Kaspersky Endpoint Security 8 for Smartphone
Implementation guide
PROGRAM VERSION: 8.0
2
Dear User!
Thank you for choosing our product. We hope that this documentation will help you in your work and will provide answers
regarding this software product.
Note! This document is the property of Kaspersky Lab ZAO (herein also referred to as Kaspersky Lab): all rights to this
document are reserved by the copyright laws of the Russian Federation, and by international treaties. Illegal reproduction
and distribution of this document or parts hereof will result in civil, administrative or criminal liability by applicable law.
Reproduction or distribution of any materials in any format, including translations, is only allowed with the written
permission of Kaspersky Lab.
This document, and graphic images related to it, may be used exclusively for informational, non-commercial, and
personal purposes.
Kaspersky Lab reserves the right to amend this document without additional notification. You can find the latest version
of this document at the Kaspersky Lab website, at http://www.kaspersky.com/docs.
Kaspersky Lab shall not be liable for the content, quality, relevance, or accuracy of any materials used in this document
for which the rights are held by third parties, or for any potential or actual losses associated with the use of these
materials.
Document last revised on: February 8, 2012
© 2012 Kaspersky Lab ZAO. All Rights Reserved.
http://www.kaspersky.com
http://support.kaspersky.com
3
TABLE OF CONTENTS
ABOUT THIS HELP ....................................................................................................................................................... 6
In this document ....................................................................................................................................................... 6
Document conventions ............................................................................................................................................. 7
ADDITIONAL SOURCES OF INFORMATION ............................................................................................................... 8
Information sources for further research ................................................................................................................... 8
Discussion of Kaspersky Lab applications on the Web forum .................................................................................. 9
Contacting the User Documentation Development Group ........................................................................................ 9
KASPERSKY ENDPOINT SECURITY 8 FOR SMARTPHONE ................................................................................... 10
What's new ............................................................................................................................................................. 11
Distribution kit ......................................................................................................................................................... 12
Hardware and software requirements ..................................................................................................................... 14
ABOUT KASPERSKY ENDPOINT SECURITY 8 FOR SMARTPHONE COMPONENTS ........................................... 15
Anti-Virus ................................................................................................................................................................ 15
Protection .......................................................................................................................................................... 16
On-demand scans ............................................................................................................................................. 16
Update .............................................................................................................................................................. 17
Anti-Theft ................................................................................................................................................................ 17
Block ................................................................................................................................................................. 18
Data Wipe ......................................................................................................................................................... 18
SIM Watch ........................................................................................................................................................ 18
GPS Find .......................................................................................................................................................... 19
Privacy Protection ................................................................................................................................................... 19
Anti-Spam ............................................................................................................................................................... 19
Firewall ................................................................................................................................................................... 20
Encryption ............................................................................................................................................................... 20
MANAGING LICENSES ................................................................................................................................ ............... 21
About the License Agreement ................................................................................................................................ 21
About Kaspersky Endpoint Security 8 for Smartphone licenses ............................................................................. 21
A bout Kaspersky Endpoint Security 8 for Smartphone key file .............................................................................. 22
Activating the application ........................................................................................................................................ 23
DEPLOYING THE APPLICATION THROUGH KASPERSKY SECURITY CENTER ................................................... 24
Framework for managing the application through Kaspersky Security Center ....................................................... 24
Schemes of deployment through Kaspersky Security Center ................................................................................. 25
Deploying the application through a workstation ............................................................................................... 26
Scheme for deploying the application by sending an email .............................................................................. 26
Preparing to deploy the application through Kaspersky Security Center ................................................................ 27
Installing the Administration Server ................................................................................................................... 28
Updating the Administration Server component ................................................................................................ 28
Configuring Administration Server settings ....................................................................................................... 29
Installing the plug-in for managing Kaspersky Endpoint Security 8 for Smartphone ......................................... 30
Placing the application distribution package on the ftp/http server. ................................................................... 30
Installing the application through a workstation ...................................................................................................... 30
Creating an installation package. ...................................................................................................................... 31
Configuration of installation package settings ................................................................................................... 32
I M P L E M E N T A T I O N G U I D E
4
Creating a deployment task .............................................................................................................................. 34
Delivering the application distribution package to a mobile device through a workstation ................................ 41
Installing the application on a mobile device through a workstation .................................................................. 42
Installing the application by sending an email......................................................................................................... 42
Creating a message with the application distribution package .......................................................................... 42
Installing the application on a mobile device after receiving an email message................................................ 44
Installing a license through Kaspersky Security Center .......................................................................................... 44
Using policies ......................................................................................................................................................... 44
Creating a policy ............................................................................................................................................... 45
Configuring policy settings ................................................................................................................................ 54
Applying a policy ............................................................................................................................................... 54
Allocating devices to the Managed computers group ............................................................................................. 54
Allocating devices to a group manually ............................................................................................................. 55
Configuring automatic allocation of devices to a group ..................................................................................... 56
Configuring local application settings ..................................................................................................................... 58
Settings of Kaspersky Endpoint Security 8 for Smartphone ................................................................................... 59
Settings for Scan on request ............................................................................................................................. 60
Settings for Protection ................................................................................................................................ ....... 61
Settings for Update ........................................................................................................................................... 63
Settings for Anti-Theft ....................................................................................................................................... 65
Settings for Firewall .......................................................................................................................................... 70
Settings for synchronization of devices with the Administration Server ............................................................ 71
Settings for Anti-Spam and Privacy Protection ................................................................................................. 72
Settings for Encryption ...................................................................................................................................... 73
Uninstalling the application ..................................................................................................................................... 74
DEPLOYING THE APPLICATION THROUGH MS SCMDM ........................................................................................ 75
Framework for managing the application through MDM ......................................................................................... 76
Scheme of application deployment through MDM .................................................................................................. 77
Preparing for deployment of the application through MDM ..................................................................................... 78
A bout the administrative template .................................................................................................................... 78
Installing the administrative template ................................................................................................................ 78
Configuring the administrative template ............................................................................................................ 79
Activating the application ................................................................................................................................ 102
Installation and deletion of the application on mobile devices .............................................................................. 103
Creating an installation package. .................................................................................................................... 103
Installing the application on mobile devices .................................................................................................... 114
Deleting the application from mobile devices .................................................................................................. 115
DEPLOYING THE APPLICATION THROUGH SYBASE AFARIA ............................................................................. 116
Framework for managing the application through Sybase Afaria ......................................................................... 116
Scheme for deploying the application through Sybase Afaria............................................................................... 117
Preparing to deploy Kaspersky Endpoint Security 8 for Smartphone ................................................................... 118
Installing the policy administration utility ............................................................................................................... 119
Creating a policy. Configuring settings for Kaspersky Endpoint Security 8 for Smartphone ................................. 119
Configuring the settings for the Protection option ........................................................................................... 121
Configuring the settings for the Scan on request option ................................................................................. 122
Configuring the settings for updating the anti-virus databases ....................................................................... 124
Configuring the settings for the Anti-Theft component .................................................................................... 125
Configuring the settings for the Firewall component ....................................................................................... 132
T A B L E O F C O N T E N T S
5
Configuring the settings for the Encryption component ................................................................................... 133
Configuring the settings for the Anti-Spam component ................................................................................... 134
Configuring the settings for the Privacy Protection component ....................................................................... 135
Configuring the settings for the license ........................................................................................................... 135
Adding a license through Sybase Afaria ............................................................................................................... 136
Editing a policy ..................................................................................................................................................... 137
Installing the application ....................................................................................................................................... 137
Creating a channel containing an application policy for devices with Microsoft Windows Mobile and Symbian OS
........................................................................................................................................................................ 138
Creating a channel containing a distribution package for devices with Microsoft Windows Mobile and Symbian OS
........................................................................................................................................................................ 139
Associating channels to install the application on devices with Microsoft Windows Mobile and Symbian OS 140
Creating a channel for devices with BlackBerry OS ........................................................................................ 141
Installing the application on mobile devices .................................................................................................... 143
Uninstalling the application ................................................................................................................................... 143
CONTACTING THE TECHNICAL SUPPORT SERVICE ........................................................................................... 144
GLOSSARY ............................................................................................................................................................... 145
KASPERSKY LAB ZAO ............................................................................................................................................. 149
INFORMATION ABOUT THIRD-PARTY CODE ........................................................................................................ 150
Distributed program code ..................................................................................................................................... 150
ADB ................................................................................................................................................................ 150
ADBWINAPI.DLL ............................................................................................................................................ 150
ADBWINUSBAPI.DLL ..................................................................................................................................... 150
Other information .................................................................................................................................................. 152
TRADEMARK NOTICE .............................................................................................................................................. 153
INDEX ........................................................................................................................................................................ 154
6
ABOUT THIS HELP
IN THIS SECTION
In this document ................................................................................................................................................................ 6
Document conventions ...................................................................................................................................................... 7
Thank you for using our product. We hope that the information provided in this guide will help you to use Kaspersky
Endpoint Security 8 for Smartphone.
The guide is aimed at company network administrators. It contains information on how to install and configure the
application on users' mobile devices through the following platforms:
Kaspersky Security Center;
Microsoft System Center Mobile Device Manager;
Sybase Afaria.
Information on using Kaspersky Anti-Virus on mobile devices with various operating systems is provided in the
Kaspersky Endpoint Security 8 for Smartphone User Guide for each individual operating system.
If you do not find the answer to your question about Kaspersky Endpoint Security 8 for Smartphone in this document, you
can refer to other data sources (see "Additional data sources" on page 8).
IN THIS DOCUMENT
The following sections are included in the document:
Additional sources of information (on page 8). This section includes information on where, other than in the set
of documents included in the distribution kit, you can obtain information about the application and how to
approach Kaspersky Lab for information should the need arise.
Managing licenses (on page 21). This section includes detailed information on the main concepts regarding the
licensing of Kaspersky Endpoint Security 8 for Smartphone, and on how to install and delete the license for
Kaspersky Endpoint Security 8 for Smartphone on users' mobile devices.
Kaspersky Endpoint Security 8 for Smartphone (on page 10). This section lists the main functions of Kaspersky
Endpoint Security 8 for Smartphone, the differences between Kaspersky Endpoint Security 8 for Smartphone
and previous versions of the application, and the hardware and software requirements of users' mobile devices
and the administrative system.
About the components of Kaspersky Endpoint Security 8 for Smartphone (on page 15). This section includes,
for each component, a description of its purpose and operational procedure, and information about the
operating systems supported by this component and the functions included in it.
Deploying the application through Kaspersky Security Center (on page 24). This section describes the process
of deploying Kaspersky Endpoint Security 8 for Smartphone through Kaspersky Security Center.
Deploying the application through MS SCMDM (on page 75). This section describes the process of deploying
Kaspersky Endpoint Security 8 for Smartphone through Mobile Device Manager.
A B O U T T H I S H E L P
7
SAMPLE TEXT
DOCUMENT CONVENTIONS DESCRIPTION
Please note that...
Warnings are highlighted in red and enclosed in frames. Warnings contain
important information, for example, on safety-critical computer operations.
It is recommended to use...
Notes are enclosed in frames. Notes contain additional and reference
information.
Example:
...
Examples are given by section, on a yellow background, and under the heading
"Example".
Update means...
New terms are marked by italics.
ALT+F4
Names of keyboard keys appear in a bold typeface and are capitalized.
Names of the keys followed by a "plus" sign indicate the use of a key
combination.
Enable
Names of interface elements, for example, input fields, menu commands,
buttons, etc., are marked in a bold typeface.
To configure a task schedule:
Instructions are marked by the arrow symbol.
Instruction introductory phrases are marked in italics.
help
Texts in the command line or texts of messages displayed on the screen have a
special font.
<IP address of your computer>
Variables are enclosed in angle brackets. Instead of the variables the
corresponding values are placed in each case, and the angle brackets are
omitted.
Deploying the application through Sybase Afaria (on page 116). This section describes the process of deploying
Kaspersky Endpoint Security 8 for Smartphone through Sybase Afaria.
Contacting the Technical Support service. The section describes the rules of getting technical support.
Glossary. This section lists the terms used in this guide.
ZAO Kaspersky Lab (see page 149). This section presents information about Kaspersky Lab.
Information about the use of third-party code. This section gives you information on third-party code used in the
application.
Index. This section enables you to quickly find the required information in the document.
DOCUMENT CONVENTIONS
Document conventions described in the table below are used in this Guide.
Таблица 1. Document conventions
8
ADDITIONAL SOURCES OF INFORMATION
IN THIS SECTION
Information sources for further research ........................................................................................................................... 8
Discussion of Kaspersky Lab applications on the Web forum ........................................................................................... 9
Contacting the User Documentation Development Group ................................................................................................ 9
If you have any questions regarding the selection, purchase, installation or use of Kaspersky Endpoint Security 8 for
Smartphone, you can find answers to them through various sources of information. You can choose the most suitable
source according to how important or urgent your request is.
INFORMATION SOURCES FOR FURTHER RESEARCH
You can view the following sources of information about the application:
the Kaspersky Lab application website;
the application Knowledge Base page at the Technical Support Service website;
the Help system;
documentation.
Page on Kaspersky Lab website
http://www.kaspersky.com/endpoint-security-smartphone
Use this page to obtain general information about Kaspersky Endpoint Security 8 for Smartphone features and
options. You can purchase Kaspersky Endpoint Security 8 for Smartphone or extend your license at our eStore.
The application page at the Technical Support Service website (Knowledge Base)
http://support.kaspersky.com/kes8m
This page contains articles written by experts from the Technical Support Service.
These articles contain useful information, recommendations, and the Frequently Asked Questions (FAQ) page, and
cover purchasing, installing and using Kaspersky Endpoint Security 8 for Smartphone. They are arranged in topics,
such as "Working with key files", "Database updates" and "Troubleshooting". The articles aim to answer questions
about this Kaspersky Endpoint Security 8 for Smartphone, as well as other Kaspersky Lab products. They may also
contain news from the Technical Support Service.
A D D I T I O N A L S O U R C E S O F I N F O R M A T I O N
9
The Help system
The Help system installed with Kaspersky Endpoint Security 8 for Smartphone includes context help for the plug-in
for managing the application through Kaspersky Security Center, as well as context help sections for mobile devices
with the following operating systems:
Microsoft Windows Mobile.
Symbian.
BlackBerry.
Android.
The context help contains information about the application's individual windows and tabs.
Documentation
The set of documentation for Kaspersky Endpoint Security 8 for Smartphone contains most of the information
needed in order to work with it. The set includes the following documents::
User Guide. Guides for using the application on Windows Mobile, Symbian, BlackBerry and Android mobile
devices. Each user guide contains information to enable the user to independently install, configure and activate
the application on a mobile device.
Implementation Guide. The implementation guide enables the administrator to install and configure the
application on users' mobile devices through the following platforms:
Kaspersky Security Center;
Microsoft System Center Mobile Device Manager.
Sybase Afaria.
DISCUSSION OF KASPERSKY LAB APPLICATIONS ON THE WEB FORUM
If your question does not require an immediate answer, you can discuss it with Kaspersky Lab experts and other users in
our forum at http://forum.kaspersky.com/index.php?showforum=5.
In the forum you can view existing discussions, leave your comments, and create new topics, or use the search engine
for specific enquiries.
CONTACTING THE USER DOCUMENTATION DEVELOPMENT GROUP
If you have any questions about the documentation, or you have found an error in it, or would like to leave a comment,
please contact our Technical Documentation Development group. To contact the Documentation Development Group
send an email to docfeedback@kaspersky.com. Use the subject line: "Kaspersky Help Feedback: Kaspersky Endpoint
Security 8".
10
KASPERSKY ENDPOINT SECURITY 8 FOR SMARTPHONE
Kaspersky Endpoint Security 8 for Smartphone protects mobile devices working with the operating systems Symbian,
Microsoft Windows Mobile, BlackBerry and Android from known and new threats, and unwanted calls and SMS
messages. The application allows monitoring outgoing SMS messages, network activity, and protect confidential
information against unauthorized access. Every type of threat is processed in separate components of the program. This
allows to fine-tune the application settings depending on user needs.
Kaspersky Endpoint Security 8 for Smartphone supports these remote administration systems: Kaspersky Security
Center, MS SCMDM and Sybase Afaria. The network administrator can use these systems' features to remotely:
install the application on mobile devices;
delete the application from devices through MS SCMDM;
configure application settings, either for several devices at the same time, or for each individual device
separately;
create in Kaspersky Security Center reports on the operation of the application components installed on mobile
devices.
Kaspersky Endpoint Security 8 for Smartphone includes the following protection components:
Protection. Protects the mobile device's file system against infections. The Protection component is initiated
when starting the operating system, it is always in the device's operating memory and verifies all open, saved
and started files on the device, including on memory cards. Furthermore, the Protection verifies all incoming
files for the existence of known viruses. You can continue working with file if the object is not infected or has
been successfully disinfected.
Scanning the device. Helps detect and neutralize malicious objects on the mobile device. It is essential to scan
the device regularly to prevent the spread of any malicious objects that have not been detected by Protection.
Anti-Spam. Scans all incoming SMS messages and calls for spam. The component allows blocking all SMS
messages and calls, which are regarded as unsolicited. Filtering of messages and calls is carried out by using a
Black List and/or White List of numbers. All SMS messages and calls from numbers included in the Black List
are blocked. SMS and calls from numbers included in the White List are always delivered to the mobile device.
The component also allows you to configure the application's reaction to SMS messages from non-numeric
numbers, and to calls and SMS messages from numbers that are not in Contacts.
Anti-Theft folder. Protects the information on the device from unauthorized access, when it is lost or stolen.
This component allows the blocking of the device in the event of theft or loss, deletes confidential information
and controls SIM card usage and determines the geographical coordinates of the device (if a mobile device is
equipped with a GPS receiver).
Privacy Protection. Hides confidential user information when the device is used by other persons. The
component allows the displaying or hiding of all information related to specified subscriber numbers, for instance
details in the Contact list, SMS correspondence or entries in the calls log. The component also allows you to
hide the delivery of incoming calls and SMS messages from specified numbers.
Firewall folder. Checks the network connections on the mobile device. The component allows you to specify
connections to be allowed or blocked.
Encryption folder. Protects information from being viewed by third parties even if access to the device is
achieved. The component encrypts any amount of non-system folders which are in the device's onboard
memory or on a storage card. The data in the folder become available only after the secret code is entered.
Furthermore, the application contains a set of service features. They are designed to keep the application up-to-date,
enhance its performance and help users.
K A S P E R S K Y E N D P O I N T S E C U R I T Y 8 F O R S M A R T P H O N E
11
IN THIS SECTION
What's new ...................................................................................................................................................................... 11
Distribution kit .................................................................................................................................................................. 12
Hardware and software requirements ............................................................................................................................. 14
Updating the application's databases. This function keeps Kaspersky Endpoint Security 8 for Smartphone
databases up-to-date. Updates can be started by the device's user manually, or in accordance with a schedule,
which is set in the application settings.
Protection status. The status of the program components is displayed on screen. On the basis of the information
presented, users can assess the current protection status of their device.
Events log. Each of the application's components has its own events log, which contains information on the
component's operation (for instance, completed operation, data on a blocked object, scan report, updates).
License tab. When you purchase Kaspersky Endpoint Security 8 for Smartphone, a license agreement is made
between your company and Kaspersky Lab, according to which the company's employees can use the
application and access application database updates and the Technical Support Service for a specified period
of time. The terms of use and other information required for full-feature application operation are indicated in the
license.
Kaspersky Endpoint Security 8 for Smartphone does not back up and subsequently restore data.
WHAT'S NEW
The differences between Kaspersky Endpoint Security 8 for Smartphone and previous versions of the application are:
Support for new platforms: Sybase Afaria and Microsoft System Center Mobile Device Manager (MS SCMDM).
Installation of the application on devices by the delivery of email messages.
Access to the application is protected by a secret code.
The list of executable files scanned by the application in the event of a restriction of the type of files scanned by
Protection and Scan is extended. The application's executable files of the following formats are scanned: EXE,
DLL, MDL, APP, RDL, PRT, PXT, LDD, PDD, CLASS. If the archive scan function is enabled, the application
unpacks and scans archives in the following formats: ZIP, JAR, JAD, SIS, SISX, RAR and CAB.
Privacy Protection can hide the following information for confidential contacts: entries in Contacts, SMS
correspondence and new incoming SMS messages and incoming calls. Confidential information is accessible
for viewing for hiding is disabled.
Encryption allows encrypting folders saved in the device's memory or on a memory card. The component
protects confidential data in encrypted mode and allows access to encrypted information only when the
application secret code is entered.
A new function GPS Find is enabled in the updated Anti-Theft: if the device is lost or stolen, its geographical
coordinates can be picked up on a telephone number or indicated email address. Also, in Anti-Theft, an updated
function Data Wipe can remotely delete not just the user's personal information kept in the memory of the
telephone or on the storage card, but also files from the list of folders to be deleted.
To economize on traffic, an option has been added to automatically disable application database updates when
the mobile device is in a roaming zone.
I M P L E M E N T A T I O N G U I D E
12
A new service function has been added, called Display prompts: Kaspersky Endpoint Security 8 for Smartphone
shows a short description of a component before configuration of its settings.
Support for Android OS devices has been added.
DISTRIBUTION KIT
You can purchase Kaspersky Endpoint Security 8 for Smartphone from one of our partners or an Internet shop (e.g.
http://www.kaspersky.com, eStore section). In addition, Kaspersky Endpoint Security 8 for Smartphone is supplied as
part of all products from the Kaspersky Open Space Security product line.
When purchasing Kaspersky Endpoint Security 8 for Smartphone at eStore, you make an order. On purchasing, you
receive an information message by email, which contains a key file for activating the application and a URL that you can
use to download the application installation package. For detailed information about purchasing the application and
receiving the distribution kit, please contact our sales department at sales@kaspersky.com.
If your organization is using Kaspersky Security Center to deploy Kaspersky Endpoint Security 8 for Smartphone, the
distribution package will include klcfginst.exe (installer file for the plug-in enabling administration of Kaspersky Endpoint
Security 8 for Smartphone via Kaspersky Security Center) and the self-extracting archive KES8_forAdminKit_ru.exe,
which contains the following files necessary to install the application on mobile devices:
endpoint_8_0_x_xx_en.cab – application installation file for the Microsoft Windows Mobile operating system;
endpoint8_mobile_8_x_xx_eu4_signed.sis – application installation file for the Symbian operating system;
Endpoint8_Mobile_8_x_xx_release.zip – application installation file for the BlackBerry operating system;
Endpoint8_8_x_xx_release.apk – application installation file for the Android operating system;
AdbWinUsbApi.dll, AdbWinApi.dll, adb.exe – set of files required to install the application on devices with the
Android operating system;
installer.ini – configuration file containing the settings for connection to the Administration Server;
kmlisten.ini – configuration file containing the settings for the utility delivering the installation package;
kmlisten.kpd – the application description file;
kmlisten.exe – utility delivering the installation package to a mobile device through a workstation;
Documentation:
Implementation Guide for Kaspersky Endpoint Security 8 for Smartphone;
User Guide for Kaspersky Endpoint Security 8 for Smartphone for Microsoft Windows Mobile;
User Guide for Kaspersky Endpoint Security 8 for Smartphone for Symbian OS;
User Guide for Kaspersky Endpoint Security 8 for Smartphone for BlackBerry OS;
User Guide for Kaspersky Endpoint Security 8 for Smartphone for Android OS;
Context help for the plug-in for managing Kaspersky Endpoint Security 8 for Smartphone;
Context help for the application for Microsoft Windows Mobile;
Context help for the application for Symbian OS;
Context help for the application for BlackBerry OS;
Context help for the application for Android OS;
K A S P E R S K Y E N D P O I N T S E C U R I T Y 8 F O R S M A R T P H O N E
13
If your organization is using Mobile Device Manager to deploy Kaspersky Endpoint Security 8 for Smartphone, the
distribution package will include the self-extracting archive KES8_forMicrosoftMDM_en.exe, which contains the following
files that are necessary to install the application on mobile devices:
endpoint_MDM_Afaria_8_0_x_xx_en.cab – application installation file for the Microsoft Windows Mobile
operating system;
endpoint8_en.adm – administrative template file for managing policies, which contains their settings;
endpoint8_ca.cer – certification center's certificate file;
endpoint8_cert.cer – certificate file used to sign the application installation file;
kes2mdm.exe – utility for converting the application key file;
kl.pbv, licensing.dll, oper.pbv – set of auxiliary files required for the kes2mdm.exe utility;
Documentation:
Implementation Guide for Kaspersky Endpoint Security 8 for Smartphone;
User Guide for Kaspersky Endpoint Security 8 for Smartphone for Microsoft Windows Mobile;
Context help for the application for Microsoft Windows Mobile;
If your organization is using Sybase Afaria to deploy Kaspersky Endpoint Security 8 for Smartphone, the distribution
package will include the self-extracting archive KES8_forSybaseAfaria_en.exe, which contains the following files that are
necessary to install the application on mobile devices:
endpoint_MDM_Afaria_8_0_x_xx_en.cab – application installation file for the Microsoft Windows Mobile
operating system;
endpoint8_mobile_8_x_xx_eu4.sisx – application installation file for the Symbian operating system;
Endpoint8_Mobile_Installer.cod – application installation file for the BlackBerry operating system;
KES2Afaria.exe – utility for managing the policy for Kaspersky Endpoint Security 8 for Smartphone;
kl.pbv, licensing.dll, oper.pbv – set of required auxiliary files included with the KES2Afaria.exe utility;
Documentation:
Implementation Guide for Kaspersky Endpoint Security 8 for Smartphone;
User Guide for Kaspersky Endpoint Security 8 for Smartphone for Microsoft Windows Mobile;
User Guide for Kaspersky Endpoint Security 8 for Smartphone for Symbian OS;
User Guide for Kaspersky Endpoint Security 8 for Smartphone for BlackBerry OS;
Context help for the application for Microsoft Windows Mobile;
Context help for the application for Symbian OS;
Context help for the application for BlackBerry OS;
I M P L E M E N T A T I O N G U I D E
14
HARDWARE AND SOFTWARE REQUIREMENTS
For Kaspersky Endpoint Security 8 for Smartphone to function correctly, the users' mobile devices must fulfill the
following requirements.
Hardware requirements:
Symbian OS 9.1, 9.2, 9.3, 9.4 Series 60 UI, Symbian^3 (only for Nokia mobile devices), Symbian Belle;
Windows Mobile 5.0, 6.0, 6.1, 6.5.
BlackBerry 4.5, 4.6, 4.7, 5.0, 6.0.
Android 1.6, 2.0, 2.1, 2.2, 2.3, 3.x, 4.0.
To deploy Kaspersky Endpoint Security 8 for Smartphone on a network, the remote administration system must fulfill the
following minimum requirements:
Software requirements:
Kaspersky Security Center 9.0.
Mobile Device Manager Software Distribution Microsoft Corporation Version: 1.0.4050.0000 (SP).
System Center Mobile Device Manager Microsoft Corporation Version: 1.0.4050.0000.
Sybase Afaria 6.50.4607.0.
15
ABOUT KASPERSKY ENDPOINT SECURITY
IN THIS SECTION
Anti-Virus ......................................................................................................................................................................... 15
Anti-Theft ......................................................................................................................................................................... 17
Privacy Protection ........................................................................................................................................................... 19
Anti-Spam ....................................................................................................................................................................... 19
Firewall ............................................................................................................................................................................ 20
Encryption ....................................................................................................................................................................... 20
IN THIS SECTION
Protection ................................................................ ........................................................................................................ 16
On-demand scans ........................................................................................................................................................... 16
Update............................................................................................................................................................................. 17
8 FOR SMARTPHONE COMPONENTS
Kaspersky Endpoint Security 8 for Smartphone includes the following components:
Anti-Virus (on page 15).
Anti-Theft (on page 17).
Privacy Protection (on page 19).
Anti-Spam (on page 19).
Firewall (on page 20).
Encryption (on page 20).
This section includes, for each component, a description of its purpose and operational procedure, and information about
the operating systems supported by this component and the functions included in it.
ANTI-VIRUS
The Anti-Virus component provides anti-virus protection for mobile devices. It includes the following functions: Protection
(see page 16), Scan on request (see page 16), Update (see page 17).
I M P L E M E N T A T I O N G U I D E
16
PROTECTION
Protection scans all running processes in the file system, monitors events on the device, and scans all new, opened and
modified files (including ones located on the memory card), and installed applications for malicious code immediately
before they are called by the user.
Protection operates as follows:
1. Protection launches when the operating system starts up.
2. Protection scans files of the selected types when the user attempts to access them. Protection works on the
basis of the application's anti-virus databases.
3. Based on the results of the analysis, Protection performs an action in accordance with the operating system.
For the Symbian and Microsoft Windows Mobile operating systems, Protection can behave in the following
ways:
If malicious code is detected in the file, Protection blocks the file, performs an action in accordance with the
settings applied, informs the user about the malicious object's detection, and records the information in the
application's log;
If no malicious code is discovered in the file, it will be immediately restored.
For the Android operating system, Protection can behave in the following ways:
If malicious code was detected in the file, the Protection performs the action specified in the settings;
If no malicious code is discovered in the file, it will be immediately restored.
4. Protection writes information about events and user actions to the events log (for the Symbian and Microsoft
Windows Mobile operating systems).
Reports on events and user actions are not available in Kaspersky Endpoint Security 8 for Smartphone for the
Android operating system.
Protection is not supported in the BlackBerry operating system .
ON-DEMAND SCANS
Scan on request scans the mobile device's file system for the presence of malicious objects. Kaspersky Endpoint
Security 8 for Smartphone can perform either a full scan of the device's file system or a partial scan – i.e. scan only the
content of the device's built-in memory or a specific folder (including those located on the storage card). A full scan can
be started manually or automatically in accordance with a schedule. A partial scan can only be started manually by the
user directly from the application installed on the mobile device.
The device is scanned as follows:
1. Kaspersky Endpoint Security 8 for Smartphone scans files of the types selected in the scan settings.
2. During the scan, Kaspersky Endpoint Security 8 for Smartphone analyses the file for the presence of malicious
objects. Malicious objects are detected by comparison with the application's anti-virus databases.
3. Based on the results of the analysis, the application performs an action depending on the host operating
system.
For the Symbian and Microsoft Windows Mobile operating systems, Kaspersky Endpoint Security 8 for
Smartphone can behave in the following ways:
If malicious code is detected in the file, Kaspersky Endpoint Security 8 for Smartphone blocks access to the
file, performs the selected action in accordance with the specified settings, and notifies the user.
A B O U T K A S P E R S K Y E N D P O I N T S E C U R I T Y 8 F O R S M A R T P H O N E C O M P O N E N T S
17
For the Android operating system, if malicious code is detected during the file analysis, the application
performs the action selected in accordance with the settings.
If no malicious code is detected, the file immediately becomes accessible for operation.
4. Information about the progress of the scan and events are saved in the events log (for the Symbian and
Microsoft Windows Mobile operating systems).
Scan reports are not available in Kaspersky Endpoint Security 8 for Smartphone for the Android operating
system.
Scan on request functionality is not supported for the BlackBerry operating system.
The settings applied by the administrator through the remote administration system are used for both full and partial
scans of the device.
The administrator can also configure automatic starting of device scans in accordance with a schedule. It is not possible
to start a partial scan through the remote administration system.
UPDATE
Protection and Scan on request work on the basis of the anti-virus databases, which contain descriptions of all currently
known malicious programs and methods for neutralizing them, as well as descriptions of other unwanted objects. It is
extremely important to keep your anti-virus databases up-to-date. An update can be started manually or automatically in
accordance with a schedule. To ensure that the anti-virus protection system is reliable, the anti-virus databases should
be updated regularly.
Application anti-virus databases are updated according to the following algorithm:
1. The application establishes an Internet connection, or uses the current one.
2. The application antivirus databases installed on the mobile device are compared with those located on the
specified update server.
3. Kaspersky Endpoint Security 8 for Smartphone performs one of the following:
If the installed application databases are up-to-date, the update will be cancelled. The application notifies
the user if the anti-virus databases are up-to-date.
If the installed databases are different, a new update package is downloaded and installed.
When the update process is completed, the connection is automatically closed. If the connection was
established before the update started, it will remain open for further use.
4. Information about the update is recorded in the events log.
Update functionality is not supported for the BlackBerry operating system.
ANTI-THEFT
Anti-Theft protects information stored on the mobile device from unauthorized access.
Anti-Theft includes the following functions:
Block (see page 18).
Data Wipe (see page 18).
SIM Watch (see page 18).
GPS Find (see page 18).
I M P L E M E N T A T I O N G U I D E
18
Kaspersky Endpoint Security 8 for Smartphone allows the user to remotely start the Anti-Theft functions by sending an
IN THIS SECTION
Block ............................................................................................................................................................................... 18
Data Wipe ....................................................................................................................................................................... 18
SIM Watch ....................................................................................................................................................................... 18
GPS Find ......................................................................................................................................................................... 18
SMS command from another mobile device. The SMS command is sent in the form of an encrypted SMS and also
contains the application secret code set on the device receiving the command. Receipt of the SMS command will be
unnoticed on the device receiving the SMS command. Delivery of the SMS is paid for at the rate set by the network
operator that provides the connection to the device from which the SMS command is sent.
Anti-Theft supports all operating systems.
BLOCK
Block allows you to remotely block the device and set the text to be displayed on the screen of the blocked device.
DATA WIPE
Data Wipe allows you to remotely delete the user's personal data from the device (entries in Contacts, messages, picture
gallery, calendar, logs, Internet connection settings), as well as information from memory cards, and folders selected by
the administrator and user for deletion. The user cannot restore this data!
The administrator can specify folders for deletion in the policy. The administrator can select folders stored in a memory
card or in the device's onboard memory. For Android OS devices, the administrator can select for deletion only folders
stored in a memory card. Folders stored in the device's onboard memory cannot be selected for deletion.
Users cannot cancel the deletion of folders set by the administrator, but can indicate additional folders for deletion on
their mobile device through the application's local interface (see the User Guide for the corresponding operating system).
If the administrator has not set folders for deletion, only folders set by the user will be deleted.
SIM WATCH
SIM Watch allows you to obtain the current phone number in the event that the SIM card is replaced, as well as block the
device in the event that the SIM card is replaced or the device is activated without a SIM card. Information about a new
phone number is sent as a message to the phone number and / or email that you specified. Furthermore, SIM Watch
allows you block the device in the event of changing the SIM card or when switching on the device without it.
A B O U T K A S P E R S K Y E N D P O I N T S E C U R I T Y 8 F O R S M A R T P H O N E C O M P O N E N T S
19
GPS FIND
GPS Find allows you to locate a device. The geographical coordinates of the device are sent as a message to a phone
number from which a special SMS command has been sent, and to a specified email address.
Depending on the operating system, GPS Find works as follows:
For the Symbian, Microsoft Windows Mobile and BlackBerry operating systems, the function works only on
devices with a built-in GPS receiver. The GPS receiver is enabled automatically after the device receives a
special SMS command. If the device is within the satellites signal coverage, the GPS Find function receives and
sends the geographical coordinates of the device. If the satellites are unavailable at the time of the query, GPS
Find periodically attempts to find them and send device location results.
For the Android operating system, the built-in GPS receiver, if the device has one, is enabled automatically after
the device receives a special SMS command. If GPS Find cannot receive the device's coordinates, it
determines the approximate coordinates of the device using base stations.
PRIVACY PROTECTION
Privacy Protection hides private data on the basis of your Contact List, which lists private numbers. For confidential
numbers, Privacy Protection hides Contacts entries, incoming, drafts, and sent SMS as well as call history entries.
Privacy Protection suppresses the new SMS signal and hides the message itself in the inbox. Privacy Protection blocks
incoming calls from private numbers and does not display incoming call information on the screen. As a result, the caller
receives a busy signal. To view incoming calls and SMS for the period of time when Privacy Protection was enabled,
disable Privacy Protection. On the repeat enabling of Privacy Protection, the information is not displayed.
Privacy Protection is not supported for the BlackBerry operating system.
ANTI-SPAM
Anti-Spam blocks unwanted calls and SMS based on the user-defined White and Black Lists.
The lists consist of entries. An entry in either list contains the following information:
The phone number, information from which Anti-Spam blocks for the Black List and delivers for the White List.
The type of events that Anti-Spam blocks for the Black List and allows for the White List. The following types of
communications are available: calls and SMS, calls only, and SMS only.
Key phrase used by Anti-Spam to recognize wanted and unwanted SMS. For the Black List, Anti-Spam blocks
SMS messages, which contain this phrase, while delivering the ones, which do not contain it. For the White List,
Anti-Spam allows SMS, where this phrase is found and blocks SMS, which do not contain it.
Anti-Spam filters incoming SMS messages and calls in accordance with the mode selected by the user. The following
Anti-Spam modes are available:
Off - all incoming calls and SMS are allowed in.
Black List – all calls and SMS are allowed in except for those originating from numbers on the Black List.
White List – only calls and SMS originating from numbers on the White List are allowed in.
Both lists – incoming calls and SMS from White List numbers are allowed while those from Black List numbers
are blocked. Following a conversation or arrival of an SMS message from a number on neither list, Anti-Spam
will prompt the user to add the number to one of the lists.
I M P L E M E N T A T I O N G U I D E
20
According to the mode settings, Anti-Spam scans every incoming SMS or call and then determines whether this SMS or
call is wanted or unwanted (spam). As soon as Anti-Spam assigns the wanted or unwanted status to an SMS or call, the
scan is finished.
Information about blocked SMS messages and calls is registered in the events log.
Anti-Spam functionality is supported for all operating systems.
FIREWALL
Firewall monitors the device's network connections in accordance with the selected mode. The following Firewall modes
are available:
Disabled – any network activity allowed.
Minimum protection: incoming connections only are blocked. Outgoing connections are allowed.
Maximum protection: all incoming connections are blocked. The user can check e-mails, view websites and
download files. Outgoing connections can only be established using SSH, HTTP, IMAP, SMTP, POP3 ports
only.
Block all – block any network activity except anti-virus database update and connection to the remote
administration system.
Depending on the mode, the Firewall allows you to establish connections that are allowed, and to block connections that
are prohibited. Information about blocked connections is recorded in the events log. Firewall also allows configuration of
notifications to the user about blocked connections.
Firewall is not supported in BlackBerry and Android operating systems.
ENCRYPTION
Encryption encrypts information in folders specified by the administrator and the user. Encryption works on the basis of
the action of the function of the same name that is built into the device's operating system.
The administrator can specify folders for encryption in the policy. Users cannot cancel deletion of folders set by the
administrator, but can indicate additional folders for deletion on their mobile device through the application's local
interface (see User Guide). If the administrator has not set folders for encryption, only folders set by the user will be
encrypted.
The Encryption function allows the encryption of any type of folder with the exception of system folders. There is support
for encryption of folders stored either in the device's memory or on a memory card. Encrypted information is accessible
to the user after entering the application secret code, which was set by the user when the application was first run.
Encryption allows you to set a time period, upon the expiry of which, access to encrypted folders will be blocked and use
of them will require entry of the application secret code. The function becomes activated after the device switches to
power-saving mode.
Encryption is not supported in BlackBerry and Android operating systems.
21
MANAGING LICENSES
IN THIS SECTION
About the License Agreement ......................................................................................................................................... 21
About Kaspersky Endpoint Security 8 for Smartphone licenses ...................................................................................... 21
A bout Kaspersky Endpoint Security 8 for Smartphone key file ...................................................................................... 22
Activating the application................................................................................................................................................. 23
In the context of licensing Kaspersky Lab applications, it is important to know these terms below:
License Agreement;
license;
key file;
activating the application.
These terms are inseparably interlinked and constitute a single licensing pattern. Let us have a closer look at every term.
ABOUT THE LICENSE AGREEMENT
The License Agreement is an agreement between a private individual or a legal entity which legally owns a copy of
Kaspersky Endpoint Security and Kaspersky Lab. The License Agreement is included with each Kaspersky Lab
application. It provides detailed information on rights and limitations regarding the use of Kaspersky Endpoint Security.
In accordance with the License Agreement, when purchasing and installing a Kaspersky Lab application, you obtain the
unlimited right to owning its copy.
Kaspersky Lab is also pleased to offer the following services:
technical support
Kaspersky Endpoint Security database updates
To obtain these, you need to purchase a license and activate the application.
ABOUT KASPERSKY ENDPOINT SECURITY 8 FOR SMARTPHONE LICENSES
A license is the right to use Kaspersky Endpoint Security 8 for Smartphone on one or more mobile devices and the
additional services associated with it as provided by Kaspersky Lab or its partners.
Every license has a validity period and type.
The license validity period is the period of time during which you are provided with additional services. The scope of
services provided depends on the license type.
I M P L E M E N T A T I O N G U I D E
22
The following license types are available:
Trial – a free license with a limited validity period, e.g. 30 days, offered to allow you to get acquainted with
Kaspersky Endpoint Security 8 for Smartphone.
A trial license can be used only once, and cannot be used following the use of a commercial license!
It is delivered with the trial version of the application. Whilst using a trial license, you cannot contact the
Technical Support Service. Upon expiration of its validity period, Kaspersky Endpoint Security 8 for Smartphone
stops performing all of its functions. When this happens, only the following actions are available:
disabling the Encryption and Privacy Protection components;
administrators can decrypt folders previously selected by them for encryption;
users can decrypt folders previously selected by them for encryption;
viewing the application's help system;
synchronization with the remote administration system.
Commercial – a paid license with a limited validity period (e.g. one year), provided upon purchase of Kaspersky
Endpoint Security 8 for Smartphone. This license extends with the license restriction, for instance, to the
number of protected mobile devices.
During the commercial license's period of validity, all functions of the application and additional services are
accessible.
On termination of the commercial license's term of validity, the functions of Kaspersky Endpoint Security 8 for
Smartphone are restricted. You can continue to use the Anti-Spam and Firewall components, perform an anti-virus scan
of the mobile device and use protection components, but only on the basis of anti-virus databases that are up to date on
the date of the license terminates. Anti-virus databases are not updated. For the other components, only the following
actions are accessible:
disabling of the Encryption, Anti-Spam, and Privacy Protection components;
administrators can decrypt folders previously selected by them for encryption;
users can decrypt folders previously selected by them for encryption;
viewing the application's help system;
synchronization with the remote administration system.
In order to use the application and additional services, a commercial license must be purchased and activated.
The application is activated by installing the key file associated with the license.
A BOUT KASPERSKY ENDPOINT SECURITY 8 FOR SMARTPHONE KEY FILE
Key file – The key file is a piece of technical equipment that allows you to install a license and activate the application,
and, in addition, constitutes your right to use the application and additional services.
The key file is included in the application's distribution kit if it is purchased from a Kaspersky Lab distributor, or is sent to
you by email if the application is purchased through an Internet shop.
M A N A G I N G L I C E N S E S
23
Example:
License validity period: 300 days.
Key file issue date: Sep. 01, 2010.
Key file lifetime: 300 days.
Date of installation of the key file: 10.09.2010, i.e. 9 days after the date of its subscription.
Result:
Calculated validity period of the license: 300 days – 9 days = 291 days.
SEE ALSO
Installing a license through Kaspersky Security Center .................................................................................................. 44
Activating the application............................................................................................................................................... 102
Adding a license through Sybase Afaria........................................................................................................................ 136
The key file includes the following information:
License validity period.
License type (trial, commercial).
License limitations (e.g. on the number of mobile devices to which the license is distributed).
Technical Support contacts.
Lifetime of the key file.
Key file lifetime is actually the shelf life of a key assigned when it is issued. Once that period expires, the key becomes
invalid and can no longer be used to activate the corresponding product license.
Let us look at an example of how the key file validity period is linked to the validity period of the license.
ACTIVATING THE APPLICATION
After installation on a mobile device, Kaspersky Endpoint Security 8 for Smartphone works for three days without
activation in full functionality mode.
If after a period of three days the license is not activated, the application automatically switches to limited functionality
mode. In this mode, most of the components of Kaspersky Endpoint Security 8 for Smartphone are disabled (see "About
Kaspersky Endpoint Security 8 for Smartphone licenses" on page 21).
The application is activated by installing the license on the mobile device. The license is delivered to the device along
with the policy that is created in the remote administration system. During the three days following installation of the
application, the device automatically establishes a connection with the remote administration system every six hours.
The administrator must add the license to the policy within this period. As soon as the policy is transferred to a device,
the application installed on the device will be activated.
24
DEPLOYING THE APPLICATION THROUGH
IN THIS SECTION
Framework for managing the application through Kaspersky Security Center ................................................................ 24
Schemes of deployment through Kaspersky Security Center ......................................................................................... 25
Preparing to deploy the application through Kaspersky Security Center ......................................................................... 27
Installing the application through a workstation ............................................................................................................... 30
Installing the application by sending an email ................................................................................................................. 42
Installing a license through Kaspersky Security Center .................................................................................................. 44
Using policies .................................................................................................................................................................. 44
Allocating devices to the Managed computers group ...................................................................................................... 54
Configuring local application settings .............................................................................................................................. 58
Settings of Kaspersky Endpoint Security 8 for Smartphone ............................................................................................ 59
Uninstalling the application .............................................................................................................................................. 74
KASPERSKY SECURITY CENTER
This section describes the process of deploying Kaspersky Endpoint Security 8 for Smartphone through Kaspersky
Security Center.
FRAMEWORK FOR MANAGING THE APPLICATION THROUGH KASPERSKY SECURITY CENTER
Kaspersky Endpoint Security 8 for Smartphone supports management through the centralized remote administration
system of Kaspersky Security Center. Management of mobile devices and their respective instances of Kaspersky
Endpoint Security 8 for Smartphone is carried out in exactly the same way as the management of client computers and
their installations of Kaspersky Lab applications (see the Administrator Guide for Kaspersky Security Center).
The administrator creates groups, to which the mobile devices are added, and then creates a policy for Kaspersky
Endpoint Security 8 for Smartphone. The policy is a set of settings relating to the application's operation. You can use
policies to set up common values for the settings relating to the application's operation for all mobile devices included in
the group. For more details on policies and administration groups, read the Administrator Guide for Kaspersky Security
Center.
One feature of Kaspersky Endpoint Security 8 for Smartphone is that there is no creation of tasks for this application. All
of the application's settings, including the license, scheduling of application database updates, and scheduling of device
scans, are defined through a policy (see "Using policies" on page 44) or local application settings (see "Configuring local
application settings" on page 58).
If there is an intention to install and use Kaspersky Endpoint Security 8 for Smartphone on the company network, the
administrator must take this into account at the stage of planning the structure of administration groups and during
installation of the application components of Kaspersky Security Center.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
25
IN THIS SECTION
Deploying the application through a workstation ............................................................................................................. 25
Scheme for deploying the application by sending an email ............................................................................................. 26
When installing the Administration Server, you must install the component to enable management of the mobile devices
through Kaspersky Security Center (see "Installing the Administration Server" on page 28). During installation of this
component, the Administration Server for mobile devices certificate is created. This is used for authentication of the
mobile devices when exchanging data with the Administration Server. Without the mobile devices certificate, it is not
possible to establish a connection between the Administration Server and the mobile devices.
Interaction between the mobile devices and the Administration Server occurs during synchronization of the devices with
the Administration Server. This functionality is performed by Kaspersky Endpoint Security 8 for Smartphone, so there is
no need to install the Network Agent on the mobile devices.
Data exchanges between mobile devices and the Administration Server occur through an Internet connection. Incoming
and outgoing traffic is paid for by the users of the mobile devices at the rates set by their mobile service providers. The
average volume of data transferred during a single synchronization is 20-40 kB. The volume of data depends on the
quantity of reports transferred. The less frequently that synchronization occurs, the greater the number of reports that will
be transferred to the Administration Server.
To manage the protection of mobile devices, you are advised to create in the Managed computers node a separate
group or groups (in accordance with the number of different operating systems installed on the devices), and if the
application is also installed through user workstations, it is recommended to create a separate group for these
computers, too.
SCHEMES OF DEPLOYMENT THROUGH KASPERSKY SECURITY CENTER
The scheme of deployment for Kaspersky Endpoint Security 8 for Smartphone depends on the method chosen by the
administrator for installing the application on the mobile devices. The application can be installed in the following ways:
through workstations, to which the users connect their mobile devices (see "Installing the application through a
workstation" on page 30);
by sending the users an email with the application distribution package or with instructions on how to download
it (see "Installing the application by sending an email" on page 42).
The administrator ensures the preparation of the distribution package for installation on the users' mobile devices.
Copying of the distribution package to the mobile devices and installation of the application on mobile devices are carried
out by users independently. After the application is installed, the administrator must include the mobile devices in the
Managed computers group and create a policy to transfer the license and the application's settings to the mobile devices.
In the same way, when managing the application through Kaspersky Security Center, the administrator can use the
following deployment schemes: deploy the application through workstations (see "Deploying the application through
workstations" on page 25) and deploy the application by sending an email (see "Scheme for deploying the application by
sending an email" on page 26).
Before deploying the application, the administrator must ensure that the installed version of Kaspersky Security Center
supports protection management on mobile devices.
I M P L E M E N T A T I O N G U I D E
26
DEPLOYING THE APPLICATION THROUGH A WORKSTATION
Deployment of the application through a workstation is used when the users will be connecting the mobile devices to
their computers, and consists of the following stages:
1. Configuration of the management of mobile devices through Kaspersky Security Center. This stage enables
connection of the mobile devices to the Security Center (see "Preparing to deploy the application through
Kaspersky Security Center" on page 27).
2. Creation of the administration groups to which to allocate mobile devices and any workstations through which
the Kaspersky Endpoint Security 8 for Smartphone distribution package will be delivered to mobile devices.
3. Creation of the installation package for the Kaspersky Endpoint Security 8 for Smartphone remote installation
task.
4. Creation of the installation package for the Kaspersky Endpoint Security 8 for Smartphone remote installation
task.
5. Creation of the remote installation task, through which the Kaspersky Endpoint Security 8 for Smartphone
distribution package will be delivered to users' workstations and the utility for delivering the distribution package
to mobile devices will be installed on them.
6. Delivery of the application distribution package to the mobile device. At this stage, the user copies the
application distribution package to the mobile device by using the utility kmlisten.exe.
7. Installing the application on the mobile device. At this stage, the user installs the application on the mobile
device.
8. Creating a policy for managing the settings of Kaspersky Endpoint Security 8 for Smartphone.
SCHEME FOR DEPLOYING THE APPLICATION BY SENDING AN EMAIL
The application can be deployed by sending an email if, for any reason, installation of the application through a
workstation is impossible or inconvenient. For instance, the method may be used if the user workstation is running Mac
OS. This scheme consists of the following stages:
1. Configuration of the management of mobile devices through Kaspersky Security Center.
2. Placing the application distribution package on an FTP / HTTP server. At this stage, the administrator places the
application distribution package on an FTP / HTTP server and configures access to it via the Internet. Later,
when writing the email message to be sent to the users of the mobile devices, the administrator will be able to
indicate the link to this distribution package. If the administrator is planning to include the distribution package in
the message as an attachment, this stage is omitted.
3. Creation of the administration groups to which to allocate mobile devices and any workstations through which
the Kaspersky Endpoint Security 8 for Smartphone distribution package will be delivered to mobile devices.
4. Creating and sending the message with the application distribution package to users of the mobile devices.
5. Downloading the application distribution package to the mobile device. At this stage, the user downloads to the
mobile device the application distribution package that was attached to the message or placed by the
administrator on the FTP / HTTP server.
6. Installing the application on the mobile device.
7. Creating a policy for managing the settings of Kaspersky Endpoint Security 8 for Smartphone.
8. Allocating devices to the administration group.
9. Activating the application license on the users' mobile devices.
10. Configuring local application settings.
D E P L O Y I N G T HE A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
27
IN THIS SECTION
Installing the Administration Server ................................................................................................................................. 28
Updating the Administration Server component .............................................................................................................. 28
Configuring Administration Server settings ..................................................................................................................... 29
Installing the plug-in for managing Kaspersky Endpoint Security 8 for Smartphone ....................................................... 30
Placing the application distribution package on the ftp/http server. ................................................................................. 30
PREPARING TO DEPLOY THE APPLICATION THROUGH KASPERSKY SECURITY CENTER
Before beginning to deploy Kaspersky Endpoint Security 8 for Smartphone, the administrator must configure
management of the mobile devices through Kaspersky Security Center. To do this, perform the following actions:
1. On the network, install or ensure previous installation of the Kaspersky Security Center components:
Administration Server and Administration Console (see the Deployment Guide for Kaspersky Security Center).
2. Check that the installed components meet the application requirements for installation of Kaspersky Endpoint
Security 8 for Smartphone.
When installing the Administration Server, you must install the component to enable management of the mobile
devices through Kaspersky Security Center (see "Installing the Administration Server" on page 28). If this
component is not installed, or if the version of Administration Server does not meet the requirements for
installation of Kaspersky Endpoint Security 8 for Smartphone, the administrator should delete the old version of
the component and install the version indicated in the application requirements, after first creating a backup of
the Administration Server's data.
3. Configuring support for mobile devices in the Administration Server settings (see "Configuring Administration
Server settings" on page 29).
4. Install on the administrator's workstation the plug-in for managing Kaspersky Endpoint Security 8 for
Smartphone.
I M P L E M E N T A T I O N G U I D E
28
INSTALLING THE ADMINISTRATION SERVER
Installation of the Administration Server is described in the Deployment Guide for Kaspersky Security Center. To manage
the protection of mobile devices through Kaspersky Security Center, at the Select Features stage, it is essential that the
Mobile devices support box is checked (see the figure below).
Figure 1. Installing the components of Kaspersky Security Center. Selection of components
When installing the component Support for mobile devices, the Administration Server for mobile devices certificate is
created. This is used for authentication of the mobile devices when exchanging data with the Administration Server. Data
is exchanged using the SSL protocol (Secure Socket Layer). Without the mobile devices certificate, it is not possible to
establish a connection between the Administration Server and the mobile devices.
The mobile devices certificate is stored in the Cert folder within the Kaspersky Security Center installation folder. During
the first synchronization of the mobile devices and the Administration Server, a copy of the certificate is delivered to the
device and stored on it in a special folder.
If the user renames the mobile devices certificate, or deletes it from the device, during the next synchronization the
Administration Server automatically sends a copy of the certificate to the device.
UPDATING THE ADMINISTRATION SERVER COMPONENT
If, during installation of the Administration Server, the Mobile devices support box was not selected, or if an old version
of Kaspersky Security Center is installed, which does not support Kaspersky Endpoint Security 8 for Smartphone, the
installed version of the Administration Server should be updated.
To update the installed version of the Administration Server component, perform the following actions:
1. Make a backup copy of the Administration Server data (see Kaspersky Security Center Help Guide).
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
29
2. Install the Administration Server version which is specified in the application requirements for installing
Kaspersky Endpoint Security 8 for Smartphone (see Section "Device and application requirements" on
page 14).
To manage the protection of mobile devices through Kaspersky Security Center, at the Selection of
components stage, it is essential that the Mobile devices support box is selected.
3. Restore the Administration Server data from the backup copy (see the Reference Guide for Kaspersky Security
Center).
CONFIGURING ADMINISTRATION SERVER SETTINGS
For synchronization of mobile devices with the Administration Server, before installing Kaspersky Endpoint Security 8 for
Smartphone, you should configure the settings for mobile device connections in the Administration Server properties.
To configure the settings for mobile device connections in the Administration Server properties, perform the following
actions:
1. In the console tree, select the Administration Server node to which the mobile devices will connect.
2. Open the context menu and select the Properties command.
3. In the Settings section of the Administration Server properties window, under the Administration Server
connection settings, select the check box Open port for mobile devices.
4. In the Port for mobile devices field, indicate the port through which the Administration Server should expect to
connect with mobile devices. Port 13292 is used by default (see figure below). If the box is not checked, or the
port is indicated incorrectly, devices will not be able to connect to the server or send and receive information.
Figure 2. Configuring the connection of mobile devices to the Administration Server
I M P L E M E N T A T I O N G U I D E
30
INSTALLING THE PLUG-IN FOR MANAGING KASPERSKY ENDPOINT SECURITY 8 FOR SMARTPHONE
To access the application management interface when using Kaspersky Security Center, the plug-in for managing
Kaspersky Endpoint Security 8 for Smartphone must be installed on the administrator's workstation.
To install the plug-in for managing Kaspersky Endpoint Security 8 for Smartphone,
copy the installation file for the plug-in from the distribution package and run it on the administrator's workstation.
You can check whether the plug-in is installed by viewing the list of plug-ins in the Administrator Server properties.
For details please see the Reference Guide for Kaspersky Security Center.
PLACING THE APPLICATION DISTRIBUTION PACKAGE ON THE
FTP/HTTP SERVER.
If installation by sending an email was selected as the method for installing the application (see "Installing the application
by sending an email" on page 42), you can place the installation file, which will be used for installing the application on
mobile devices, on an FTP / HTTP server. Access via the Internet must be configured for the folder on the FTP / HTTP
server where the application installation file will be placed. If different operating systems are installed on the users'
mobile devices, you can add several files, for each operating system, to the folder.
Later, when creating the email message with the distribution package for the users' mobile devices, you should include a
link to the installation file in the body of the email. The user will be able to use this link to download the installation file to
their mobile device and carry out the application installation (see "Installing the application by sending an email" on
page 42).
INSTALLING THE APPLICATION THROUGH A
WORKSTATION
For installing Kaspersky Endpoint Security 8 for Smartphone through a workstation, you should create an installation
package and create its settings, create and start a task for remote installation for those workstations to which users will
connect their mobile devices. To create a task, the administrator can use any of the methods available in Kaspersky
Security Center:
create a group task for remote installation, if workstations are included in the group;
create a task for a set of computers, if workstations are included in several groups or are in the Unassigned
computers group;
use the remote installation wizard.
As a result of executing the remote installation task, the installation package with the distribution package for Kaspersky
Endpoint Security 8 for Smartphone will be delivered to the users' workstations, and kmlisten.exe (the utility for delivering
the distribution package to mobile devices) will be installed and automatically started. The utility monitors for the
connection of mobile devices to the computer. As soon as the user plugs into the workstation any device that fulfills the
system requirements for the installation of Kaspersky Endpoint Security 8 for Smartphone, the utility displays on the
screen a notification with a prompt to install the application on the connected mobile device. If the user agrees to the
installation, the utility transfers the application distribution package to the mobile device. After the completion of loading
onto the device, the application installation wizard starts. The user follows the wizard's instructions to independently
install Kaspersky Endpoint Security 8 for Smartphone on the device.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
31
IN THIS SECTION
Creating an installation package. .................................................................................................................................... 31
Configuration of installation package settings ................................................................................................................. 32
Creating a deployment task ............................................................................................................................................. 34
Delivering the application distribution package to a mobile device through a workstation .............................................. 40
Installing the application on a mobile device through a workstation ................................................................................ 42
CREATING AN INSTALLATION PACKAGE.
The Kaspersky Endpoint Security 8 for Smartphone installation package constitutes the self-extracting archive
KES8_forAdminKit_en.exe, which includes the files that are required to install the application on mobile devices:
endpoint_8_0_x_xx_en.cab – application installation file for the Windows Mobile operating system;
endpoint8_mobile_8_x_xx_eu4_signed.sis – application installation file for the Symbian operating system;
Endpoint8_Mobile_8_x_xx_release.zip – application installation file for the BlackBerry operating system;
Endpoint8_8_x_xx_release.apk – application installation file for the Android operating system;
installer.ini – configuration file containing the settings for connection to the Administration Server;
kmlisten.ini – configuration file containing the settings for the utility delivering the installation package;
kmlisten.kpd – the application description file;
AdbWinUsbApi.dll, AdbWinApi.dll, adb.exe – set of files required to install the application on devices with the
Android operating system;
kmlisten.exe – utility delivering the installation package to a mobile device through a workstation;
To create an installation package to install Kaspersky Endpoint Security 8 for Smartphone, perform the following
actions:
1. Connect to the Administration Server.
2. In the folder tree of the console, in Repositories, select the folder Installation packages.
3. Open the context menu and select New Installation package or select the corresponding item from the
Action menu. This will start the wizard. Follow its instructions.
4. Indicate the name of the installation package.
5. Indicate the application for installation (see figure below).
In the drop-down menu, select Create Kaspersky Lab’s installation package.
I M P L E M E N T A T I O N G U I D E
32
Use the Select button to open the folder with the application distribution package and select the self-extracting
archive KES8_forAdminKit_en.exe. If the archive has already been unpacked, you can select from the archive
the file with the application description: kmlisten.kpd. The application name and version number fields will be
populated automatically.
Figure 3. Creating an installation package. Selecting the application for installation
6. This stage consists of transferring the installation package to a shared folder on the Administration Server.
When the wizard has finished, the installation package that is created will be added to the Installation packages
location and displayed in the results panel.
CONFIGURATION OF INSTALLATION PACKAGE SETTINGS
To make the installation package settings:
1. Connect to the Administration Server.
2. In the folder tree of the console, in Repositories, select the folder Installation packages.
3. Select in the results bar the installation package created, whose settings you wish to make.
4. Open the context menu and select the Properties command.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
33
5. In the Settings section indicate the settings for connections between mobile devices and the Administration
Server, and the name of the group, to which the mobile devices will automatically be added following their first
synchronization with the Administration Server (see the figure below). To do this, perform the following actions:
In the Connection to the Administration Server section, in the Server address field, indicate the address
of the Administration Server in the same format as it appears in the Administration Server properties in the
General tab, in the Address field. If the Administration Server properties section shows an IP address,
enter the same IP address in the Server address field. If the Administration Server properties section
shows a DNS name, enter the same DNS name in the Server address field. In the SSL port number field,
indicate the number of the port on the Administration Server that is open for mobile device connections.
Port 13292 is used by default.
In the Allocation of computers to groups section, in the Name of group field, enter the name of the
group, to which the mobile devices will be added following their first synchronization with the Administration
Server (by default, KES8). The specified group will be created automatically in the Unassigned computers
folder. In the Actions during installation block select the Request email address checkbox so that the
application requests from the user his corporate email address when being started for the first time after
stating the secret code. The user's email address is used to create a name for the mobile device when it is
added to the administration group. The name of the user's mobile device is created in accordance with the
following rule:
For mobile devices with the Microsoft Windows Mobile operating system:
<user_email_address (mobile device model – IMEI)>
For mobile devices with the Symbian operating system:
<user_email_address (mobile device model – IMEI)>
For mobile devices with the BlackBerry operating system:
<user_email_address (mobile device model – device pin)>
For mobile devices with the Android operating system:
<user's email address (mobile device model – device ID)>
Figure 4. Configuring the installation package
I M P L E M E N T A T I O N G U I D E
34
CREATING A DEPLOYMENT TASK
A remote installation task is created by using the remote installation task creation wizard or the remote installation
wizard. Depending on which installation method was chosen, the sequence of steps in the wizard and the settings to be
configured may vary. Pay attention to configuring settings at the following steps:
1. Selecting the task type. At this step, you will be asked to indicate the application for which the task is being
created, and the type of task. For the installation of Kaspersky Endpoint Security 8 for Smartphone, a task is
created for the application Kaspersky Security Center, and the task type is Application deployment.
2. Selecting the installation package. At this step, you will be asked to select the installation package, which will
contain the distribution package for Kaspersky Endpoint Security 8 for Smartphone. You can select a previously
created installation package for Kaspersky Endpoint Security 8 for Smartphone or create an installation package
directly at this step. If you create an installation package, you should indicate the self-extracting archive
KES8_forAdminKit_en.exe. If the archive has already been unpacked, the archive file with the application
description can be selected: kmlisten.kpd (see Section "Creating an installation package" on page 31).
3. Selecting the installation method. Remote installation of the application on workstations in Kaspersky Security
Center occurs using one of two methods: forced installation or login script-based installation. Forced installation
allows you to remotely install the software on specific workstations. Login script-based installation allows you to
start the remote installation task when a specific user(s) logs in.
For the remote installation wizard and the group task creation wizard, this step is absent, as in these cases the
installation is carried out on specific workstations and uses the forced installation method. To install Kaspersky
Endpoint Security 8 for Smartphone using a task for a set of computers, the administrator can use either
method.
For details on the methods of remote software installation, see the Kaspersky Security Center Administrator
Guide.
4. Selecting the target computers. At this step, you will be asked to create a list of the workstations through which
the application will be installed on mobile devices. You can select one of the following options:
I want to select computers using Windows Networking. Use this option if while preparing to install the
application you created an administration group in the Managed computers node and moved there all the
computers, to which mobile devices will be connected.
I want to define computer addresses (IP, DNS or NETBIOS) manually. Select this option if no group has
been created. At the next step, the wizard will ask you to create a list of computers for installation of the
application.
5. Selecting the method of transferring the installation package. At this step, you will be asked to configure the
settings for delivering the installation package to the workstations. The installation package can be delivered to
the workstations in two ways:
Using the Network Agent. Select this method if the Network Agent is installed on the workstations through
which Kaspersky Endpoint Security 8 for Smartphone is being installed, and if it is connected to the current
Administration Server.
If the Network Agent is not installed, but you plan to install it, you can use the joint installation, which is
available at the next step of the wizard.
Using Microsoft Windows resources from shared folder. Select this method if the Network Agent on the
workstations is not configured or is connected to another Administration Server. In this case, the files that
are essential for installation of the application are transferred using Windows through the shared folder.
6. Selecting an additional package for installation. At this step, you will be prompted to install the Network Agent
on the workstations. Use the joint installation if, at the previous step, you chose the installation package transfer
method Using the Network Agent, but the Network Agent is not yet installed on the workstations. In this case,
first the Network Agent is installed on the workstations, then the application installation package is delivered
using the Network Agent.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
35
Joint installation is not needed if the distribution package is being delivered to the workstations using Microsoft
Windows, or if there is already an installation of a version of the Network Agent that meets the system
requirements for installing Kaspersky Endpoint Security 8 for Smartphone.
Task creation and the operation of the installation wizard are described in detail in the Implementation Guide for
Kaspersky Security Center. We will provide a description of the creation of a remote installation group task.
To create a remote installation group task for Kaspersky Endpoint Security 8 for Smartphone, perform the following
actions:
1. Connect to the Administration Server.
2. Select the folder Tasks for collections of hosts.
3. Open the context menu and use the New Task command or the Create a task link in the task panel. A
wizard will start. Follow the wizard's instructions.
4. Specify the task name. If a task with the specified name already exists in the group, the "_1" suffix will be
automatically added to the end of the name.
5. Select the Application deployment task type for the application Administration Server of Kaspersky Security
Center (see figure below).
Figure 5. Creating a task. Selecting an application and defining task type
I M P L E M E N T A T I O N G U I D E
36
6. From the list, select the installation package that you previously created for the installation of Kaspersky
Endpoint Security 8 for Smartphone, or create a new installation package using the New button (see figure
below).
Figure 6. Creating a task. Selecting the installation package
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
37
7. Select the check box Install Network Agent along with this application, if the component is not installed on
the workstations or its installed version is not compatible with the Administration Server version (see figure
below). In this case, first the Network Agent is installed on the workstation, then the installation package for
Kaspersky Endpoint Security 8 for Smartphone is delivered to the workstation using the Network Agent.
Figure 7. Creating a task. Selecting an additional installation package for joint installation
8. Select the method for transferring the installation package (see figure below). To do this, check or uncheck the
following boxes:
Using the Network Agent. In this case, files will be delivered to workstations by the Network Agent
provided it is installed on these computers (see step 7).
Using Microsoft Windows tools via Administration Server. In this case, the files that are essential for
installation of the application are transferred to the workstations using Windows functionality through the
Administration Server. The option can be selected if a client computer has no Network Agent installed but it
is in the same network with the Administration Server.
I M P L E M E N T A T I O N G U I D E
38
Using Microsoft Windows via Update Agents. In this case, the files are transferred to the client
computers using Microsoft Windows functionality through update agents. The option can be selected if at
least one update agent is available in the network.
Figure 8. Creating a task. Configuration of settings for transferring the installation package
9. Configure the schedule for starting the task (see figure below).
In the Scheduled start drop-down list, select the necessary mode for task launch:
Every N hours.
Daily.
Weekly.
Monthly.
Once (in this case, the remote installation task will be started only once, irrespective of its results).
Manually.
Immediately (immediately after creating the task, upon completion of the wizard).
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
39
On completing another task (in this case, the remote installation task will only be started after
completion of a specified task).
In the group of fields, corresponding to the selected mode, configure the schedule settings (for more details
see the Kaspersky Security Center Administrator Guide).
Figure 9. Creating a task. Configuring the schedule for starting the task
After you finish with the wizard, the task will be added to the folder Tasks for collections of hosts. The start will start in
accordance with its schedule, although you can start the task manually.
I M P L E M E N T A T I O N G U I D E
40
To start the remote installation task manually,
select Properties in the drop-down menu for the remote installation task. In the window that opens, in the General
section, click the Start button (see figure below).
Figure 10. Starting installation of the application
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
41
DELIVERING THE APPLICATION DISTRIBUTION PACKAGE TO A
MOBILE DEVICE THROUGH A WORKSTATION
The Kaspersky Endpoint Security 8 for Smartphone distribution package is delivered to the mobile device by the utility
kmlisten.exe, which is installed on the workstation as a result of execution of the remote installation task. When a device
is connected to the computer, the utility prompts the user to install Kaspersky Endpoint Security 8 for Smartphone on the
connected mobile device.
To copy the distribution package for Kaspersky Endpoint Security 8 for Smartphone from the workstation to the
mobile device, the user must perform the following actions:
1. Connect the device to the workstation. If the device meets the system requirements for installing the application,
the KES 8 window opens automatically (see figure below).
Figure 11. The kmlisten.exe utility window
2. From the list of detected devices, select the device(s) on which you need to install the application.
3. Press the Install button. The utility puts the distribution package on the selected devices. As a result, installation
of the application will start automatically on the selected mobile devices.
The KES 8 window will specify the status of delivering the application's installation package to the device.
The KES 8 window opens every time the mobile device connects to the computer.
For the utility kmlisten.exe to not prompt the user to install the application each time a device is connected to the
computer, the user must perform the following action:
In the KES 8 window, select the check box Disable automatic start of Kaspersky Endpoint Security 8 for
Smartphone Installation Wizard.
I M P L E M E N T A T I O N G U I D E
42
INSTALLING THE APPLICATION ON A MOBILE DEVICE THROUGH A
IN THIS SECTION
Creating a message with the application distribution package ........................................................................................ 42
Installing the application on a mobile device after receiving an email message .............................................................. 44
WORKSTATION
After completion of delivery of the installation package to the mobile device, the application is installed on the device
automatically, without any participation from the user. During this time, the application installation status is not displayed
on the screen of the device.
For Symbian OS, the user needs to carry out additional actions during installation of the application. For more details on
this, see the User Guide for Symbian OS.
INSTALLING THE APPLICATION BY SENDING AN EMAIL
In the event that it is not possible to install the application through the users' workstations, the administrator can send an
email message to users with instructions on how to download the distribution package and how to connect to the
Administration Server.
The message should contain the following information:
a link to the distribution package, or the distribution package itself as an attachment;
information on the settings for the application to connect to the Administration Server, if these settings are not
included in the distribution package for Kaspersky Endpoint Security 8 for Smartphone distributed by the
administrator.
CREATING A MESSAGE WITH THE APPLICATION DISTRIBUTION
PACKAGE
To create a message with the application distribution package, perform the following actions:
1. Compose a message for all users on whose mobile devices you intend to install Kaspersky Endpoint Security 8
for Smartphone.
2. For the subject line, use "Distribution package for Kaspersky Endpoint Security 8 for Smartphone for installation
on a mobile device".
3. Copy the following template into the body of the email:
Dear mobile device user,
This message contains the distribution package for Kaspersky Endpoint Security 8 for Smartphone, as well as
information on the settings for the application to connect to the remote administration system.
To install Kaspersky Endpoint Security 8 for Smartphone, you should download the installation file <file name>
to your mobile device. (The application installation file is attached to this message. / The application installation
file can be accessed through this link: <link to installation file>).
If you received this message on your mobile device, download the installation file (attached to this message / by
using the link in this message) and save it on your device. If you received this message on your computer,
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
43
download the installation file to your device by using the application for exchanging data between the mobile
device and the computer. Then run the downloaded installation file and install the application by following the
installation wizard's instructions.
During installation, the wizard will prompt you to apply values for the following settings:
Server – enter <Administration Server address> in the address field.
Port – specify <Administration Server port number> in the port field.
Group – specify <group name> in the group field.
Your email address – enter your company email address.
The email address is used for registering the device in the remote administration system. Please keep in mind
that the email address specified during application installation cannot be changed.
Contact the administrator, if any errors occur during the installation process.
The text appearing in parentheses, separated by a slash, means that you need to choose one of the two
methods for downloading the installation file: from the email attachment or by using the link, and provide the
corresponding instructions in the message.
4. Replace the text in angle brackets with the specific values of the following settings:
<file name> is the name of the installation file for the operating system running on the user's device. For
instance, if the Microsoft Windows Mobile operating system is installed on the user device, you should
indicate the installation file with the CAB extension.
<link to installation file> is the link to the installation file for the operating system running on the user's
device. The installation file must be placed in advance on an FTP / HTTP server accessible via the Internet.
If for any reason it is not possible to place the installation file on a FTP / HTTP server, you can attach the
installation file to the message.
<Administration Server address> is the IP address or DNS name of the Administration Server to which the
mobile devices will be connected. The server address must be stated in the same format as it appears in
the Administration Server properties in the General tab and the Address field. This means that if the
Administration Server properties show an IP address, include the same IP address in the message. If the
Administration Server properties section shows a DNS name, include the same DNS name in the message.
<Administration Server port number> is the number of the port open on the Administration Server for mobile
device connections. Port 13292 is used by default.
<group name> is the name of the group to which the mobile devices will be added automatically following
their first synchronization with the Administration Server. By default, the devices are added to the group
named KES8.
If the settings for connections between mobile devices and the Administration Server are included in the
Kaspersky Endpoint Security 8 for Smartphone distribution package provided by you, then in the message you
only need to ask the user to enter their email address. It is not necessary to indicate the settings for connections
to the Administration Server.
5. Attach the installation file to the message if for any reason the file cannot be placed on an ftp/http server.
6. Send the message. After sending the message, you should ensure that it is received by all addresses.
I M P L E M E N T A T I O N G U I D E
44
INSTALLING THE APPLICATION ON A MOBILE DEVICE AFTER
RECEIVING AN EMAIL MESSAGE
After receiving a message with the distribution package from the administrator, the user downloads the distribution
package to their device by one of the methods available to them. The application distribution package contains the
installation file for the operating system installed on the user's device. The user opens the installation file, as a result of
which the application installation wizard automatically opens on the device.
During the installation process, the wizard prompts the user to set an application secret code and settings for the
application to connect to the remote administration system, if these are not included in the distribution package for
Kaspersky Endpoint Security 8 for Smartphone. After entering the required values for the settings, the application
installation closes automatically. For more details on installing the application, see the User Guide for Kaspersky
Endpoint Security 8 for Smartphone.
INSTALLING A LICENSE THROUGH KASPERSKY SECURITY CENTER
One feature of installing the license for Kaspersky Endpoint Security 8 for Smartphone is that the license is added to the
mobile device together with a policy, during synchronization of the device with the Administration Server. During the
three days following installation of the application, the device automatically closes the connection with the Administration
Server every three hours. After the policy is applied, the device synchronizes with the Administration Server in
accordance with the frequency that was indicated in the network settings during creation of the policy (see "Creating a
policy" on page 45). By default, the frequency set is every 6 hours.
In order to activate the application, the administrator must create a policy for the group to which the device belongs, and
include the license in this policy. The next time the mobile device establishes a connection with the Administration
Server, the license will be transferred to the device together with the policy, and the application installed on the device
will be activated.
When the application switches to limited functionality mode, it stops performing automatic synchronization with the
Administration Server. Therefore, if for any reason the application is not activated within three days since installation, the
user will have to carry out synchronization with the Administration Server manually (see User Guide for Kaspersky
Endpoint Security 8 for Smartphone).
You must activate the application within 3 days from the time of installation of Kaspersky Endpoint Security 8 for
Smartphone on the mobile devices. If activation does not take place, the application will automatically switch over to the
limited functionality mode. In this mode, most of the components of Kaspersky Endpoint Security 8 for Smartphone are
disabled.
USING POLICIES
All of the application's settings, including the license, scheduling of application database updates, and scheduling of
device scans, are defined through a policy or local application settings. You can use policies to set up common values for
the settings relating to the application's operation for all mobile devices included in the group. For more details on
policies and administration groups, read the Administrator Guide for Kaspersky Security Center.
Each parameter represented in a policy has a "lock" attribute, which shows if the setting is allowed for modification in the
policies of nested hierarchy levels (for nested groups and slave Administration Servers) and local application settings.
If the "lock" is applied to a setting in the policy, thereafter, once the policy is applied to the mobile devices, the values set
in the policy will be used. In that case, the user of the mobile device will not be able to change these values. For settings
that were not "locked", the settings used will be the local ones that were applied by default or by the user of the mobile
device.
Information about the application settings assigned in the policies is stored on the Administration Server and distributed
to mobile devices during synchronization. During this procedure, information on the Administration Server is updated in
its turn with local changes made on mobile devices and allowed by the policy.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
45
IN THIS SECTION
Creating a policy ............................................................................................................................................................. 45
Configuring policy settings .............................................................................................................................................. 54
Applying a policy ............................................................................................................................................................. 54
You can change the application settings on a specific mobile device by using the local application settings (see
"Configuring local application settings" on page 58), if changes to these settings are not blocked in the current policy.
CREATING A POLICY
To create a policy, perform the following actions:
1. Connect to the Administration Server.
2. In the console tree, in the Managed computers folder, select the administration group to which the mobile
devices belong.
3. In the results pane, on the Policies tab use the Create a new policy link to start the policy creation wizard and
follow its instructions.
4. Indicate the name of the policy, and select Kaspersky Endpoint Security 8 for Smartphone as the application
for which it is created.
The name is entered in the standard way. If you enter the name of a policy that already exists, it will
automatically be extended with the ending (1).
The application is selected from a drop-down list (see figure below). The drop-down list includes all applications
that have their administration plug-ins installed on the administrator's workstation.
You can only create a policy for Kaspersky Endpoint Security 8 for Smartphone if the application's
administration plug-in is installed on the administrator's workstation. If the plug-in is not installed, the name of
the application will be missing from the list of applications.
Figure 12. Selecting the application to create a policy
I M P L E M E N T A T I O N G U I D E
46
5. Specify the settings for scan on request (see "Scan on request" on page 16). When creating a policy, you can
configure the following settings (see figure below).
enable / disable scanning of executable program files;
enable / disable scanning of archives;
enable / disable disinfection of infected objects;
create a schedule according to which the application will start a full scan of the device's file system.
By default, Kaspersky Endpoint Security 8 for Smartphone scans all files stored on the device and memory
card. When an infected object is detected, the application tries to disinfect it. If the object cannot be disinfected,
the application moves it to the Quarantine folder. For a description of the settings refer to the section "Settings
for Scan on request"(see section "Settings for Scan on request" on page 60).
6. Specify the settings for Protection (on page 16). When creating a policy, you can configure the following settings
(see figure below).
enable / disable the functionality of the Protection component on users' mobile devices;
enable / disable scanning of executable program files;
select the action against infected objects.
Figure 13. Configuring the Scan on request component
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
47
By default, the Protection component is enabled and scans all types of files that the user of the device attempts
to access. When an infected object is detected, the application tries to disinfect it. If the object cannot be
disinfected, the application moves it to the Quarantine folder. For a description of the settings, see section
"Settings for Protection" (see section "Settings for Protection" on page 61).
Figure 14. Configuring the Protection component
I M P L E M E N T A T I O N G U I D E
48
7. Configure the settings for application database updates: select the source of updates and set the schedule
according to which the updates will take place (see figure below). Indicate whether updates will occur when
users' devices are in a roaming zone. By default the Kaspersky Lab update servers are used as the update
source. Updates are started manually by the mobile device user. Update in roaming does not take place. For a
description of the settings, see section "Settings for Update" (see section "Settings for Update" on page 63).
Figure 15. Selecting an update source
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
49
8. Specify the settings for Anti-Theft (on page 17). Indicate which of the component features will be available on
the users' devices, and configure the settings for the selected features (see figure below). By default, all of the
functions of Anti-Theft are disabled. For a description of the settings, see section "Settings for Anti-Theft" (see
section "Settings for Anti-Theft" on page 65).
Figure 16. Configuring the Anti-Theft component
I M P L E M E N T A T I O N G U I D E
50
9. Specify the settings for synchronization of mobile devices with the Administration Server (see figure below) and
the operation mode of the Firewall component (on page 20). By default, the mobile device initiates an attempt to
connect to the Administration Server every 6 hours. By default, the Firewall is disabled. For a description of the
settings, refer to the section "Settings for Firewall" (see section "Settings for Firewall" on page 70).
Figure 17. Network settings
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
51
10. Specify the settings for the following components: Anti-Spam (see section "Anti-Spam" on page 19), Privacy
Protection (on page 19) and Encryption (on page 20). Indicate which components will be available for use on
the users' devices, and configure the settings for the Encryption component (see figure below). By default, the
user is allowed to use Anti-Spam and Privacy Protection. Users configure the settings for Anti-Spam and
Privacy Protection independently on their devices. For a description of the settings, see sections "Settings for
Anti-Spam and Privacy Protection" (see section «Settings for Anti-Spam and Privacy Protection» on page 72),
"Settings for Encryption" (see section "Settings for Encryption" on page 73).
Figure 18. Configuring additional settings
11. Indicate the license that will be installed on the mobile devices for activation of the application (see figure
below).
I M P L E M E N T A T I O N G U I D E
52
You must activate the application within 3 days from the time of installation of Kaspersky Endpoint Security 8 for
Smartphone on the mobile devices. If activation does not take place, the application will automatically switch
over to the limited functionality mode. In this mode, most of the components of Kaspersky Endpoint Security 8
for Smartphone are disabled.
Press the Edit button, and in the window that opens, select the key file for installation of the license. Then, the
following license information is displayed in the wizard window:
license number;
license name;
license expiration date;
type of license installed, e.g. commercial, trial;
restrictions imposed on the license.
Check to make sure that the button in the top right corner displays a closed "lock" — . If the "lock" is open, the
license will not be installed on the mobile devices.
Figure 19. Selecting the key file to activate the license
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
53
12. Indicate the status of the policy (see figure below). To do this, select one of the following options:
Active policy. In this case, the policy created is stored on the Administration Server and will be used as the
active policy for the application.
Inactive policy. In this case, the policy created is stored on the Administration Server as a backup policy
and can be activated by an event. When required, an inactive policy can be made active (for more details
on policy statuses, see the Reference Guide for Kaspersky Security Center).
Policy for mobile users. The policy becomes effective when a managed computer leaves the corporate
network. Policy for mobile users is only supported in Kaspersky Anti-Virus for Workstations (in Microsoft
Windows).
Several policies can be created in a group for one application, but only one policy can be active. When a new
active policy is created, the previous active policy automatically becomes inactive.
Figure 20. Activating a policy
13. Press the Finish button for the policy creation wizard to complete its work.
When the wizard has finished, the policy for Kaspersky Endpoint Security 8 for Smartphone will appear on the Policies
tab of the results pane for the corresponding administration group.
Distribution of the policy to the mobile devices will occur during synchronization of the devices with the Administration
Server immediately after the mobile device is added to the administration group in the location Managed computers
(see "Allocating devices to the Managed computers group" on page 54).
I M P L E M E N T A T I O N G U I D E
54
CONFIGURING POLICY SETTINGS
After creating the policy, you can edit the application settings through the policy properties. To edit policy settings, you
can use the button to allow / block changes to settings on a mobile device.
To apply changes to the policy, perform the following actions:
1. Connect to the Administration Server.
2. In the console tree, in the Managed computers folder, select the administration group to which the mobile
devices belong.
3. The Policies tab of the results pane will display all policies created for a group.
4. From the policy list, select the Kaspersky Endpoint Security 8 for Smartphone policy, which you intend to
modify.
5. In the policy's context menu, select Properties. The policy configuration window consisting of several tabs will
open.
6. Specify required values for the settings of the application components in the sections Scan (see section
"Settings for Scan on request" on page 60), Protection (see section "Settings for Protection" on page 61),
Update (see section "Settings for Update" on page 63), Anti-Theft (see section "Settings for Anti-Theft" on
page 65), Network (see section "Settings for synchronization of devices with the Administration Server"
on page 71), Additional and License. The General and Events sections are standard for Kaspersky Security
Center (for details see the Administrator Guide for Kaspersky Security Center). The remaining sections contain
the settings for Kaspersky Endpoint Security 8 for Smartphone.
7. Click Apply or Ok.
APPLYING A POLICY
During synchronization of the mobile devices with the Administration Server, the application settings that were set in the
policy are transferred to all devices included in the group. The license for activating the application is copied to the
mobile devices along with the application settings.
If a "lock" is applied to any settings in the policy, the user will not be able to change the value of that setting on the
mobile device. Users can redefine all of the other application settings at their discretion.
Settings that are changed by the user are transferred to the Administration Server during the next synchronization, and
are stored on the Administration Server in the local application settings (see section "Configuring local application
settings" on page 58).
ALLOCATING DEVICES TO THE MANAGED COMPUTERS
GROUP
During the first synchronization of the mobile devices with the Administration Server, the devices are placed in the
Unassigned computers group (by default this group is called KES8). While the devices are in this group, it is not
possible to carry out centralized management of the settings for copies of Kaspersky Endpoint Security 8 for Smartphone
installed on these devices.
To make it possible to manage copies of Kaspersky Endpoint Security 8 for Smartphone installed on mobile devices, the
administrator must use the policy to allocate the devices from the Unassigned computers group to a previously created
group in the Managed computers node.
The administrator can allocate mobile devices to the Managed computers group manually, or configure automatic
allocation of devices to this group.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
55
IN THIS SECTION
Allocating devices to a group manually ........................................................................................................................... 55
Configuring automatic allocation of devices to a group ................................................................................................... 55
ALLOCATING DEVICES TO A GROUP MANUALLY
To manually allocate mobile devices to a group in the Managed computers node, perform the following:
1. Connect to the Administration Server.
2. Select the Unassigned computers folder in the console tree.
3. Select the group to which the mobile devices were automatically added during synchronization with the
Administration Server (KES8 by default).
4. From the group, select the device that needs to be allocated to the Managed computers group.
5. Open the context menu and select Move to Group. The Select group window opens (see figure below).
Figure 21. Selecting a group
6. Open Managed computers and select the group to which the device needs to be allocated. You can select a
group that you created earlier while preparing for installation, or create a new group.
To create a new group, in the Managed computers node select the group, in which the group will be created
and click the New group button. Then, enter the name of the group that has been created.
7. Press the OK button. The mobile device is allocated to the selected group.
I M P L E M E N T A T I O N G U I D E
56
CONFIGURING AUTOMATIC ALLOCATION OF DEVICES TO A GROUP
To set automatic allocation of to the Managed computers group, perform the following:
1. Select the Unassigned computers folder in the console tree.
2. Open the context menu and select the Properties command.
3. In the displayed properties window, select the section Moving the computers (see the figure below).
Figure 22. Administration Server settings
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
57
4. Create a rule for allocating mobile devices to a group. To do so, press the Add button. The New rule window
opens (see figure below).
Figure 23. General settings for allocating devices to a group
5. In the General section, perform the following steps:
Enter a name for the rule.
Press the group to which the mobile devices need to be allocated. To do this, press the Select button to the
right of the field Group to move computers to, and in the window that opens, select the group.
In the Apply rule section, select Run once for each computer.
Check the box Move only computers not added to administration groups, if devices that are already
included in an administration group are not to be allocated to another group as a result of applying the rule.
Check the Enable rule box to apply the rule.
6. Open the Applications section (see figure below) and select the type of operating system installed on the
devices that are to be allocated to this group: Windows Mobile, Symbian or BlackBerry.
I M P L E M E N T A T I O N G U I D E
58
If you want to allocate all devices to a single group, regardless of which operating system is installed on them,
compose several rules, indicating for each of them the same group for allocation of the devices.
Figure 24. Selecting the operating system of the devices
7. Press the OK button. The rule is added to the list of rules for allocation of computers (see section Computer
relocation in the Properties: Unassigned computers window).
As a result of executing this rule, all unassigned devices will be allocated from the Unassigned computers group to the
group indicated by you.
CONFIGURING LOCAL APPLICATION SETTINGS
Kaspersky Security Center allows remote management of local settings for Kaspersky Endpoint Security 8 for
Smartphone on mobile devices through the Administration Console. Local application settings can be used to apply to
the device individual values for settings, differing from the values set in the policy. If a license was installed in the policy,
and the license is calculated for a smaller number of devices than is contained in the group, then on the devices for
which there are insufficient licenses, the local application settings can be used to install another license.
If a "lock" was applied to any setting in the policy, the value set in the policy cannot be changed, either in the local
application settings or on the mobile device. The value of this setting can only be changed through the policy.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
59
If a "lock" is removed from a setting in the policy, the application will use one of the following values:
the default value, if no other value has been set by the administrator in the local application settings or by the
user on the mobile device;
the local value set by the administrator in the local application settings;
the value set by the user on the mobile device.
Values set by the administrator through the Administration Console in the local application settings are transferred to the
mobile device during synchronization of the device with the Administration Server and are stored on the device as the
active application settings. If the user sets other values on the device, next time when the device synchronizes with the
Administration Server the new values that have been set will be transferred to the server and stored in the local
application settings instead of the values set previously by the administrator.
To configure the local application settings, perform the following actions:
1. Connect to the Administration Server.
2. In the tree console, select Managed computers and open the group with the mobile devices on which
Kaspersky Endpoint Security 8 for Smartphone is installed.
3. Select the mobile device for which you are going to change the local application settings.
4. Open the device's context menu and select Properties. As a result, the <Name of device> Properties window
consisting of several sections will open.
5. Select the Applications section. It contains a table listing all Kaspersky Lab applications installed on the mobile
device and brief information about each of them.
6. Select Kaspersky Endpoint Security 8 for Smartphone and press the Properties button. As a result, the window
of Kaspersky Endpoint Security 8 for Smartphone settings opens.
7. Specify required values for the settings of the application components in the sections Scan, Protection,
Update, Anti-Theft, Network, Additional, License (see section "Description of the settings in Kaspersky
Endpoint Security 8 for Smartphone" on page 59).
8. Press the OK button. As a result, the values of the local application settings are saved on the Administration
Server and transferred to the mobile device during the next synchronization of the Administration Server with
the device.
SETTINGS OF KASPERSKY ENDPOINT SECURITY 8 FOR SMARTPHONE
Through the policy properties or the properties of a mobile device selected in the Administration Console, the
administrator can carry out remote configuration of the settings of Kaspersky Endpoint Security 8 for Smartphone,
specifically, for the components Scan, Protection, Anti-Theft, Firewall, Anti-Spam, Privacy Protection and Encryption.
Furthermore, it is essential for the administrator to configure the settings for connection of the devices to the
Administration Server and for application database updates, and also install the license. Otherwise, the application
installed on the mobile devices will not be able to exchange data with the Administration Server, and will work in limited
functionality mode.
If a local application setting is not available for editing, it means that changes to the setting are blocked in the policy
(there will be a symbol next to the setting).
Below there is a detailed description of the tabs in the Properties window and the elements of the interface which the
administrator can use to define the application settings.
I M P L E M E N T A T I O N G U I D E
60
IN THIS SECTION
Settings for Scan on request ........................................................................................................................................... 60
Settings for Protection ..................................................................................................................................................... 61
Settings for Update ......................................................................................................................................................... 63
Settings for Anti-Theft...................................................................................................................................................... 65
Settings for Firewall ......................................................................................................................................................... 70
Settings for synchronization of devices with the Administration Server ........................................................................... 71
Settings for Anti-Spam and Privacy Protection ................................................................................................................ 72
Settings for Encryption .................................................................................................................................................... 73
SETTINGS FOR SCAN ON REQUEST
Scan on request helps to detect and neutralize malicious objects (see "Scan on request" on page 16).
The settings specified by the administrator are used during full and partial scans of the device for the presence of
malicious objects. In the settings for Scan on request (see figure below), the administrator can indicate the types of files
to be scanned, select the action to be taken upon detection of an infected object, and set a schedule which the
application will use to start full scans of the file system on a device. It is not possible to set schedules to start partial
scans through the remote administration system. Scheduled partial device scans can be set by the user directly in the
application installed on the mobile device.
Scan on request cannot be used on devices with BlackBerry OS.
Figure 25. Configuring the Scan on request feature
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
61
The Scan only executable files box. If this box is checked, the application will only scan executable files of the following
formats: EXE, DLL, MDL, APP, RDL, PRT, PXT, LDD, PDD, CLASS, SO, ELF.
The Scan archives box. If the checkbox is checked, the application will scan all files, including archives. Depending on
the operating system, the application can scan archives in the following formats:
for Microsoft Windows Mobile – ZIP, JAR, JAD and CAB;
for Symbian OS – ZIP, JAR, JAD, SIS and SISX;
for Android OS – ZIP, JAR, JAD, SIS, SISX, CAB and APK.
If Scan only executable files and Scan archives are not checked, the application will scan all files except those in
archives.
The Disinfect objects if possible box. If this box is checked, the application will disinfect any disinfectable malicious
objects. If an object cannot be disinfected, the action specified for infected objects in the If disinfection fails list will be
applied to this object.
The If disinfection fails list allows you to select the action that will be performed when a malicious object is detected or
it cannot be disinfected:
Delete. Physically delete malicious objects without notifying the user.
Log event (Skip for Android™ OS). Allow malicious objects and record their information in the application log;
block attempts to access these objects (e.g. copy or open).
For Android OS devices, the application performs the Skip action and does not delete malicious objects from
the device.
Quarantine. Block the object, move the malicious object to the special quarantine folder.
Request action. When a malicious object is detected, notify the user and prompt them to select the action to be
taken against the detected object.
You can only select an action to be taken against malicious files when configuring policy settings (see "Configuring policy
settings" on page 54) and configuring local application settings (see "Configuring local application settings" on page 58).
Configuration of this setting is not possible when creating a policy (see "Creating a policy" on page 45).
The Schedule button. A window opens in which to set a schedule for full scans of the device's file system. You can
select one of the following options:
Manually. Scans will be started manually by the user.
Daily. A scan will start automatically every day. In the Time of start field group, indicate the time to start the
scan. The time is indicated in the 24-hour format HH:MM.
Weekly. A scan will start automatically once a week on the specified day. In the drop-down list, select the day of
the week on which the scan is to start, and in the Time of start field group, indicate the time to start the scan.
The time is indicated in the 24-hour format HH:MM.
SETTINGS FOR PROTECTION
Protection helps you to prevent infection of the mobile device's file system (see "Protection" on page 16). In the
Protection settings, the administrator can indicate the types of files to be scanned, and select the action to be taken upon
detection of an infected object (see figure below).
I M P L E M E N T A T I O N G U I D E
62
By default, Protection starts when the device's operating system starts, and stays resident in the device's memory,
scanning all files that are opened, saved, or executed.
Protection cannot be used on devices with BlackBerry OS.
Figure 26. Configuring the Protection feature
Enable Protection checkbox. If this box is checked, the application scans all files that are opened, executed, or saved. If
the box is not checked, Protection is disabled. Protection is enabled by default.
The Protection settings section allows you to indicate the types of files to be scanned, and select an action to be taken
upon detection of an infected object.
The Scan only executable files box. If this box is checked, the application will only scan executable files of the following
formats: EXE, MDL, APP, DLL, RDL, PRT, PXT, LDD, PDD, CLASS. If the checkbox is unchecked, the application scans
all file types.
The If disinfection fails list allows you to select an action to be taken when an infected object is detected:
Delete. Physically delete malicious objects without notifying the user.
Log event (Skip for Android™ OS). Allow malicious objects and record their information in the application log;
block attempts to access these objects (e.g. copy or open).
For Android OS devices, the application performs the Skip action and does not delete malicious objects from
the device.
Quarantine. Move malicious objects to quarantine.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
63
SETTINGS FOR UPDATE
Updating of the anti-virus databases ensures the reliability of the anti-virus system for protecting the mobile devices (see
"Update" on page 17).
The administrator can indicate the source of updates and set a schedule by which the application will automatically start
updates.
By default the Kaspersky Lab update servers are used as the update source. Updates are run manually by the mobile
device user (see figure below).
The anti-virus database update feature cannot be used on devices with BlackBerry OS.
Figure 27. Configuring the Update feature
Allow updating in roaming box. If this check box is selected, scheduled anti-virus database updates will be performed
when the device is in a roaming zone. Whichever value is set, the user can manually start an anti-virus database update.
This box is unchecked by default.
Updates in roaming mode are not supported for Android OS devices.
The Source of updates section is the place to indicate the address of the server from which updates will be copied. For
the update to occur from the Kaspersky Lab update servers, in the Update server address field, enter KLServers.
To use any other update server for anti-virus database updates, specify the HTTP server in the Source of updates
section. For example, http://domain.com/index/mobile.xml.
The folder structure in the update source must be identical to the corresponding structure of the Kaspersky Lab update
server.
I M P L E M E N T A T I O N G U I D E
64
To configure devices to update their databases from a corporate server, perform the following steps:
1. Download the mobile.xml file available at http://ftp.kaspersky.com/index/mobile.xml.
2. Create the /index folder on your server and place the mobile.xml file inside.
3. Download the database file from the server of Kaspersky Lab:
http://ftp.kaspersky.com/bases/av/avc/symbian/kms90.avc
4. Create on the server the folder /bases/av/avc/symbian and place the kms90.avc file in the folder.
5. In the policy settings, open the Update section and specify in the Update server address field the path to the
mobile.xml file: http://mycompany.com/index/mobile.xml.
6. Apply the policy.
Both the files kms90 avc and mobile.xml must be available for download through the existing communication channel.
The Schedule button. A window opens, in which to set a schedule for the application's database updates. You can
select one of the following options:
Manually. Application database updates will be started by the user manually.
Daily. An application database update will start automatically every day. In the Time of start field group,
indicate the time to start the update.
Weekly. An application database update will start automatically once a week on the specified day. In the drop-
down list, select the day of the week on which the update is to start, and in the Time of start field group,
indicate the time to start the update.
Regardless of whether the administrator sets a schedule for automatic database updates, the user can always start an
update manually.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
65
SETTINGS FOR ANTI-THEFT
The Anti-Theft component helps you to protect information stored on the users' mobile devices from unauthorized access
(see "Anti-Theft" on page 17). The administrator can enable or disable the use of Anti-Theft's functions on users' mobile
devices and configure the settings for these functions (see figure below).
Figure 28. Configuring the Anti-Theft component
Enable Data Wipe checkbox If this box is checked, remote deletion of data will be enabled, as will the selection of data
for deletion. By default, the Data Wipe function is disabled. The Settings button to the right of the checkbox opens the
Data Wipe settings window, in which you can configure the function's settings (see "Settings for Data Wipe" on
page 66).
Enable Block checkbox Checking this box enables the option to remotely block access to the device and to the data
stored on it. By default, the Block function is disabled. The Settings button located to the right of the box opens a
window, in which you can configure the function (see section "Settings for Block" on page 68).
For the Block function to work on an Android OS device (version 2.2 or higher), Kaspersky Endpoint Security 8 for
Smartphone needs to be installed with the Default Home screen.
If the application is not installed an Android OS device (version 2.2 or higher) with the Default Home screen, Kaspersky
Endpoint Security 8 for Smartphone performs an action in accordance with the following settings:
If the application settings are blocked, the Block function is enabled after the settings are transferred to the
device. Protection of the device during activation of the function cannot be guaranteed. During synchronization
with Kaspersky Security Center, the application sends the Device cannot be blocked event. Every time the
application is started or the device is synchronized with Kaspersky Security Center, application prompts the user
to install Kaspersky Endpoint Security 8 for Smartphone with the Default Home screen.
When the user installs the application with the Default Home screen, during the next synchronization with
Kaspersky Security Center, the application sends the Block enabled event.
I M P L E M E N T A T I O N G U I D E
66
If the application settings are allowed to be changed, the Block function is not enabled after the settings are
transferred to the device. When the device is synchronized with Kaspersky Security Center, the application
sends the Block disabled event.
Enable SIM Watch checkbox If the box is checked, Kaspersky Endpoint Security 8 for Smartphone blocks the mobile
device when changing the SIM card or on activation without it. The user can set a telephone number and (or) email
address to which the new telephone number will be sent and also activate device blocking when its SIM card is changed.
When configuring this feature, it is essential to set a telephone number and (or) an email address to which, in the event
that the SIM card is replaced, the new telephone number will be sent. By default, the SIM Watch function is disabled. The
Settings button to the right of the checkbox opens the SIM Watch settings window, in which you can configure the
function's settings (see Section "SIM Watch function settings" on page 68).
Enable GPS Find checkbox. If the check box is selected, Kaspersky Endpoint Security 8 for Smartphone allows
determining the geographical coordinates of the device and obtaining them in an SMS message to the requesting device
or a specified email address. When configuring this function, it is essential to set an email address to which, when an
SMS command is received, the application will send the device's geographical coordinates. By default, the application
sends the device's coordinates in an SMS to the telephone number from which the special SMS command was sent. By
default, the GPS Find function is disabled. The Settings button to the right of the checkbox opens a window in which you
can configure the settings for the GPS Find function.
SETTINGS FOR THE DATA WIPE OPTION
The settings for the Data Wipe function are configured in the Data Wipe settings window (see figure below).
Figure 29. Configuring the Data Wipe feature
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
67
The Delete personal data box. For devices with the Microsoft Windows Mobile and Symbian operating systems, the
application allows deletion of the following information: entries in Contacts and on SIM card, SMS messages, gallery,
calendar, Internet connection settings. For devices running BlackBerry OS the application deletes the following personal
information: entries in Contacts, calendar, email messages, call log. For devices running Android operating system the
application deletes the following private data: entries in Contacts and on the SIM card, SMS messages, call log,
calendar, Internet connection settings, and user accounts, except for the Google account. The function is activated
when a special SMS command is received by the device.
If the checkbox is checked, personal data will be wiped once a special SMS command is received. If the checkbox is
unchecked, personal data will not be wiped after a special SMS command is received.
By default, the Delete personal data box is checked.
Deleting folders section (see figure above). The application allows you to configure the deletion of folders on the mobile
device in the event that the mobile device receives a special SMS command.
When configuring the policy settings, the settings for the deletion of folders are defined for each operating system
separately, and the Deleting folders section contains the following checkboxes:
Delete folders on devices with Microsoft Windows Mobile OS. Deletion of folders set by the administrator
and the user on devices running Microsoft Windows Mobile.
Delete folders on devices with Symbian OS. Deletion of folders set by the administrator and the user on
devices running Symbian.
Delete folders on devices with BlackBerry OS. Deletion of folders set by the administrator and the user on
devices with BlackBerry.
Delete folders on devices with Android OS. Deletion of folders set by the administrator and the user on
devices running Android.
If the box is checked, when the mobile device receives a special SMS command, the folders set by both the
administrator and the user will be deleted. If the box is unchecked, the folders will not be deleted.
Below each checkbox there is a field for creating a list of folders for deletion. The button to the
right of the field opens a window in which the administrator can create the list of folders for deletion. Folders located
in the device memory and on the memory card can be specified for that purpose. By default, the list of folders for
deletion is empty.
When compiling a list of folders, the administrator can use the following macros:
For mobile devices with the Microsoft Windows Mobile operating system:
%DOCS% – My Documents folder (the exact name depends on the device's localization).
%CARD% - all available memory cards in the system.
For mobile devices with the Symbian operating system:
%DOCS% – the C:\Data folder;
%CARD% - all available memory cards in the system.
For mobile devices with the BlackBerry operating system:
%DOCS% – the folder \store\home\user\documents;
%CARD% – the memory card (\SDCard).
For devices running Android, %CARD% - the memory card (\SDCard).
I M P L E M E N T A T I O N G U I D E
68
When configuring the local application settings through the Administration Console, the Data Wipe settings window
displays the settings specifying data for deletion on the individual device, so the Deleting folders section displays
only one Delete folders checkbox and field for entering a list of folders for deletion (see figure above). In this case,
the list of folders for deletion is only accessible for viewing. The administrator can only change the list of folders for
deletion in the policy settings.
Note! To cancel the deletion of previously selected folders, the administrator must delete all information from the input
field under the option to Delete folders on devices with Microsoft Windows Mobile OS / Delete folders on devices
with Symbian OS / Delete folders on devices with BlackBerry OS / Delete folder on devices running Android OS,
and transfer the settings to the user mobile devices. To do this, in the policy settings configuration window, on the Anti-
Theft tab, in the Data Wipe section, the "lock" must be set.
SETTINGS FOR BLOCK
The settings for the Block function are configured in the Settings for Block window (see figure below).
Figure 30. Configuring the Block feature
Text when blocked. The text of the message that will be displayed on the screen of a blocked device. A standard
message is displayed by default.
SETTINGS FOR THE SIM WATCH OPTION
The settings for the SIM Watch function are configured in the SIM Watch Settings window (see figure below).
Figure 31. Configuring SIM Watch
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
69
SMS to phone number. This field indicates the number to which, if the SIM card is replaced, the application will send an
SMS with the new phone number. The phone number may start with a digit or with a "+", and must contain digits only. It
is recommended to indicate the number in the format used by your cellular operator.
Message to email. This field indicates the email address to which, if the SIM card is replaced, the application will send a
message with the new phone number.
Block device. Block device if the SIM card is replaced or if the device is activated without a SIM card. If the checkbox is
checked, SIM Watch will block the device if the SIM card is replaced. To unlock the device, the user of the device will
have to enter the application secret code. If the checkbox is unchecked, SIM Watch will not block the device if the SIM
card is replaced. You can also specify the text to be displayed on the screen of the device while it is blocked. A standard
message is displayed by default.
SETTINGS FOR GPS FIND
The settings for the GPS Find function are configured in the GPS Find settings window (see figure below).
Figure 32. Configuring GPS Find
Message to email. The email address to which the application will send the device's geographical coordinates if the
device receives an SMS command. By default, the application sends the device's coordinates in an SMS to the
telephone number from which the special SMS command was sent.
I M P L E M E N T A T I O N G U I D E
70
SETTINGS FOR FIREWALL
The Firewall manages the network connections on users' mobile devices (see "Firewall" on page 20). The administrator
can set the Firewall protection level to be applied on the users' mobile devices. The Firewall settings are displayed in the
Network section (see figure below).
Figure.33 Adjusting the Firewall configuration and the settings for synchronization with the Administration Server
The Firewall component is not used on devices with the BlackBerry and Android operating systems.
The Firewall (not suitable for BlackBerry and Android OS) section allows you to configure the Firewall component:
The Firewall mode drop-down list allows you to choose one of the following modes:
Off – any network activity allowed. The Firewall is switched off.
Minimum protection: incoming connections only are blocked. Outgoing connections are allowed.
Maximum protection: all incoming connections are blocked. The user can check e-mails, view websites
and download files. Outgoing connections can only be established using SSH, HTTP, HTTPS, IMAP,
SMTP, POP3 ports.
Block all: blocks any network activity except anti-virus database updates and connections to the
Administration Server.
By default, the Firewall is not used; the Firewall mode setting is set to Off.
The Notifications of the blocking of connections box. If the checkbox is checked, the program informs on the
blocking of connections. If the checkbox is unchecked, the application blocks connection without informing the
user according to the selected mode.
By default, Firewall notifications are disabled.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
71
SETTINGS FOR SYNCHRONIZATION OF DEVICES WITH THE ADMINISTRATION SERVER
Synchronization of devices with the Administration Server enables management of mobile devices through Kaspersky
Security Center (see section "Framework for managing the application through Kaspersky Security Center" on page 24).
The administrator can configure the settings for synchronization of the devices with the Administration Server in the
Network section (see figure below).
Figure.34 Adjusting the Firewall configuration and the settings for synchronization with the Administration Server
The Connection to the Administration Server section allows configuration of the following synchronization settings:
Synchronization period. This field indicates the frequency of synchronization between the mobile devices and
the Administration Server.
By default, synchronization occurs every 6 hours.
The No synchronizing in roaming box. If the checkbox is checked, automatic synchronization with the
Administration Server will be automatically disallowed when the device is in a roaming zone. At this time, the
user can carry out synchronization manually.
By default, automatic synchronization of the mobile devices with the Administration Server in roaming is
allowed; the box is unchecked.
Synchronization in roaming mode cannot not blocked for devices running Android OS.
I M P L E M E N T A T I O N G U I D E
72
SETTINGS FOR ANTI-SPAM AND PRIVACY PROTECTION
The Anti-Spam component prevents delivery of unwanted calls and SMS messages on the basis of user-compiled Black
and White Lists (see section "Anti-Spam" on page 19). The Privacy Protection component hides confidential user
information: entries in Contacts, incoming, outgoing and sent SMS messages, and entries in the call log (see "Privacy
Protection" on page 19).
The administrator can configure the accessibility of the Anti-Spam and Privacy Protection components for the users of
mobile devices in the Additional section (see figure below). If use of these components is allowed, the user configures
the settings for them independently.
Figure 35. Adjusting the settings of the Anti-Spam, Privacy Protection, and Encryption components
The settings for the Anti-Spam and Privacy Protection components appear in the Additional section:
The Enable use of Anti-Spam box. If the checkbox is checked, the user can use Anti-Spam on his mobile
device and configure its settings. If the use of Anti-Spam is not allowed, the component will not be accessible to
the user on the device.
By default, use of the Anti-Spam component is allowed.
The Enable use of Privacy Protection box. If this box is checked, the user will be allowed to use the Privacy
Protection component on their mobile device and configure the settings. If the use of Privacy Protection is not
allowed, the component will not be accessible to the user on the device.
By default, use of the Privacy Protection component is allowed.
The Privacy Protection component is not supported on devices with the BlackBerry OS.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H K A S P E R S K Y S E C U R I T Y C E N T E R
73
SETTINGS FOR ENCRYPTION
The Encryption component encrypts information from the specified list of folders for encryption (see "Encryption" on
page 20).
The administrator can set a time period after which, once the device has switched to power-saving mode, access to
encrypted folders is blocked; the administrator can specify which folders will be encrypted. The encryption settings are
configured on the Additional tab (see figure below).
Figure 36. Adjusting the settings of the Anti-Spam, Privacy Protection, and Encryption components
The Encryption component is not supported on devices running BlackBerry and Android OS.
The Encryption (not suitable for BlackBerry® and Android™ OS) section allows you to configure the Encryption
component:
Block access to folders. From the list, select the time period after which access to encrypted folders in use will
be blocked. This functionality is activated when the device switches to power-saving mode.
By default, access to encrypted folders in use is blocked immediately after switching to power-saving mode. For
the Block access to folders setting, no delay is selected.
Encrypt folders on devices with Microsoft Windows Mobile OS. This field contains a list of folders selected
by the administrator for encryption on devices running Microsoft Windows Mobile. The button to the right of
the field opens a window in which the administrator can create the list of folders for encryption.
Encrypt folders on devices with Symbian OS. This field contains a list of folders selected by the administrator
for encryption on devices running Symbian. The button to the right of the field opens a window in which the
administrator can create the list of folders for encryption.
I M P L E M E N T A T I O N G UIDE
74
When compiling a list of folders, the administrator can use the following macros:
For mobile devices with the Microsoft Windows Mobile operating system:
%DOCS% – the My Documents folder (the exact name depends on the device's localization).
%CARD% - all available memory cards in the system.
For mobile devices with the Symbian operating system:
%DOCS% – the C:\Data folder;
%CARD% - all available memory cards in the system.
Users cannot cancel the encryption of folders set by the administrator, but can indicate additional folders for
encryption on their mobile device through the application's local interface. If the administrator has not set folders for
encryption, only folders set by the user will be encrypted.
When editing the local application settings through the Administration Console, the list of folders for encryption is
only available for viewing. The administrator can only change the list of folders for encryption in the policy settings.
To cancel encryption of previously set folders, the administrator must delete all of the information located in the entry
field under the checkbox Encrypt folders on devices with Microsoft Windows Mobile OS / Encrypt folders on
devices with Symbian OS, and ensure that the settings are transferred to the users' mobile devices. To do so, in the
Encryption (applicable for Blackberry and Android operating systems) section on the Additional tab in the policy
settings window, the "lock" must be set.
UNINSTALLING THE APPLICATION
The application is uninstalled manually by the user on the mobile device.
For Microsoft Windows Mobile and Symbian OS, before uninstalling the application, hiding of confidential information will
be automatically disabled on the device, and all information encrypted earlier will be decrypted. In BlackBerry and
Android operating systems users have to disable hiding of confidential information manually before removal of the
application from their devices.
For more details on uninstalling the application, see the User Guide for Kaspersky Endpoint Security 8 for Smartphone.
75
DEPLOYING THE APPLICATION THROUGH
IN THIS SECTION
Framework for managing the application through MDM .................................................................................................. 76
Scheme of application deployment through MDM ........................................................................................................... 77
Preparing for deployment of the application through MDM ............................................................................................. 78
Installation and deletion of the application on mobile devices ................................ ....................................................... 103
MS SCMDM
This section describes the process of deploying Kaspersky Endpoint Security 8 for Smartphone through Mobile Device
Manager.
76
FRAMEWORK FOR MANAGING THE APPLICATION THROUGH MDM
The administrative template file endpoint8_en.adm enables management of the settings of Kaspersky Endpoint Security
8 for Smartphone through the MDM server. This is included in the distribution package (see "Scheme of application
deployment through MDM" on page 77). For each of the application's components (see "About the components of
Kaspersky Endpoint Security 8 for Smartphone" on page 15), there is a set of policies providing configuration of settings
for this component included in the administrative template. By default, after installation of the administrative template, no
policies are preset and the user can configure the application's settings independently.
For the Anti-Virus component (on page 15), the following policies are suggested:
Protection. This policy provides the setting of protection of mobile devices from malicious objects (see
"Protection" on page 16).
On-demand scans. This policy provides the setting of scanning of mobile devices for malicious objects (see
"Scan on request" on page 16).
Scheduled scans. This policy enables the launch of scans of mobile devices according to the specified
schedule.
Updating by schedule. This policy enables the launch of automatic updating of the application database
according to the specified schedule (see "Update" on page 17).
Updates blocked when roaming. This policy disables the launch of automatic updating of the application
database when users' mobile devices are in a roaming zone.
Source of update. This policy enables the indication of the source of updates from which update packages will
be downloaded to mobile devices.
For the Anti-Theft component (on page 17), the following policies are suggested:
Block. This policy enables configuration of the Block function (on page 18).
Displaying text when blocking the device. This policy enables indication of the text that will be displayed on
the screen of blocked mobile devices.
Data Wipe. This policy enables configuration of the Data Wipe function (on page 18).
List of folders to be deleted. This policy enables the creation of a list of folders for remote deletion from mobile
devices.
GPS Find. This policy enables configuration of the GPS Find function (on page 18).
SIM Watch. This policy enables configuration of the SIM Watch function (on page 18).
For the Anti-Spam component (see section "Anti-Spam" on page 19), the Blocking use of Anti-Spam policy is
suggested, which can be used to enable or disable user access to the functionality of this component. If the use of AntiSpam is allowed, the user configures the settings for this component on the mobile device independently.
For the Privacy Protection component (on page 19), the Blocking use of Privacy Protection policy is suggested,
through which it is possible to prohibit or allow the use of this component by users. If the use of Privacy Protection is
allowed, the user configures the settings for this component on the mobile device independently.
For the Encryption component (on page 20), the following policies are suggested:
Blocking access to encrypted data. This policy enables blocking of access to encrypted data.
List of folders for encryption. This policy enables the creation of a list of folders for encryption.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H MS S C M D M
77
For the Firewall component (on page 20), the following policies are suggested:
Firewall mode. This policy enables configuration of the Firewall's security level.
Firewall mode notifications. This policy allows the enabling or disabling of notifications to the user about the
blocking of prohibited connections.
Installation of the license on users' mobile devices is carried out through the administrative template by using the
License policy.
By means of the policies, the administrator configures the settings of Kaspersky Endpoint Security 8 for Smartphone
before installing the application, and can change the values of the settings after installing the application.
Note that the period of synchronization of the mobile devices with the MDM server may be different to the period of
application of the policies!
SCHEME OF APPLICATION DEPLOYMENT THROUGH MDM
The Kaspersky Endpoint Security 8 for Smartphone distribution package includes the self-extracting archive
KES8_forMicrosoftMDM_en.exe, which contains the following files that are needed in order to install the application on
mobile devices:
endpoint_MDM_Afaria_8_0_x_xx_en.cab – application installation file for the Microsoft Windows Mobile
operating system;
endpoint8_en.adm – administrative template file for managing policies, which contains their settings;
endpoint8_ca.cer – certification center's certificate file;
endpoint8_cert.cer – certificate file signed by the application installation file;
kes2mdm.exe – utility for converting the application key file;
kl.pbv, licensing.dll, oper.pbv – set of files that enable the kes2mdm.exe utility to work.
Kaspersky Endpoint Security 8 for Smartphone is deployed in accordance with the standard software deployment
scheme through Mobile Device Manager. First, it is necessary to create a group policy object to store the application
settings and manage the mobile devices. The policy object is created for the Active Directory group of registered
devices on which the application needs to be installed. Then, the administrative template is installed in the policy object
that has been created. After installing the template, all required application settings are configured and the license is
installed. To distribute the application to the users' mobile devices, the installation package is created in the Mobile
Device Manager Software Distribution console. The installation package is copied to the mobile devices when they
synchronize with the MDM server. After copying is complete, installation of the application on the mobile devices starts
automatically, without requiring any intervention by the user.
So, installation of Kaspersky Endpoint Security 8 for Smartphone through Mobile Device Manager consists of the
following steps:
1. Installing the administrative template in the group policy object.
2. Configuring the application settings.
3. Installing the license using the utility to convert the key file.
4. Creating the installation package and subsequently distributing it to the users' mobile devices.
5. Installing the application on the mobile devices.
I M P L E M E N T A T I O N G U I D E
78
PREPARING FOR DEPLOYMENT OF THE APPLICATION
IN THIS SECTION
A bout the administrative template .................................................................................................................................. 78
Installing the administrative template .............................................................................................................................. 78
Configuring the administrative template .......................................................................................................................... 79
Activating the application............................................................................................................................................... 102
THROUGH MDM
Before deploying Kaspersky Endpoint Security 8 for Smartphone through Mobile Device Manager, the administrator must
ensure that the following conditions are fulfilled:
1. Microsoft Security Center Mobile Device Manager has been deployed and configured on the network.
2. All of the users' mobile devices are included on the network and registered to the domain.
3. Windows Server Update Services 3.0 SP1 has been installed and configured on the MDM server.
A BOUT THE ADMINISTRATIVE TEMPLATE
The Kaspersky Endpoint Security 8 for Smartphone administrative template enables configuration of the policies for
managing the application. It consists of a text file containing all of the application's essential settings. This file
(endpoint8_en.adm) is included in the application's distribution package.
For the deployment of Kaspersky Endpoint Security 8 for Smartphone through Mobile Device Manager, the application's
administrative template must be added to the group policy object created in the administration console. The template is
installed on the administrator's workstation, which has the right to manage policies on the domain controller.
The language of the administrative template must be the same as that of the operating system installed on the
administrator's workstation!
You can configure the settings of the policies for all application components (see "Configuring the administrative
template" on page 79).
INSTALLING THE ADMINISTRATIVE TEMPLATE
To install the Kaspersky Endpoint Security 8 for Smartphone administrative template:
1. Create the group policy object in the administration console (MMC).
2. In the folder structure of the console, at the location of the policy object created, select the location Computer
configuration, then the Administrative templates group.
3. In the shortcut menu, select Add / remove templates.
4. The Add / remove templates window opens; press the Add button.
5. In the window that opens, select the endpoint8_en.adm template file stored on the administrator's workstation.
6. Press the Close button on the Add and remove templates window.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H MS S C M D M
79
As a result, the Settings for Kaspersky Endpoint Security 8 for Smartphone group, containing the groups of
settings for each of the application's components, will be added to the Administrative templates group (see
figure below).
Figure 37. Administrative template
CONFIGURING THE ADMINISTRATIVE TEMPLATE
All of the settings for Kaspersky Endpoint Security 8 for Smartphone, including license activation, are defined through
policies. Information about the application settings assigned in the policies is stored on the MDM server and distributed to
mobile devices during synchronization.
To configure the administrative template:
1. In the folder structure of the administration console, select the group policy object for which you want to
configure the Kaspersky Endpoint Security 8 for Smartphone settings.
2. Select the location Computer configuration.
3. Select the folder Administrative templates, and in there the folder Settings for Kaspersky Endpoint
Security 8 for Smartphone.
4. Select the folder with the name of the application component for which you want to configure the settings (see
"About Kaspersky Endpoint Security 8 for Smartphone components" on page 15).
As a result, the right side of the administration console window will show the policies enabling configuration of
the selected component (see "Framework for managing the application through MDM" on page 76).
The next sections provide more detailed procedures for configuring the policies for each of the application's components.
I M P L E M E N T A T I O N G U I D E
80
IN THIS SECTION
Configuring the Protection policy ..................................................................................................................................... 80
Configuring the Scan on request policy ........................................................................................................................... 82
Configuring the Scheduled scan policy ........................................................................................................................... 83
Configuring the Scheduled updates policy ...................................................................................................................... 85
Configuring the Updates blocked when roaming policy ................................................................................................... 86
Configuring the Source of updates policy ........................................................................................................................ 87
Configuring the Block policy ............................................................................................................................................ 88
Configuring the Display of text when device is blocked policy ......................................................................................... 89
Configuring the Data Wipe policy .................................................................................................................................... 90
Configuring the List of folders for deletion policy ............................................................................................................. 91
Configuring the GPS Find policy ..................................................................................................................................... 92
Configuring the SIM Watch policy ................................................................................................................................... 93
Configuring the Blocking use of Anti-Spam policy ........................................................................................................... 94
Configuring the Blocking use of Privacy Protection policy ............................................................................................... 95
Configuring the blocking access to encrypted data policy ............................................................................................... 96
Configuring the List of folders for encryption policy ......................................................................................................... 97
Configuring the Firewall mode policy .............................................................................................................................. 99
Configuring the Firewall notifications policy................................................................................................................... 100
Configuring the License policy ...................................................................................................................................... 101
CONFIGURING THE PROTECTION POLICY
To configure the Protection policy:
1. In the folder structure of the administration console, select the Anti-Virus folder.
2. In the right hand side of the administration console window, select the Protection policy.
3. In the policy's shortcut menu, select Properties.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H MS S C M D M
81
As a result, the Protection Properties window opens (see figure below).
Figure 38. The Protection Properties window
4. On the Setting tab, select one of the following options:
Not Configured. The component / function is enabled on the user's mobile device. The settings defined by
the policy are accessible for editing by the user on the mobile device.
The component / function will operate according to the settings defined by the user.
Enabled. The component / function is enabled on the user's mobile device. The settings defined by the
policy are not accessible for editing by the user on the mobile device. The top left corner of the screen of
the mobile device will display a "lock".
The component / function will operate according to the settings defined by the policy. When this option is
set, you can configure the settings of the policy.
Off. The component / function defined by the policy is disabled on the user's mobile device. There is no
access for changing the settings. The top left corner of the screen of the mobile device will display a "lock".
5. In the Scanned file types drop-down list, select the file types that Kaspersky Endpoint Security 8 for
Smartphone will scan. Available values:
All files. All types of files are scanned.
Only executable files. Only executable files of the following formats are scanned: EXE, DLL, MDL, APP,
RDL, PRT, PXT, LDD, PDD, CLASS.
6. In the Action on threat detection drop-down list, select the action to be carried out when a malicious object is
identified. Available values:
I M P L E M E N T A T I O N G U I D E
82
Delete. Malicious objects are deleted without informing the user.
Log event. Malicious objects remain unchanged, while the information on their detection is entered in the
program's log. When attempting to use the object (e.g. attempt to copy or open it), access to it is blocked.
CONFIGURING THE SCAN ON REQUEST POLICY
To configure the Scan on request policy:
1. In the folder structure of the administration console, select the Anti-Virus folder.
2. In the right hand side of the administration console window, select the Scan on request policy.
3. In the policy's shortcut menu, select Properties.
As a result, the Scan on request Properties window opens (see figure below).
Quarantine. Objects detected are placed in quarantine.
4. On the Setting tab, select one of the following options:
Not Configured. The component / function is enabled on the user's mobile device. The settings defined by
the policy are accessible for editing by the user on the mobile device.
The component / function will operate according to the settings defined by the user.
Figure 39.The Scan on request Properties window
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H MS S C M D M
83
Enabled. The component / function is enabled on the user's mobile device. The settings defined by the
policy are not accessible for editing by the user on the mobile device. The top left corner of the screen of
the mobile device will display a "lock".
The component / function will operate according to the settings defined by the policy. When this option is
set, you can configure the settings of the policy.
Off. The component / function defined by the policy is disabled on the user's mobile device. There is no
access for changing the settings. The top left corner of the screen of the mobile device will display a "lock".
5. In the Scanned file types drop-down list, select the file types that Kaspersky Endpoint Security 8 for
Smartphone will scan. Available values:
All files. All types of files are scanned.
Only executable files. Only executable files of the following formats are scanned: EXE, DLL, MDL, APP,
RDL, PRT, PXT, LDD, PDD, CLASS. Furthermore, archives are not unpacked and scanned.
6. Check the Scan archives box if you want Kaspersky Endpoint Security 8 for Smartphone to scan files packed
in an archive. The application scans the following archive formats: ZIP, JAR, JAD, and CAB.
If the Scan archives box is not checked and the All files option is selected in the Scanned file types dropdown list, the application will scan all files except those packed in archives.
7. Check the Disinfect infected, if possible box for the application to correct malicious objects. If correction is not
possible, the application carries out the action selected in the Action on threat detection drop-down list.
8. In the Action on threat detection drop-down list, select the action to be carried out when a malicious object is
identified. Available values:
Delete. Malicious objects are deleted without informing the user.
Log event. Malicious objects remain unchanged, while the information on their detection is entered in the
program's log. When attempting to handle an object (e.g. copying or opening), access to it is blocked.
Quarantine. Objects detected are placed in quarantine. This action is selected by default.
Request action. When detecting a malicious object, a notification is provided in which a selection of one of
the following actions is suggested:
Skip.
Quarantine.
Delete.
Try to disinfect.
CONFIGURING THE SCHEDULED SCAN POLICY
To configure the Scheduled scan policy:
1. In the folder structure of the administration console, select the Anti-Virus folder.
2. In the right hand side of the administration console window, select the Scheduled scan policy.
3. In the policy's shortcut menu, select Properties.
I M P L E M E N T A T I O N G U I D E
84
As a result, the Scheduled scan Properties window opens (see figure below).
Figure 40. The Scheduled scan Properties window
4. On the Setting tab, select one of the following options:
Not Configured. The component / function is enabled on the user's mobile device. The settings defined by
the policy are accessible for editing by the user on the mobile device.
The component / function will operate according to the settings defined by the user.
Enabled. The component / function is enabled on the user's mobile device. The settings defined by the
policy are not accessible for editing by the user on the mobile device. The top left corner of the screen of
the mobile device will display a "lock".
The component / function will operate according to the settings defined by the policy. When this option is
set, you can configure the settings of the policy.
Off. The component / function defined by the policy is disabled on the user's mobile device. There is no
access for changing the settings. The top left corner of the screen of the mobile device will display a "lock".
5. In the Mode drop-down list, select the start scan on demand mode. Available values:
Manually. Users can start a scan manually at a time convenient to them.
Daily. Scans take place every day at a specified time. In the Time field below, apply the start time using the
format HH:MM.
Weekly. Scans take place once a week on the specified day and time. In the Day drop-down list below,
select the day of the week, and in the Time field, apply the start time using the format HH:MM.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H MS S C M D M
85
CONFIGURING THE SCHEDULED UPDATES POLICY
To configure the Scheduled updates policy:
1. In the console tree, select the Anti-Virus folder.
2. In the right hand side of the administration console window, select the Scheduled updates policy.
3. In the policy's shortcut menu, select Properties.
As a result, the Scheduled updates Properties window opens (see figure below).
Figure 41. The Scheduled updates Properties window
4. On the Setting tab, select one of the following options:
Not Configured. The component / function is enabled on the user's mobile device. The settings defined by
the policy are accessible for editing by the user on the mobile device.
The component / function will operate according to the settings defined by the user.
Enabled. The component / function is enabled on the user's mobile device. The settings defined by the
policy are not accessible for editing by the user on the mobile device. The top left corner of the screen of
the mobile device will display a "lock".
The component / function will operate according to the settings defined by the policy. When this option is
set, you can configure the settings of the policy.
Off. The component / function defined by the policy is disabled on the user's mobile device. There is no
access for changing the settings. The top left corner of the screen of the mobile device will display a "lock".
I M P L E M E N T A T I O N G U I D E
86
5. In the Mode drop-down list, select the application database updates start mode. Available values:
Manually. Users can start a database update manually at a time convenient to them.
Daily. Application database updates take place every day at the specified time. In the Time field below,
apply the start time using the 24-hour format (HH:MM).
Weekly. Application database updates take place once a week on the specified day and time. In the Day
drop-down list below, select the day of the week, and in the Time field, apply the start time using the 24hour format (HH:MM).
CONFIGURING THE UPDATES BLOCKED WHEN ROAMING POLICY
To configure the Updates blocked when roaming policy:
1. In the console tree, select the Anti-Virus folder.
2. In the right hand side of the administration console, select the Updates blocked when roaming policy.
3. In the policy's shortcut menu, select Properties.
As a result, the Updates blocked when roaming Properties window opens (see figure below).
If you want to block automatic updates to the application database when the user's mobile device is in a
roaming zone, select the Enabled option on the Setting tab.
If you want to allow automatic updates to the application database when the user's mobile device is in a
roaming zone, select the Disabled option on the Setting tab.
If you want the user to configure any blocking of updates when roaming, select the Not specified option on the
Setting tab.
Figure 42. The Updates blocked when roaming Properties window
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H MS S C M D M
87
CONFIGURING THE SOURCE OF UPDATES POLICY
To configure the Source of updates policy:
1. In the folder structure of the administration console, select the Anti-Virus folder.
2. In the right hand side of the administration console window, select the Source of updates policy.
3. In the policy's shortcut menu, select Properties.
As a result, the Source of updates Properties window opens (see figure below).
Figure 43. The Source of update Properties window
4. On the Setting tab, select one of the following options:
Not Configured. The component / function is enabled on the user's mobile device. The settings defined by
the policy are accessible for editing by the user on the mobile device.
The component / function will operate according to the settings defined by the user.
Enabled. The component / function is enabled on the user's mobile device. The settings defined by the
policy are not accessible for editing by the user on the mobile device. The top left corner of the screen of
the mobile device will display a "lock".
The component / function will operate according to the settings defined by the policy. When this option is
set, you can configure the settings of the policy.
Off. The component / function defined by the policy is disabled on the user's mobile device. There is no
access for changing the settings. The top left corner of the screen of the mobile device will display a "lock".
I M P L E M E N T A T I O N G U I D E
88
5. In the Updates server field, indicate the address of the source of application database updates, from which the
updates will be downloaded to the mobile devices.
If you want application database updates to be downloaded from Kaspersky Lab update servers, this field needs
to indicate the following address: KL Servers.
If you want application database updates to be downloaded from any other update server, specify an HTTP
server, local or network folder. For instance, http://domain.com/index/.
The folder structure in the update source must be identical to the corresponding structure of Kaspersky Lab’s
update sever.
CONFIGURING THE BLOCK POLICY
To configure the Block policy:
1. In the folder structure of the administration console, select the Anti-Theft folder.
2. In the right hand side of the administration console window, select the Block policy.
3. In the policy's shortcut menu, select Properties.
As a result, the Block Properties window opens (see figure below).
4. If you want to enable remote blocking of the user's mobile device, select the Enabled option on the Setting tab.
If you want to disable the Block function, select the Disabled option on the Setting tab.
If you want the user to enable or disable the Block function, select the Not Configured option on the Setting
tab.
Figure 44. The Block Properties window
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H MS S C M D M
89
CONFIGURING THE DISPLAY OF TEXT WHEN DEVICE IS BLOCKED POLICY
To configure the Display of text when device is blocked policy:
1. In the folder structure of the administration console, select the Anti-Theft folder.
2. In the right hand side of the administration console window, select the Display of text when device is blocked
policy.
3. In the policy's shortcut menu, select Properties.
As a result, the Display text when device is blocked Properties window opens (see figure below).
Figure 45. The Display of text when device is blocked Properties window
4. On the Setting tab, select one of the following options:
Not Configured. The component / function is enabled on the user's mobile device. The settings defined by
the policy are accessible for editing by the user on the mobile device.
The component / function will operate according to the settings defined by the user.
Enabled. The component / function is enabled on the user's mobile device. The settings defined by the
policy are not accessible for editing by the user on the mobile device. The top left corner of the screen of
the mobile device will display a "lock".
The component / function will operate according to the settings defined by the policy. When this option is
set, you can configure the settings of the policy.
I M P L E M E N T A T I O N G U I D E
90
Off. The component / function defined by the policy is disabled on the user's mobile device. There is no
access for changing the settings. The top left corner of the screen of the mobile device will display a "lock".
5. In the Text when blocked field, enter the text to be displayed on the screen of the user's blocked device.
CONFIGURING THE DATA WIPE POLICY
To configure the Data Wipe policy:
1. In the folder structure of the administration console, select the Anti-Theft folder.
2. In the right hand side of the administration console window, select the Data Wipe policy.
3. In the policy's shortcut menu, select Properties.
As a result, the Data Wipe Properties window opens (see figure below).
4. On the Setting tab, select one of the following options:
Not Configured. The component / function is enabled on the user's mobile device. The settings defined by
the policy are accessible for editing by the user on the mobile device.
The component / function will operate according to the settings defined by the user.
Enabled. The component / function is enabled on the user's mobile device. The settings defined by the
policy are not accessible for editing by the user on the mobile device. The top left corner of the screen of
the mobile device will display a "lock".
Figure 46. The Date Wipe Properties window
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H MS S C M D M
91
The component / function will operate according to the settings defined by the policy. When this option is
set, you can configure the settings of the policy.
Off. The component / function defined by the policy is disabled on the user's mobile device. There is no
access for changing the settings. The top left corner of the screen of the mobile device will display a "lock".
When enabling the Data Wipe policy, you must apply at least one of its settings!
5. Check the Delete personal data box if you want Kaspersky Endpoint Security 8 for Smartphone to delete all
personal data (e.g. contacts, messages, photo gallery) from the mobile device by user command.
6. Check the Delete folders box if you want Kaspersky Endpoint Security 8 for Smartphone to delete the specified
folders from the user's mobile device.
CONFIGURING THE LIST OF FOLDERS FOR DELETION POLICY
To configure the List of folders for deletion policy:
1. In the folder structure of the administration console, select the Anti-Theft folder.
2. In the right hand side of the administration console window, select the List of folders for deletion policy.
3. In the policy's shortcut menu, select Properties.
As a result, the List of folders for deletion Properties window opens (see figure below).
Figure 47. The List of folders for deletion Properties window
I M P L E M E N T A T I O N G U I D E
92
4. On the Setting tab, select one of the following options:
Not Configured. The user creates the List of folders for deletion on the mobile device.
Enabled. The List of folders for deletion can be created either by the user on the mobile device, or by the
administrator. With this setting, any List of folders for deletion added by the administrator cannot be edited
or deleted by the user.
Off. The component / function defined by the policy is disabled on the user's mobile device. There is no
access for changing the settings. The top left corner of the screen of the mobile device will display a "lock".
5. Press the Show button, and create a list of folders for deletion in the window that opens, using the Add and
Remove buttons.
CONFIGURING THE GPS FIND POLICY
To configure the GPS Find policy:
1. In the folder structure of the administration console, select the Anti-Theft folder.
2. In the right hand side of the administration console window, select the GPS Find policy.
3. In the policy's shortcut menu, select Properties.
As a result, the GPS Find Properties window opens (see figure below).
Figure 48. The GPS Find Properties window
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H MS S C M D M
93
4. On the Setting tab, select one of the following options:
Not Configured. The component / function is enabled on the user's mobile device. The settings defined by
the policy are accessible for editing by the user on the mobile device.
The component / function will operate according to the settings defined by the user.
Enabled. The component / function is enabled on the user's mobile device. The settings defined by the
policy are not accessible for editing by the user on the mobile device. The top left corner of the screen of
the mobile device will display a "lock".
The component / function will operate according to the settings defined by the policy. When this option is
set, you can configure the settings of the policy.
Off. The component / function defined by the policy is disabled on the user's mobile device. There is no
access for changing the settings. The top left corner of the screen of the mobile device will display a "lock".
5. In the Message to email address field, indicate the email address to which a message is to be sent containing
the geographical coordinates of the user's mobile device.
CONFIGURING THE SIM WATCH POLICY
To configure the SIM Watch policy:
1. In the folder structure of the administration console, select the Anti-Theft folder.
2. In the right hand side of the administration console window, select the SIM Watch policy.
3. In the policy's shortcut menu, select Properties.
As a result, the SIM Watch Properties window opens (see figure below).
Figure 49. The SIM Watch Properties window
I M P L E M E N T A T I O N G U I D E
94
4. On the Setting tab, select one of the following options:
Not Configured. The component / function is enabled on the user's mobile device. The settings defined by
the policy are accessible for editing by the user on the mobile device.
The component / function will operate according to the settings defined by the user.
Enabled. The component / function is enabled on the user's mobile device. The settings defined by the
policy are not accessible for editing by the user on the mobile device. The top left corner of the screen of
the mobile device will display a "lock".
The component / function will operate according to the settings defined by the policy. When this option is
set, you can configure the settings of the policy.
Off. The component / function defined by the policy is disabled on the user's mobile device. There is no
access for changing the settings. The top left corner of the screen of the mobile device will display a "lock".
When enabling the SIM Watch policy, you must apply at least one of its settings!
5. In the SMS to phone number field, indicate the telephone number to which, in the event of a change of SIM
card, an SMS is to be sent with the new telephone number of the SIM card that has been inserted. The phone
number may start with a digit or with a "+", and must contain digits only.
6. In the Message to email address field, indicate the email address to which a message should be sent
containing the new telephone number of the SIM card that has been inserted.
7. Enable the option to Block the telephone when the SIM card is replaced , if you want the application to block
a user mobile device when its SIM card is replaced or if the device is switched on without it. You can unblock
the device only by entering the secret code.
CONFIGURING THE BLOCKING USE OF ANTI-SPAM POLICY
To configure the Blocking use of Anti-Spam policy:
1. In the folder structure of the administration console, select the Anti-Spam
2. In the right hand side of the administration console window, select the Blocking use of Anti-Spam policy.
3. In the policy's shortcut menu, select Properties.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H MS S C M D M
95
As a result, the Blocking use of Anti-Spam Properties window opens (see figure below).
Figure 50. The Blocking use of Anti-Spam Properties window
4. If you want to prohibit the user from editing the Anti-Spam settings and from viewing the log for this component,
select the Enabled option on the Setting tab.
If you want to allow the user to use the Anti-Spam component, select the Disabled or Not Configured option
on the Setting tab.
CONFIGURING THE BLOCKING USE OF PRIVACY PROTECTION POLICY
To configure the Blocking use of Privacy Protection policy:
1. In the folder structure of the administration console, select the Privacy Protection folder.
2. In the right hand side of the administration console window, select the Blocking use of Privacy Protection
policy.
3. In the policy's shortcut menu, select Properties.
I M P L E M E N T A T I O N G U I D E
96
As a result, the Blocking use of Privacy Protection Properties window opens (see figure below).
Figure 51. The Blocking use of Privacy Protection Properties window
4. If you want to prohibit the user from editing the Privacy Protection settings and from viewing the log for this
component, select the Enabled option on the Setting tab.
If you want to allow the user to use the Privacy Protection component, select the Disabled or Not Configured
option on the Setting tab.
CONFIGURING THE BLOCKING ACCESS TO ENCRYPTED DATA POLICY
To configure the Blocking access to encrypted data policy:
1. In the Administration Console tree, select the Encryption folder.
2. In the right part of the administration console window, select the Blocking access to encrypted data policy.
3. In the policy's shortcut menu, select Properties.
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H MS S C M D M
97
As a result, the Blocking access to encrypted data Properties window opens (see figure below).
Figure 52. The Automatic data encryption Properties window
4. On the Setting tab, select one of the following options:
Not Configured. The user is allowed to edit the application settings on the mobile device. The application
will operate according to the settings applied by the user.
Enabled. The policy is enabled. The user is prohibited from editing the application settings on the mobile
device. The top left corner of the screen of the mobile device will display a "lock".
The application will operate according to the settings applied by the policy. When this option is set, you can
configure the settings of the policy.
Off. The component / function defined by the policy is disabled on the user's mobile device. There is no
access for changing the settings. The top left corner of the screen of the mobile device will display a "lock".
5. In the Block access drop-down list, select the time interval after which access to encrypted data is
automatically blocked. The function is automatically activated after the mobile device switches to energy-saving
mode.
I M P L E M E N T A T I O N G U I D E
98
CONFIGURING THE LIST OF FOLDERS FOR ENCRYPTION POLICY
To configure the List of folders for deletion policy, perform the following actions:
1. In the folder structure of the administration console, select the Encryption folder.
2. In the right hand side of the administration console window, select the List of folders for encryption policy.
3. In the policy's shortcut menu, select Properties.
As a result, the List of folders for encryption Properties window opens (see figure below).
4. On the Setting tab, select one of the following options:
Not Configured. The user creates the List of folders for encryption on the mobile device.
Enabled. The List of folders for encryption can be created either by the user on the mobile device, or by the
administrator. With this setting, the List of folders for encryption added by the administrator cannot be
edited or deleted by the user.
Off. The component / function defined by the policy is disabled on the user's mobile device. There is no
access for changing the settings. The top left corner of the screen of the mobile device will display a "lock".
5. Press the Show button, and create a list of folders for encryption in the window that opens, using the Add and
Remove buttons.
Figure 53. The List of folders for encryption Properties window
D E P L O Y I N G T H E A P P L I C A T I O N T H R O U G H MS S C M D M
99
CONFIGURING THE FIREWALL MODE POLICY
To configure the Firewall mode policy:
1. In the Administration Console tree, select the Firewall folder.
2. In the right hand side of the administration console window, select the Firewall mode policy.
3. In the policy's shortcut menu, select Properties.
As a result, the Firewall mode Properties window opens (see figure below).
Figure 54. The Firewall mode Properties window
4. On the Setting tab, select one of the following options:
Not Configured. The component / function is enabled on the user's mobile device. The settings defined by
the policy are accessible for editing by the user on the mobile device.
The component / function will operate according to the settings defined by the user.
Enabled. The component / function is enabled on the user's mobile device. The settings defined by the
policy are not accessible for editing by the user on the mobile device. The top left corner of the screen of
the mobile device will display a "lock".
The component / function will operate according to the settings defined by the policy. When this option is
set, you can configure the settings of the policy.
Off. The component / function defined by the policy is disabled on the user's mobile device. There is no
access for changing the settings. The top left corner of the screen of the mobile device will display a "lock".
I M P L E M E N T A T I O N G U I D E
100
5. In the Mode drop-down list, select the Firewall's security level. Available values:
Off. The Firewall is switched off. All network activity is allowed.
Minimum protection. The Firewall blocks all incoming connections. Any outgoing connections are allowed.
Maximum protection. The Firewall blocks all incoming connections. Outgoing connections under the SSH
/ HTTP / HTTPS / IMAP / SMTP / POP3 protocols are allowed.
Block all. The Firewall blocks all network activity except application database updates and the functioning
of Mobile Device Manager.
CONFIGURING THE FIREWALL NOTIFICATIONS POLICY
To configure the Firewall notifications policy:
1. In the administration console tree, select the Firewall folder.
2. In the right hand side of the administration console window, select the Firewall notifications policy.
3. In the policy's shortcut menu, select Properties.
As a result, the Firewall notifications Properties window opens (see figure below).
Figure 55. The Firewall notifications Properties window
Loading...