computers for which information has already been added to the Administration Server database when connecting the computer, or after a network poll.
To import a list of computers from a file, specify a .txt file with a list of addresses of computers to be added. Each address must be specified in a separate line.
After the wizard finishes its operation, the selected client computers are included in the administration group and displayed in the list of computers under names generated by Administration Server.
You can add a client computer to the selected administration group by dragging it from the Unassigned computers folder to the administration group folder.

CHANGING ADMINISTRATION SERVER FOR CLIENT COMPUTERS
You can change Administration Server that manages client computers with another one using the Change Administration Server task.
To change Administration Server that manages client computers with another one:
1. Connect to the Administration Server which manages the client computers.
2. Create the Administration Server change task using one of the following methods:
   • If you need to change Administration Server for computers included in the selected administration group, create a group task (see the section "Creating a group task" on page 62).
   • If you need to change Administration Server for computers included in different administration groups or in none of the existing groups, create a task for specific computers (see the section "Creating a task for specific computers" on page 62).
   This starts the New Task Wizard. Follow the Wizard's instructions. In the Task type window of the New Task Wizard select the Kaspersky Security Center node, open the Advanced folder, and select the Change Administration Server task.
3. Run the created task.
After the task is completed, the client computers for which it had been created are passed under the management of the Administration Server specified in the task settings.
If Administration Server supports the feature of encryption and data protection, when you create the Change Administration Server task, a notification is displayed stating that in case any encrypted data are stored on computers, after the computers are switched under the management of the new server, you will be provided access only to encrypted data that you have handled earlier. In other cases, no access to encrypted data is provided. For the detailed descriptions of scenarios in which no access to encrypted data is provided please refer to the Kaspersky Endpoint Security 10 for Windows Administrator's Guide.

REMOTE TURNING ON, TURNING OFF AND RESTARTING CLIENT COMPUTERS
Kaspersky Security Center allows performing remote management of client computers: turning on, turning off, and restarting them.
To manage client computers remotely:
1. Connect to the Administration Server which manages the client computers.
2. Create the management task for a client computer using one of the following methods:
   • If you need to turn on, turn off or restart computers included in the selected administration group, create a group task (see the section "Creating a group task" on page 62).

   • If you need to turn on, turn off or restart computers included in various administration groups or belonging to none of them, create a task for specific computers (see the section "Creating a task for specific computers" on page 62).
   This starts the New Task Wizard. Follow the Wizard's instructions. In the Task type window of the New Task Wizard select the Kaspersky Security Center node, open the Advanced folder, and select the Manage client computer task.
3. Run the created task.
After the task is complete, the selected command (turn on, turn off, or restart) will be executed on the selected client computers.

SENDING A MESSAGE TO THE USERS OF CLIENT COMPUTERS
To send a message to the users of client computers:
1. Connect to the Administration Server which manages the client computers.
2. Create a message sending task for client computer users in one of the following ways:
   • If you want to send message to the users of client computers that belong to the selected administration group, create a task for the selected group (see the section "Creating a group task" on page 62).
   • If you want to send message to the users of client computers that belong to different administration groups or do not belong to administration groups at all, create a task for specific computers (see the section "Creating a task for specific computers" on page 62).
   This starts the New Task Wizard. Follow the Wizard's instructions. In the Task type window, select the Kaspersky Security Center node, open the Advanced folder and select the User notification task.
3. Run the created task.
After the task completes, the created message will be sent to the users of selected client computers.

CONTROLLING CHANGES IN THE STATUS OF VIRTUAL MACHINES
Administration Server stores information about the status of managed computers, such as the hardware registry and the list of installed applications, or the settings of managed applications, tasks and policies. If a virtual machine functions as a managed computer, the user can restore its status at any time using a snapshot of the virtual machine. As a result, information about the status of the virtual machine on Administration Server may become outdated.
For example, the administrator had created a protection policy on Administration Server at 12:00 P.M., which started to run on virtual machine VM_1 at 12:01 P.M. At 12:30 P.M., the user of virtual machine VM_1 changed its status by restoring it from a snapshot made at 11:00 A.M. As a result, the protection policy stops running on the virtual machine. However, outdated information on Administration Server states that the protection policy on virtual machine VM_1 keeps running.
Kaspersky Security Center helps controlling all changes in the status of virtual machines.
After each synchronization with a client computer, Administration Server generates a unique ID, which is stored both on the client computer's side and on the Administration Server's side. Before starting the next synchronization, Administration Server compares the values of those IDs on both sides. If the values of the IDs mismatch, Administration Server recognizes the virtual machine as restored from a snapshot. Administration Server resets all the settings of policies and tasks that are active for the virtual machine and sends the up-to-date policies and the list of group tasks to it.
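The VM_1 timeline from the section on controlling changes in the status of virtual machines can be replayed in a small model of the synchronization ID check. This is an added example, not Kaspersky code: the class and function names are hypothetical, and the model assumes that an ordinary synchronization only delivers policies the server believes the machine does not have yet, which is why a restored snapshot goes unnoticed when the IDs are not compared.

```python
import copy
import secrets


class ManagedVM:
    """Client side: holds the last synchronization ID and the active policies."""

    def __init__(self, name):
        self.name = name
        self.sync_id = None
        self.policies = set()

    def snapshot(self):
        # A VM snapshot captures the whole client state, including the sync ID.
        return copy.deepcopy(self.__dict__)

    def restore(self, snap):
        self.__dict__ = copy.deepcopy(snap)


class AdministrationServer:
    """Server side: keeps its own copy of each client's last synchronization ID."""

    def __init__(self, check_ids=True):
        self.check_ids = check_ids
        self.policies = set()   # policies that should be active on clients
        self.sync_ids = {}      # client name -> ID stored after the last sync
        self.believed = {}      # client name -> policies the server thinks it has

    def synchronize(self, vm):
        believed = self.believed.setdefault(vm.name, set())
        # Before synchronizing, compare the ID stored on both sides.
        rolled_back = self.check_ids and self.sync_ids.get(vm.name) != vm.sync_id
        if rolled_back:
            # Recognized as restored from a snapshot: reset and resend everything.
            vm.policies = set(self.policies)
        else:
            # Model assumption: only deliver what the server believes is missing.
            vm.policies |= self.policies - believed
        self.believed[vm.name] = set(self.policies)
        # After each synchronization a new unique ID is stored on both sides.
        self.sync_ids[vm.name] = vm.sync_id = secrets.token_hex(16)
        return "restored-from-snapshot" if rolled_back else "in-sync"


def replay_guide_example(check_ids):
    """Replay the VM_1 timeline; returns (protected after restore, verdict, protected after sync)."""
    server = AdministrationServer(check_ids)
    vm = ManagedVM("VM_1")
    server.synchronize(vm)               # an earlier synchronization
    snap_1100 = vm.snapshot()            # 11:00 A.M. snapshot
    server.policies.add("protection")    # 12:00 P.M. policy created on the server
    server.synchronize(vm)               # 12:01 P.M. policy starts running on VM_1
    vm.restore(snap_1100)                # 12:30 P.M. user restores the snapshot
    protected_after_restore = "protection" in vm.policies
    verdict = server.synchronize(vm)     # next synchronization
    return protected_after_restore, verdict, "protection" in vm.policies


if __name__ == "__main__":
    print("with ID check:   ", replay_guide_example(True))
    print("without ID check:", replay_guide_example(False))
```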

REMOTE DIAGNOSTICS OF CLIENT COMPUTERS. KASPERSKY SECURITY CENTER REMOTE DIAGNOSTICS UTILITY
The utility for remote diagnostics of Kaspersky Security Center (hereinafter referred to as the remote diagnostics utility) is designed for remote performing of the following operations on client computers:
• enabling and disabling tracing, changing the tracing level, downloading the trace file;
• downloading applications' settings;
• downloading event logs;
• starting the diagnostics and downloading diagnostics results;
• starting and stopping applications.
The remote diagnostics utility is installed on the computer automatically together with the Administration Console.

IN THIS SECTION:
Connecting the remote diagnostics utility to a client computer
Enabling and disabling tracing, downloading the trace file
Downloading applications' settings
Downloading event logs
Starting diagnostics and downloading its results
Starting, stopping and restarting applications

CONNECTING THE REMOTE DIAGNOSTICS UTILITY TO A CLIENT COMPUTER
To connect the remote diagnostics utility to a client computer:
1. Select any administration group from the console tree.
2. In the workspace, on the Computers tab, in the context menu of any client computer select Custom tools → Remote diagnostics.
   As a result, the main window of the remote diagnostics utility opens.
3. In the first field of the main window of the remote diagnostics utility specify the tools that you intend to use to connect to the client computer:
   • Access using Microsoft Windows network.
   • Access using Administration Server.
4. If you have selected Access using Microsoft Windows network in the first field of the main utility window, perform the following actions:
   • In the Computer field specify the computer that should be connected to.
     You can use an IP address, NetBIOS or DNS name as the computer address.
     The default value is the address of the computer from the context menu of which the utility has been run.
   • Specify an account to connect to the computer:
      • Connect as current user (selected by default). Connecting under the current user account.
      • Use provided user name and password to connect. Connecting under a provided user account. Specify the User name and the Password of the required account.
     Connection to a client computer is only possible under the account of the local administrator of the client computer.

5. If you have selected Access using Administration Server in the first field of the main utility window, perform the following actions:
   • In the Administration Server field specify the address of Administration Server from which you intend to connect to the client computer.
     You can use an IP address, NetBIOS or DNS name as the server address.
     The default value is the address of Server from which the utility has been run.
   • If required, select the Use SSL, Compress traffic, and Computer belongs to slave Administration Server check boxes.
     If the Computer belongs to slave Administration Server check box is selected, you can fill in the Slave Server field with the name of the slave Administration Server, which manages the client computer. To do this, click the Browse button.
6. To connect to the client computer, click the Enter button.
This opens the window intended for remote diagnostics of the client computer (see fig. below). The left part of the window contains links to operations of client computer diagnostics. The right part of the window contains the objects tree of the client computer that the utility can handle. The bottom part of the window displays the progress of the utility's operations.
Figure 12. Remote diagnostics utility. Window of remote diagnostics of client computer
The remote diagnostics utility saves files downloaded from client computers on the desktop of the computer from which it has been run.

ENABLING AND DISABLING TRACING, DOWNLOADING THE TRACE FILE
To enable tracing, download the trace file, and disable tracing:
1. Run the remote diagnostics utility and connect to the required computer.
2. From the objects tree of the client computer select the application for which you need to build a trace, and enable tracing by clicking the Enable tracing link in the left part of the remote diagnostics utility window.
   Tracing can be enabled and disabled for applications with self-defense only if the client computer is connected using tools of Administration Server.
   In some cases an anti-virus application and its task should be restarted in order to enable tracing.
3. In the node of the application for which tracing is enabled, in the Trace files folder select the required file and download it by clicking the Download file link. For large-sized files only the most recent trace parts can be downloaded.
   You can delete the highlighted trace file. The file can be deleted after tracing is disabled.
4. Disable tracing for the selected application by clicking the Disable tracing link.

DOWNLOADING APPLICATIONS' SETTINGS
To download applications' settings:
1. Run the remote diagnostics utility and connect to the required computer.
2. From the objects tree of the remote diagnostics window select the top node with the name of the computer and select the required action in the left part of the window:
   • Load system information.
   • Load application settings.
   • Generate process memory dump.
     In the window that opens after you click this link, specify the executable file of the selected application for which you need to generate a memory dump file.
   • Start utility.
     In the window that opens after you click this link, specify the executable file of the selected utility and its startup settings.
As a result, the selected utility is downloaded and run on the client computer.

DOWNLOADING EVENT LOGS
To download an event log:
1. Run the remote diagnostics utility and connect to the required computer.
2. In the Event log folder of the computer objects tree select the required log and download it by clicking the Download event log Kaspersky Event Log link in the left part of the remote diagnostics utility window.

STARTING DIAGNOSTICS AND DOWNLOADING ITS RESULTS
To start diagnostics for an application and download its results:
1. Run the remote diagnostics utility and connect to the required computer.
2. From the objects tree of the client computer select the required application and start diagnostics by clicking the Run diagnostics link.
   As a result, a diagnostics report appears in the node of the selected application in the objects tree.
3. Select the newly generated diagnostics report in the objects tree and download it by clicking the Download file link.

STARTING, STOPPING AND RESTARTING APPLICATIONS
You can only start, stop, and restart applications if you have connected the client computer using Administration Server tools.
To start, stop, or restart an application:
1. Run the remote diagnostics utility and connect to the required client computer.
2. From the objects tree of the client computer select the required application and select an action in the left part of the window:
• Stop application
• Restart application
• Start application
Depending on the action that you have selected, the application will be started, stopped, or restarted.

MANAGING USER ACCOUNTS
This section provides information about users' accounts and roles supported by the application. This section contains instructions on how to create accounts and roles for users of Kaspersky Security Center. This section also contains instructions on how to handle list of the user's certificates and mobile devices and how to deliver messages to users.

IN THIS SECTION:
Handling user accounts
Adding a user account
Configuring rights. User roles
Delivering messages to users
Viewing the list of a user's mobile devices
Installing a certificate for a user
Viewing the list of certificates handed to a user

HANDLING USER ACCOUNTS
Kaspersky Security Center allows managing user accounts and groups of accounts. The application supports two types of accounts:
• Accounts of organization employees. Administration Server retrieves data of the accounts of those users when polling the organization's network.
• Accounts of internal users (see the section "Handling internal users" on page 50). Those are applied when handling virtual Administration Servers. Accounts of internal users are created (see the section "Adding a user account" on page 80) and used only within Kaspersky Security Center.
All user accounts can be viewed in the User accounts folder of the console tree.
You can perform the following actions on user accounts and groups of accounts:
• Configure users' rights of access to the application's features by means of roles (see the section "Configuring rights. User roles" on page 81)
• Send messages to users by email and SMS (see the section "Delivering messages to users" on page 82)
• View the list of the user's mobile devices (see the section "Viewing the list of the user's mobile devices" on page 82)
• Hand and install certificates on the user's mobile devices (see the section "Installing a certificate for a user" on page 82)
• View the list of certificates handed to the user (see the section "Viewing the list of certificates handed to the user" on page 83).

ADDING A USER ACCOUNT
To add a new Kaspersky Security Center user account:
1. In the console tree, open the User accounts folder.
2. In the workspace, click the Add new user link to open the Properties window.
3. Specify account settings and set a password for the user's connection to Kaspersky Security Center.
There are no special requirements for the password.
If you select the Disable account check box, the user will not be able to connect to the application. You can select this check box, for example, in case of the dismissal of an employee. By default, this check box is cleared.
4. Click OK.
As a result, the newly created user account will be displayed in the workspace of the User accounts folder.

CONFIGURING RIGHTS. USER ROLES
You can flexibly configure access to various features of the application by users and user groups. You can provide users rights of access to the application's features, using one of the two methods:
• Configuring the rights for each user or group of users individually
• Create standard user roles with a predefined set of rights and assign those roles to users depending on their scope of duties.
User role is an exclusively created and predefined set of rights of access to the application's features. A role can be provided to a user or a group of users. Applying roles simplifies and reduces routine procedures of configuring users' rights of access to the application. Access rights within a role are configured in accordance with the 'standard' tasks and the users' scope of duties. For example, a user role can only have rights to read and send information commands to mobile devices of other users through Self Service Portal.
User roles can be assigned names that correspond to their respective purposes. You can create an unlimited number of roles in the application.

ADDING A USER ROLE
To add a user role:
1. In the console tree, select the node with the name of the required Administration Server.
2. In the context menu of the Administration Server, select Properties.
3. In the Administration Server properties window, select the User roles section and click the Add button.
The User roles section is available if the Display security settings sections check box is selected in the interface settings window (see the section "Configuring the interface" on page 30).
4. In the Properties: New role window, configure the role:
• In the General section, specify the name of the role.
The name of a role cannot include more than 100 characters.
• In the Rights section, configure the set of rights, by selecting the Allow and Deny check boxes next to the application's features.
5. Click OK.
As a result, the role will be saved.
User roles that have been created for Administration Server are displayed in the Server properties window, in the User roles section. You can edit and delete user roles, as well as assign roles to user groups (see the section "Assigning a role to a user or a user group" on page 81) or individual users.

ASSIGNING A ROLE TO A USER OR A USER GROUP
To assign a role to a user or a group of users:
1. In the console tree, select the node with the name of the required Administration Server.
2. In the context menu of the Administration Server, select Properties.
3. In the Administration Server properties window, select the Security section.
4. In the Names of groups or users field, select a user or a group of users that should be assigned a role.
If the user or the group is not contained in the field, you can add it by clicking the Add button.
When you add a user by clicking the Add button, you can select the type of user authentication (Microsoft Windows or Kaspersky Security Center). Kaspersky Security Center authentication is used for selecting the accounts of internal users that are used for handling virtual Administration Servers.
5. Open the Roles tab and click the Add button.
The User roles window opens. This window displays user roles that have been created.


6. In the User roles window, select a role for the user group.
7. Click OK.
As a result, the role with a set of rights for handling Administration Server will be assigned to the user or the user group.
Roles that have been assigned are displayed on the Roles tab in the Security section of the Administration Server
properties window.

The Security section is available if the Display sections with security settings check box is selected in the interface
settings window (see the section "Configuring the interface" on page 30).

DELIVERING MESSAGES TO USERS
To send a message to a user by email:
1. In the console tree, in the User accounts folder, select a user.
2. In the user's context menu, select Send message by email.
3. Fill in the relevant fields in the Send message to user window and click the OK button.
As a result, the message will be sent to the email that has been specified in the user's properties.
To send an SMS message to a user:
1. In the console tree, in the User accounts folder, select a user.
2. In the user's context menu, select Send SMS message.
3. Fill in the relevant fields in the SMS text window and click the OK button.
As a result, the message will be sent to the mobile device with the number that has been specified in the user's
properties.

VIEWING THE LIST OF A USER'S MOBILE DEVICES
To view a list of a user's mobile devices:
1. In the console tree, in the User accounts folder, select a user.
2. In the context menu of the user account, select Properties.
3. In the properties window of the user account, select the Mobile devices section.
In the Mobile devices section, you can view the list of the user's mobile devices and information about each of them.
You can click the Export to file button to save the list of mobile devices to a file.

INSTALLING A CERTIFICATE FOR A USER
You can install three types of certificates for a user:
• General certificate, which is required to identify the user's mobile device
• Mail certificate, which is required to set up the corporate mail on the user's mobile device
• VPN certificate, which is required to set up the virtual private network on the user's mobile device
To hand a certificate to a user and then install it:
1. In the console tree, open the User accounts folder and select a user account.
2. In the context menu of the user account, select Install certificate.
The Certificate Installation Wizard starts. Follow the Wizard's instructions.
After the Certificate Installation Wizard has finished, the certificate will be created and installed for the user. You can view
the list of installed certificates of a user and export it to a file (see the section "Viewing the list of certificates handed to a
user" on page 83).


VIEWING THE LIST OF CERTIFICATES HANDED TO A USER
To view a list of all certificates handed to a user:
1. In the console tree, in the User accounts folder, select a user.
2. In the context menu of the user account, select Properties.
3. In the properties window of the user account, select the Certificates section.
In the Certificates section, you can view the list of the user's certificates and information about each of them. You can
click the Export to file button to save the list of certificates to a file.


WORKING WITH REPORTS, STATISTICS, AND NOTIFICATIONS
This section provides information about how to handle reports, statistics, and selections of events and client computers in
Kaspersky Security Center, as well as how to configure Administration Server notifications.

IN THIS SECTION:
Working with reports
Working with the statistical information
Configuring notification settings
Event selections
Exporting events to an SIEM system
Computer selections
Policy selections
Task selections

WORKING WITH REPORTS
Reports in Kaspersky Security Center contain information about the condition of the anti-virus protection system. Reports
are generated based on information stored on Administration Server. You can create reports for the following types of
objects:
• for a selection of client computers;
• for computers of a specific administration group;
• for a set of client computers from different administration groups;
• for all the computers on the network (available for the deployment report).
The application includes a set of standard report templates; it also supports creation of user-defined report templates.
Reports are displayed in the main application window, in the Reports and notifications folder of the console tree.

IN THIS SECTION:
Creating a report template
Creating and viewing a report
Saving a report
Creating a report delivery task

CREATING A REPORT TEMPLATE
To create a report template,
select the Reports and notifications folder from the console tree and perform one of the following actions:
• Select New → Report Template from the context menu of the Reports and notifications folder.
• In the workspace of the Reports and notifications folder, on the Reports tab run the report template creation
process by clicking the Create a report template link.
As a result, the New Report Template Wizard starts. Follow the Wizard's instructions.


After the Wizard finishes its operation, the newly created report template is added to the Reports and notifications folder of the console tree. You can use this template for generating and viewing reports.

CREATING AND VIEWING A REPORT
To create and view a report:
1. In the console tree open the Reports and notifications folder in which report templates are listed.
2. Select the required report template from the console tree or from the workspace on the Reports tab.
As a result, the workspace will display a report created on the selected template. The report displays the following data:
• The name and type of report, its brief description and the reporting period, as well as information about the group of devices for which the report is generated.
• Graphic diagram reflecting the most crucial data from the report.
• Summary table of data reflecting calculated values from the report.
• Table of detailed data from the report.

SAVING A REPORT
To save a created report:
1. In the console tree open the Reports and notifications folder in which report templates are listed.
2. Select the required report template from the console tree or from the workspace on the Reports tab.
3. From the context menu of the selected report template select Save.
The Report Saving Wizard starts. Follow the Wizard's instructions.
After the Wizard finishes its operation, the folder opens into which you have saved the report file.

CREATING A REPORT DELIVERY TASK
Delivery of reports in Kaspersky Security Center is carried out using the report delivery task. You can deliver reports by email or save them in a dedicated folder, for example, in a shared folder on Administration Server or a local computer.
To create a delivery task for a report:
1. In the console tree open the Reports and notifications folder in which report templates are listed.
2. Select the required report template from the console tree or from the workspace on the Reports tab.
3. In the report template's context menu, select the Send Reports item.
This will start the Report Delivery Task Creation Wizard. Follow the Wizard's instructions.
To create a task of sending several reports:
1. In the console tree, select the Administration Server tasks folder.
2. Start creating the task in one of the following ways:
• In the console tree, in the Administration Server tasks folder context menu, select Create → Task.
• Click the Create a task link in the workspace.
As a result, the Administration Server Task Creation Wizard starts. Follow the Wizard's instructions. In the Task type wizard window select Deliver reports.
The created report delivery task is displayed in the console tree, in the Administration Server tasks folder.
The report delivery task is created automatically if email settings have been specified during the Kaspersky Security Center installation.

WORKING WITH THE STATISTICAL INFORMATION
Statistical information about the protection system status is displayed in the workspace of the Reports and notifications folder, on the Statistics tab. The Statistics tab contains several pages, each one of them consists of informational panes that display statistical information. The statistical information is displayed as a table or chart (pie or bar), reflecting the current condition of the anti-virus protection system. The data in the information panes are updated while the application is running.
You can change the number and structure of pages on the Statistics tab, the number of information panes on each page, and the data display mode in information panes.
The following buttons are intended to edit the display settings and print settings for statistics:
• [button icon] – located in the top right corner of the Statistics tab. Configuring the contents of the Statistics tab: adding and removing statistics pages, their location.
• [button icon] – located on the right from the page name. Configure the statistics page.
• [button icon] – located on the right from the information pane name. Configure the information pane.
• [button icon] – located on the right from the information pane name. Minimize the information pane.
• [button icon] – located on the right from the information pane name. Maximize the information pane.
• [button icon] – located in the top right corner of the Statistics tab. Print the current statistics page.

CONFIGURING NOTIFICATION SETTINGS
Kaspersky Security Center allows you to configure notification of the administrator of events occurring on client devices and to select a notification method:
• Email. When an event occurs, the application sends a notification to email addresses specified. You can edit the text of the notification.
• SMS. When an event occurs, the application sends a notification to the phone numbers specified. You can configure SMS notifications to be sent via the mail gateway or by means of the SMS Broadcasting utility.
• NET SEND (messaging service). When an event occurs, the application sends notifications using the messaging service.
Notification via the messaging service is only available for Windows 5.X operating systems (Windows 2000, Windows XP, Windows Server® 2003).
• Executable file. When an event occurs on a client computer, the executable file is launched on the administrator's workstation. The administrator can receive the parameters of the event that has occurred by means of the executable file.
To configure notification of events occurring on client devices:
1. Open the properties window of the Reports and notifications folder of the console tree in one of the following ways:
• Select Properties from the context menu of the Reports and notifications folder of the console tree.
• In the workspace of the Reports and notifications folder, on the Notifications tab open the window by clicking the Modify notification delivery settings link.
2. In the Notification section in the properties window of the Reports and notifications folder, select the notification method and configure notification settings.
As a result, the re-adjusted notification settings are applied to all events occurring on client devices.

You can configure the notification of an event in the properties window of that event. You can obtain quick access to the settings of events by clicking the Configure Kaspersky Endpoint Security events and Modify Administration Server event settings links.

SEE ALSO:
Configuring event processing settings

EVENT SELECTIONS
Information on the events in Kaspersky Security Center operation is saved both in the Microsoft Windows system log and in the Kaspersky Security Center event log. You can view information from the Kaspersky Security Center event log in the Reports and notifications folder of the console tree, the Events subfolder.
The information in the Events folder is represented in selections. Each selection includes events that meet specified conditions. After application installation, the folder contains some standard selections. You can create additional event selections or export event information to file.

IN THIS SECTION:
Viewing an event selection
Customizing an event selection
Creating an event selection
Exporting event selection to text file
Deleting events from selection

VIEWING AN EVENT SELECTION
To view the event selection:
1. In the console tree, expand the Reports and notifications folder, and locate Events.
2. Open the event selection in one of the following ways:
• Expand the Events folder and select the folder that contains the required event selection.
• In the Events folder workspace click the link that corresponds to the event selection that you need.
As a result, the workspace will display a list of events, of the selected type, stored on the Administration Server.
You can sort the information in the events list, either in ascending or descending order in any column.

CUSTOMIZING AN EVENT SELECTION
To customize an event selection:
1. In the console tree, expand the Reports and notifications folder, and locate Events.
2. Open the required event selection in the Events folder.
3. Open the event selection properties in one of the following ways:
• In the context menu of the event selection, select Properties.
• Click the Selection properties in the event selection management block.
In the event selection properties window that opens you can configure the event selection.

CREATING AN EVENT SELECTION
To create an event selection:
1. In the console tree, expand the Reports and notifications folder, and locate Events.
2. Start creating the event selection in one of the following ways:
• From the context menu of the folder, select New → Selection.
• Click the Create a selection link in the workspace of the Events folder.
3. In the New event selection window that opens, enter the name of the new selection and click OK.
As a result, a new folder with the name you entered will appear in the console tree in the Events folder.
By default, a created event selection contains all events stored on the Administration Server. To make a selection display only the events you are particularly interested in, you should customize the selection.

EXPORTING EVENT SELECTION TO TEXT FILE
To export an event selection to text file:
1. In the console tree, expand the Reports and notifications folder, and locate Events.
2. Open the required event selection in the Events folder.
3. Start the event export in one of the following ways:
• From the context menu of the selection, select All Tasks → Export.
• Click the Export events to file link in the event selection management block.
This starts the Events Export Wizard. Follow the Wizard's instructions.

DELETING EVENTS FROM SELECTION
To delete events:
1. In the console tree, expand the Reports and notifications folder, and locate Events.
2. Open the required event selection in the Events folder.
3. Select the events that you want to delete by using a mouse, the Shift or Ctrl key.
4. Delete the selected events by one of the following ways:
• In the context menu of any of the selected events, select Remove.
If you select the Delete All item from the context menu, all displayed events will be removed from the selection, regardless of your selection of events for selection.
• Click the Delete event link if one event is selected, or Delete events link if several events are selected in the working block for these events.
As a result, the selected events will be deleted from the Events folder.

EXPORTING EVENTS TO AN SIEM SYSTEM
The application allows exporting events that have been registered in the operation of Administration Server and other Kaspersky Lab applications installed on client computers, to an SIEM system (where SIEM stands for Security Information and Event Management).
To configure events export to an SIEM system:
1. In the console tree, expand the Reports and notifications folder, and locate Events.
2. In the context menu of the Events folder, select Properties.
The events properties window opens, displaying the Exporting events section.
3. Select the Automatically export events to SIEM system database check box.

4. In the SIEM system dropdown list, select the system to which you need to export events.
Events can be exported to SIEM systems, such as QRadar and ArcSight. By default, ArcSight system is selected.
5. Specify the address of an SIEM system server and a port for connection to that server in the corresponding fields.
Clicking the Export archive button causes the application to export newly created events to the database of the SIEM system starting from the specified date. By default, the application exports events starting from the current date.
6. Click OK.
As a result, after you select the Automatically export events to SIEM system database check box and configure connection with the server, the application will automatically export all events to the SIEM system when they are registered in the operation of Administration Server and other Kaspersky Lab applications.

COMPUTER SELECTIONS
Information about the statuses of client computers is available in the Reports and notifications folder of the console tree, in the Computer selections subfolder.
In the Computer selections folder the data is represented as a set of selections, each of which displays information about computers matching the specified conditions. After application installation, the folder contains some standard selections. You can create additional computer selections, export selection settings to file or create selections with settings imported from another file.

IN THIS SECTION:
Viewing computer selection
Configuring a computer selection
Creating a computer selection
Exporting settings of a computer selection to file
Create a computer selection by using imported settings
Removing computers from administration groups in a selection

VIEWING COMPUTER SELECTION
To view a computer selection:
1. In the Reports and notifications folder of the console tree select the Computer selections subfolder.
2. Open the computer selection in one of the following ways:
• Open the Computer selections folder and select the folder that contains the required computer selection.
• In the Computer selections folder workspace, by using the link that corresponds to the required computer selection.
The workspace will display the list of computers that correspond to the selection filter.
You can sort the information in the computers list, either in ascending or descending order in any column.

CONFIGURING A COMPUTER SELECTION
To customize a computer selection:
1. In the Reports and notifications folder of the console tree select the Computer selections subfolder.
2. Open the required computer selection in the Computer selections folder.

3. Open the computer selection properties in one of the following ways:
• In the context menu of the computer selection, select Properties.
• Click the Selection properties in the computer selection management block.
In the computer selection properties window that opens you can configure the computer selection.

CREATING A COMPUTER SELECTION
To create a computer selection:
1. In the Reports and notifications folder of the console tree select the Computer selections subfolder.
2. Start creating the computer selection in one of the following ways:
• From the context menu of the folder, select New → Selection.
• Click the Create a selection link in the workspace of the Computer selections folder.
3. In the New computer selection window that opens, enter the name of the new selection and click the OK button.
As a result, a new folder with the name you entered will appear in the console tree in the Computer selections folder.
By default, the new computer selection contains all computers included in the administration groups of the Server on which the selection has been created. To make a selection display only the computers you are particularly interested in, you should customize the selection.

EXPORTING SETTINGS OF A COMPUTER SELECTION TO FILE
To export the settings of a computer selection to text file:
1. In the Reports and notifications folder of the console tree select the Computer selections subfolder.
2. Open the required computer selection in the Computer selections folder.
3. From the context menu of the computer selection, select All Tasks → Export settings.
4. In the Save as window that opens, specify a name for the selection settings export file, select a folder to save it to, and click the Save button.
The settings of the computer selection will be saved to the specified file.

CREATE A COMPUTER SELECTION BY USING IMPORTED SETTINGS
To create a computer selection by using imported settings:
1. In the Reports and notifications folder of the console tree select the Computer selections subfolder.
2. Create a computer selection by using the settings imported from file in one of the following ways:
• From the context menu of the folder, select All Tasks → Import.
• By clicking the Import selection from file link in the folder management block.
3. In the window that opens, specify the path to the file from which you want to import the selection settings. Click the Open button.
As a result, in the Computer selections folder a New selection is created. Its settings are imported from the file that you specified.
If a selection named New selection already exists in the Computer selections folder, an index in (<serial number>) format is added to the name of the selection being created, for example: (1), (2).

REMOVING COMPUTERS FROM ADMINISTRATION GROUPS IN A SELECTION
When working with computer selections, you can remove computers from administration groups, without switching to the administration groups in which these computers are located.
To remove computers from administration groups:
1. In the Reports and notifications folder of the console tree select the Computer selections subfolder.
2. Open the required computer selection in the Computer selections folder.
3. Select the computers that you want to remove by using the Shift or Ctrl keys.
4. Remove the selected computers from groups in one of the following ways:
   • In the context menu of any of the selected computers, select Remove.
   • By clicking the Remove from group link in the workspace of the selected computers.
As a result, selected computers will be removed from the corresponding administration groups.

POLICY SELECTIONS
Information about policies is available in the Reports and notifications folder of the console tree, in the Policy selections subfolder.
The Policy selections folder displays a list of policies that have been created in administration groups. After the application installation, the folder contains a list of policies that have been created automatically. You can update the list and view the properties of any policy selected from the list.

TASK SELECTIONS
Information about tasks is available in the Reports and notifications folder of the console tree, in the Task selections subfolder.
The Task selections folder displays a list of tasks that have been assigned to client computers in administration groups and to Administration Server. After the application installation, the folder contains a list of tasks that have been created automatically. You can update the list and view the properties of tasks, as well as run and stop tasks.

UNASSIGNED COMPUTERS
This section provides information about how to manage computers on an enterprise network if they are not included in an administration group.

IN THIS SECTION:
Network discovery
Working with Windows domains. Viewing and changing the domain settings
Working with IP subnets
Working with the Active Directory groups. Viewing and modifying group settings
Creating rules for moving computers to administration groups automatically
Using VDI dynamic mode on client computers

NETWORK DISCOVERY
Information about the structure of the network and computers on this network is received by the Administration Server through regular polling of the Windows network, IP subnets, and Active Directory within the corporate computer network. The content of the Unassigned computers folder will be updated based on the results of this polling.
The Administration Server can use the following types of network scanning:
   • Windows network polling. There are two types of Windows network polls: quick and full. During a quick poll, only information on hosts in the list of NetBIOS names of all network domains and workgroups is collected. During a full poll, the following information is requested from each client computer: operating system name, IP address, DNS name, and NetBIOS name.
   • IP subnets polling. The Administration Server will poll the specified IP subnets by using ICMP packets, and collect a complete set of data on hosts within the IP subnets.
   • Active Directory groups polling. The information on the Active Directory unit structure and DNS names of the computers from the Active Directory is recorded into the Administration Server database.
Kaspersky Security Center uses the collected information and the data on corporate network structure to update the contents of the Unassigned computers and Managed computers folders. If the computers in the corporate network are configured to be moved to administration groups automatically, the discovered computers are included in the administration groups.
Information about computers within a corporate network that are not included in administration groups can be found in the Unassigned computers folder. The Unassigned computers folder contains three subfolders: Domains, IP subnets, and Active Directory.
The Unassigned computers folder of the virtual Administration Server does not contain the IP subnets folder. Client computers found while polling IP subnets on the virtual Administration Server are displayed in the Domains folder.
The Domains folder contains the hierarchy of subfolders that show the structure of domains and workgroups in the Windows network of the organization that were not included in the administration groups. Each subfolder of the Domains folder at the lowest level contains a list of computers of the domain or of the workgroup. If you add a computer to an administration group, the information on it is deleted from the Domains folder. If you remove a computer from the administration group, the information on it is displayed in the Domains folder, in the domain subfolder or in the workgroup of this computer.
The Active Directory folder displays computers reflecting the Active Directory groups structure.
The IP subnets folder displays computers reflecting the structure of IP subnetworks created within the corporate network. You can change the IP subnets folder structure by creating and modifying the settings of existing IP subnets.

IN THIS SECTION:
Viewing and modifying the settings for Windows network polling
Viewing and modifying Active Directory group properties
Viewing and modifying the settings for IP subnet polling

VIEWING AND MODIFYING THE SETTINGS FOR WINDOWS NETWORK POLLING
To modify the settings for the Windows network polling:
1. In the console tree, select the Unassigned computers folder, the Domains subfolder.
2. Open the Properties: Domains window using any of the following methods:
   • From the context menu of the folder, select Properties.
   • By clicking the Edit polling settings link in the folder management block.
This will open the Properties: Domains window where you can edit the settings of Windows network polling.
You can also change the settings of Windows network polling in the workspace of the Unassigned computers folder by using the Edit polling settings link in the Windows network polling settings section.
On the virtual Administration Server you can view and edit the polling settings of the Windows network in the properties window of the update agent, in the Network poll section.

VIEWING AND MODIFYING ACTIVE DIRECTORY GROUP PROPERTIES
To modify the settings for polling Active Directory groups:
1. In the console tree, select the Unassigned computers folder, the Active Directory subfolder.
2. Open the Properties: Active Directory window using one of the following methods:
   • From the context menu of the folder, select Properties.
   • By clicking the Edit polling settings link in the folder management block.
This will open the Properties: Active Directory window where you can edit the settings of Active Directory groups polling.
You can also change the settings of the Active Directory groups polling in the workspace of the Unassigned computers folder by using the Edit polling settings link in the Active Directory polling block.
On the virtual Administration Server you can view and edit the settings of polling Active Directory groups in the properties window of the update agent, in the Network poll section.

VIEWING AND MODIFYING THE SETTINGS FOR IP SUBNET POLLING
To modify the settings for IP subnets polling:
1. In the console tree, select the Unassigned computers folder, the IP subnets subfolder.
2. Open the Properties: IP subnets window using any of the following methods:
   • From the context menu of the folder, select Properties.
   • By clicking the Edit polling settings link in the folder management block.
This will open the Properties: IP subnets window where you can edit the settings of IP subnets polling.

You can also change the settings of IP subnets polling in the workspace of the Unassigned computers folder by using the Edit polling settings link in the IP subnets polling block.
On the virtual Administration Server you can view and edit the settings of polling IP subnets in the properties window of the update agent, in the Network poll section. Client computers found during the polling of IP subnets are displayed in the Domains folder of the virtual Administration Server.

WORKING WITH WINDOWS DOMAINS. VIEWING AND CHANGING THE DOMAIN SETTINGS
To modify the domain settings:
1. In the console tree, select the Unassigned computers folder, the Domains subfolder.
2. Select a domain and open its properties window in one of the following ways:
   • From the context menu of the domain, select Properties.
   • By clicking the Show group properties link.
This will open the Properties: <Domain name> window where you can configure the selected domain.

WORKING WITH IP SUBNETS
You can customize existing IP subnets and create new ones.

IN THIS SECTION:
Creating an IP subnet
Viewing and changing the IP subnet settings

CREATING AN IP SUBNET
To create an IP subnet:
1. In the console tree, select the Unassigned computers folder, the IP subnets subfolder.
2. From the context menu of the folder, select New → IP subnet.
3. In the New IP subnet window that opens customize the new IP subnet.
As a result, a new IP subnet appears in the IP subnets folder.

VIEWING AND CHANGING THE IP SUBNET SETTINGS
To modify the IP subnet settings:
1. In the console tree, select the Unassigned computers folder, the IP subnets subfolder.
2. Select an IP subnet and open its properties window in one of the following ways:
   • From the context menu of the IP subnet, select Properties.
   • By clicking the Show group properties link.
This will open the Properties: <IP subnet name> window where you can configure the selected IP subnet.

WORKING WITH THE ACTIVE DIRECTORY GROUPS. VIEWING AND MODIFYING GROUP SETTINGS
To modify the settings for the Active Directory group:
1. In the console tree, select the Unassigned computers folder, the Active Directory subfolder.
2. Select an Active Directory group and open its properties window in one of the following ways:
   • From the context menu of the group, select Properties.
   • By clicking the Show group properties link.
This will open the Properties: <Active Directory group name> window where you can configure the selected Active Directory group.

CREATING RULES FOR MOVING COMPUTERS TO ADMINISTRATION GROUPS AUTOMATICALLY
You can configure the computers to be moved automatically to administration groups after they are found.
To configure rules for moving computers to administration groups automatically, open the properties window of the Unassigned computers folder in one of the following ways:
   • From the context menu of the folder, select Properties.
   • Click the Configure rules of computer allocation to administration groups link in the workspace of this folder.
This will open the Properties: Unassigned computers window. Configure the rules to move computers to administration groups automatically in the Computer relocation section.

USING VDI DYNAMIC MODE ON CLIENT COMPUTERS
A virtual infrastructure can be deployed on a corporate network using temporary virtual machines. Kaspersky Security Center detects temporary virtual machines and adds information about them to the database of the Administration Server. After a user finishes using a temporary virtual machine, this machine is removed from the virtual infrastructure. However, a record about the removed virtual machine may be saved in the database of the Administration Server. Also, non-existent virtual machines may be displayed in Administration Console.
To prevent information about non-existent virtual machines from being saved, Kaspersky Security Center supports dynamic mode for Virtual Desktop Infrastructure (VDI). The administrator can enable the support of dynamic mode for VDI (see the section "Enabling the VDI dynamic mode in the properties of a Network Agent installation package" on page 96) in the properties of a Network Agent installation package that will be installed on a temporary virtual machine.
When a temporary virtual machine is disabled, Network Agent notifies the Administration Server that the machine has been disabled. After a virtual machine has been disabled successfully, it is removed from the list of computers connected to the Administration Server. If the virtual machine is disabled with errors and Network Agent does not send a notification about the disabled virtual machine to the Administration Server, a backup scenario is used. Under this scenario, a virtual machine is removed from the list of computers connected to the Administration Server after three unsuccessful attempts at synchronization with the Administration Server.

IN THIS SECTION:
Enabling VDI dynamic mode in the properties of an installation package for Network Agent
Searching for computers making part of VDI
Moving computers making part of VDI to an administration group

ENABLING VDI DYNAMIC MODE IN THE PROPERTIES OF AN INSTALLATION PACKAGE FOR NETWORK AGENT
To enable the VDI dynamic mode:
1. In the Remote installation folder of the console tree select the Installation packages subfolder.
2. In the context menu of the Network Agent installation package, select Properties.
The Properties: Kaspersky Security Center Network Agent dialog will appear.
3. In the Properties: Kaspersky Security Center Network Agent window, select the Advanced section.
4. In the Advanced section, select the Enable dynamic mode for VDI check box.
The client computer to which Network Agent is being installed will be a part of Virtual Desktop Infrastructure.

SEARCHING FOR COMPUTERS MAKING PART OF VDI
To find computers that make part of VDI:
1. In the workspace of the Unassigned computers folder, click the Find unassigned computers link to open the Search window.
2. In the Search window, on the Virtual machines tab, in the Part of Virtual Desktop Infrastructure dropdown list, select Yes.
3. Click the Find now button.
The application searches for computers that make part of Virtual Desktop Infrastructure.

MOVING COMPUTERS MAKING PART OF VDI TO AN ADMINISTRATION GROUP
To move computers that make part of VDI to an administration group:
1. In the workspace of the Unassigned computers folder, click the Configure rules of computer allocation to administration groups link to open the properties window of the Unassigned computers folder.
2. In the properties window of the Unassigned computers folder, in the Computer relocation section, click the Add button.
The New rule window opens.
3. In the New rule window, select the Virtual machines section.
4. In the Part of Virtual Desktop Infrastructure dropdown list, select Yes.
A rule will be created for computer relocation to an administration group.

MANAGING APPLICATIONS ON CLIENT COMPUTERS
Kaspersky Security Center allows you to manage applications by Kaspersky Lab and other vendors installed on client computers.
The administrator can perform the following actions:
   • Create categories of applications based on specified criteria
   • Manage categories of applications using dedicated rules
   • Manage applications startup on client computers
   • Perform inventories and maintain a registry of software installed on client computers
   • Fix vulnerabilities in software installed on client computers
   • Install updates from Windows Update and other software vendors to client computers
   • Monitor the use of keys for groups of licensed applications.

IN THIS SECTION:
Groups of applications
Application vulnerabilities
Software updates

GROUPS OF APPLICATIONS
This section describes how to handle groups of applications installed on client computers.

Creating application categories
Kaspersky Security Center allows creating categories of applications installed on client computers.
You can create categories of applications using the following methods:
   • The administrator specifies a folder in which executable files have been included in the selected category.
   • The administrator specifies a computer from which executable files are to be included in the selected category.
   • The administrator sets criteria that should be used to include applications in the selected category.
When the category of applications is created, the administrator can set rules for that category. Rules define the behavior of applications included in the specified category. For example, you can block or allow launching applications included in the category.

Managing launch of applications on client computers
Kaspersky Security Center allows managing launch of applications on client computers in White List mode (for details refer to the Administrator's Guide for Kaspersky Endpoint Security 10 for Windows). While in White List mode, on selected client computers you can only launch applications included in the specified categories. The administrator can view results of static analysis applied to rules of applications run on client computers for each of the users.

Inventory of software installed on client computers
Kaspersky Security Center allows performing inventory of software on client computers. Network Agent retrieves information about all of the applications installed on client computers. Information collected during inventory is displayed in the workspace of the Applications registry folder. The administrator can view detailed information about any application, including its version and manufacturer.

Managing groups of licensed applications
Kaspersky Security Center allows creating groups of licensed applications. A group of licensed applications includes applications that meet criteria set by the administrator. The administrator can specify the following criteria for groups of licensed applications:
   • Application name
   • Application version
   • Manufacturer
   • Application tag.
Applications that meet one or several criteria are automatically included in a group. To create a group of licensed applications, you should set at least one criterion of including applications in such group.
Each licensed applications group has its own key. The key of a group of licensed applications defines the maximum allowed number of installations for applications included in this group. If the number of installations has exceeded the limit set by the key, an information event is logged on Administration Server. The administrator can specify an expiration date for the key. When this date arrives, an information event is logged on Administration Server.

Viewing information about executable files
Kaspersky Security Center collects all information about executable files that have been run on client computers since the operating system had been installed to them. Collected information about executable files is displayed in the main application window, in the workspace of the Executable files folder.

IN THIS SECTION:
Creating application categories
Configuring applications launch management on client computers
Viewing the results of statistical analysis of startup rules applied to executable files
Viewing the applications registry
Creating groups of licensed applications
Managing keys for groups of licensed applications
Viewing information about executable files

CREATING APPLICATION CATEGORIES
To create an application category:
1. In the Application management folder of the console tree, select the Application categories subfolder.
2. Click the Create a category link to start the Create User Category Wizard.
3. In the Wizard window select a type of user category:
   • Category with content added manually. In this case, you can manually specify criteria according to which executable files will be assigned to the category being created.
   • Category with content added automatically. In this case, you can specify a folder from which executable files will be automatically assigned to the category being created.
   • Category which includes executable files from selected computers. In this case, you can specify a computer. Executable files detected on this computer will be automatically assigned to that category.
4. Follow the Wizard's instructions.
When you have finished with the Wizard, a user category of applications is created. You can view created categories in the Application categories folder.

CONFIGURING APPLICATIONS LAUNCH MANAGEMENT ON CLIENT COMPUTERS
To configure the applications launch management on client computers:
1. In the Application management folder of the console tree, select the Application categories subfolder.
2. In the workspace of the Application categories folder, create a category of applications (see the section "Creating application categories" on page 98) that you want to manage.
3. In the Managed computers folder, on the Policies tab click the Create Kaspersky Endpoint Security policy link to run the New Policy Wizard for Kaspersky Endpoint Security 10 for Windows and follow the Wizard's instructions.
If such a policy already exists, you can skip this step. You can configure the applications launch management in a specified category through the settings of the policy. The newly created policy is displayed in the Managed computers folder, on the Policies tab.
4. Select Properties from the context menu of the policy for Kaspersky Endpoint Security 10 for Windows.
The properties window of the policy for Kaspersky Endpoint Security 10 for Windows opens.
5. In the properties window of the policy for Kaspersky Endpoint Security 10 for Windows, in the Application Startup Control section click the Add button.
The Application Startup Control window opens.
6. In the Application Startup Control rule window, in the Category drop-down list select a category of applications that the launch rule will cover. Configure the launch rule for the selected category of applications.
For more details on the application startup control rules, refer to the Kaspersky Endpoint Security 10 for Windows Administrator's Guide.
7. Click OK.
Launch of applications included in the specified category will be performed on client computers according to the rule that you have created. The created rule is displayed in the properties window of the policy for Kaspersky Endpoint Security 10 for Windows, in the Application Startup Control section.

VIEWING THE RESULTS OF STATISTICAL ANALYSIS OF STARTUP RULES APPLIED TO EXECUTABLE FILES
To view information about which executable files are prohibited for users to run:
1. In the Managed computers folder of the console tree select the Policies tab.
2. In the Protection policies context menu select Properties.
The properties window of the protection policy opens.
3. In the protection policy properties window select the Application Startup Control section and click the Statistical analysis button.
The Analysis of the access rights list window opens.
4. The left part of the Analysis of the access rights list window displays a list of users based on Active Directory data.
5. Select a user from the list.
The right part of the window displays categories of applications assigned to this user.
6. To view executable files which are prohibited for the user to run, in the Analysis of the access rights list window click the View files button.
A window opens, displaying a list of executable files, which are prohibited for the user to run.
7. To view the list of executable files included in a category, select a category of applications and click the View files in category button.
A window opens, displaying a list of executable files included in the category of applications.

VIEWING THE APPLICATIONS REGISTRY
To view the registry of applications installed on client computers,
In the Application management folder of the console tree, select the Applications registry subfolder.
The workspace of the Applications registry folder contains a list of applications that have been detected by Network Agent installed on the client computers.
Gathering of information about installed applications is available only for computers running on Microsoft Windows.
To view the properties of a selected application,
select Properties from the context menu of the application.
A window opens displaying the application details and information about its executable files, as well as a list of computers on which the application is installed.
To view applications that meet specific criteria,
you can use filtering fields in the workspace of the Applications registry folder.
Information about the applications installed on client computers that are connected to slave and virtual Administration Servers is also stored in the applications registry of the master Administration Server. Use a report of application registry to view this information, enabling collection of data from slave and virtual Administration Servers into it.
To include information from slave Administration Servers in the report:
1. In the Reports and notifications folder select Kaspersky Lab software version report.
2. Select Properties from the context menu of the report.
The Properties: Kaspersky Lab software version report dialog will appear.
3. In the Administration Servers hierarchy section select the Include data from slave and virtual Administration Servers check box.

CREATING GROUPS OF LICENSED APPLICATIONS
To create a group of licensed applications:
1. In the Application management folder of the console tree, select the Third-party licenses usage subfolder.
2. Click the Add a group of licensed applications link to run the Licensed Application Group Addition Wizard.
3. Follow the Wizard's instructions.
After the Wizard completes its operation, a group of licensed applications is created and displayed in the Third-party licenses usage folder.

MANAGING KEYS FOR GROUPS OF LICENSED APPLICATIONS
To create a key for a group of licensed applications:
1. In the Application management folder of the console tree, select the Third-party licenses usage subfolder.
2. In the workspace of the Third-party licenses usage folder click the Manage keys of licensed applications link to open the Key Management in licensed applications window.
3. In the Managing keys of licensed applications window click the Add button.
The Key window opens.
4. In the Key window specify the settings of the key and restrictions that the key imposes on the group of licensed applications.
   • Name. The name of the key.
   • Comment. Notes on the selected key.
   • Restriction. The number of client computers to which the application using this key can be installed.
   • Expiration date. The expiration date of the key.
Created keys are displayed in the Managing keys of licensed applications window.

To apply a key to a group of licensed applications:
1. In the Application management folder of the console tree, select the Third-party licenses usage subfolder.
2. In the Third-party licenses usage folder, select a group of licensed applications to which you want to apply a key.
3. Select Properties from the context menu of the group of licensed applications.
The properties window of the group of licensed applications opens.
4. In the properties window of the group of licensed applications, in the Keys section select Control if license limit is exceeded.
5. Click the Add button.
The Selecting a key window opens.
6. In the Selecting a key window select a key that you want to apply to a group of licensed applications.
7. Click OK.
Restrictions imposed on a group of licensed applications and specified in the key will also cover the selected group of licensed applications.

VIEWING INFORMATION ABOUT EXECUTABLE FILES
To view a list of all executable files detected on client computers,
In the Application management folder of the console tree, select the Executable files subfolder.
The workspace of the Executable files folder displays a list of executable files that have been run on client computers since the installation of the operating system or have been detected while running the inventory task of Kaspersky Endpoint Security 10 for Windows.
To view details of executable files that match specific criteria, you can use filtering.
To view the properties of an executable file,
select Properties from the context menu of the file.
A window opens displaying information about the executable file and a list of client computers on which this executable file can be found.

APPLICATION VULNERABILITIES
The Software vulnerabilities folder included in the Application management folder contains a list of vulnerabilities in applications that have been detected on client computers by the Network Agent installed on them.
The feature of analysis of information about vulnerabilities in applications is only available for computers running on Microsoft Windows operating systems.
By opening the properties window of a selected application in the Software vulnerabilities folder, you can obtain general information about a vulnerability, about the application where it has been detected, view the list of computers on which the vulnerability has been found, and information about the fixing of this vulnerability.

VIEWING INFORMATION ABOUT VULNERABILITIES IN APPLICATIONS
To view a list of vulnerabilities detected on client computers,
In the Application management folder of the console tree, select the Software vulnerabilities subfolder.
The workspace of the folder displays a list of vulnerabilities in applications detected on client computers by Network Agent installed on them.
To obtain information about a selected vulnerability,
select Properties from the context menu of the vulnerability.

The properties window of the vulnerability opens, displaying the following information:
• Application in which the vulnerability has been detected
• List of computers on which the vulnerability has been detected
• Information on whether the vulnerability has been fixed.
To view the report on all detected vulnerabilities, click the View report on software vulnerabilities link in the Software vulnerabilities folder.
A report on vulnerabilities in applications installed on client computers will be generated. You can view the report in the Reports and notifications folder.
The feature of analysis of information about vulnerabilities in applications is only available for computers running on Microsoft Windows operating systems.

SEARCHING FOR VULNERABILITIES IN APPLICATIONS
If you have configured the application through the Quick Start Wizard, the vulnerability scan task is created automatically. You can view the task in the Managed computers folder, on the Tasks tab.
To create a task for vulnerability scan in applications installed on client computers:
1. In the Application management folder of the console tree, select the Software vulnerabilities subfolder.
2. Click the Configure vulnerability scan link in the workspace to run the Vulnerabilities and Required Updates Search Task Creation Wizard.
   The Task Creation Wizard window opens.
3. Follow the Wizard's instructions.
After the Wizard completes its operation, the Find vulnerabilities and application updates task is created and displayed on the list of tasks in the Managed computers folder on the Tasks tab.

FIXING VULNERABILITIES IN APPLICATIONS
If you have selected Find and install application updates in the Update management settings window of the Quick Start Wizard, the Installing application updates and fix vulnerabilities task is created automatically. The task is displayed in the Managed computers folder on the Tasks tab.
To create the vulnerabilities fix task using available updates for applications:
1. In the console tree select the Managed computers folder on the Tasks tab.
2. Click the Create a task link to run the New Task Wizard.
3. In the Select task type window of the Wizard specify the Installing application updates and fixing vulnerabilities task type.
4. Follow the Wizard's instructions.
After the Wizard completes its operation, the Installing application updates and fix vulnerabilities task is created and displayed in the Managed computers folder on the Tasks tab.

SOFTWARE UPDATES
Kaspersky Security Center allows managing updates of software installed on client computers, and fixing vulnerabilities in Microsoft applications and other vendors' products through installation of required updates.
Kaspersky Security Center searches for updates through the update search task and downloads them to the updates storage. After completing the search of updates, the application provides the administrator with information about available updates and vulnerabilities in applications that can be fixed using those updates.
Information about available updates for Microsoft Windows is provided by Windows Update service. Administration Server can be used as Windows Update server (WSUS). To use Administration Server as Windows Update server, you should configure synchronization of updates with Windows Update. After you have configured data synchronization with Windows Update, Administration Server provides updates to Windows Update services on client computers in centralized mode and with the set frequency.

You can also manage software updates through a Network Agent policy. To do this, you should create a Network Agent policy and configure software updating in the corresponding windows of the New Policy Wizard.
The administrator can view a list of available updates in the Software updates subfolder included in the Application management folder. This folder contains a list of updates for Microsoft applications and other vendors' products retrieved by Administration Server that can be distributed to client computers. After viewing information about available updates, the administrator can install them to client computers.
Before installing the updates to all of the client computers, you can perform a test installation to make sure installed updates will cause no failures to the operation of applications on the client computers.

IN THIS SECTION:
Viewing information about available updates
Synchronizing updates from Windows Update with Administration Server
Automatic installation of updates on client computers
Installing updates on client computers manually
Configuring application updates in a Network Agent policy

VIEWING INFORMATION ABOUT AVAILABLE UPDATES
To view a list of available updates for applications installed on client computers, in the Application management folder of the console tree, select the Software updates subfolder.
In the workspace of the folder you can view a list of available updates for applications installed on client computers.
To view the properties of an update, in the workspace of the Software updates folder select Properties from the context menu of the update.
The following information is available for viewing in the properties window of the update:
• List of client computers for which the update is intended (target computers)
• List of system components (prerequisites) that need to be installed before the update (if any)
• Vulnerabilities in applications that the update should fix.

SYNCHRONIZING UPDATES FROM WINDOWS UPDATE WITH ADMINISTRATION SERVER
If you have selected Use Administration Server as WSUS server in the Update management settings window of the Quick Start Wizard, the Windows Update synchronization task is created automatically. You can run the task in the Administration Server tasks folder. The functionality of a software update is only available after the Perform Windows Update synchronization task is successfully completed.
To create a task for synchronizing Windows Updates with Administration Server:
1. In the Application management folder of the console tree, select the Software updates subfolder.
2. Click the Configure Windows Update synchronization link to run the Windows Update Center Data Retrieval Task Creation Wizard.
3. Follow the Wizard's instructions.
The Wizard creates the Perform Windows Update synchronization task displayed in the Administration Server tasks folder.
You can also create the Windows Update synchronization task in the Administration Server tasks folder by clicking the Create a task link.

AUTOMATIC INSTALLATION OF UPDATES ON CLIENT COMPUTERS
You can configure automatic updates of databases and application modules of Kaspersky Endpoint Security on client computers.
To configure the download and automatic installation of updates on client computers:
1. In the console tree, select the Tasks for specific computers folder.
2. Create an Update task in one of the following ways:
   • From the context menu of the console tree folder named Tasks for specific computers select New → Task.
   • Click the Create a task link in the workspace.
   This starts the New Task Wizard. Follow the Wizard's instructions. The task is created when the wizard finishes.
3. In the workspace of the Tasks for specific computers folder, select an update task that you have created.
4. From the context menu of the task, select Properties.
5. In the task properties window, select the Settings section.
   In the Settings section, you can configure the update task settings in local or mobile mode:
   • Local mode update settings: a connection is established between Kaspersky Security Center and the client computer.
   • Mobile mode update settings: a connection is not established between Kaspersky Security Center and the client computer (for example, when the computer is not connected to the Internet).
6. Click the Settings button to select the update source.
7. Select the Download application module updates check box to download and install application module updates together with application databases.
   If the check box is selected, Kaspersky Endpoint Security notifies the user about available application module updates and includes application module updates in the update package while running the update task. The way application module updates are applied is determined by the following settings:
   • Install critical and approved updates. If this option is selected, when application module updates are available Kaspersky Endpoint Security installs critical updates automatically and all other application module updates only after their installation is approved locally via the application interface or on the side of Kaspersky Security Center.
   • Install approved updates only. If this option is selected, when application module updates are available Kaspersky Endpoint Security installs them only after their installation is approved locally via the application interface or on the side of Kaspersky Security Center.
   If application module updates require reviewing and accepting the terms of the End User License Agreement, the application installs updates after the terms of the End User License Agreement have been accepted by the user.
8. Select the Copy updates to folder check box in order for the application to save downloaded updates to the folder specified by clicking the Browse button.
9. Click OK.

INSTALLING UPDATES ON CLIENT COMPUTERS MANUALLY
If you have selected Find and install application updates in the Update management settings window of the Quick Start Wizard, the Installing application updates and fix vulnerabilities task is created automatically. You can run or stop the task in the Managed computers folder on the Tasks tab.
If you have selected Search for critical updates in the Quick Start Wizard, you can install software updates to client computers through the Installing application updates and fix vulnerabilities task.

To create an update installation task, do the following:
1. In the Application management folder of the console tree, select the Software updates subfolder.
2. In the Software updates folder open the context menu of an update and select Install update → New task, or click the Install update (create task) link in the section intended for handling selected updates.
   This opens the Updates Installation and Vulnerabilities Fix Task Creation Wizard.
3. Follow the Wizard's instructions.
After the Wizard completes its operation, the Installing application updates and fix vulnerabilities task is created and displayed in the Managed computers folder on the Tasks tab.
You can enable automatic installation of system components (prerequisites) prior to installation of an update in Install Applications and Fix Vulnerabilities task properties. When this option is enabled, all required system components are installed before the update. A list of the required components can be found in properties of the update.
In the properties of Install Applications and Fix Vulnerabilities task, you can allow installation of updates that upgrade application to a new version.
Upgrading to a new version of an application may cause misoperation of dependent applications on client computers.
In the settings of the updates installation task you can configure a test installation of updates.
To configure a test installation of updates:
1. In the console tree select the Installing application updates and fixing vulnerabilities task in the Managed computers folder, on the Tasks tab.
2. Select Properties from the context menu of the task.
   The properties window of the Installing application updates and fix vulnerabilities task opens.
3. In the properties window of the task, in the Test installation section select one of the available options for test installation:
   • Do not scan. Select this option if you do not want to perform a test installation of updates.
   • Perform scan on selected computers. Select this option if you want to test updates installation on selected computers. Click the Add button and select computers on which you want to perform a test installation of updates.
   • Perform scan on computers in the specified group. Select this option if you want to test updates installation on a group of computers. In the Specify a test group field specify a group of computers on which you want to perform a test installation.
   • Install on the specified percentage of computers. Select this option if you want to test updates installation on some portion of target computers. In the Percentage of test computers from all target computers field specify the percentage of computers on which you want to perform a test installation of updates.
4. Upon selecting any of the options but the first one, in the Time to take the decision if the installation is to be continued field specify the number of hours that should elapse from the test installation of updates until the start of installation of the updates to all the target computers.

CONFIGURING APPLICATION UPDATES IN A NETWORK AGENT POLICY
To configure Windows Updates on client computers in a Network Agent policy:
1. In the Managed computers folder, on the Policies tab click the Create a policy link to run the New Policy Wizard.
2. In the Select application for which you want to create a group policy window of the Wizard specify Kaspersky Security Center Network Agent as the application.
3. In the Software updates and vulnerabilities window of the Wizard select the Use Administration Server as WSUS server check box if you want to use Administration Server as the update server.
   In this case, updates will be downloaded to Administration Server and installed to client computers through Network Agent. If the check box is cleared, Administration Server will not be used for downloading and installing Windows updates.

4. In the Software updates and vulnerabilities window of the Wizard, in the Windows Update search mode section select one of the following options:
   • Active. Administration Server with support from Network Agent initiates a request from Windows Update on a client computer to an update source: Windows Update Servers or WSUS. After that, Network Agent passes information received from Windows Update to Administration Server.
   • Passive. If you select this option, Network Agent periodically passes Administration Server information from Windows Update about updates retrieved at the last synchronization of Windows Update with the update source. If no synchronization of Windows Update with an update source is performed, information about updates on Administration Server becomes out-of-date.
   • Disabled. Administration Server collects no information about updates.
The newly created policy is displayed in the Managed computers folder, on the Policies tab.
If a Network Agent policy has already been created, perform the following actions:
1. In the Managed computers folder, on the Policies tab select a Network Agent policy.
2. In the context menu of the policy, select Properties.
   Open the properties window of the Network Agent policy.
3. In the properties window of the Network Agent policy configure Windows Update in the Software updates and vulnerabilities section.

REMOTE INSTALLATION OF OPERATING SYSTEMS AND APPLICATIONS
Kaspersky Security Center allows creating images of operating systems and deploying them on client computers over the network, as well as performing remote installation of applications by Kaspersky Lab and other vendors.

Capturing images of operating systems
Kaspersky Security Center can capture images of operating systems from target computers and transfer those images to Administration Server. Such images of operating systems are stored on Administration Server in a dedicated folder. The operating system image of a reference computer can be captured and created by using the Add new package task (see the section "Creating an installation package of an application" on page 110).
To create images of operating systems, Windows Automated Installation Kit (WAIK) tool package should be installed on Administration Server.
The functionality of operating system image capturing has the following features:
• An operating system image cannot be captured on a computer on which Administration Server is installed.
• While capturing an operating system image, a utility named sysprep.exe resets the settings of the reference computer. If you need to restore the settings of the reference computer, you should select the Save computer backup copy check box in the Operating System Image Creation Wizard.
• The image capturing process provides for a restart of the reference computer.

Deploying images of operating systems on new computers
The administrator can use images to deploy on new networked computers on which no operating system has been installed yet. A technology named Preboot eXecution Environment (PXE) is used in this case. The administrator selects a networked computer that will be used as the PXE server. This computer should meet the following requirements:
• Network Agent should be installed on the computer.
• No DHCP server should be active on the computer, since a PXE server uses the same ports as a DHCP server.
• The network segment comprising the computer should not contain any other PXE servers.
The following conditions should be met to deploy an operating system: a network card should be mounted on the computer, the computer should be connected to the network, and the Network boot option should be selected in BIOS when booting the computer.
Deployment of an operating system is performed as follows:
1. The PXE server establishes a connection with a new client computer while it boots up.
2. The client computer becomes included in Windows Preinstallation Environment (WinPE).
   Adding the client computer to WinPE environment may require configuration of the set of drivers for WinPE.
3. The client computer is registered on Administration Server.
4. The administrator assigns the client computer an installation package with an operating system image.
   The administrator can add required drivers to the installation package with the operating system image and specify a configuration file with the operating system settings (answer file) that should apply during installation.
5. The operating system is deployed on the client computer.
The administrator can manually specify the MAC addresses of client computers that have not yet connected, and assign them the installation package with the operating system image. When the selected client computers connect to the PXE server, the operating system is automatically installed to those computers.

Deploying images of operating systems on computers where another operating system has already been installed
Deployment of images of operating systems on client computers where another operating system has already been installed is performed through the remote installation task for specific computers.

Installing applications by Kaspersky Lab and other vendors
The administrator can create installation packages of any applications, including those specified by the user, and install the applications to client computers through the remote installation task.

IN THIS SECTION:
Creating images of operating systems
Adding drivers for Windows Preinstallation Environment (WinPE)
Adding drivers to an installation package with an operating system image
Configuring sysprep.exe utility
Deploying operating systems on new networked computers
Deploying operating systems on client computers
Creating installation packages of applications
Installing applications to client computers

CREATING IMAGES OF OPERATING SYSTEMS
Images of operating systems are created through the reference computer operating system image making task.
To create the reference computer operating system image making task:
1. In the Remote installation folder of the console tree select the Installation packages subfolder.
2. Click the Create installation package link to run the New Package Wizard.
3. In the Select installation package type window of the Wizard click the Create installation package based on OS image of reference computer button.
4. Follow the Wizard's instructions.
The Wizard's activities create an Administration Server task named Copy the OS image from the computer. You can view the task in the Administration Server tasks folder.
When the Copy the OS image from the computer task is completed, an installation package is created that you can use to deploy the operating system on client computers through a PXE server or the remote installation task. You can view the installation package in the Installation packages folder.

ADDING DRIVERS FOR WINDOWS PREINSTALLATION ENVIRONMENT (WINPE)
To add drivers for WinPE:
1. In the Remote installation folder of the console tree select the Deploying computer images subfolder.
2. In the workspace of the Deploying computer images folder, click the Configure driver set for Windows Preinstallation Environment (WinPE) link to open the Windows Preinstallation Environment drivers window.
3. In the Windows Preinstallation Environment drivers window click the Add button.
   The Add driver window opens.

4. In the Add driver window specify the name of a driver and the path to the driver installation package.
   You can specify the path to an installation package by clicking the Select button in the Adding driver window.
5. Click OK.
   The driver will be added to the Administration Server repository. When added to the repository, the driver is displayed in the Select driver window.
6. Click OK in the Select driver window.
   The driver will be added to Windows Preinstallation Environment (WinPE).

ADDING DRIVERS TO AN INSTALLATION PACKAGE WITH AN OPERATING SYSTEM IMAGE
To add drivers to an installation package with an operating system image:
1. In the Remote installation folder of the console tree select the Installation packages subfolder.
2. From the context menu of an installation package with an operating system image select Properties.
   The installation package properties window opens.
3. In the installation package properties window select the Additional drivers section.
4. Click the Add button in the Additional drivers section.
   The Select driver window opens.
5. In the Select driver window select drivers that you want to add to the installation package with the operating system image.
   You can add new drivers to the Administration Server repository by clicking the Add button in the Select driver window.
6. Click OK.
Added drivers are displayed in the Additional drivers section of the properties window of the installation package with the operating system image.

CONFIGURING SYSPREP.EXE UTILITY
The utility sysprep.exe is intended to prepare the computer for the creation of an operating system image.
To configure sysprep.exe utility:
1. In the Remote installation folder of the console tree select the Installation packages subfolder.
2. From the context menu of an installation package with an operating system image select Properties.
   The installation package properties window opens.
3. In the installation package properties window select the sysprep.exe settings section.
4. In the sysprep.exe settings section specify a configuration file that will be used when deploying the operating system on the client computer:
   • Use default configuration file. Select this option to use the answer file generated by default when capturing the operating system image.
   • Specify custom values of main settings. Select this option to specify values for settings via the user interface.
   • Specify configuration file. Select this option to use a custom answer file.
5. To apply the changes made, click the Apply button.

DEPLOYING OPERATING SYSTEMS ON NEW NETWORKED COMPUTERS
To deploy an operating system on new computers that have not yet had any operating system installed:
1. In the Remote installation folder of the console tree select the Deploying computer images subfolder.
2. In the Deploying computer images folder, click the Manage the list of PXE servers in the network link to open the Properties window: Deploying computer images on the PXE servers section.
3. Click the Add button in the PXE servers section, and in the PXE servers window that opens, select a computer that will be used as PXE server.
   The added computer will be displayed in the PXE servers section.
4. In the PXE servers section select a PXE server and click the Properties button.
5. In the properties window of the selected PXE server, on the PXE server connection settings tab configure connection between Administration Server and the PXE server.
6. Boot the client computer on which you want to deploy the operating system.
7. In the BIOS of the client computer select the Network boot installation option.
   The client computer connects to the PXE server and is then displayed in the workspace of the Deploying computer images folder.
8. In the Actions section click the Assign installation package link to select an installation package that will be used for installing the operating system to the selected computer.
   After you have added a computer and assigned an installation package to it, the operating system deployment starts automatically on this computer.
9. To cancel the deployment of an operating system on a client computer, click the Cancel OS image installation link in the Actions section.
To add computers by MAC address,
• click the Add MAC address of target computer link in the Deploying computer images folder to open the New target computer window, and specify the MAC address of a computer that you want to add.
• click the Import MAC addresses of target computers from file link in the Deploying computer images folder to select a file containing a list of MAC addresses of all computers on which you want to deploy an operating system.

DEPLOYING OPERATING SYSTEMS ON CLIENT COMPUTERS
To deploy an operating system on client computers with another operating system installed:
1. In the Remote installation folder of the console tree click the Start Remote Installation Wizard link to run the Remote Installation Wizard.
2. In the Select installation package window of the Wizard specify an installation package with an operating system image.
3. Follow the Wizard's instructions.
The Wizard's activities create a remote installation task intended for installation of the operating system to the client computers. You can start or stop the task in the Tasks for specific computers folder.

CREATING INSTALLATION PACKAGES OF APPLICATIONS
To create an installation package of an application:
1. In the Remote installation folder of the console tree select the Installation packages subfolder.
2. Click the Create installation package link to run the New Package Wizard.

3. In the Select installation package type window of the Wizard click one of the following buttons:
   • Create Kaspersky Lab's installation package. Select this option if you want to create an installation package for a Kaspersky Lab application.
   • Create installation package for specified executable file. Select this option if you want to create an installation package for an application requested by the user.
   • Create installation package based on OS image of reference computer. Select this option if you want to create an installation package with an image of the operating system of a reference computer.
     The Wizard's activities create an Administration Server task named Copy the OS image from the computer. When this task is completed, an installation package is created that you can use to deploy the operating system image through a PXE server or the remote installation task.
4. Follow the Wizard's instructions.
The Wizard's activities create an installation package that you can use to install the application to client computers. You can view the installation package in the Installation packages folder.
For detailed information on installation packages, see Kaspersky Security Center Implementation Guide.

INSTALLING APPLICATIONS TO CLIENT COMPUTERS
To install an application to client computers:
1. In the Remote installation folder of the console tree click the Start Remote Installation Wizard link to run the Remote Installation Wizard.
2. In the Select installation package window of the Wizard specify the installation package of an application that you want to install.
3. Follow the Wizard's instructions.
The Wizard's activities create a remote installation task to install the application to client computers. You can start or stop the task in the Tasks for specific computers folder.

MANAGING MOBILE DEVICES
This section describes how to manage mobile devices connected to Administration Server. For details on how to connect mobile devices, please refer to the Kaspersky Security Center Implementation Guide.

IN THIS SECTION:
Managing mobile devices using an MDM policy
Handling commands for mobile devices
Handling certificates
Managing Exchange ActiveSync mobile devices
Managing iOS MDM mobile devices
Managing KES devices

MANAGING MOBILE DEVICES USING AN MDM POLICY
To manage iOS MDM and EAS devices, you can use the management plug-in of Kaspersky Mobile Device Management 10 Service Pack 1, which is included in the distribution kit of Kaspersky Security Center. Kaspersky Mobile Device Management lets you create group policies for specifying the configuration settings of iOS MDM and EAS devices. A group policy that allows modifying the configuration settings of iOS MDM and EAS devices without using iPhone Configuration Utility and the management profile of Exchange Active Sync, is called an MDM policy.
An MDM policy provides the administrator with the following options:
• For managing EAS devices:
  • Configuring the device unlocking password.
  • Configuring the data storage on the device in encrypted form.
  • Configuring the synchronization of the corporate mail.
  • Configuring the hardware features of mobile devices, such as the use of removable media, the use of the camera, or the use of Bluetooth.
  • Configuring restrictions on the use of mobile applications on the device.
• For managing iOS MDM devices:
  • Configuring device password security settings.
  • Configuring restrictions on usage of hardware features of the device and restrictions on installation and removal of mobile apps.
  • Configuring restrictions on usage of pre-installed mobile apps, such as YouTube, iTunes Store, Safari.
  • Configuring restrictions on media content viewed (such as movies and TV shows) by region where the device is located.
  • Configuring settings of device connection to the Internet via the proxy server (Global HTTP proxy).
  • Configuring the settings of the account using which the user can access corporate apps and services (Single Sign On technology).
  • Monitoring Internet usage (visits to websites) on mobile devices.
  • Configuring settings of wireless networks (Wi-Fi), access points (APN), and virtual private networks (VPN) that use different authentication mechanisms and network protocols.
  • Configuring settings of the connection to AirPlay devices for streaming photos, music, and videos.
  • Configuring settings of the connection to AirPrint printers for wireless printing of documents from the device.

   • Configuring settings of synchronization with the Microsoft Exchange server and user accounts for using corporate email on devices.
   • Configuring user accounts for synchronization with the LDAP directory service.
   • Configuring user accounts for connecting to CalDAV and CardDAV services that give users access to corporate calendars and contact lists.
   • Configuring settings of the iOS interface on the user's device, such as fonts or icons for favorite websites.
   • Adding new security certificates on devices.
   • Configuring settings of the SCEP server for automatic retrieval of certificates by the device from the Certification Center.
   • Adding custom settings for operation of mobile apps.

The general operating principles of an MDM policy do not differ from the operating principles of policies created for managing other apps. An MDM policy is special in that it is assigned to an administration group that includes the iOS MDM Mobile Device Server and the Exchange Active Sync mobile device server (hereinafter "mobile device servers"). All settings specified in an MDM policy are first applied to mobile device servers and then to mobile devices managed by such servers. In the case of a hierarchical structure of administration groups, slave mobile device servers receive MDM policy settings from master mobile device servers and distribute them to mobile devices.

For detailed information about how to use the MDM policy in Administration Console of Kaspersky Security Center please refer to the Kaspersky Security Mobile Administrator's Guide.

HANDLING COMMANDS FOR MOBILE DEVICES

This section contains information about commands for mobile devices management supported by the application. The section provides instructions on how to send commands to mobile devices, as well as how to view the execution statuses of commands in the commands log.

COMMANDS FOR MOBILE DEVICE MANAGEMENT

The application supports commands for mobile devices management. Such commands are used for remote management of mobile devices. For example, in case your mobile device is lost, you can delete all corporate data from the device by using a command.

Commands are used on three types of mobile devices:
• iOS MDM devices
• KES devices
• EAS devices.

Each device type supports a dedicated set of commands. The following table shows sets of commands for each of the device types.

For all types of devices, if the Delete data command is successfully executed, all data will be deleted from the device, and the device settings will be rolled back to their default values.

After successful execution of the Delete corporate data command on an iOS MDM device, all installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected, are removed from the device.

If the Delete corporate data command is successfully executed on a KES device, all corporate data, entries in Contacts, the SMS history, the call log, the calendar, the Internet connection settings, and the user's accounts, except for the Google account, will be deleted from the device. For a KES device, all data from the memory card will also be deleted.

Table 10. List of supported commands

| MOBILE DEVICE TYPE | COMMANDS | COMMAND EXECUTION RESULT |
|---|---|---|
| iOS MDM device | Lock | Device locked. |
| | Unlock | Device locking with a PIN code is disabled. The previously specified PIN code has been reset. |
| | Delete data | All data deleted from the device, settings rolled back to the default values. |
| | Delete corporate data | All installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected, are removed from the device. |
| | Force synchronization | Device data synchronized with Administration Server. |
| | Install profile | Configuration profile installed on the device. |
| | Delete profile | Configuration profile deleted from the device. |
| | Install provisioning profile | Provisioning profile installed on the device. |
| | Delete provisioning profile | Provisioning profile deleted from the device. |
| | Install application | Application installed on the device. |
| | Remove application | Application removed from the device. |
| | Enter redemption code | Redemption code entered for a paid application. |
| | Configure roaming | Data roaming and voice roaming enabled or disabled. |
| KES device | Lock | Device locked. |
| | Unlock | Device locking with a PIN code is disabled. The previously specified PIN code has been reset. |
| | Delete data | All data deleted from the device, settings rolled back to the default values. |
| | Delete corporate data | Corporate data, entries in Contacts, the SMS history, the call log, the calendar, the Internet connection settings, the user's accounts (except for the Google account) have been deleted. Memory card data has been wiped. |
| | Force synchronization | Device data synchronized with Administration Server. |
| | Locate | Device locked. Device located and shown on Google Maps™. The mobile carrier charges a fee for sending the text message and for providing Internet connection. |
| | Alarm | Device locked. The device emits a sound signal. |
| | Mugshot | Device locked. The photo has been taken by the front camera of the device and saved on Administration Server. Photos can be viewed in the command log. The mobile carrier charges a fee for sending the text message and for providing Internet connection. |
| EAS device | Delete data | All data deleted from the device, settings rolled back to the default values. |

USING GOOGLE CLOUD MESSAGING

To ensure timely delivery of commands to KES devices managed by Android operating systems, Kaspersky Security Center uses the mechanism of push notifications. Push notifications are exchanged between KES devices and Administration Server through Google Cloud Messaging. In Kaspersky Security Center Administration Console, you can define the settings of Google Cloud Messaging to connect KES devices to the service.

To retrieve the settings of Google Cloud Messaging, the administrator must have a Google account. For more details on how to retrieve the settings of Google Cloud Messaging, please refer to the corresponding article in the Knowledge Base on the website of Technical Support http://support.kaspersky.com/11770.

To configure Google Cloud Messaging:
1. In the Mobile devices management folder of the console tree, select the Mobile devices subfolder.
2. In the context menu of the Mobile devices folder, select Properties.
   This opens the properties window of the Mobile devices folder.
3. Select the Google Cloud Messaging settings section.
4. In the Sender ID field, specify the number of a Google API project that you have received when creating one in the Google Developer Console.
5. In the API key field, enter a common API key that you have created in the Google Developer Console.

At the next synchronization with Administration Server, KES devices managed by Android operating systems will be connected to Google Cloud Messaging.

You can edit the settings of Google Cloud Messaging by clicking the Reset settings button.

SENDING COMMANDS

To send a command to the user's mobile device:
1. In the Mobile Device Management folder of the console tree, select the Mobile devices subfolder.
   The folder workspace displays a list of managed mobile devices.
2. Select the user's mobile device to which you need to send a command.
3. In the context menu of the mobile device, select Show command log.
4. In the Commands for mobile devices management window, proceed to the section with the name of the command that you need to send to the mobile device, then click the Send command button.
   Depending on the command that you have selected, clicking the Send command button may open the window of advanced settings of the application. For example, when you send the command for deleting a provisioning profile from a device, the application prompts you to select the provisioning profile that should be deleted from the device. Define the advanced settings of the command in that window and confirm your selection. After that, the command will be sent to the mobile device.
   You can click the Resend button to send the command to the user's mobile device once again.
   You can click the Remove from queue button to cancel execution of a command that had been sent if the latter has not yet been executed.
   The Command log section displays commands that have been sent to the device, with the respective execution statuses. You can click the Refresh button to refresh the list of commands.
5. Click the OK button to close the Commands for mobile devices management window.

VIEWING THE STATUSES OF COMMANDS IN THE COMMAND LOG

The application saves to the command log information about all commands that have been sent to mobile devices. The command log contains information about the time and date each command was sent to the device, their statuses, and detailed descriptions of command execution results. For example, in case a command fails to be executed, the log displays the cause of the error. Records are stored in the command log for 30 days at most.

Commands sent to mobile devices can have the following statuses:
• Running – the command has been sent to the device
• Completed – the command execution has been successfully completed
• Completed with error – the command execution has failed
• Deleting – the command is being removed from the queue of commands sent to the mobile device
• Deleted – the command has been removed from the queue of commands sent to the mobile device
• Error deleting – the command could not be removed from the queue of commands sent to the mobile device.

The application maintains a command log for each mobile device.

To view the log of commands that have been sent to a mobile device:
1. In the Mobile Device Management folder of the console tree, select the Mobile devices subfolder.
   The folder workspace displays a list of managed mobile devices.
2. In the list of mobile devices, select the one for which you want to view the command log.
3. In the context menu of the mobile device, select Show command log.
   The Commands for mobile devices management window opens. The sections of the Commands for mobile devices management window correspond to the commands that can be sent to the mobile device.
4. Select sections with the commands that you need and view information about how the commands are sent and executed by opening the Command log section.

In the Command log section, you can view the list of commands that have been sent to the mobile device and details on those commands. The Show commands filter lets you display only commands with the selected status in the list.

HANDLING CERTIFICATES

This section contains information about how to handle certificates of mobile devices. The section contains instructions on how to install certificates on users' mobile devices and how to configure certificate handing rules. The section also contains instructions on how to integrate the application with the public keys infrastructure and how to configure the support of Kerberos.

INSTALLING A CERTIFICATE

You can install three types of certificates to a user's mobile device:
• General certificates for identifying the mobile device
• Mail certificates for configuring the corporate mail on the mobile device
• VPN certificate for setting up access to a virtual private network on the mobile device.

To install a certificate on a user's mobile device:
1. In the console tree, open the Mobile Device Management folder and select the Certificates subfolder.
2. In the workspace of the Certificates folder, click the Add certificate link to run the Certificate Installation Wizard.
   Follow the Wizard's instructions.

After the Wizard completes its activities, a certificate will be created and added to the list of the user's certificates; in addition, a notification will be sent to the user providing him or her with a link for downloading and installing the certificate on the mobile device.

You can view the list of all certificates and export it to a file (see the section "Viewing the list of certificates handed to a user" on page 83). You can delete and re-hand certificates, as well as view their properties.

CONFIGURING CERTIFICATE HANDING RULES

To configure certificate handing rules:
1. In the console tree, open the Mobile Device Management folder and select the Certificates subfolder.
2. In the workspace of the Certificates folder, click the Configure certificate handing rules link to open the Certificate generation rules window.
3. Proceed to the section with the name of a certificate type:
   • Generation of general type certificates – to configure handing of general-type certificates
   • Generation of mail certificates – to configure handing of mail certificates
   • Generation of VPN certificates – to configure handing of VPN certificates.
4. In the Generation settings section, configure the handing of the certificate:
   • Select a source of certificates (Administration Server or Certificates are specified manually).
     Administration Server is selected as the default source of certificates.

   • Specify a certificate template (Default template, Other template).
     Configuration of templates is available if the PKI integration section features the integration with the public keys infrastructure configured (on page 117).
5. In the Automatic update settings section, configure automatic updates of the certificate:
   • In the Update when certificate expires in (days) field, specify how many days should remain until the validity term expiration to update the certificate.
   • To enable automatic updates of certificates, select the Renew certificate automatically if possible check box.
   A general-type certificate can be renewed manually only.
6. In the Encryption settings section, enable and configure encryption of generated certificates.
   Encryption is only available for general-type certificates.
   a. Select the Enable encryption of certificates check box.
   b. Use the slider to define the maximum number of symbols in the password for encryption.
7. Click OK.

INTEGRATION WITH THE PUBLIC KEYS INFRASTRUCTURE

Integration of the application with the Public Key Infrastructure (PKI) is required to simplify generation of domain certificates for users. Following integration, certificates are issued automatically.

You need to configure the account for integration with PKI. The account must meet the following requirements:
• Be a domain user and administrator of the computer hosting the Administration Server.
• Be granted the SeServiceLogonRight privilege on the computer hosting the Administration Server.

To create a permanent user profile, log on at least once under the configured account on the computer hosting the Administration Server. In this user's repository of certificates on the computer hosting the Administration Server, install the Enrollment Agent certificate provided by domain administrators.

To configure integration with the public keys infrastructure:
1. In the console tree, open the Mobile Device Management folder and select the Certificates subfolder.
2. In the workspace, click the Integrate with public-key infrastructure link to open the PKI integration section of the Certificate generation rules window.
   This opens the Integration with PKI section of the Certificate generation rules window.
3. Select the Integrate abstract of certificates with PKI check box.
4. In the Account field, specify the name of the user account to be used for integration with the public key infrastructure.
5. In the Password field, enter the domain password for the account.
6. In the Specify certificate template name in PKI system list, select the certificate template based on which certificates will be generated for domain users.
   A dedicated service is launched in Kaspersky Security Center under the specified account. This service is responsible for issuing domain certificates of users. The service is started when the list of certificate templates is loaded by clicking the Update list button or when a certificate is generated.
7. Click OK to save the settings.

Following integration, certificates are issued automatically.

ENABLING SUPPORT OF KERBEROS CONSTRAINED DELEGATION

The application supports usage of Kerberos Constrained Delegation.

To enable support of Kerberos Constrained Delegation:
1. In the console tree, select the Mobile Device Management folder.
2. In the workspace of the Mobile Device Management folder, select an iOS MDM Mobile devices server.

3. Select Properties from the context menu of the iOS MDM Mobile devices server.
   The Mobile devices server properties window opens.
4. In the properties window of the iOS MDM Mobile Devices Server, select the Settings section.
5. In the Settings section, select the Ensure compatibility with Kerberos Constrained Delegation check box.
6. Click OK.

MANAGING EXCHANGE ACTIVESYNC MOBILE DEVICES

This section describes advanced features for management of EAS devices through Kaspersky Security Center.

In addition to management of EAS devices by means of commands, the administrator can use the following options:
• Create management profiles for EAS devices, assign them to users' mailboxes (see page 118). EAS device management profile is a policy of Exchange ActiveSync that is used on a Microsoft Exchange server to manage EAS devices. In an EAS device management profile, you can configure the following groups of settings:
   • User password management settings
   • Mail synchronization settings
   • Restrictions on the use of the device features
   • Restrictions on the use of mobile applications on the device.
  Depending on the device model, settings of a management profile can be applied partially. The status of an Exchange ActiveSync policy that has been applied can be viewed in the device's properties.
• View information about the settings of EAS device management (see page 119). For example, the administrator can refer to the properties of a mobile device to know the time of the last synchronization with a Microsoft Exchange server, the ID of the EAS device, the name of the Exchange ActiveSync policy, and its current status on the device.
• Disconnect EAS devices from management if they are out of use (see page 120).
• Define the settings of Active Directory polling by Exchange ActiveSync Mobile Device Server, which allows updating the information about users' mailboxes and mobile devices.

For information about how to connect Exchange ActiveSync mobile devices to Exchange ActiveSync mobile devices server, refer to the Kaspersky Security Center Implementation Guide.

ADDING A MANAGEMENT PROFILE

To manage EAS devices, you can create EAS device management profiles and assign them to selected Microsoft Exchange mailboxes.

Only one EAS device management profile can be assigned to a Microsoft Exchange mailbox.

To add an EAS device management profile for a Microsoft Exchange mailbox:
1. In the console tree, select the Mobile Device Management folder.
2. In the workspace of the Mobile Device Management folder, select an iOS MDM Mobile Device Server.
3. Select Properties in the context menu of the Exchange ActiveSync Mobile Device Server.
   The Mobile devices server properties window opens.
4. In the properties window of the Exchange ActiveSync Mobile Devices Server, select the Mailboxes section.
5. Select a mailbox and click the Assign profile button.
   The Policy profiles window opens.
6. In the Policy profiles window, click the Add button.
   The New profile window opens.

7. Configure the profile on the tabs of the New profile window.
   • If you want to specify the profile name and refreshing interval, go to the General tab.
   • If you want to configure the password of the mobile device user, go to the Password tab.
   • If you want to configure synchronization with the Microsoft Exchange server, go to the Synchronization settings tab.
   • If you want to configure restrictions of the device's features, go to the Device tab.
   • If you want to configure restriction of the use of mobile applications on the device, go to the Applications on device tab.
8. Click OK.
   The new profile will be displayed on the list of profiles in the Policy profiles window.
   If you want this profile to be automatically assigned to new mailboxes, as well as to those of which the profiles have been deleted, select it on the list of profiles and click the Set as default profile button.
   The default profile cannot be deleted. To delete the current default profile, you should assign the "default profile" attribute to a different profile.
9. Click OK in the Policy profiles window.

The management profile settings will be applied on the EAS device at the next synchronization of the device with the Exchange ActiveSync Mobile device server.

DELETING A MANAGEMENT PROFILE

To delete an EAS device management profile for a Microsoft Exchange mailbox:
1. In the console tree, select the Mobile Device Management folder.
2. In the workspace of the Mobile Device Management folder, select an iOS MDM Mobile Device Server.
3. Select Properties in the context menu of the Exchange ActiveSync Mobile Device Server.
   The Mobile devices server properties window opens.
4. In the properties window of the Exchange ActiveSync Mobile Devices Server, select the Mailboxes section.
5. Select a mailbox and click the Change profiles button.
   The Policy profiles window opens.
6. In the Policy profiles window, select the profile that you want to delete and click the deletion button marked with a red cross.
   The selected profile will be removed from the list of management profiles. The current default profile will be applied to EAS devices managed by the profile that has been deleted.
   If you want to delete the current default profile, re-assign the 'default profile' property to another profile, then delete the first one.

VIEWING INFORMATION ABOUT AN EAS DEVICE

To view information about an EAS device:
1. In the Mobile Device Management folder of the console tree, select the Mobile devices subfolder.
   The folder workspace displays a list of managed mobile devices.
2. In the workspace, filter EAS devices by clicking the Exchange ActiveSync (EAS) link.
3. From the context menu of the mobile device select Properties.
   As a result, the properties window of the EAS device opens.

The properties window of the mobile device displays information about the connected EAS device.

DISCONNECTING AN EAS DEVICE FROM MANAGEMENT

To disconnect an EAS device from management by the Exchange ActiveSync Mobile Device Server:
1. In the Mobile Device Management folder of the console tree, select the Mobile devices subfolder.
   The folder workspace displays a list of managed mobile devices.
2. In the workspace, filter EAS devices by clicking the Exchange ActiveSync (EAS) link.
3. Select the mobile device that you need to disconnect from management by the Exchange ActiveSync Mobile Device Server.
4. In the context menu of the mobile device, select Remove.

As a result, the EAS device is marked for removal with a red cross icon. The device is removed from the list of managed devices after it is removed from the database of the Exchange ActiveSync Mobile Device Server. To do so, the administrator has to remove the user's account on the Microsoft Exchange server.

MANAGING IOS MDM MOBILE DEVICES

This section describes advanced features for management of iOS MDM devices through Kaspersky Security Center. The application supports the following options for management of iOS MDM mobile devices:
• Define the settings of managed iOS MDM devices in centralized mode and restrict features of devices by means of configuration profiles. You can add or modify configuration profiles and install them on mobile devices.
• Install apps on mobile devices bypassing App Store by means of provisioning profiles. For example, you can use provisioning profiles for installation of in-house corporate apps on users' devices. A provisioning profile contains information about an app and a device.
• Install apps on an iOS MDM mobile device via App Store. Before installing an application to an iOS MDM mobile device, you should add the application to the iOS MDM mobile devices server.

Every 24 hours, a PUSH notification is sent to all connected iOS MDM mobile devices in order to synchronize the data with the iOS MDM Mobile Device Server.

For information about how to install an iOS MDM Mobile Device Server please refer to the Kaspersky Security Center Implementation Guide.

You can use the device properties window to view information about the configuration profile and the provisioning profile, as well as applications installed on the iOS MDM device (see the section "Viewing information about an iOS MDM device" on page 125).

ADDING A CONFIGURATION PROFILE

To create a configuration profile, you should install iPhone Configuration Utility to the computer where Administration Console is installed. You should download iPhone Configuration Utility from Apple Inc. website and install it by using standard tools of your operating system.

To create a configuration profile and add it to an iOS MDM Mobile devices server:
1. In the console tree, select the Mobile Device Management folder.
2. In the workspace of the Mobile Device Management folder, select an iOS MDM Mobile devices server.
3. Select Properties from the context menu of the iOS MDM Mobile devices server.
   The Mobile devices server properties window opens.
4. In the properties window of the iOS MDM Mobile devices server, select the Configuration profiles section.
5. In the Configuration profiles section, click the Create button.
   The Add new configuration profile window opens.
6. In the Add new configuration profile window, specify a name and ID for the profile.
   The configuration profile ID should be unique; the value should be specified in Reverse-DNS format, for example, com.companyname.identifier.

7. Click OK.
   An application named iPhone Configuration Utility then starts.
8. Reconfigure the profile in iPhone Configuration Utility.
   For a description of the profile settings and instructions on how to configure the profile, please refer to the documentation enclosed with iPhone Configuration Utility.

After you have configured the profile with iPhone Configuration Utility, the new configuration profile is displayed in the Configuration profiles section in the properties window of the iOS MDM Mobile devices server.

You can click the Modify button to modify the configuration profile.

You can click the Import button to load the configuration profile to a program.

You can click the Export button to save the configuration profile to a file.

The profile that you have created should be installed on iOS MDM devices (see the section "Installing a configuration profile on a device" on page 121).

INSTALLING A CONFIGURATION PROFILE TO A DEVICE

To install a configuration profile to a mobile device:
1. In the Mobile Device Management folder of the console tree, select the Mobile devices subfolder.
   The folder workspace displays a list of managed mobile devices.
2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.
3. Select the user's mobile device on which you need to install a configuration profile.
   You can select multiple mobile devices to install the profile simultaneously.
4. In the context menu of the mobile device, select Show command log.
5. In the Commands for mobile devices management window, go to the Install profile section and click the Send command button.
   You can also send the command to the device by selecting All commands in the context menu of the device, and then Install profile.
   As a result, the Select profiles window opens showing a list of profiles. Select from the list the profile that you need to install on the mobile device. You can select several profiles to install them on the device simultaneously. To select the range of profiles, use the SHIFT key. To combine profiles into a group, use the CTRL key.
6. Click the OK button to send the command to the mobile device.
   When the command is executed, the selected configuration profile will be installed on the user's mobile device. If the command is successfully executed, the current status of the command in the commands log will be shown as Completed.
   You can click the Resend button to send the command to the user's mobile device once again.
   You can click the Remove from queue button to cancel execution of a command that had been sent if the latter has not yet been executed.
   The Command log section displays commands that have been sent to the device, with the respective execution statuses. You can click the Refresh button to refresh the list of commands.
7. Click the OK button to close the Commands for mobile devices management window.

The profile that you have installed can be viewed and removed, if necessary (see the section "Removing a configuration profile from a device" on page 121).

REMOVING A CONFIGURATION PROFILE FROM A DEVICE

To remove a configuration profile from a mobile device:
1. In the Mobile Device Management folder of the console tree, select the Mobile devices subfolder.
   The folder workspace displays a list of managed mobile devices.
2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.

3. Select the user's mobile device from which you need to remove the configuration profile.
   You can select multiple mobile devices to remove the profile simultaneously.
4. In the context menu of the mobile device, select Show command log.
5. In the Commands for mobile devices management window, go to the Remove profile section and click the Send command button.
   You can also send the command to the mobile device by selecting All commands from the context menu of the device, then selecting Remove profile.
   As a result, the Remove profile window opens showing the list of profiles.
6. Select from the list the profile that you need to remove from the mobile device.
   You can select multiple profiles to remove them from the device simultaneously. To select the range of profiles, use the SHIFT key. To combine profiles into a group, use the CTRL key.
7. Click the OK button to send the command to the mobile device.
   When the command is executed, the selected configuration profile will be removed from the user's mobile device. If the command is executed successfully, the current status of the command will be shown as Completed.
   You can click the Resend button to send the command to the user's mobile device once again.
   You can click the Remove from queue button to cancel execution of a command that had been sent if the latter has not yet been executed.
   The Command log section displays commands that have been sent to the device, with the respective execution statuses. You can click the Refresh button to refresh the list of commands.
8. Click the OK button to close the Commands for mobile devices management window.

ADDING PROVISIONING PROFILE

To add a provisioning profile to iOS MDM mobile devices server:
1. In the console tree, select the Mobile Device Management folder.
2. In the workspace of the Mobile Device Management folder, select an iOS MDM Mobile devices server.
3. Select Properties from the context menu of the iOS MDM Mobile devices server.
   The Mobile devices server properties window opens.
4. In the properties window of the iOS MDM Mobile Devices Server, go to the Provisioning profiles section.
5. In the Provisioning profiles section, click the Import button and specify the path to a provisioning profile file.

The profile will be added to the iOS MDM mobile devices server settings.

You can click the Export button to save the provisioning profile to a file.

The provisioning profile that you have imported can be installed on iOS MDM devices (see the section "Installing a provisioning profile on a device" on page 122).

INSTALLING A PROVISIONING PROFILE TO A DEVICE

To install a provisioning profile on a mobile device:
1. In the Mobile Device Management folder of the console tree, select the Mobile devices subfolder.
   The folder workspace displays a list of managed mobile devices.
2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.
3. Select the user's mobile device on which you need to install the provisioning profile.
   You can select multiple mobile devices to install the provisioning profile simultaneously.
4. In the context menu of the mobile device, select Show command log.
5. In the Commands for mobile devices management window, go to the Install provisioning profile section and click the Send command button.
   You can also send the command to the mobile device by selecting All commands from the context menu of the device, then selecting Install provisioning profile.

   As a result, the Select provisioning profiles window opens showing a list of provisioning profiles.
6. Select from the list the provisioning profile that you need to install on the mobile device. You can select multiple provisioning profiles to install them on the device simultaneously. To select the range of provisioning profiles, use the SHIFT key. To combine provisioning profiles into a group, use the CTRL key.
7. Click the OK button to send the command to the mobile device.
   When the command is executed, the selected provisioning profile will be installed on the user's mobile device. If the command is successfully executed, the current status of the command in the commands log will be shown as Completed.
   You can click the Resend button to send the command to the user's mobile device once again.
   You can click the Remove from queue button to cancel execution of a command that had been sent if the latter has not yet been executed.
   The Command log section displays commands that have been sent to the device, with the respective execution statuses. You can click the Refresh button to refresh the list of commands.
8. Click the OK button to close the Commands for mobile devices management window.

The profile that you have installed can be viewed and removed, if necessary (see the section "Removing a provisioning profile from a device" on page 123).

REMOVING A PROVISIONING PROFILE FROM A DEVICE

To remove a provisioning profile from a mobile device:
1. In the Mobile Device Management folder of the console tree, select the Mobile devices subfolder.
   The folder workspace displays a list of managed mobile devices.
2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.
3. Select the user's mobile device from which you need to remove the provisioning profile.
   You can select multiple mobile devices to remove the provisioning profile simultaneously.
4. In the context menu of the mobile device, select Show command log.
5. In the Commands for mobile devices management window, go to the Delete provisioning profile section and click the Send command button.
   You can also send the command to the mobile device by selecting All commands from the context menu, then selecting Delete provisioning profile.
   As a result, the Delete provisioning profile window opens showing the list of profiles.
6. Select from the list the provisioning profile that you need to remove from the mobile device. You can select multiple provisioning profiles to remove them from the device simultaneously. To select the range of provisioning profiles, use the SHIFT key. To combine provisioning profiles into a group, use the CTRL key.
7. Click the OK button to send the command to the mobile device.
   When the command is executed, the selected provisioning profile will be removed from the user's mobile device. Applications that are related to the deleted provisioning profile will not be operable. If the command is executed successfully, the current status of the command will be shown as Completed.
   You can click the Resend button to send the command to the user's mobile device once again.
   You can click the Remove from queue button to cancel execution of a command that had been sent if the latter has not yet been executed.
   The Command log section displays commands that have been sent to the device, with the respective execution statuses. You can click the Refresh button to refresh the list of commands.
8. Click the OK button to close the Commands for mobile devices management window.

ADDING A MANAGED APPLICATION

Before installing an application to an iOS MDM mobile device, you should add the application to the iOS MDM mobile devices server. An application is considered as managed if it has been installed on a device via Kaspersky Security Center. A managed application can be handled remotely by means of Kaspersky Security Center.

To add a managed application to an iOS MDM mobile devices server:
1. In the console tree, select the Mobile Device Management folder.
2. Select an iOS MDM Mobile Device Server.
3. Select Properties from the context menu of the iOS MDM Mobile devices server.
   The properties window of the iOS MDM mobile device server opens.
4. In the properties window of the iOS MDM mobile devices server select the Managed applications section.
5. Click the Add button in the Managed applications section.
   The Add an application window opens.
6. In the Add an application window, in the Application name field, specify the name of the application to be added.
7. In the Apple ID or link to the application field, specify the Apple ID of the application to be added, or specify a link to a manifest file that can be used to download the application.
8. If you want a managed application to be removed from the user's mobile device along with the iOS MDM profile when removing the latter, select the Remove together with iOS MDM profile check box.
9. If you want to block backup of application data through iTunes, select the Block data backup check box.
10. Click OK.

The added application is displayed in the Managed applications section of the properties window of the iOS MDM mobile devices server.

INSTALLING AN APPLICATION ON A DEVICE

To install an application on a mobile device:
1. In the Mobile Device Management folder of the console tree, select the Mobile devices subfolder.
   The folder workspace displays a list of managed mobile devices.
2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.
3. Select the device on which you want to install an application.
   You can select multiple mobile devices to install the application simultaneously.
4. In the context menu of the mobile device, select Show command log.
5. In the Mobile device management commands window, go to the Install application section and click the Send command button.
   You can also send the command to the device by selecting All commands in the context menu of the device, and then Install application.
   As a result, the Select applications window opens showing a list of profiles.
6. Select from the list the application that you need to install on the mobile device. You can select multiple applications to install them simultaneously. To select a range of applications, use the SHIFT key. To combine applications into a group, use the CTRL key.
7. Click the OK button to send the command to the mobile device.
   When the command is executed, the selected application will be installed on the user's mobile device. If the command is successfully executed, the current status of the command in the commands log will be shown as Completed.
   You can click the Resend button to send the command to the user's mobile device once again.
   You can click the Remove from queue button to cancel execution of a command that had been sent if the latter has not yet been executed.
   The Command log section displays commands that have been sent to the device, with the respective execution statuses. You can click the Refresh button to refresh the list of commands.
8. Click the OK button to close the Commands for mobile devices management window.

The profile that you have installed can be viewed (see the section "Viewing information about an iOS MDM device" on page 125) and removed, if necessary (see the section "Removing a provisioning profile from a device" on page 125).

REMOVING AN APPLICATION FROM A DEVICE

To remove an application from a mobile device:
1. In the Mobile Device Management folder of the console tree, select the Mobile devices subfolder.
   The folder workspace displays a list of managed mobile devices.
2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.
3. Select the user's mobile device from which you need to remove the application.
   You can select multiple mobile devices to remove the application simultaneously.
4. In the context menu of the mobile device, select Show command log.
5. In the Mobile device management commands window, go to the Remove application section and click the Send command button.
   You can also send the command to the mobile device by selecting All commands from the context menu of the device, then selecting Remove application.
   As a result, the Remove applications window opens showing a list of applications.
6. Select from the list the application that you need to remove from the mobile device. You can select multiple applications to remove them simultaneously. To select a range of applications, use the SHIFT key. To combine applications into a group, use the CTRL key.
7. Click the OK button to send the command to the mobile device.
   When the command is executed, the selected application will be removed from the user's mobile device. If the command is executed successfully, the current status of the command will be shown as Completed.
   You can click the Resend button to send the command to the user's mobile device once again.
   You can click the Remove from queue button to cancel execution of a command that had been sent if the latter has not yet been executed.
   The Command log section displays commands that have been sent to the device, with the respective execution statuses. You can click the Refresh button to refresh the list of commands.
8. Click the OK button to close the Commands for mobile devices management window.

VIEWING INFORMATION ABOUT AN IOS MDM DEVICE

To view information about an iOS MDM device:
1. In the Mobile Device Management folder of the console tree, select the Mobile devices subfolder.
   The folder workspace displays a list of managed mobile devices.
2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.
3. Select the mobile device whose information you need to view.
4. From the context menu of the mobile device select Properties.
   As a result, the properties window of the iOS MDM device opens.

The properties window of the mobile device displays information about the connected iOS MDM device.

DISCONNECTING AN IOS MDM DEVICE FROM MANAGEMENT

To disconnect an iOS MDM device from the iOS MDM Mobile Device Server:
1. In the Mobile Device Management folder of the console tree, select the Mobile devices subfolder.
   The folder workspace displays a list of managed mobile devices.
2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.
3. Select the mobile device that you need to disconnect.
4. In the context menu of the mobile device, select Remove.

As a result, the iOS MDM device will be marked on the list for removal. The device will be automatically removed from the list of managed devices after the former is removed from the database of the iOS MDM Mobile Device Server. Removing a device from the database of the iOS MDM Mobile Device Server takes up to one minute.

After the iOS MDM device is disconnected from management, all installed configuration profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected, will be removed from the device (see the section "Adding a managed application" on page 123).

MANAGING KES DEVICES

Kaspersky Security Center supports the following mobile KES device management features:
- Manage KES devices in centralized mode by means of commands (see the section "Commands for mobile devices management" on page 113)
- View information about the settings for management of KES devices (see the section "Viewing information about a KES device" on page 126)
- Install applications by means of packages of mobile applications (see the section "Creating a mobile app package for KES devices" on page 126)
- Disconnect KES devices from management (see the section "Disconnecting a KES device from management" on page 127).

For detailed information about how to handle KES devices and connect them to Administration Server please refer to the Kaspersky Security Center 10 Implementation Guide.

CREATING A MOBILE APP PACKAGE FOR KES DEVICES

A Kaspersky Endpoint Security 10 for Mobile Devices license is required to create a mobile app package for KES devices.

You can place a third-party app in a container. Containers are used to control activities of applications running on the user's mobile device. Security policy rules can be applied to applications placed into a container. You can configure rules for applications in the properties window of the policy of Kaspersky Endpoint Security 10 for Mobile, in the Containers section. For more details on containers and how to manage them, please refer to the documentation enclosed with Kaspersky Endpoint Security 10 for Mobile.

You cannot place the Kaspersky Endpoint Security 10 for Mobile installation package into a container.

To create a mobile applications package:
1. In the Remote installation folder of the console tree select the Installation packages subfolder.
2. In the workspace of the Installation packages folder, click the Manage packages of mobile applications link to open the Mobile applications packages management window.
3. In the Mobile applications packages management window, click New.
   The Mobile Applications Package Creation Wizard starts.
4. If you want to place an application into a container, in the Settings window of the Wizard, select the Create container with selected application check box.
5. Follow the Wizard's instructions.

The newly created mobile applications package is displayed in the Mobile applications packages management window.

VIEWING INFORMATION ABOUT A KES DEVICE

To view information about a KES device:
1. In the Mobile Device Management folder of the console tree, select the Mobile devices subfolder.
   The folder workspace displays a list of managed mobile devices.
2. In the workspace, filter KES devices by clicking the Kaspersky Endpoint Security (KES) link.
3. Select the mobile device whose information you need to view.
4. From the context menu of the mobile device select Properties.
   This opens the properties window of the KES device.

The properties window of the mobile device displays information about the connected KES device.

DISCONNECTING A KES DEVICE FROM MANAGEMENT

To disconnect a KES device from management, the user has to remove Network Agent from the device. Once the user has removed Network Agent, device information is removed from the database of the Administration Server, and the administrator can remove the device from the list of managed devices.

To remove a KES device from the list of managed devices:
1. In the Mobile Device Management folder of the console tree, select the Mobile devices subfolder.
   The folder workspace displays a list of managed mobile devices.
2. In the workspace, filter KES devices by clicking the Kaspersky Endpoint Security (KES) link.
3. Select the mobile device that you need to disconnect from management.
4. In the context menu of the mobile device, select Remove.

As a result, the device is removed from the list of managed devices.

If Kaspersky Endpoint Security for Android has not been removed from the device, the device reappears on the list of managed devices after synchronization with the Administration Server.

SELF SERVICE PORTAL

This section contains information about Self Service Portal. The section provides Self Service Portal login instructions for users as well as instructions on creating Self Service Portal accounts and adding mobile devices on Self Service Portal.

IN THIS SECTION:
About Self Service Portal
Adding a device
Creating an account for Self Service Portal

ABOUT SELF SERVICE PORTAL

Self Service Portal is a web portal that lets the administrator delegate some of the mobile device management functions to users. A mobile device user who has signed in on Self Service Portal can add a device on Self Service Portal. After a device is added, Network Agent will be installed on it, and corporate policies will be applied to the device (see the section "Adding a device" on page 129). After this the device becomes a managed device. If necessary (for example, when the user device has been lost or stolen), the user can sign in to Self Service Portal and send commands to the managed device.

Self Service Portal supports automatic user authorization using Kerberos Constrained Delegation and domain authorization.

Self Service Portal supports mobile devices with the iOS and Android operating systems. A proprietary set of commands is supported for each type of device (see the following table).

Table 11. List of supported commands

MOBILE DEVICE TYPE | COMMANDS | COMMAND EXECUTION RESULT
iOS MDM device | Lock | Device locked.
iOS MDM device | Delete data | All data has been deleted from the device, settings have been rolled back to the default values, and the device is no longer managed.
iOS MDM device | Delete corporate data | Corporate data, iOS MDM profile, and Network Agent have been deleted, and the device is no longer managed.
KES device | Lock | Device locked.
KES device | Alarm | Device locked. The device emits a sound signal.
KES device | Mugshot | Device locked. The photo has been taken by the front camera of the device and saved on Administration Server. Photos can be viewed in the command log on Self Service Portal. The mobile carrier charges a fee for sending the text message and for providing Internet connection.
KES device | Locate | Device locked. Device located and shown on Google Maps™. The mobile carrier charges a fee for sending the text message and for providing Internet connection.
KES device | Delete data | All data has been deleted from the device, settings have been rolled back to the default values, and the device is no longer managed.
KES device | Delete corporate data | Corporate data, iOS MDM profile, and Network Agent have been deleted, and the device is no longer managed.

Self Service Portal uses the global list of Kaspersky Security Center users. The list is expanded automatically when importing users from Active Directory (see the section "Viewing and modifying Active Directory group properties" on page 93) or manually (see the section "Adding a user account" on page 80).

The administrator can grant users the following Self Service Portal usage permissions:
- Reading.
- Change.
- Send only information commands. Mugshot and Locate are information commands.
- Send commands to mobile devices.
- Connect new devices.

If domain authorization on Self Service Portal is prohibited by the administrator, users can use alias accounts for authorization. Creating aliases for authentication on Self Service Portal is available in the properties of user accounts (see the section "Creating a Self Service Portal account" on page 129).

ADDING A DEVICE

Before adding a device on the Self Service Portal, the user has to accept the Self Service Portal End User License Agreement and sign in on the portal.

The algorithm of adding a user device to Self Service Portal includes the following steps:
1. The user opens the main page of the portal.
2. By clicking the Create package to install on new device link, the user is taken to the installation package download page on the mobile device to be added to Self Service Portal.
3. Self Service Portal determines the operating system of the user device.
   If the device operating system could be determined automatically, the installation package download page opens. If the device operating system could not be determined automatically, a window opens letting the user choose an operating system manually.
4. Self Service Portal creates an installation package and then displays a one-time link for downloading the installation package and a QR code in which the link is encoded.
   The screen shows the time interval during which a link for downloading the installation package will be available. A message with a link for downloading the installation package is sent to the user's email address.
5. The user downloads the installation package and installs Network Agent on the mobile device.
6. After Network Agent has been installed, the device connects to Administration Server.
   As a result, the device will be added to the list of managed devices and the corporate policies will be applied to it.

The installation package is required to install Network Agent on the device and apply corporate policies. A new installation package can be created only after the previously created package has been removed from Administration Server. A link to information about connecting to the Administration Server is sent to the user's email address.

CREATING AN ACCOUNT FOR SELF SERVICE PORTAL

If the use of domain authorization of users on Self Service Portal is forbidden, you can create alias accounts for users in the Administration Console. Users can log on to Self Service Portal using alias accounts.

To provide a Self Service Portal account (alias account) to a user:
1. In the console tree, in the User accounts folder, select a user account.
2. In the context menu of the user account, select Provide account for access to Self Service Portal.

3. In the properties window of the user account, in the Self Service Portal accounts section, click the Add button.
4. In the New Self Service Portal account window, specify the login and the method of user notification, and then click OK.

As a result, the Self Service Portal account will be created. A password for the Self Service Portal account is generated automatically. A notification of account creation will be sent to the user's email or mobile device, containing the login and the password.

You can click the Add button to create several Self Service Portal alias accounts. You can create an unlimited number of Self Service Portal accounts for a single user.

After a Self Service Portal account has been created, it cannot be modified. However, you can delete a selected account by clicking the button with a red cross on the right of the list of Self Service Portal accounts. You can click the Set new password button to generate a new password for a selected Self Service Portal account.

To modify a Self Service Portal account:
1. In the properties window of a user account, in the Self Service Portal accounts section, select a Self Service Portal account and click the Set new password button.
2. In the Generate new password for Self Service Portal account window, specify a method of user notification and click the OK button.
   The password will be created automatically.

As a result, the password will be changed. A notification of the password change will be sent to the user's email or mobile device. The new password for Self Service Portal will be sent to the user's email or cell phone.

ENCRYPTION AND DATA PROTECTION FOLDER

Encryption reduces the risk of unintentional data leakage in case your notebook, removable media or hard drive is stolen/lost, or upon the access of unauthorized users and applications.

Kaspersky Endpoint Security 10 for Windows provides encryption functionality. Kaspersky Endpoint Security 10 for Windows allows you to encrypt files stored on local drives of a computer and removable drives, as well as removable storage media and hard drives entirely.

Encryption rules are configured through Kaspersky Security Center by defining policies. Encryption and decryption upon existing rules are performed when applying a policy.

Availability of the encryption management feature is determined by the user interface settings (see the section "Configuring the interface" on page 30).

The administrator can perform the following actions:
- Configure and perform files encryption and decryption on computer local drives
- Configure and perform files encryption on removable media
- Create application's rules of access to encrypted files
- Create and deliver to user key file for access to encrypted files if file encryption is restricted on the user's computer
- Configure and perform hard drive encryption
- Manage user access to encrypted hard drives and removable drives (manage authentication agent accounts, create and deliver to users information on request for account name and password restoration, as well as access keys for encrypted devices)
- View encryption statuses and files encryption reports

These operations are performed using tools integrated into Kaspersky Endpoint Security 10 for Windows. For detailed instructions on how to perform operations and a description of encryption features please refer to the Kaspersky Endpoint Security 10 for Windows Administrator's Guide.

IN THIS SECTION:
Viewing the list of encrypted devices
Viewing the list of encryption events
Exporting the list of encryption events to a text file
Creating and viewing encryption reports

VIEWING THE LIST OF ENCRYPTED DEVICES

To view the list of devices storing encrypted information:
1. Select the Encryption and data protection folder in the console tree of Administration Server.
2. Open the list of encrypted devices using one of the following methods:
   - By clicking the Go to list of encrypted devices link in the Manage encrypted devices section.
   - In the console tree select the Encrypted devices folder.

As a result, the workspace displays information about devices on the network storing encrypted files, and about devices encrypted at the drive level. After the information on a device is decrypted, the device is automatically removed from the list.

You can sort the information in the list of devices either in ascending or descending order in any column.

Presence or absence of the Data encryption and protection folder in the console tree is determined by the user interface settings (see the section "Configuring the interface" on page 30).

VIEWING THE LIST OF ENCRYPTION EVENTS

When running data encryption and decryption tasks on client computers, Kaspersky Endpoint Security 10 for Windows sends to Kaspersky Security Center information about events of the following types:
- Cannot encrypt/decrypt a file, or create an encrypted archive due to a lack of free disk space
- Cannot encrypt/decrypt a file, or create an encrypted archive due to license issues
- Cannot encrypt/decrypt a file, or create an encrypted archive due to missing access rights
- The application has been prohibited to access an encrypted file
- Unknown errors.

To view a list of events that have occurred when encrypting data on client computers:
1. Select the Encryption and data protection folder in the console tree of Administration Server.
2. Go to the list of events occurring during encryption, using one of the following methods:
   - By clicking the Go to error list link in the Data encryption errors control section.
   - In the console tree select the Encryption events folder.

As a result, the workspace displays information about problems that have occurred during data encryption on client computers.

You can take the following actions on the list of encryption events:
- Sort data records in ascending or descending order in any of the columns
- Perform quick search for records (by text match with a substring in any of the list fields)
- Export the list of events to a text file.

Presence or absence of the Encryption and data protection folder in the console tree is determined by the user interface settings (see the section "Configuring the interface" on page 30).

EXPORTING THE LIST OF ENCRYPTION EVENTS TO A TEXT FILE

To export the list of encryption events to a text file:
1. Create a list of encryption events (see the section "Viewing the list of encryption events" on page 132).
2. From the context menu of the events list select Export list.
   The Export list window opens.
3. In the Export list window specify the name of the text file with the events list, select a folder to save it, and click the Save button.

The list of encryption events will be saved to the file that you have specified.

CREATING AND VIEWING ENCRYPTION REPORTS

The administrator can generate the following reports:
- Report on devices encryption containing information about the devices encryption status for all groups of computers
- Report on rights of access to encrypted devices containing information about the status of the accounts of users who have been granted access to encrypted devices

- Report on encryption errors containing information about errors that have occurred when running data encryption and decryption tasks on client computers
- Report on the status of computer encryption containing information about whether the status of computer encryption meets the encryption policy
- Report on file access blocking containing information about blocking applications' access to encrypted files.

To view the report on devices encryption:
1. In the console tree select the Encryption and data protection folder.
2. Do one of the following:
   - Click the View devices encryption report link to run the New Report Template Wizard.
   - Select the Encrypted devices subfolder, then click the View devices encryption report link to run the New Report Template Wizard.
3. Follow the instructions of the New Report Template Wizard.

In the Reports and notifications folder of the console tree a new report appears. The report generation process starts. The report is displayed in the console workspace.

To view the report on rights of access to encrypted devices:
1. In the console tree select the Encryption and data protection folder.
2. Do one of the following:
   - Click the View report on rights of access to encrypted devices link in the Manage encrypted devices section to run the New Report Template Wizard.
   - Select the Encrypted devices subfolder, then click the View report on rights of access to encrypted devices link to run the New Report Template Wizard.
3. Follow the instructions of the New Report Template Wizard.

In the Reports and notifications folder of the console tree a new report appears. The report generation process starts. The report is displayed in the console workspace.

To view the report on encryption errors:
1. In the console tree select the Encryption and data protection folder.
2. Do one of the following:
   - Click the View report on encryption errors link in the Data encryption errors control section to run the New Report Template Wizard.
   - Select the Encryption events subfolder, then click the View report on encryption errors link to run the New Report Template Wizard.
3. Follow the instructions of the New Report Template Wizard.

In the Reports and notifications folder of the console tree a new report appears. The report generation process starts. The report is displayed in the console workspace.

To view the report on the status of computer encryption:
1. In the console tree, select the Reports and notifications folder.
2. Do one of the following:
   - Right-click to activate the context menu of the Reports and notifications folder, select Create → Report template, and run the New Report Template Wizard.
   - Click the Create a report template link to run the New Report Template Wizard.
3. Follow the instructions of the New Report Template Wizard. In the Selecting the report template type window, in the Others section select Computer encryption status report.
   After you have finished with the New Report Template Wizard, a new report template appears in the Reports and notifications folder of the console tree.
4. In the Reports and notifications folder select the report template created at the previous steps.

The report generation process starts. The report appears in the workspace of the Administration Console.

After you have finished with the New Report Template Wizard. In the Selecting the report template type window. The report generation process starts. To view the file access blocking report: 1. select the Reports and notifications folder. Do one of the following:  Right-click to activate the context menu of the Reports and notifications folder. 134 . and run the New Report Template Wizard. Follow the instructions of the New Report Template Wizard. In the console tree. 4. in the Others section select Report on access blockage to files. select Create  Report template. view information panes on the Statistics tab of the Reports and notifications folder (see the section "Working with the statistical information” on page 86). 3. a new report template appears in the Reports and notifications folder of the console tree. The report appears in the workspace of the Administration Console. In the Reports and notifications folder select the report template created at the previous steps.  Click the Create a report template link to run the New Report Template Wizard. 2.ADMINISTRATOR'S GUIDE For information about whether the encryption statuses of computers and removable media meet the encryption policy.

MANAGING DEVICES ACCESS TO AN ORGANIZATION'S NETWORK (NETWORK ACCESS CONTROL, NAC)

Kaspersky Security Center allows controlling access of devices to an organization's network using access restriction rules and a white list of devices.

NAC agents are used to manage access of devices to an organization's network. An NAC agent is installed to client computers together with Network Agent.

Two NAC agents are used in each of the broadcast segments of a network: main and redundant. The main NAC agent is available for regular use of network access policies. When the computer hosting the main NAC agent is shut down, the redundant NAC agent takes its functions, which ensures a continuous operation of NAC on the organization's network. Roles of NAC agents can be deployed and distributed either manually or automatically.

Before creating network access restriction rules for devices and a white list of devices, the administrator should create network elements. Network element is a group of devices created on the basis of criteria defined by the administrator.

The administrator can specify the following criteria for adding devices to a network element:
• network attributes (IP address, MAC address)
• device manufacturer
• device's membership in a domain
• device protection status
• presence of non-installed critical application updates and security updates on the device.

When a network element is created, the administrator can create access restriction rules for it or add it to a white list.

The administrator can create the following network access restriction rules:
• A rule that blocks network access for all devices included in the network element.
• A rule that redirects to the authorization portal any request of network access generated by any device included in the network element. Authorization portal is a web service that provides network access to guest devices. The administrator creates accounts and assigns them to the users of guest devices.
• A rule that allows devices included in the network element to access the specified network addresses only.

The administrator can select a network element and add it to the white list. Devices included in the white list are provided full access to the organization's network.

IN THIS SECTION:
Switching to the NAC settings in the Network Agent properties ..... 136
Selecting an operation mode for the NAC agent ..... 136
Creating network elements ..... 136
Creating network access restriction rules ..... 137
Creating a white list ..... 137
Creating a list of allowed network addresses ..... 138
Creating accounts to use on the authorization portal ..... 138
Configuring the authorization page interface ..... 138
Configuring NAC in a Network Agent policy ..... 139

SWITCHING TO THE NAC SETTINGS IN THE NETWORK AGENT PROPERTIES

To switch to the NAC settings in the properties of Network Agent:
1. In the console tree select the Managed computers folder.
2. In the Managed computers folder on the Computers tab select a client computer where Network Agent is installed.
3. In the context menu of the client computer, select Properties.
A client computer properties window opens.
4. In the client computer properties window, select the Applications section.
5. In the Applications section select Network Agent and click the Properties button.
The Settings of Kaspersky Security Center Network Agent window opens.
6. In the Settings of Network Agent of Kaspersky Security Center window select the Network Access Control (NAC) section and adjust the NAC settings.

SELECTING AN OPERATION MODE FOR THE NAC AGENT

To select an operation mode for the NAC agent:
1. In the Settings of Kaspersky Security Center Network Agent window (see the section "Switching to the NAC settings in the Network Agent properties" on page 136), select the Managing network access (NAC) section.
2. In the Settings subsection, in the NAC agent operation mode group of settings select an operation mode for the NAC agent:
• Disabled. Select this option to disable the NAC agent.
• Main. Select this option to use the NAC agent as the main one. The main NAC agent is responsible for continuous use of access restriction rules in the network segment.
• Standby. Select this option to use the NAC agent as the standby one. If the main NAC agent is inactive, the standby one enables.
3. In the NAC operation mode block of settings select an operation mode for NAC:
• Disabled. Select this option if you do not want to apply the access restriction rules in the network segment in which the NAC agent operates.
• Standard. Select this option if you want the created access restriction rules to take effect immediately in the network segment in which the NAC agent operates.
• Emulation. Select this option if you want the created access restriction rules apply in test mode. In this case, the rules do not apply, but rule applying events are logged.

CREATING NETWORK ELEMENTS

To create a network element:
1. In the Settings of Kaspersky Security Center Network Agent window (see the section "Switching to the NAC settings in the Network Agent properties" on page 136), in the Managing network access (NAC) section, select the Network elements subsection.
2. From the Add dropdown list select the type of devices that you want to add to the network element (for example, computers).
The Creating network element window opens.
3. In the Creating network element window enter a name for the network element that you are creating. From the Add dropdown list select criteria, which should define whether a network device will be included in the network element that you are creating:
• By network attributes. If you select this option, you can add a computer or computers to the network element by IP address, MAC address, IP range, or subnet mask.
• By manufacturer. If you select this option, you can add computers to the network element by manufacturer.
• By domain membership. If you select this option, you can add computers to the network element on the basis of their membership in a domain. Domain membership can be used as a criterion that allows accessing the organization's network.
• By computer status. If you select this option, you can specify a computer protection status: for example, "Critical". You can create rules restricting network access for computers with such status.
• By software. If you select this option, you can add computers to the network element by operating system type, firewall status, and availability of updates.
The added criteria are displayed in the Criteria field so that a network object should meet them.
4. Click OK.

The created network elements are displayed in the properties window of the Kaspersky Security Center Network Agent policy, in the Network elements subsection.

CREATING NETWORK ACCESS RESTRICTION RULES

To create a network access restriction rule:
1. In the Settings of Kaspersky Security Center Network Agent window (see the section "Switching to the NAC settings in the Network Agent properties" on page 136), in the Managing network access (NAC) section, select the Access rules subsection.
2. In the Access rules section select the Access restrictions subsection and click the Add button.
The Properties of access restriction rule window opens.
3. In the Properties of access restriction rule window enter a name for the rule that you are creating.
4. In the Properties of access restriction rule window click the Add button to select a network element to which the rule will apply.
The Adding network elements window opens.
5. In the Adding network elements window select a network element and click the OK button.
The selected network element is displayed in the Properties of access restriction rule window. You can add several network elements to the same rule.
6. In the Properties of access restriction rule window, in the Restrict network access group of settings select one of the following options:
• Block network access. If you select this option, all devices in the network element are prohibited to access the network.
• Redirect to authorization portal. If you select this option, requests from devices in the network element will be redirected to the authorization server.
• Allow access to specified addresses only. If you select this option, in the Available addresses field specify addresses that are accessible for devices included in the network element.
7. Click OK.

The created rule is displayed in the Access restrictions subsection.

CREATING A WHITE LIST

To create a white list of IP devices:
1. In the Settings of Kaspersky Security Center Network Agent window (see the section "Switching to the NAC settings in the Network Agent properties" on page 136), in the Managing network access (NAC) section, select the Access rules subsection.
2. In the Access rules section select the White list subsection and click the Add button.
The Adding network elements window opens.
3. In the Adding network elements window select the network element that you want to add to the white list.
4. Click OK.

Network elements added to the white list are displayed in the White List subsection. Devices added to the white list are granted full access to the organization's network.

CREATING A LIST OF ALLOWED NETWORK ADDRESSES

To create a list of allowed network addresses:
1. In the Settings of Kaspersky Security Center Network Agent window (see the section "Switching to the NAC settings in the Network Agent properties" on page 136), in the Managing network access (NAC) section, select the Network services addresses subsection.
2. In the Network services addresses section, from the drop-down list on the right from the Add button select a network address type:
• Allowed network addresses. Select this option to add allowed addresses for guest devices. The Allowed network addresses window opens in which you can add the addresses of network services by IP address, MAC address, IP range, and subnet mask.
• Authorization portal. Select this option to add the address of the authorization portal to which requests from guest devices will be redirected. The Authorization portal window opens where you can specify the address of the server to which requests from network devices will be redirected.

The added network addresses are displayed in the Network services addresses section.

CREATING ACCOUNTS TO USE ON THE AUTHORIZATION PORTAL

To create an account for further use on the authorization portal:
1. In the Settings of Kaspersky Security Center Network Agent window (see the section "Switching to the NAC settings in the Network Agent properties" on page 136), in the Managing network access (NAC) section, select the Authorization page subsection.
2. In the Authorization page section select the Accounts subsection.
3. Click the Add button in the Accounts section.
The Account addition window opens.
4. In the Account addition window adjust the account settings.
5. If you want to block network access for this account, select the Block account check box.
6. Click OK.

Created accounts are displayed in the Accounts subsection comprised in the Authorization page section.

CONFIGURING THE AUTHORIZATION PAGE INTERFACE

To configure the interface of the authorization page:
1. In the Settings of Kaspersky Security Center Network Agent window (see the section "Switching to the NAC settings in the Network Agent properties" on page 136), in the Network Access Control (NAC) section, select the Authorization page subsection.
2. In the Authorization page section select the Interface subsection.
3. In the Logo group of settings select a logo to use on the authorization page:
• Default. Select this option if you want to use Kaspersky Lab logo on the authorization page.
• Custom. Select this option if you want to use a custom logo. Click the Select button if you want to specify the path to a logo file. The new logo should have the same settings as the default one.
4. In the Authorization page group of settings select the authorization page to which network access requests will be redirected.
• Default. Select this option if you want to use the default page on the authorization portal. To edit the default page, click the Save to file button and save the authorization page to a file for further editing.
• Custom. Select this option if you want to use an edited version of the Kaspersky Lab page or your own version. Click the Select button and specify the path to an authorization page file.
5. Click OK.

CONFIGURING NAC IN A NETWORK AGENT POLICY

To configure NAC in a Network Agent policy:
1. In the Managed computers folder of the console tree go to the Policies tab.
2. Start configuring NAC using one of the following methods:
• Click the Change policy settings link in the Actions menu to open the properties window of Kaspersky Security Center Network Agent, and select the Network Access Control (NAC) section.
• Use links in the Network Access Control (NAC) group of settings in the Actions menu.
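The following Python sketch is an added example, not Kaspersky Lab code: it models the network elements, white list, three rule types and Disabled/Standard/Emulation modes described in this chapter, so that a rule set can be reasoned about before it is enforced. The first-match rule order, the default of allowing devices that match no rule, and all device data and names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    manufacturer: str = ""
    domain: Optional[str] = None   # None means the device is not a domain member
    status: str = "OK"             # protection status, for example "Critical"

Criterion = Callable[[Device], bool]

def by_ip_range(cidr: str) -> Criterion:
    net = ip_network(cidr)
    return lambda d: ip_address(d.ip) in net

def by_manufacturer(name: str) -> Criterion:
    return lambda d: d.manufacturer.lower() == name.lower()

def by_status(status: str) -> Criterion:
    return lambda d: d.status == status

@dataclass
class NetworkElement:
    name: str
    criteria: List[Criterion]

    def contains(self, device: Device) -> bool:
        # A device belongs to the element only if it meets every criterion.
        return all(c(device) for c in self.criteria)

@dataclass
class Rule:
    name: str
    elements: List[NetworkElement]   # several elements may share one rule
    action: str                      # "block", "redirect" or "allow_only"
    allowed: List[str] = field(default_factory=list)  # used by "allow_only"

    def verdict(self, dest_ip: str) -> str:
        if self.action == "allow_only":
            ok = any(ip_address(dest_ip) in ip_network(n) for n in self.allowed)
            return "allow" if ok else "block"
        return self.action

def evaluate(device: Device, dest_ip: str, white_list: List[NetworkElement],
             rules: List[Rule], mode: str = "standard",
             log: Optional[List[Tuple[str, str, str]]] = None) -> str:
    """Return the effective decision: "allow", "block" or "redirect"."""
    if mode == "disabled":
        return "allow"                       # rules are not applied at all
    if any(e.contains(device) for e in white_list):
        return "allow"                       # white-listed devices get full access
    for rule in rules:                       # assumption: first matching rule wins
        if any(e.contains(device) for e in rule.elements):
            verdict = rule.verdict(dest_ip)
            if mode == "emulation":          # log what would happen, enforce nothing
                if log is not None:
                    log.append((device.mac, rule.name, verdict))
                return "allow"
            return verdict
    return "allow"                           # assumption: unmatched devices pass

# Constructed sample data (not taken from any real network).
PRINTERS = NetworkElement("printers", [by_manufacturer("ExamplePrint")])
GUESTS = NetworkElement("guest subnet", [by_ip_range("10.0.50.0/24")])
AT_RISK = NetworkElement("critical status", [by_status("Critical")])
WHITE_LIST = [PRINTERS]
RULES = [
    Rule("quarantine", [AT_RISK], "allow_only", ["10.0.0.10/32"]),
    Rule("guest portal", [GUESTS], "redirect"),
]
PC_OK = Device("10.0.1.20", "02:00:00:00:00:01", "ExamplePC", "corp.example")
PC_CRIT = Device("10.0.1.21", "02:00:00:00:00:02", "ExamplePC", "corp.example", "Critical")
GUEST = Device("10.0.50.23", "02:00:00:00:00:03")
PRINTER = Device("10.0.1.30", "02:00:00:00:00:04", "ExamplePrint", status="Critical")

if __name__ == "__main__":
    dry_run: List[Tuple[str, str, str]] = []
    for dev in (PC_OK, PC_CRIT, GUEST, PRINTER):
        enforced = evaluate(dev, "10.0.1.5", WHITE_LIST, RULES)
        evaluate(dev, "10.0.1.5", WHITE_LIST, RULES, "emulation", dry_run)
        print(dev.mac, "standard ->", enforced)
    print("emulation log:", dry_run)
```

The constructed printer has a "Critical" status yet is still allowed, because white list membership is checked before any restriction rule; this is why a white-listed element should be defined as narrowly as possible.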

INVENTORY OF EQUIPMENT DETECTED ON THE NETWORK

Kaspersky Security Center retrieves information about the equipment detected during the network poll. Inventory covers all equipment connected to the organization's network. Information about the equipment is updated after each new network poll. The list of detected equipment may contain the following types of devices:
• Computers
• Mobile devices
• Network devices
• Virtual devices
• OEM components
• Computer peripherals
• Connected devices
• VoIP phones
• Network storages

Equipment detected during a network poll is displayed in the Repositories subfolder of the Hardware folder of the console tree.

The administrator can add new devices to the equipment list manually or edit information about equipment that already exists on the network. In the properties of a device you can view and edit detailed information about that device.

The administrator can assign the "Enterprise equipment" attribute to detected devices. This attribute can be assigned manually in the properties of a device, or the administrator can specify criteria for the attribute to be assigned automatically. In this case, the "Enterprise equipment" attribute is assigned by device type. You can allow or prohibit network connection of equipment by the "Enterprise equipment" attribute.

Kaspersky Security Center allows writing off equipment. To do this, select the Device is written off check box in the properties of a device. Such device is not displayed on the equipment list.

IN THIS SECTION:
Adding information about new devices ..... 140
Configuring criteria used to define enterprise devices ..... 141

ADDING INFORMATION ABOUT NEW DEVICES

To add information about new devices on the network:
1. In the Repositories folder of the console tree select the Hardware subfolder.
2. In the workspace of the Hardware folder click the Add device link to open the New device window.
The New device window opens.
3. In the New device window, in the Type drop-down list select a device type that you want to add.
4. Click OK.
The device properties window opens on the General section.
5. In the General section fill in the entry fields with data on the device. The General section lists the following settings:
• Corporate device. Select the check box if you want to assign the "Enterprise" attribute to the device. Using this attribute, you can search for devices in the Hardware folder.
• Device is written off. Select the check box if you do not want the device to be displayed on the list of devices in the Hardware folder.
6. Click Apply.

The new device will be displayed in the workspace of the Hardware folder.

CONFIGURING CRITERIA USED TO DEFINE ENTERPRISE DEVICES

To configure criteria of detection for enterprise devices:
1. In the Repositories folder of the console tree select the Hardware subfolder.
2. In the workspace of the Hardware folder click the Configure criteria for corporate devices link to open the hardware properties window.
3. In the hardware properties window, in the Enterprise devices section select a mode of assigning the "Enterprise" attribute to the device:
• Set the "Enterprise" attribute manually. The "Enterprise equipment" attribute is assigned to the device manually in the device properties window, in the General section.
• Set the "Enterprise" attribute automatically. In the By device type block of settings specify device types to which the application will automatically assign the "Enterprise" attribute.
4. Click Apply.

UPDATING DATABASES AND SOFTWARE MODULES

This section describes how to download and distribute updates of databases and software modules using Kaspersky Security Center.

To maintain the protection system's reliability, you should timely update the databases and Kaspersky Lab application modules, managed through Kaspersky Security Center.

To update databases and Kaspersky Lab application modules that are managed through Kaspersky Security Center, the Download updates to the repository task of the Administration Server is used. As a result, the databases and application modules are downloaded from the update source.

The Download updates to the repository task is not available on virtual Administration Servers. The repository of the virtual Administration Server displays updates downloaded to the master Administration Server.

You can configure the updates to be verified for performance and errors before they are distributed to client computers.

IN THIS SECTION:
Creating the task of downloading updates to the repository ..... 142
Configuring the task of downloading updates to the repository ..... 143
Verifying downloaded updates ..... 143
Configuring test policies and auxiliary tasks ..... 144
Viewing downloaded updates ..... 145
Automatic distribution of updates ..... 145
Rolling back installed updates ..... 147

CREATING THE TASK OF DOWNLOADING UPDATES TO THE REPOSITORY

The Download updates to the repository task is created automatically by Kaspersky Security Center Quick Start Wizard. You can create only one task for downloading updates to the repository. That is why you can create a task for downloading updates to the repository only if such task was removed from the Administration Server tasks list.

To create a task for downloading updates to the repository:
1. In the console tree, select the Administration Server tasks folder.
2. Start creating the task in one of the following ways:
• In the console tree, in the Administration Server tasks folder context menu, select Create → Task.
• Click the Create a task link in the workspace.
This starts the New Task Wizard. Follow the Wizard's instructions. In the Task type wizard window, select Download updates to the repository.

After the Wizard completes, the Download updates to the repository task will be created in the list of Administration Server tasks.

When an Administration Server performs the Download updates to the repository task, updates to databases and software modules of applications are downloaded from the updates source and stored in the shared folder.

Updates are distributed to client computers and slave Administration Servers from the shared folder.

The following resources can be used as a source of updates for the Administration Server:
• Kaspersky Lab update servers – Kaspersky Lab's servers to which the updated anti-virus database and the application modules are uploaded.
• Master Administration Server.
• FTP/HTTP server or a network updates folder – an FTP server, an HTTP server, a local or a network folder added by the user and containing the latest updates. When selecting a local folder, you should specify a folder on a computer with Administration Server installed.

To update Administration Server from an FTP/HTTP server or a network folder, you should copy to those resources the correct structure of folders with updates, identical to that created when using Kaspersky Lab update servers.

Source selection depends on task settings. By default, updating is performed over the Internet from Kaspersky Lab's update servers.

CONFIGURING THE TASK OF DOWNLOADING UPDATES TO THE REPOSITORY

To configure the task for downloading updates to the repository:
1. In the workspace of Administration Server tasks folder, select the Download updates to the repository task in the task list.
2. Open the task properties window in one of the following ways:
• From the context menu of the task, select Properties.
• By clicking the Change task settings link in the workspace of the selected task.

This will open the Download updates to the repository task properties window. In this window you can configure how the updates are downloaded to the Administration Server repository.

VERIFYING DOWNLOADED UPDATES

To make Kaspersky Security Center verify downloaded updates before distributing them to client computers:
1. In the workspace of Administration Server tasks folder, select the Download updates to the repository task in the task list.
2. Open the task properties window in one of the following ways:
• From the context menu of the task, select Properties.
• By clicking the Change task settings link in the workspace of the selected task.
3. In the task properties window that opens, in the Updates verification section, select the Verify updates before distributing check box and select the updates verification task in one of the following ways:
• Click Select to choose an existing updates verification task.
• Click the Create button to create an update verification task.
This starts the Update Verification Task Wizard. Follow the Wizard's instructions.
While creating the update verification task, you should select an administration group that contains computers on which the task will be run. Computers included in this group are called test computers.
It is recommended to use computers with most reliable protection and most popular application configuration in the network. This approach increases the quality of scans, and minimizes the risk of false positives and the probability of virus detection during scans. If viruses are detected on the test computers, the update verification task is considered unsuccessful.
4. Click OK to close the properties window of the downloading updates to the repository task.

As a result, the updates verification task is performed with the task of downloading updates to the repository. The Administration Server will download updates from the source, save them in temporary storage, and run the update verification task. If the task completes successfully, the updates will be copied from the temporary storage to the Administration Server shared folder (<Installation folder Kaspersky Security Center>\Share\Updates) and distributed to all client computers for which the Administration Server is the source of updates.

If the results of the update verification task show that updates located in the temporary storage are incorrect or if the update verification task completes with an error, such updates will not be copied to the shared folder, and the Administration Server will keep the previous set of updates. The tasks that have the When new updates are downloaded to the repository schedule type are not started then, either. These operations will be performed at the next start of the Administration Server update download task if scanning of the new updates completes successfully.

A set of updates is considered to be incorrect if one of the following conditions is met on at least one test computer:
• Update task error has occurred.
• The real-time protection status of the anti-virus application has changed after applying updates.
• An infected object has been detected while running the scan task.
• Functional error of a Kaspersky Lab application has occurred.

If none of the listed conditions is true for any test computer, the set of updates is considered to be correct and the update verification task completes successfully.

CONFIGURING TEST POLICIES AND AUXILIARY TASKS

When creating an update verification task, the Administration Server generates test policies, auxiliary group update tasks and on-demand scan tasks.

Auxiliary group update and on-demand scan tasks take some time. These tasks are performed when the updates verification task is executed. The updates verification task is performed when updates are downloaded to the repository. The duration of Download updates to the repository task includes auxiliary group update and on-demand scan tasks.

You can change the settings of test policies and auxiliary tasks.

To change settings of a test policy or an auxiliary task:
1. In the console tree, select a group for which the updates verification task is created.
2. In the group workspace, select one of the following tabs:
• Policies, if you want to edit the test policy settings
• Tasks, if you want to change auxiliary task settings.
3. In the tab workspace select a policy or a task, whose settings you want to change.
4. Open the policy (task) properties window in one of the following ways:
• From the context menu of the policy (task), select Properties.
• By clicking the Change policy settings (Change task settings) link in the workspace of the selected policy (task).

To verify updates correctly, the following restrictions should be imposed on the modification of test policies and auxiliary tasks:
• In the auxiliary task settings:
  • Save all tasks with the Critical event and Functional failure severity levels on Administration Server. Using the events of these types, the Administration Server analyzes the operation of applications.
  • Use Administration Server as the source of updates.
  • Specify task schedule type: Manually
• In the settings of test policies:
  • Disable the iChecker, iSwift, and iStream scanning acceleration technologies.
  • Select the actions to be performed in respect of infected objects: Do not prompt / Skip / Log to report.
• In the settings of test policies and auxiliary tasks:
  If a computer restart is required after the installation of updates to software modules, it must be performed immediately. If the computer is not restarted, it is impossible to test this type of updates. For some applications installation of updates that require a restart may be prohibited or configured to prompt the user for confirmation first. These restrictions should be disabled in the settings of test policies and auxiliary tasks.

VIEWING DOWNLOADED UPDATES

To view the list of downloaded updates, in the console tree, select Repositories folder, the Updates subfolder.

The workspace of the Updates folder shows the list of updates that are saved on the Administration Server.

AUTOMATIC DISTRIBUTION OF UPDATES

Kaspersky Security Center allows you to automatically distribute and install updates on client computers and slave Administration Servers.

IN THIS SECTION:
Distributing updates to client computers automatically ..... 145
Distributing updates to slave Administration Servers automatically ..... 146
Installing program modules for Servers and Network Agents automatically ..... 146
Creating and configuring the list of Update Agents ..... 146
Downloading updates by Update Agents ..... 147

DISTRIBUTING UPDATES TO CLIENT COMPUTERS AUTOMATICALLY

To distribute the updates of the selected application to client computers immediately after the updates are downloaded to the Administration Server repository:
1. Connect to the Administration Server which manages the client computers.
2. Create an update deployment task for the selected client computers in one of the following ways:
• If you want to distribute updates to the client computers that belong to the selected administration group, create a task for the selected group (see the section "Creating a group task" on page 62).
• If you want to distribute updates to the client computers that belong to different administration groups or do not belong to administration groups at all, create a task for specific computers (see the section "Creating a task for specific computers" on page 62).
This starts the New Task Wizard. Follow its instructions and perform the following actions:
a. In the Task type wizard window, in the node of the required application select the updates deployment task.
The name of the updates deployment task displayed in the Task type window depends on the application for which you create this task. For detailed information about names of update tasks for the selected Kaspersky Lab application, see the corresponding Guides.
b. In the Schedule wizard window, in the Scheduled start field, select the When new updates are downloaded to the repository option.

As a result, the created update distribution task will start for selected computers each time the updates are downloaded to the Administration Server repository.

If an updates distribution task for the required application is created for selected computers, to automatically distribute updates to client computers in the task properties window in the Schedule section, in the Scheduled start field, select When new updates are downloaded to the repository.

DISTRIBUTING UPDATES TO SLAVE ADMINISTRATION SERVERS AUTOMATICALLY

To distribute the updates of the selected application to slave Administration Servers immediately after the updates are downloaded to the Administration Server repository:

1. In the console tree, in the master Administration Server node, select the Administration Server tasks folder.
2. In the task list in the workspace, select the task of downloading updates to the Administration Server repository.
3. Open the Settings section of the selected task in one of the following ways:
   - From the context menu of the task, select Properties.
   - By clicking the Edit settings link in the workspace of the selected task.
4. In the Settings section of the task properties window, select the Other settings subsection, click the Configure link.
   This opens the Other settings window.
5. In the Other settings window that opens, select the Force update of slave Servers check box.
   In the settings of the task of downloading updates by the Administration Server, on the Settings tab of the task properties window, select the Force update of slave Servers check box.

As a result, after the master Administration Server retrieves updates, the updates download tasks automatically start on slave Administration Servers regardless of their schedule.

INSTALLING PROGRAM MODULES FOR SERVERS AND NETWORK AGENTS AUTOMATICALLY

To install the updates for Administration Server and Network Agent modules automatically after they are uploaded to the Administration Server repository:

1. In the console tree, in the master Administration Server node, select the Administration Server tasks folder.
2. In the task list in the workspace, select the task of downloading updates to the Administration Server repository.
3. Open the Settings section of the selected task in one of the following ways:
   - From the context menu of the task, select Properties.
   - By clicking the Edit settings link in the workspace of the selected task.
4. In the Settings section of the task properties window, select the Other settings subsection, click the Configure link.
   This opens the Other settings window.
5. In the Other settings window that opens, select the following check boxes:
   - Update Administration Server modules.
     If this check box is selected, updates of Administration Server modules will be installed immediately after completion of the update download task by the Administration Server. If this check box is cleared, you will only be able to install the updates manually. By default, this check box is selected.
   - Update Network Agent modules.
     If this check box is selected, the updates of Network Agent modules will be installed after completion of the update download task by the Administration Server, provided that the updates of Network Agent modules are already retrieved. If this check box is cleared, you will only be able to install the updates manually. By default, this check box is selected.

As a result, all selected program modules are installed automatically.

CREATING AND CONFIGURING THE LIST OF UPDATE AGENTS

To create a list of Update Agents and configure them for distribution of updates to client computers within an administration group:

1. In the console tree, open the Managed computers folder.
2. In the Managed computers folder select an administration group for which you want to create a list of Update Agents.
   If you want to create a list of Update Agents for the Managed computers group, you can skip this step.

3. Open the group properties window in one of the following ways:
   - From the context menu of the group, select Properties.
   - By clicking the Configure Update Agents for group link.
4. In the group properties window, in the Update Agents section, create a list of computers that will act as Update Agents in the administration groups, by using the Add and Remove buttons.
5. For each Update Agent in the list, you can click Properties to open the properties window and customize its settings.

DOWNLOADING UPDATES BY UPDATE AGENTS

Kaspersky Security Center allows distributing updates to client computers included in the administration groups not only through the Administration Server, but also through the Update Agents of these groups.

To configure the retrieval of updates for a group through Update Agents:

1. In the console tree, open the Managed computers folder.
2. In the Managed computers folder select the required group.
   If you have already selected the Managed computers group, you can skip this step.
3. Open the group properties window in one of the following ways:
   - From the context menu of the group, select Properties.
   - By clicking the Configure Update Agents for group link.
4. In the Update Agents section, in the group properties window, select a computer that will act as Update Agent for client computers included in the group.
5. Click the Properties button to open the properties of this Update Agent and select the Updates source section.
6. Select the Use update download task check box and select the update download task in one of the following ways:
   - Click Select to choose an existing updates download task.
   - Click the New task button to create the updates download task for the Update Agent.

The task of updates download by Update Agent is a Network Agent task, the task type is Download updates to the repository. The task of update download by an update agent is a local task: it should be created individually for each computer that acts as an update agent.

ROLLING BACK INSTALLED UPDATES

To roll back the updates that have been installed:

1. In the Application management folder of the console tree, select the Software updates subfolder.
2. In the workspace of the Software updates folder, select the update that you want to roll back.
3. In the context menu of the update, select Delete update files.
4. Run the update task (see the section "Automatic installation of updates on client computers" on page 104).

When this task is completed, the update installed on the client computer is rolled back and its status changed to Not installed.

WORKING WITH APPLICATION KEYS

This section describes the features of Kaspersky Security Center related to handling keys of managed Kaspersky Lab applications.

Kaspersky Security Center allows you to perform centralized distribution of keys for Kaspersky Lab applications on client computers, monitor their use, and renew licenses.

When adding a key using Kaspersky Security Center, the settings of the key are saved on Administration Server. Based on this information, the application generates a report on the use of keys and notifies the administrator of expiry of licenses and violation of license restrictions implied by the settings of keys. You can configure notifications of the use of keys within the Administration Server settings.

IN THIS SECTION:
Viewing information about keys in use
Adding a key to the Administration Server repository
Deleting an Administration Server key
Deploying a key to client computers
Automatic deployment of a key
Creating and viewing a key usage report

VIEWING INFORMATION ABOUT KEYS IN USE

To view information about keys in use, in the console tree, in the Application management folder, select the Kaspersky Lab licenses subfolder.

As a result, the workspace will display a list of keys used on client computers.

Next to each of the keys an icon is displayed, corresponding to the type of use:
- information about the key is received from a client computer connected to the Administration Server. The file of this key is stored outside of the Administration Server.
- the key file is stored in the Administration Server repository. Automatic distribution is disabled for this key.
- the key file is stored in the Administration Server repository. Automatic distribution is enabled for this key.

You can view information about which keys are applied to the application on a client computer by opening the application properties window from the Applications section of the client computer properties window.

ADDING A KEY TO THE ADMINISTRATION SERVER REPOSITORY

To add a key to the Administration Server repository:

1. In the console tree, in the Application management folder, select the Kaspersky Lab licenses subfolder.
2. Start the key adding task using one of the following methods:
   - from the context menu of the list of keys select Add key.
   - by clicking the Add key link in the workspace of the list of keys.

This will start the Add Key Wizard. Follow the Wizard's instructions.

DELETING AN ADMINISTRATION SERVER KEY

To delete an Administration Server key:

1. In the context menu of the Administration Server, select Properties.
2. In the Administration Server properties window that opens, select the Keys section.
3. Delete the active or reserve key by clicking the Delete button.

This deletes the key.

If a reserve key has been added, after the active key is deleted the reserve key automatically becomes the active key.

After the active key is deleted, such features as Systems Management (see the section "Kaspersky Security Center licensing options" on page 33) and Mobile devices management (see the section "Kaspersky Security Center licensing options" on page 33) become unavailable for Administration Server. You can add (see the section "Adding a key to the Administration Server repository" on page 148) a key that has been deleted, or add a different key.

DEPLOYING A KEY TO CLIENT COMPUTERS

Kaspersky Security Center allows distributing the key to client computers using the key distribution task.

To distribute a key to client computers:

1. In the console tree, in the Application management folder, select the Kaspersky Lab licenses subfolder.
2. Run the key distribution task using one of the following methods:
   - from the context menu of the list of keys select Deploy a key.
   - click the Deploy key to managed computers link in the workspace of the list of keys.

This starts the Key Distribution Task Creation Wizard. Follow the Wizard's instructions.

Tasks created using the Key Distribution Task Creation Wizard are tasks for specific computers stored in the Tasks for specific computers folder of the console tree.

You can also create a group or local key distribution task using the Task Creation Wizard for an administration group and for a client computer.

AUTOMATIC DISTRIBUTION OF A KEY

Kaspersky Security Center allows automatic distribution of keys to client computers if they are located in the keys repository on the Administration Server.

To distribute a key to client computers automatically:

1. In the console tree, in the Application management folder, select the Kaspersky Lab licenses subfolder.
2. Select the key that you want to distribute.
3. Open the properties window of the selected key using one of the following methods:
   - from the context menu of the key select Properties.
   - click the Show key properties window link in the workspace of the selected key.
4. In the key properties window that opens, select the Automatically deployed key check box. Close the key properties window.

As a result, the key will be automatically distributed to client computers on which the application has been installed without an active key.

Key distribution is performed by means of the Network Agent. No additional key distribution tasks are created for the application. The key is added as an active one.

When distributing a key, the license limit specified in its settings is also taken into account. If the limit is reached, the key will not be distributed on any client computers.

CREATING AND VIEWING A KEY USAGE REPORT

To create a report on the use of keys on client computers, in the console tree, in the Reports and notifications folder select the report template named Key usage report, or create a new report template of the same type.

As a result, the workspace of the report on the use of keys displays information about active and additional keys used on the client computers. The report also contains information about computers on which the keys are used, and about restrictions specified in the settings of the keys.

DATA STORAGES

This section provides information about data stored on the Administration Server and used for tracking the condition of client computers and servicing them.

The data used to track the status of client computers are displayed in Repositories folder of the console tree.

The Repositories folder contains the following objects:
- the updates downloaded by the Administration Server that are distributed to client computers (see the section "Viewing downloaded updates" on page 145).
- list of hardware items detected in the network.
- keys that were found on client computers (see the section "Working with application keys" on page 148).
- files quarantined on client computers by anti-virus applications.
- files placed into repositories on client computers.
- files assigned for scanning later by anti-virus applications.

IN THIS SECTION:
Exporting a list of repository objects to a text file
Installation packages
Quarantine and Backup
Unprocessed files

EXPORTING A LIST OF REPOSITORY OBJECTS TO A TEXT FILE

You can export the list of objects from the repository to a text file.

To export the list of objects from the repository to a text file:

1. In the console tree, select Repositories folder, the necessary subfolder.
2. In the repository subfolder, select Export list.

This will open the Export list window, in which you can specify the name of text file and path to the folder where it was placed.

INSTALLATION PACKAGES

Kaspersky Security Center places installation packages of applications by Kaspersky Lab and third-party vendors to data storage areas.

An installation package is a set of files required to install an application. An installation package contains the setup settings and initial configuration of the application being installed.

If you want to install an application to a client computer, you should create an installation package for that application (see the section "Creating installation packages of applications" on page 110) or use an existing one. The list of created installation packages is stored in the Remote installation folder of the console tree, the Installation packages subfolder.

For detailed information on installation packages, see Kaspersky Security Center Implementation Guide.

QUARANTINE AND BACKUP

The Kaspersky Lab anti-virus applications installed on client computers can quarantine objects or place them to backup during computer scan.

Quarantine is a special area storing files probably infected with viruses and files that cannot be disinfected at the time when they are detected.

Backup storage is designed for storing backup copies of files that have been deleted or modified during the disinfection process.

Kaspersky Security Center creates a list of files placed into Quarantine or Backup by Kaspersky Lab application on client computers. The Network Agents on client computers transfer information about the files in Quarantine and Backup to the Administration Server. You can use Administration Console to view the properties of files in repositories on client computers, run anti-virus scanning of those repositories, and delete the stored files.

Operations with Quarantine and Backup are supported for versions 6.0 or later of Kaspersky Anti-Virus for Windows Workstations and Kaspersky Anti-Virus for Windows Servers, as well as for Kaspersky Endpoint Security 10 for Windows.

Kaspersky Security Center does not copy files from repositories to Administration Server. All files are stored in the repositories on client computers. You can restore files only on a computer where an anti-virus application that placed the file into the repository is installed.

IN THIS SECTION:
Enabling remote management for files in the repositories
Viewing properties of a file placed in repository
Removing files from repositories
Restoring files from repositories
Saving a file from repositories to disk
Scanning files in Quarantine

ENABLING REMOTE MANAGEMENT FOR FILES IN THE REPOSITORIES

By default, you cannot manage files placed in the repositories on client computers.

To enable remote management for files in the repositories on client computers:

1. In the console tree, select an administration group, for which you want to enable remote management for files in the repository.
2. In the group workspace, open the Policies tab.
3. On the Policies tab select the policy of an anti-virus application that places files to the repositories on client computers.
4. In the policy settings window in the Inform Administration Server group of settings, select the check boxes corresponding to the repositories for which you want to enable the remote management.

The location of Inform Administration Server settings group in the policy properties window and the names of check boxes depend on selected anti-virus application.

VIEWING PROPERTIES OF A FILE PLACED IN REPOSITORY

To view properties of a file in Quarantine or Backup:

1. In the console tree, select the Repositories folder, the Quarantine or Backup subfolder.
2. In the workspace of the Quarantine (Backup) folder, select a file whose properties you want to view.
3. Open the file properties window in one of the following ways:
   - From the context menu of the file, select Properties.
   - Click the Show object properties link in the workspace of the selected file.

REMOVING FILES FROM REPOSITORIES

To delete a file from Quarantine or Backup:

1. In the console tree, select the Repositories folder, the Quarantine or Backup subfolder.
2. In the workspace of the Quarantine (Backup) folder select the files that you want to delete by using the Shift and Ctrl keys.
3. Delete the files in one of the following ways:
   - From the context menu of the files select Remove.
   - Click the Delete objects (Delete object if you want to delete one file) in the workspace of the selected files.

As a result, the anti-virus applications that placed files in repositories on client computers, will delete files from these repositories.

RESTORING FILES FROM REPOSITORIES

To restore a file from Quarantine or Backup:

1. In the console tree, select the Repositories folder, the Quarantine or Backup subfolder.
2. In the workspace of the Quarantine (Backup) folder select the files that you want to restore by using the Shift and Ctrl keys.
3. Start files restoration in one of the following ways:
   - From the context menu of the files, select Restore.
   - By clicking the Restore link in the workspace of the selected files.

As a result, the anti-virus applications that placed files in repositories on client computers, will restore files to their initial folders.

SAVING A FILE FROM REPOSITORIES TO DISK

Kaspersky Security Center allows you to save to disk the copies of files that were placed by an anti-virus application in Quarantine or Backup on client computer. The files are copied to the computer on which Kaspersky Security Center is installed, to the specified folder.

To save a copy of file from Quarantine or Backup to hard drive:

1. In the console tree, select the Repositories folder, the Quarantine or Backup subfolder.
2. In the workspace of the Quarantine (Backup) folder, select a file that you want to copy to the hard drive.
3. Start copying the files in one of the following ways:
   - In the context menu of the file, select the Save to Disk item.
   - Click the Save to Disk link in the workspace of the selected file.

As a result, the anti-virus application that placed the file in Quarantine on client computer will save a copy of file to hard drive.

SCANNING FILES IN QUARANTINE

To scan quarantined files:

1. In the console tree, select the Repositories folder, the Quarantine subfolder.
2. In the workspace of the Quarantine folder select the files that you want to scan by using the Shift and Ctrl keys.
3. Start the file scanning process in one of the following ways:
   - Select Scan Quarantined Files from the context menu of the file.
   - By clicking the Scan link in the workspace of the selected files.

As a result, the application runs the on-demand scan task for anti-virus applications that have placed files to Quarantine on computers where the selected files are stored.

UNPROCESSED FILES

The information about unprocessed files found on client computers is stored in the Repositories folder, the Unprocessed files subfolder.

Postponed processing and disinfection by an anti-virus application are performed upon request or after a specified event. You can configure the postponed processing.

POSTPONED FILE DISINFECTION

To start postponed file disinfection:

1. In the console tree, select the Repositories folder, the Unprocessed files subfolder.
2. In the workspace of the Unprocessed files folder, select a file that you want to disinfect.
3. Start disinfecting the file in one of the following ways:
   - From the context menu of the file, select Disinfect.
   - By clicking the Disinfect link in the workspace of the selected file.

The attempt to disinfect this file is then performed.

If a file has been disinfected, the anti-virus application installed on client computer restores it to its initial location. The record about the file is removed from list in the Unprocessed files folder. If file disinfection is not possible, anti-virus application installed on client computer removes the file from the computer. The record about the file is removed from list in the Unprocessed files folder.

SAVING AN UNPROCESSED FILE TO DISK

Kaspersky Security Center allows saving to disk the copies of unprocessed files found on client computers. The files are copied to the computer on which Kaspersky Security Center is installed, to the specified folder.

To save a copy of an unprocessed file to disk:

1. In the console tree, select the Repositories folder, the Unprocessed files subfolder.
2. In the workspace of the Unprocessed files folder, select files that you want to copy on the hard drive.
3. Start copying the files in one of the following ways:
   - In the context menu of the file, select the Save to Disk item.
   - Click the Save to Disk link in the workspace of the selected file.

As a result, an anti-virus application installed on client computer on which an unprocessed file has been found, will save a file copy to the specified folder.

DELETING FILES FROM THE UNPROCESSED FILES FOLDER

To delete a file from the Unprocessed files folder:

1. In the console tree, select the Repositories folder, the Unprocessed files subfolder.
2. In the workspace of the Unprocessed files folder select the files that you want to delete by using the Shift and Ctrl keys.
3. Delete the files in one of the following ways:
   - From the context menu of the files select Remove.
   - Click the Delete objects (Delete object if you want to delete one file) in the workspace of the selected files.

As a result, the anti-virus applications that placed files in repositories on client computers, will delete files from these repositories. The records about files are removed from list in the Unprocessed files folder.

KASPERSKY SECURITY NETWORK (KSN)

This section describes how to use an infrastructure of online services named Kaspersky Security Network (KSN). The section provides the details on KSN, as well as instructions on how to enable KSN, configure access to KSN, and view the statistics of the use of KSN proxy server.

ABOUT KSN

Kaspersky Security Network (KSN) is an infrastructure of online services that provides access to the online Knowledge Base of Kaspersky Lab, which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster response by Kaspersky Lab applications to unknown threats, improves the effectiveness of some protection components, and reduces the risk of false positives.

KSN allows using Kaspersky Lab's reputation databases to retrieve information about applications installed on client computers.

By participating in KSN, you agree to send to Kaspersky Lab in automatic mode information about the operation of Kaspersky Lab applications (see the section "About data provision" on page 155) installed on client computers that are managed by Kaspersky Security Center, in accordance with the KSN Statement. Information is transferred in accordance with the current KSN access settings (see the section "Setting up access to KSN" on page 156).

The application prompts you to join KSN when installing the application and when running the Quick Start Wizard (see the section "Kaspersky Security Center Quick Start Wizard" on page 36). You can start or stop using KSN at any moment when using the application (see the section "Enabling and disabling KSN" on page 156).

Client computers managed by Administration Server interact with KSN through the KSN Proxy service. The use of the KSN Proxy service provides you with the following options:
- Client computers can send requests to KSN and transfer information to KSN even if they do not have direct access to the Internet.
- KSN Proxy caches processed data, thus reducing the workload on the outbound channel and the time period spent for waiting for information requested by a client computer.

You can configure KSN Proxy in the KSN proxy server section of the Administration Server properties window (see the section "Setting up access to KSN" on page 156).

ABOUT DATA PROVISION

By participating in Kaspersky Security Network program, you agree to send to Kaspersky Lab in automatic mode information about the operation of Kaspersky Lab applications installed on client computers that are managed by Kaspersky Security Center. Kaspersky Lab specialists use information retrieved from client computers in order to fix problems in Kaspersky Lab applications or to modify some of their features.

If you participate in Kaspersky Security Network program, you agree to send to Kaspersky Lab in automatic mode the following information retrieved by Kaspersky Security Center on your computer:
- Name, version, and language of the software product for which the update is to be installed.
- Version of the update database that is used by the software during installation.
- Result of the update installation.
- Computer ID and version of Network Agent used on it.
- Software settings used when installing updates, such as the ID's of operations executed and the codes of results for those operations.

If you cancel your participation in Kaspersky Security Network program, the above-listed details will not be sent to Kaspersky Lab.

Retrieved information is protected by Kaspersky Lab pursuant to the requirements of the current legislation and the existing rules of Kaspersky Lab. Kaspersky Lab uses retrieved information in non-personalized form only and as general statistics. The general statistical data is generated automatically based on originally retrieved information and does not contain any personal details or other confidential information. The originally retrieved information is stored in encrypted form and erased as it is accumulated (two times per year). The storage term of general statistical data is unlimited.

7. select the Use UDP port check box and specify the port number in the UDP port field. In the context menu of the Administration Server. 4. 6. select Properties. no data will be sent to KSN from Administration Server and from client computers via Kaspersky Security Center. in accordance with their settings. In the Administration Server properties window. Select the Use Administration Server as proxy server. 3. this check box is cleared. select the Administration Server for which you need to configure the access to KSN. The data provision feature can be enabled or disabled at any moment in the application settings window (see the section "Interaction of Administration Server with the KSN Proxy service" on page 49). SETTING UP THE ACCESS TO KSN To set up Administration Server's access to KSN: 1. 156 . Data are sent from client computers to KSN in accordance with the policy of Kaspersky Endpoint Security. If this check box is cleared. After the settings are downloaded. In the context menu of the Administration Server. for instance. Select the Send Kaspersky Security Center statistics to KSN. Click OK. pem). as well as the creation date of the file with the settings of Private KSN. and UDP port 15111 is used for connecting to KSN Proxy. By default. As a result. Configure Administration Server's connection to the KSN Proxy service:  In the TCP port entry field. in the KSN proxy server section. you can specify the number of the TCP port that will be used for connecting to KSN Proxy. As a result. select the Configure Private KSN check box and click the Select file with KSN settings button to download the settings of Private KSN (files with the extensions pkcs7. select Properties. The default port to connect to KSN Proxy is 13111. within the Internet provider's network). In the console tree. you should read and accept the terms of the KSN Statement. select the Administration Server for which you need to enable KSN. In the Administration Server properties window. 
the KSN Proxy service will be enabled. 2. the KSN access settings will be saved. If this check box is cleared. client computers will send patch installation results to Kaspersky Lab. 2.ADMINISTRATOR'S GUIDE Provision of data is accepted on a voluntary basis. 5.  If you want Administration Server to be connected to KSN Proxy via a UDP port. 3. 4. Select the Use Administration Server as proxy server check box to enable the KSN Proxy service. When selecting this check box. client computers send data allowed by the policy of Kaspersky Endpoint Security for Windows. ENABLING AND DISABLING KSN To enable KSN: 1. the interface displays the provider's name and contacts. select the KSN proxy server settings subsection. However. Private KSN is supported by Kaspersky Security Center 10 Service Pack 1 and Kaspersky Endpoint Security 10 Service Pack 1. in the KSN proxy server section. select the KSN proxy server settings subsection. which is active on those client computers. If you are using Private KSN (the infrastructure of KSN is located not on Kaspersky Lab servers but. In the console tree. client computers can send data to KSN directly. If this check box is selected.

5. Select the Send Kaspersky Security Center statistics to KSN check box.
As a result, KSN will be enabled.
If this check box is selected, client computers will send patch installation results to Kaspersky Lab. When selecting this check box, you should read and accept the terms of the KSN Statement.
6. Click OK.

To disable KSN:
1. In the console tree, select the Administration Server for which you need to enable KSN.
2. In the context menu of the Administration Server, select Properties.
3. In the Administration Server properties window, in the KSN proxy server section, select the KSN proxy server settings subsection.
4. Clear the Use Administration Server as proxy server check box to disable the KSN Proxy service, or clear the Send Kaspersky Security Center statistics to KSN check box.
If this check box is cleared, client computers will send no patch installation results to Kaspersky Lab.
If you are using Private KSN, clear the Configure Private KSN check box.
As a result, KSN will be disabled.
5. Click OK.

VIEWING THE KSN PROXY SERVER STATISTICS

The application allows viewing the statistical information about the use of KSN proxy server.
To view the statistics of KSN proxy server:
1. In the console tree, select the Administration Server for which you need to view the KSN statistics.
2. In the context menu of the Administration Server, select Properties.
3. In the Administration Server properties window, in the KSN proxy server section, select the KSN proxy server statistics subsection.
This section displays the statistics of the operation of KSN proxy server. If necessary, refresh the statistics by clicking the Refresh button and export the statistical data to a CSV file by clicking the Export to file button.

CONTACTING TECHNICAL SUPPORT SERVICE

This section provides information about the ways and conditions for providing you support.

IN THIS SECTION:
About technical support
Technical support by phone
Technical Support via Kaspersky CompanyAccount

ABOUT TECHNICAL SUPPORT

If you do not find a solution to your problem in the documentation or in one of the sources of information about the application (see the section "Sources of information about the application" on page 12), we recommend that you contact Kaspersky Lab Technical Support. Technical Support specialists will answer your questions about installing and using the application.
Technical support is only available to users who purchased the commercial license. Users who have received a trial license are not entitled to technical support.
Before contacting Technical Support, please read the support rules (http://support.kaspersky.com/support/rules).
You can contact Technical Support in one of the following ways:
 By calling Kaspersky Lab Technical Support.
 By sending a request to Technical Support through the Kaspersky CompanyAccount web service.

TECHNICAL SUPPORT BY PHONE

If an urgent issue arises, you can phone specialists at Technical Support of Kaspersky Lab (http://support.kaspersky.com/support/contacts).
Before contacting Technical Support, it is recommended to read the support rules (http://support.kaspersky.com/support/rules). These rules provide information about the hours open for calls at Kaspersky Lab Technical Support, as well as the data that a support specialist will need to help you.

TECHNICAL SUPPORT VIA KASPERSKY COMPANYACCOUNT

Kaspersky CompanyAccount (https://companyaccount.kaspersky.com) is a web service for companies that use Kaspersky Lab applications. The Kaspersky CompanyAccount web service is designed to facilitate interaction between users and Kaspersky Lab specialists via online requests. The Kaspersky CompanyAccount web service lets you monitor the progress of electronic request processing by Kaspersky Lab specialists and store a history of electronic requests.
You can register all of your organization's employees under a single account on Kaspersky CompanyAccount. A single account lets you centrally manage electronic requests from registered employees to Kaspersky Lab and also manage the privileges of these employees via Kaspersky CompanyAccount.
The Kaspersky CompanyAccount web service is available in the following languages:
 English
 German
 Japanese
 Russian
 Spanish
 French
 Portuguese
 Italian
 Polish
To learn more about Kaspersky CompanyAccount, please visit the Technical Support website (http://support.kaspersky.com/faq/companyaccount_help).

GLOSSARY

A
ACTIVE KEY
Key that is used at the moment to work with the application.

ADDITIONAL KEY
A key that certifies the right to use the application but is not currently being used.

ADMINISTRATION CONSOLE
A Kaspersky Security Center component that provides a user interface for the administrative services of Administration Server and Network Agent.

ADMINISTRATION GROUP
A set of computers grouped together in accordance with the performed functions and the Kaspersky Lab applications installed on those machines. Computers are grouped for convenience of management as one single entity. A group can include other groups. A group can contain group policies for each application installed in it and appropriate group tasks.

ADMINISTRATION SERVER CLIENT (CLIENT COMPUTER)
A computer, server, or workstation on which Network Agent and managed Kaspersky Lab applications are running.

ADMINISTRATOR RIGHTS
The level of the user's rights and privileges required for administration of Exchange objects within an Exchange organization.

ANTI-VIRUS DATABASES
Databases that contain information about computer security threats that are known to Kaspersky Lab at the time of release of the anti-virus databases. Records that are contained in anti-virus databases allow detecting malicious code in scanned objects. The anti-virus databases are created by Kaspersky Lab specialists and updated hourly.

AUTHENTICATION AGENT
An interface for passing the authentication process to access encrypted hard drives and load the operating system after the system hard drive has been encrypted.

AVAILABLE UPDATE
A package of updates for the modules of a Kaspersky Lab application including a set of urgent patches released during a certain time interval, and modifications to the application architecture.

C
CONFIGURATION PROFILE
Policy that contains a collection of settings and restrictions for an iOS MDM mobile device.

D
DEMILITARIZED ZONE (DMZ)
Demilitarized zone is a segment of a local network that contains servers, which respond to requests from the global Web. In order to ensure the security of an organization's local network, access to the LAN from the demilitarized zone is protected with a firewall.

E
EAS DEVICE
A mobile device connected to Administration Server over Exchange ActiveSync® protocol. Devices on iOS, Android™, and Windows Phone® operating systems can be connected and managed over Exchange ActiveSync protocol.

EXCHANGE ACTIVESYNC MOBILE DEVICE SERVER
A component of Kaspersky Security Center that is installed in a client computer, allowing Exchange ActiveSync mobile devices to connect to Administration Server.

G
GENERAL CERTIFICATE
A certificate intended for identifying the user's mobile device.

GROUP OF LICENSED APPLICATIONS
A group of applications created on the basis of criteria set by the administrator (for example, by vendor), for which statistics of installations to client computers are maintained.

GROUP TASK
A task defined for an administration group and performed on all client computers within this group.

I
INSTALLATION PACKAGE
A set of files created for remote installation of a Kaspersky Lab application by using the Kaspersky Security Center remote administration system. The installation package contains a range of settings needed to install the application and get it running immediately after installation. Parameter values correspond to application defaults. The installation package is created using files with the .kpd and .kud extensions included in the application distribution kit.

INTERNAL USERS
The accounts of internal users are used to work with virtual Administration Servers. Under the account of an internal user, the administrator of a virtual Administration Server can start Kaspersky Security Center Web Console to check the anti-virus security status of a network. Kaspersky Security Center grants the rights of real users to internal users of the application.
The accounts of internal users are created and used only within Kaspersky Security Center. No data on internal users is transferred to the operating system. Kaspersky Security Center authenticates internal users.

IOS MDM DEVICE
A mobile device that is connected to the iOS MDM Mobile Device Server over iOS MDM protocol. Devices running on iOS operating system can be connected and managed over iOS MDM protocol.

IOS MDM MOBILE DEVICE SERVER
A component of Kaspersky Security Center, installed to a client computer and allowing connection of iOS mobile devices to Administration Server and management of iOS mobile devices through Apple Push Notifications (APNs) service.

IOS MDM PROFILE
Collection of settings for connection of iOS mobile devices to Administration Server. The user installs an iOS MDM profile to a mobile device, after which this mobile device connects to Administration Server.

K
KASPERSKY SECURITY CENTER ADMINISTRATOR
The person managing the application operations through the Kaspersky Security Center system of remote centralized administration.

KASPERSKY SECURITY CENTER WEB SERVER
A component of Kaspersky Security Center installed together with Administration Server. Web Server is designed for transfer of standalone installation packages, iOS MDM profiles, and files from the shared folder over the network.

KASPERSKY SECURITY NETWORK (KSN)
An infrastructure of online services that provides access to the online Knowledge Base of Kaspersky Lab which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster response by Kaspersky Lab applications to unknown threats, improves the effectiveness of some protection components, and reduces the risk of false positives.

KES DEVICE
A mobile device that is connected to Administration Server and managed through Kaspersky Endpoint Security for Android.

L
LOCAL TASK
A task defined and running on a single client computer.

M
MDM POLICY
A collection of application settings used for managing mobile devices through Kaspersky Security Center. Different application settings are used to manage different types of mobile devices. A policy includes the settings for complete configuration of all application features.

MOBILE DEVICE SERVER
A component of Kaspersky Security Center that provides access to mobile devices and allows managing them through Administration Console.

N
NETWORK AGENT
A Kaspersky Security Center component that enables interaction between the Administration Server and Kaspersky Lab applications that are installed on a specific network node (workstation or server). This component is common for all of the company's products for Windows. Separate versions of Network Agent exist for Kaspersky Lab products developed for Novell®, Unix® and Mac.

P
POLICY
A set of application settings in an administration group managed through Kaspersky Security Center. Application settings can differ in various groups. A specific policy is defined for each application. A policy includes the settings for complete configuration of all application features.

PROFILE
A collection of settings of Exchange ActiveSync mobile devices that define their behavior when connected to a Microsoft
Exchange server.

PROVISIONING PROFILE

Collection of settings for applications’ operation on iOS mobile devices. A provisioning profile contains information about
the license; it is linked to a specific application.

R
RESTORATION
Relocation of the original object from Quarantine or Backup to its original folder where the object had been stored before
it was quarantined, disinfected or deleted, or to a user-defined folder.

RESTORATION OF ADMINISTRATION SERVER DATA

Restoration of Administration Server data from the information saved in Backup by using the backup utility. The utility can
restore:
 Information database of the Administration Server (policies, tasks, application settings, events saved on the
Administration Server)
 Configuration information about the structure of administration groups and client computers
 Repository of the installation files for remote installation of applications (content of the folders: Packages,
Uninstall Updates)
 Administration Server certificate

ROLE GROUP

A group of users of Exchange ActiveSync mobile devices who are granted identical administrator rights (see section
"Administrator rights" on page 160).

T
TASK
Functions performed by a Kaspersky Lab application are implemented as tasks, for example: Real-time protection, Full
Scan, Database update.

TASK FOR SPECIFIC COMPUTERS

A task assigned for a set of client computers from arbitrary administration groups and performed on those hosts.

U
UPDATE AGENT
A computer within an administration group that acts as an intermediary node of communication between the computers
in the same group and the Administration Server.
An Update Agent can perform the following functions:
 Manage updates and installation packages received from the Administration Server by distributing them to client
computers in the group (including such method as multicasting via UDP).
This feature accelerates the distribution of updates and allows freeing up Administration Server resources.
 Distribute policies and group tasks through multicasting via UDP.
 Act as a connection gateway to the Administration Server for computers in the group.
If direct connection between managed computers in the group and the Administration Server cannot be
established, the Update Agent can be used as a connection gateway to the Administration Server for this group.
In this case, managed computers will be connected to the connection gateway, which, in its turn, will be
connected to the Administration Server.


The availability of an Update Agent that operates as the connection gateway does not block the option of direct
connection between managed computers and the Administration Server. If the connection gateway is not
available, but direct connection with the Administration Server is technically possible, managed computers will
be connected to the Server directly.
 Poll the computer network in which it is located.
 Perform remote installation of the application through Microsoft Windows tools, including installation on client
computers without Network Agent.
This feature allows you to remotely transfer installation packages of Network Agent to client computers located on
networks to which the Administration Server has no direct access.
You can view the full list of Update Agents for specified administration groups by creating a report on the list of Update
Agents.
The scope of an Update Agent is the administration group to which it has been assigned, as well as its subgroups of all
levels of embedding. If several Update Agents have been assigned in the hierarchy of administration groups, the
Network Agent of the managed computer connects to the hierarchically closest Update Agent.

V
VIRTUAL ADMINISTRATION SERVER
A component of Kaspersky Security Center, designed for management of the protection system of a client organization's
network.
Virtual Administration Server is a particular case of a slave Administration Server and has the following restrictions as
compared with physical Administration Server:
 Virtual Administration Server can be created only on master Administration Server.
 Virtual Administration Server uses the database of the master Administration Server in its operation: data
backup tasks, data recovery tasks, update check tasks, and update download tasks are not supported on the
virtual Server. These tasks exist only on master Administration Server.
 Virtual Server does not support creation of slave Administration Servers (including virtual Servers).

VIRUS OUTBREAK

A series of deliberate attempts to infect a computer with a virus.

VULNERABILITY
A flaw in an operating system or an application that may be exploited by malware makers to penetrate into the operating
system or the application and corrupt its integrity. A large number of vulnerabilities in an operating system makes it
unreliable, because viruses that have penetrated into the operating system may cause operation failures in the operating
system itself and in installed applications.

W
WINDOWS SERVER UPDATE SERVICES (WSUS)
An application used for distribution of updates for Microsoft applications on users' computers in an organization's
network.


KASPERSKY LAB ZAO
Kaspersky Lab software is internationally renowned for its protection: against viruses, malware, spam, network and
hacker attacks, and other threats.
In 2008, Kaspersky Lab was rated among the world’s top four leading vendors of information security software solutions
for end users (IDC Worldwide Endpoint Security Revenue by Vendor). Kaspersky Lab is the preferred developer of
computer protection systems among home users in Russia, according to the COMCON survey "TGI-Russia 2009".
Kaspersky Lab was founded in Russia in 1997. Today, it is an international group of companies headquartered in
Moscow with five regional divisions that manage the company's activity in Russia, Western and Eastern Europe, the
Middle East, Africa, North and South America, Japan, China, and other countries in the Asia-Pacific region. The
company employs more than 2000 qualified specialists.
PRODUCTS. Kaspersky Lab’s products provide protection for all systems—from home computers to large corporate
networks.
The personal product range includes anti-virus applications for desktop, laptop, and tablet computers, as well as for
smartphones and other mobile devices.
Kaspersky Lab delivers applications and services to protect workstations, file and web servers, mail gateways, and
firewalls. Used in conjunction with Kaspersky Lab’s centralized management system, these solutions ensure effective
automated protection for companies and organizations against computer threats. Kaspersky Lab's products are certified
by the major test laboratories, are compatible with the software of many suppliers of computer applications, and are
optimized to run on many hardware platforms.
Kaspersky Lab’s virus analysts work around the clock. Every day they uncover hundreds of new computer threats, create
tools to detect and disinfect them, and include them in the databases used by Kaspersky Lab applications. Kaspersky
Lab anti-virus database is updated hourly, Anti-Spam database – every 5 minutes.
TECHNOLOGIES. Many technologies that are now part and parcel of modern anti-virus tools were originally developed
by Kaspersky Lab. It is no coincidence that many other developers use the Kaspersky Anti-Virus kernel in their products,
including: SafeNet (USA), Alt-N Technologies (USA), Blue Coat Systems (USA), Check Point Software Technologies
(Israel), Clearswift (UK), CommuniGate Systems (USA), Openwave Messaging (Ireland), D-Link (Taiwan), M86 Security
(USA), GFI Software (Malta), IBM (USA), Juniper Networks (USA), LANDesk (USA), Microsoft (USA), Netasq+Arkoon
(France), NETGEAR (USA), Parallels (USA), SonicWALL (USA), WatchGuard Technologies (USA), and ZyXEL
Communications (Taiwan). Many of the company’s innovative technologies are patented.
ACHIEVEMENTS. Over the years, Kaspersky Lab has won hundreds of awards for its services in combating computer
threats. For example, in 2010 Kaspersky Anti-Virus received a few top Advanced+ awards in a test held by AV-
Comparatives, an acknowledged Austrian anti-virus laboratory. But Kaspersky Lab's main achievement is the loyalty of
its users worldwide. The company’s products and technologies protect more than 300 million users, and its corporate
clients number more than 200,000.

Kaspersky Lab official site: http://www.kaspersky.com
Virus encyclopedia: http://www.securelist.com
Anti-Virus Lab: newvirus@kaspersky.com (only for sending probably infected files
in archives)
Kaspersky Lab web forum: http://forum.kaspersky.com


INFORMATION ABOUT THIRD-PARTY CODE
Information about third-party code is contained in a file named legal_notices.txt and stored in the application installation folder.

ABOUT NAC/ARP ENFORCEMENT TECHNOLOGY
The NAC Solution/ARP Enforcement technology is legal technology dedicated to securing and regulating access to a corporate network by ensuring device compliance to corporate security policies.

User behavior and user obligations
The user agrees to comply with the applicable local, state, national, international, and supranational laws and regulations as well as the specifications mentioned in the documentation or the related transfer documents of the authorized dealer from whom the user purchased the Software and
 (a) not to use the Software for illegal purposes;
 (b) not to transmit or store material that infringes intellectual property rights or any other rights of third parties or is illegal, unauthorized, defamatory or offensive or invades the privacy of third parties;
 (c) not to transmit or store data owned by third parties, without obtaining beforehand the consent prescribed by law of the owner of the data to the data transmission;
 (d) not to transmit material containing software viruses or any other harmful computer codes, files or programs;
 (e) not to carry out any acts interfering with or interrupting the operation of the server or networks associated with the software;
 (f) not to attempt to gain unauthorized access to computer systems or networks associated with the Software.
The user is restricted to using the software as intended and within the specific legal framework conditions in their country. Please note that the use of this security Software within networks can affect provisions of data protection law at the EU level and/or at EU member state level. Moreover, in operational use also provisions of collective labor law may have to be observed.

ENHANCED PROTECTION WITH KASPERSKY SECURITY NETWORK
Kaspersky Lab offers an extra layer of protection to users through the Kaspersky Security Network. This protection method is designed to combat advanced persistent threats and zero-day attacks. Integrated cloud technologies and the expertise of Kaspersky Lab virus analysts make Kaspersky Endpoint Security the unsurpassed choice for protection against the most sophisticated network threats.
Details on enhanced protection in Kaspersky Endpoint Security are available on the Kaspersky Lab website.

TRADEMARK NOTICE
The registered trademarks and service marks are the property of their owners.
Active Directory, Data Access, Internet Explorer, Microsoft, SQL Server, Windows, Windows Server and Windows Vista are trademarks of Microsoft Corporation registered in the United States and elsewhere.
Apache and the Apache feather logo are trademarks owned by the Apache Software Foundation.
Apple, iPhone, Mac, Mac OS, and iTunes are registered trademarks of Apple Inc.
Cisco is a registered trademark or trademark of Cisco Systems, Inc. and / or its affiliates in the United States and certain other countries.
Linux is a trademark owned by Linus Torvalds and registered in the U.S. and elsewhere.
Novell is a trademark owned by Novell, Inc. and registered in the United States and elsewhere.
UNIX is a trademark registered in the U.S. and elsewhere, use under license from X/Open Company Limited.

56 Policies Export.................................................................................................................. 58................................................................................................................................................................................................................................................................................................. 58 Policy profile Create ..............................................................................................................................................................................................................................................................................................................

............................................................................................................................................................................................................................................... 64 Local............................................................................................................................. 146 Retrieval ..................................................................................................................................................................................................... 145...... 143 View ....................... 63 Managing client computers ....................................................................................................................................................... 85 Viewing results .......................................................................................... 102 User role add ........................................................................................................................................................................................................................................................................................ 142 Scan ............................................. 101 172 ............................................................................... 146 Updating the application........................... 74 Execution........................... 145 Update Agents......................................................................................................................................................... 74 Reports delivery ............................................................................................................................ 
117 User roles............................................................................................................................................................................................................................. 66 U Update distribution ................................................................ 64 Group ................................... 38 Vulnerability............................................ 81 assign........................................................................ 81 User role add...............................................................................................................................................................................................................................................ADMINISTRATOR'S GUIDE Tasks Changing the Administration Server ................................................................................................................................................................................................................................................. 62 Import .................................................................................................................................................................................................................. 66 Export ............................................................................................................................................................................................................................................................................................................................. 81 V Virtual Administration Server .............................................................................................