how to install kaspersky mdm & ksm for i os v6

1

How to install Kaspersky MDM for iOS & Kaspersky Security for Mobile


How it works .................................................................................................................. 2

Kaspersky MDM for iOS .............................................................................................................................................. 2 Kaspersky Security 10 for Mobile (for iOS) ................................................................................................................. 2

How to install Kaspersky MDM for iOS .......................................................................... 2

Preparing the Environment ........................................................................................................................................... 2

1. Network configuration ............................................................................................................................ 2 2. Kaspersky Security Center ...................................................................................................................... 3

Installing Kaspersky MDM for iOS Server .................................................................................................................. 3 Getting APNs Certificate .............................................................................................................................................. 4

1. Create a request ....................................................................................................................................... 4 2. Sign the certificate request on the Kaspersky Lab website...................................................................... 5 3. Register it at the APNs ............................................................................................................................ 7 4. Get the .pfx file ........................................................................................................................................ 7

Installing APNs Certificate ........................................................................................................................................... 8 Installing iOS MDM profile ......................................................................................................................................... 8

1. Select a user account ............................................................................................................................... 8 2. Send the iOS MDM profile ..................................................................................................................... 8 3. Install the iOS MDM profile ................................................................................................................... 9

When iOS MDM profile is Installed Successfully ...................................................................................................... 10

1. On the mobile device ............................................................................................................................. 10 2. On the server side .................................................................................................................................. 10

How to install Kaspersky Security 10 for Mobile ........................................................ 11

Preparing the Environment ......................................................................................................................................... 11

1. Network Configuration .......................................................................................................................... 11 2. Kaspersky Security Center .................................................................................................................... 11

Preparing the Distribution ........................................................................................................................................... 11

1. Get .ipa .................................................................................................................................................. 11 2. Publish .ipa ............................................................................................................................................ 11 3. Create .plist ............................................................................................................................................ 12

Installing the Kaspersky Security 10 for Mobile ........................................................................................................ 12

1. Add Kaspersky Security for Mobile to the manageable applications list .............................................. 12 2. Launch the installation .......................................................................................................................... 13 3. Complete the installation ....................................................................................................................... 13 4. Install a license key ............................................................................................................................... 14

When Kaspersky Security 10 for Mobile is Installed Successfully ............................................................................ 15

1. On the mobile device ............................................................................................................................. 15 2. On the server side .................................................................................................................................. 15 FOR

INTE

RNAL

USE

ONL

Y

2


How it works Kaspersky Lab product line includes two products for iOS:

1. Kaspersky MDM for iOS 2. Kaspersky Security 10 for Mobile (for iOS)

They both can be remotely managed via Kaspersky Security Center 10, and can be used on a mobile device simultaneously.

Kaspersky MDM for iOS

Agentless solution providing remote management of mobile devices: applies configuration parameters, policies for passcodes, locks and wipes devices remotely, installs and removes apps.

See http://images.apple.com/iphone/business/docs/iOS_6_MDM_Sep12.pdf for more details.

Kaspersky Security 10 for Mobile (for iOS)

Endpoint solution providing security for mobile devices: via containers for apps, web protection, jailbreak detection, but no anti-virus. Can be managed remotely via KSC.

How to install Kaspersky MDM for iOS

Preparing the Environment

1. Network configuration

1. iOS MDM Server:

Windows 7 or 2008 OS Accessible from the Internet (real IP or other means) at port TCP 443 (the port can be changed during the

installation)

KSC Administration Server Kaspersky

Security for Mobile

APNs

Built-in connector to KSC

Inst

alla

tion

Kaspersky MDM for iOS

KSC Network Agent

FOR

INTE

RNAL

USE

ONL

Y

http://images.apple.com/iphone/business/docs/iOS_6_MDM_Sep12.pdf

3


Have access to the APNs servers at ports TCP 2195 and 2196. See http://support.apple.com/kb/TS4264 for more details

2. KSC Administration Server: accessible from the Internet at ports TCP 8060 and 8061 (the ports can be changed in the properties of the Administration Server)

3. Mobile devices: access to the APNs servers at port TCP 5223. See http://support.apple.com/kb/TS4264 for more details

When performing internal tests it is enough to have access from the mobile devices to the iOS MDM Server and KSC Administration Server via LAN (e.g. internal Wi-Fi).

2. Kaspersky Security Center

4. KSC Administration Server preinstalled, and no additional components are required

5. KSC Administration Console: install the Plug-in for management of mobile iOS devices (\Server\Plugins\ MDM4IOS\klcfginst.msi inside the KSC distribution archive ksc10.0.xxxxen.exe)

6. KSC settings:

Setup the Administration Server email notification settings: open the properties of the Reports and notifications node, and fill in the form

Install a license key allowing using the MDM features

Display the MDM interface

7. iOS MDM Server: Network Agent connected to the KSC Administration Server

Installing Kaspersky MDM for iOS Server

1. Copy the \Server\MDM4IOS\ folder from the KSC distribution (ksc10.0.xxxxen.exe) to the iOS MDM Server, and run setup.exe

2. In the installation wizard specify the ports:

FOR

INTE

RNAL

USE

ONL

Y

http://support.apple.com/kb/TS4264

http://support.apple.com/kb/TS4264

4


3. And the external URL of the iOS MDM Server—it must be accessible by this URL from the mobile devices

4. After that you should find the iOS MDM mobile device server in the Mobile devices / Mobile devices servers node

Getting APNs Certificate

This document describes how to generate an APNs certificate using OpenSSL. For some details about other methods please see http://support.kaspersky.com/9245.

The following steps can be done on any computer running Windows.

1. Create a request

1. Install the Microsoft Visual C++ 2008 Redistributable Package:

http://www.microsoft.com/en-us/download/details.aspx?id=15336 (for x64) http://www.microsoft.com/en-us/download/details.aspx?id=29 (for x86)

2. Install the OpenSSL:

http://slproweb.com/download/Win64OpenSSL-1_0_1e.exe (for x64) http://slproweb.com/download/Win32OpenSSL-1_0_0k.exe (for x86)

3. During the installation keep all the default settings, and remember the installation folder. In all later steps we assume you’ve used C:\OpenSSL-Win64\, which is default for x64

4. Open the command line, type in

set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg

FOR

INTE

RNAL

USE

ONL

Y

http://support.kaspersky.com/9245

http://www.microsoft.com/en-us/download/details.aspx?id=15336

http://www.microsoft.com/en-us/download/details.aspx?id=29

http://slproweb.com/download/Win64OpenSSL-1_0_1e.exe

http://slproweb.com/download/Win32OpenSSL-1_0_0k.exe

5


and press Enter

5. Type in

C:\OpenSSL-Win64\bin\openssl req -new -newkey rsa:2048 -nodes -out Name.csr -keyout Name.key -subj "/C=Country/ST=State/L=City/O=Company/OU=Department/CN=ServerName"

and press Enter. Here,

Name — some name for the key

ServerName — the domain name or IP address that clients will use to reach the iOS MDM Server. You can use * to cover all subdomains

Country — put the country name common 2-letter abbreviation (US for the USA, UK for the UK, etc.)

State, City, Company, Department — state or province, city, company and department correspondingly. Multiple-word names are accepted, and no quotes needed

6. As a result, you’ll find both .csr and .key files in the user’s home folder

2. Sign the certificate request on the Kaspersky Lab website

7. Go to the https://companyaccount.kaspersky.com. To make it work you’ll need Adobe Flash Player, enabled popups, etc. So it makes sense to do this on some desktop

8. Login, or register, if you haven’t registered yet. You’ll need to provide a proper commercial license key, and some not @kaspersky.com email address

9. Click Submit request, then SCR Signing, Browse, and navigate to the mycert.csr you’ve got on the step 6

FOR

INTE

RNAL

USE

ONL

Y

https://companyaccount.kaspersky.com/

6


10. Click Sign CSR

11. Click OK and go to Inactive

12. Select the last request (it is selected by default), and press View Files/Details

13. Select mycert.plist and click Save to Disk

14. As a result you’ll get the mycert.plist file

FOR

INTE

RNAL

USE

ONL

Y

7


3. Register it at the APNs

15. Go to the https://identity.apple.com/pushcert/

16. Login using any Apple ID, or register (https://appleid.apple.com/), if you haven’t registered yet. All you need is just some valid email address

17. Click Create a certificate

18. Browse to mycert.plist and click Upload

19. Then click Download

20. As a result you’ll get the MDM_ Laboratoriya Kasperskogo ZAO_Certificate.pem file

21. Rename in to something shorter, e. g. mycert.pem

22. Copy mycert.pem to the computer where you initially created the request for the certificate and put it into the user’s home folder, next to the mycert.key and mycert.csr

4. Get the .pfx file

23. At this point you should have three files—mycert.key, mycert.csr, and mycert.pem

24. Open the command line, and run the command

C:\OpenSSL-Win64\bin\openssl pkcs12 -export -out mycert.pfx -in mycert.pem -inkey mycert.key -name "My Certificate"

You’ll be asked to enter a password, and then verify it. Type in e.g. Ka5per5Ky

25. As a result next to mycert.* you’ll find mycert.pfx

FOR

INTE

RNAL

USE

ONL

Y

https://identity.apple.com/pushcert/

https://appleid.apple.com/

8


Installing APNs Certificate

1. In the KSC Administration Console go to the Mobile devices / Mobile devices servers node

2. Find the iOS MDM mobile devices server and open its properties

3. Switch to the Certificates tab and click the upper Install

4. Browse to mycert.pfx and install it. You’ll be asked to type in the password put on the step 24 of the “Getting the APNs Certificate” section

If next time you deploy an iOS MDM profile you get the certificate missing error, then you have installed not the latest build of Kaspersky MDM for iOS. Check the version of the Control Panel\ Programs\ Programs and Features \ Kaspersky iOS MDM mobile device server. If it is older than 10.0.3368.0, then download a newer one and reinstall it, or do the following:

Run the Kaspersky Security Center Remote Diagnostics Utility (Start / All Programs / Kaspersky Security Center), and connect it to the Administration Server

Enable the Network Agent tracing, keep the default tracing level

Install the certificate

Disable the Network Agent tracing

Installing iOS MDM profile

1. Select a user account

Select the user account you want to send the iOS MDM profile to, or create a new one.

1. In the KSC Administration Console go to the Users Accounts node

2. Find the user account you want to use (with a proper email address), or create a new one

2. Send the iOS MDM profile

3. Select the user account(s) you want to use

4. Click Install iOS MDM profile to user’s mobile device. It’s a link in the bottom right of the window

FOR

INTE

RNAL

USE

ONL

Y

9


5. Select the server you want to use (just click it), clear the By SMS checkbox (unless you want to deliver it by SMS and have already set it up), and click OK

3. Install the iOS MDM profile

Now you need to retrieve the link to the iOS MDM profile from the message you’ve send. You can either receive it directly on the mobile device or get it on your desktop and then use the QR-code. Let’s say we have the email account preconfigured directly on the mobile device.

6. Receive the email and click the link. It points to the KSC built-in web-server. If the specified name is unreachable from the mobile device, you can modify it right in the browser window. Until CF1 there is no way to preconfigure it on the Administration Server

7. In the Cannot Verify Server Identity window click Continue, and then Install (twice)

FOR

INTE

RNAL

USE

ONL

Y

10


8. Enter the passcode if you’ve setup one, and click Done

When iOS MDM profile is Installed Successfully

1. On the mobile device

1. Go to the Settings / General, then scroll down to the Profile group. Tap it

2. Find the Kaspersky mdm profile here

2. On the server side

3. In the KSC Administration Console go to the Mobile devices / iOS MDM mobile devices node.

4. You should find the device here:

5. And be able to send commands to it. E.g. try to Block device. It should be applied almost immediately FOR

INTE

RNAL

USE

ONL

Y

11


How to install Kaspersky Security 10 for Mobile

Preparing the Environment

1. Network Configuration

The same as for Kaspersky MDM for iOS.

Plus, KSC Administration Server must be accessible from the mobile devices at ports TCP 13292 and 17100 (can be changed in the properties of the Administration Server).

2. Kaspersky Security Center

1. KSC Administration Server—add the Mobile devices support component: under the Control Panel\ Programs\ Programs and Features find Kaspersky Security Center Administration Server, and click Uninstall/Change

2. KSC Administration Console—install the Kaspersky Security 10 for Mobile plug-in (ksc10.0.xxxxen.exe\Server\ Plugins\KES4Mobile\klcfginst.msi)

3. KSC settings—open ports for mobile devices: in the KSC Administration Console open the properties of the Administration Server, go to the Settings tab, enable Open port for mobile devices

4. iOS MDM Server—install Kaspersky MDM for iOS and deploy its MDM profile to the mobile device

Preparing the Distribution

Kaspersky Security 10 for Mobile (iOS) is distributed in form of an unsigned application. This is the Apple policy—you cannot install just any application. It should be either available on the official AppStore or distributed using your iOS Developer Account. So, as far as Kaspersky Security is not available at the AppStore, we need an iOS Developer Account.

Technically it means the Kaspersky Security for Mobile is distributed as KES.app but to start deployment you need an .ipa plus .plist files.

1. Get .ipa

How to sign the distribution is not covered in this version of the document. See http://support.kaspersky.com/9614 for some details.

Let’s say we already have the kes.ipa file.

2. Publish .ipa

First, you need to publish kes.ipa on some webserver. Let’s use KSC built-in webserver.

1. Copy kes.ipa to the KLShare folder. By default it is the %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security Center\Share

2. If you put kes.ipa right in the root of the KLShare, the link to it will look like http://<server-address>:8060/kes.ipa FOR

INTE

RNAL

USE

ONL

Y

http://support.kaspersky.com/9614

12


3. Create .plist

It’s an XML-file pointing to the kes.ipa. You can create it using some XML-editor, or Notepad. Anyway, it should contain the following data:

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>items</key> <array> <dict> <key>assets</key> <array> <dict> <key>kind</key> <string>software-package</string> <key>url</key> <string>http://security-center.abc.lab:8060/kes.ipa</string> </dict> </array> <key>metadata</key> <dict> <key>bundle-identifier</key> <string>ksm.com.kaspersky.KES</string> <key>bundle-version</key> <string>10.0.32</string> <key>kind</key> <string>software</string> <key>title</key> <string>KESM</string> </dict> </dict> </array> </dict> </plist>

Here, http://security-center.abc.lab:8060/kes.ipa —a link to the published package you got on the step 2.

3. Create the kes.plist file as described above, and put it in the KLShare folder, next to kes.ipa

Installing the Kaspersky Security 10 for Mobile

You can do this either via Kaspersky MDM for iOS (or some other MDM), or connect a device to some desktop and use iTunes. This document is about installation through Kaspersky MDM for iOS.

1. Add Kaspersky Security for Mobile to the manageable applications list

1. Open the KSC Administration Console and go to the Mobile devices / Mobile devices servers node

2. Double-click the iOS MDM mobile devices server and switch to the Managed applications tab

3. Click Add, type in e.g. “Kaspersky Security 10 for Mobile”

4. In the second field specify the link which points to kes.plist. This URL should be accessible from the mobile device at the port TCP 6081

5. The other two checkboxes are optional

FOR

INTE

RNAL

USE

ONL

Y

http://security-center.abc.lab:8060/kes.ipa

13


2. Launch the installation

6. Go to the Mobile devices / iOS MDM mobile devices, and find the device you want to install KSM to

7. Select it and click Install application to device. It’s a link on the right pane

8. Select the package you want to install and click OK

3. Complete the installation

9. Go to the mobile device and wait till a notification appears. It should happen almost immediately

10. Click Install

11. As a result you should find the Browser app among the installed applications

FOR

INTE

RNAL

USE

ONL

Y

14


12. Launch it, fill in the configuration details: the KSC Administration Server address and port 13292, and click Done

13. Click , then start Synchronization, and wait till it’s finished

4. Install a license key

14. In the KSC Administration Console go to the Unassigned computers / Domains node

15. Find the KSM10 folder (unless you haven’t changed it two steps above), and the mobile device in it. Move it to Managed computers

16. Go to the mobile device and start the synchronization once more (repeat the step 13)

FOR

INTE

RNAL

USE

ONL

Y

15


When Kaspersky Security 10 for Mobile is Installed Successfully

1. On the mobile device

The Browser app can be found among installed applications, and in the Settings / General / Profile you’ll find a new provisioning profile.

2. On the server side

1. Go to the Mobile devices / iOS MDM mobile devices, and find the device

2. Double-click it and switch to the Applications folder. You should find the ksm.com.kaspersky.KES here

3. Modify the policy for Kaspersky Security for Mobile: on the Network tab click Categories, and block the Social network category

4. Go to the mobile device, open the Brower app, and synchronize it

5. Try to open facebook.com, but get an error message

FOR

INTE

RNAL

USE

ONL

Y

how to install kaspersky mdm & ksm for i os v6

Technology

kaspersky mdm

ios kaspersky security

kaspersky security center

ios mdm profile

ios server

kaspersky lab website

mobile device

apns certificate