GravityZone Deployment Guide


  • 7/24/2019 GravityZone Deployment Guide

    GRAVITYZONE

    Deployment Guide VLE Environment

    LEGAL NOTICE

    All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from an authorized representative of Bitdefender. The inclusion of brief quotations in reviews may be possible only with the mention of the quoted source. The content cannot be modified in any way.

    Warning and Disclaimer. This product and its documentation are protected by copyright. The information in this document is provided on an "as is" basis, without warranty. Although every precaution has been taken in the preparation of this document, the authors will not have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this work.

    Trademarks. Trademark names may appear in this document. All registered and unregistered trademarks in this document are the sole property of their respective owners, and are respectfully acknowledged.

    Copyright 2013 Bitdefender

    Table of Contents

    1. Introduction
    2. Deployment Prerequisites
    3. Deploying GravityZone Cluster
    3.1. Cluster Architecture
    3.2. Configuring the GravityZone VA
    3.3. Creating the GravityZone Cluster
    3.3.1. Creating the Database Server Role
    3.3.2. Creating a Web Console Role
    3.3.3. Creating an Update Server Role
    3.3.4. Creating a Communication Server Role
    3.3.5. Configuring GravityZone Load Balancing
    3.3.6. Configuring the External MDM Address
    4. Control Center Configuration
    4.1. Setup
    4.2. Integrations
    4.2.1. Active Directory Integration
    4.2.2. Virtualization Integrations
    4.3. Accounts
    4.4. Settings
    4.5. Update
    4.6. Certificates
    4.7. License
    4.8. Alerts and Notifications

    1. Introduction

    The purpose of this document is to assist Bitdefender customers with the GravityZone deployment in their IT infrastructure, which may present similarities to the scenario on which the document is based. This document does not replace the GravityZone Administrator's Guide or the GravityZone Quick Start guide; rather, it is a natural extension of those documents, providing other details and insights, focusing on the deployment and overall configuration processes. For a detailed overview of the GravityZone features, please review the Administrator's Guide.

    This document contains a deployment example of a GravityZone cluster running in the most complex architecture, designed to be used by very large enterprise organizations. This example best illustrates the solution's scalability, load-balancing and high-availability capabilities.

    IMPORTANT: Bitdefender's Professional Services team is providing this document as-is as a courtesy to its potential or existing customers and it is not to be viewed as a replacement for Professional Services assistance. Bitdefender is not offering support for this document and the accuracy of the information presented in this document is solely the authors' responsibility.

    Terms and Acronyms

    This document uses the following terms and acronyms:

    GravityZone Server Role - a software package used primarily to provide a single network service. The server roles available in the GravityZone architecture are: Database Server, Communication Server, Web Console, Update Server

    GravityZone Server Instance - a virtual machine running one or more GravityZone server roles

    GravityZone Cluster - a collection of multiple GravityZone instances pooled together for horizontal scalability purposes

    GZ - GravityZone

    MDM - Mobile Device Management

    EPS - Endpoint Security, the Antimalware agent used by GravityZone to protect physical devices

    SVE - Security for Virtualized Environments, the module used by GravityZone to protect virtualized environments using a centralized scanning approach

    2. Deployment Prerequisites

    The following steps must be completed before moving forward to the product deployment:

    - Register for a GravityZone trial on the Bitdefender Enterprise website (http://enterprise.bitdefender.com/solutions-and-services/enterprises/GravityZone.html). After you enroll in the GravityZone trial you will receive license keys for each GravityZone service.

    - Download the GravityZone VA corresponding to your virtualized environment.

    - Make sure you have the administrative credentials available for every environment you want to integrate GravityZone Control Center with: Active Directory, vCenter Server, XenServer.

    - Reserve the necessary number of IP addresses to be used by this GravityZone deployment. Every virtual appliance that is part of the GravityZone product requires either static IP addresses or DHCP reservations for IP addresses.

    - Create DNS entries for every machine that will be part of GravityZone.

    - Check for hardware resource availability, based on the hardware requirements data presented in the GravityZone Administrator Guide.

    - Create an email account in your organization's email server for GravityZone to use for sending out email notifications to its users.

    3. Deploying GravityZone Cluster

    3.1. Cluster Architecture

    The current GravityZone cluster deployment model is presented as an example that may be used by a very large enterprise environment, allowing the reader to understand the GravityZone architecture and its horizontal scalability.

    For deployments that focus on protecting fewer than 15.000 endpoints, GravityZone is deployed as a single instance with all GravityZone server roles installed on the same virtual machine.

    For deployments that aim to protect up to 50.000 endpoints, GravityZone is deployed in a 3-instance cluster. The GravityZone cluster is built using 3 server instances, each instance containing one of the following roles: Database Server, Communication Server, Web Server + Update Server.

    The present document focuses on the steps that need to be completed by an organization deploying GravityZone to protect more than 50.000 endpoints in an environment containing physical systems, virtual machines and mobile devices.

    3.2. Configuring the GravityZone VA

    The following configuration steps are common for every new GravityZone Virtual Appliance and they are the prerequisite for every new instance added to the GravityZone cluster.

    a. Import the GravityZone Virtual appliance once for every GravityZone server instance that you want to create.

    b. Edit the virtual machine settings and define CPU and RAM according to the role it has in the GravityZone deployment.

    c. Upon the first boot of a new virtual machine, you are required to configure the password for the built-in bdadmin system administrator account.

    d. Log in to the CLI menu using the bdadmin account password.

    e. From the Appliance Options menu, configure the following options:

    - Option 1: Configure Hostname and Domain Settings.

    Each GravityZone instance needs to be configured with a hostname that is resolved by the organization's DNS and can also be added into the organization's Active Directory.

    - Option 2: Configure Network settings.

    The appliance can be configured to automatically receive the network settings from a DHCP server or can have the network settings configured manually. If the DHCP configuration is used, make sure the IP address is reserved and will not be changed upon renewal.

    - Option 3: Configure Proxy Settings.

    Each GravityZone instance requires Internet connectivity during the initial configuration. If the Internet access is routed through a proxy server, configure its address as shown in the example below.

    - Option 4: Configure Language.

    This setting controls the CLI language and can be configured to English, French, Spanish or German.

    - Option 6: Configure Update Server.

    During the initial configuration, every new GravityZone machine requires Internet access for the Bitdefender repositories and update servers. If such access cannot be configured, you can configure a separate Bitdefender local update server in your organization's DMZ to mirror our repositories and update servers. You can then configure every GravityZone machine to access that DMZ local update server and download updates from there.

    3.3. Creating the GravityZone Cluster

    For the current deployment scenario, the GravityZone server cluster is created using 6 server instances, covering the following roles:

    - Database Server Role: 1 instance

    - Web Console Role: 2 instances

    - Communication Server Role: 2 instances

    - Update Server Role: 1 instance

    The GravityZone cluster provides load balancing and high-availability capabilities that can be configured for the two front-end server roles, Web Console and Communication Server. If the built-in load balancer software (HAProxy) is used, the GravityZone cluster will need another instance added to host this role. The load balancing configuration is further explained in section 3.3.5 Configuring GravityZone Load Balancing.

    3.3.1. Creating the Database Server Role

    The first role to be installed in a new GravityZone cluster is the Database Server role. To install this role, follow the next steps:

    a. Create a new GravityZone instance and log in to the Appliance Options menu.

    b. Choose option 5 Install/Modify Roles and then option 1 Add or Remove Roles.

    c. Select the Database Server role by pressing space and then start the role installation.

    After a new database server is created in a new GravityZone cluster, the other server roles will register with the Database Server role so that they can be added to the newly created cluster.

    3.3.2. Creating a Web Console Role

    To create a new Web Server role, follow the next steps:

    a. Create a new GravityZone instance and log in to the Appliance Options menu.

    b. Choose option 7 Configure Database address.

    c. Go back to the Appliance Options menu and select option 5 Install/Modify Roles, then select the Web Console role by pressing space and start the role installation.

    For the current deployment scenario, the recommended GravityZone cluster architecture contains two Web Console instances, so you will need to follow the above procedure twice.

    3.3.3. Creating an Update Server Role

    To create a new Update Server role, follow the next steps:

    a. Create a new GravityZone instance and log in to the Appliance Options menu.

    b. Choose option 7 Configure Database address.

    c. Go back to the Appliance Options menu and select option 5 Install/Modify Roles, then select the Update Server role by pressing space and start the role installation.

    3.3.4. Creating a Communication Server Role

    To create a new Communication Server role, follow the next steps:

    a. Create a new GravityZone instance and log in to the Appliance Options menu.

    b. Choose option 7 Configure Database address.

    c. Go back to the Appliance Options menu and select option 5 Install/Modify Roles, then select the Communication Server role by pressing space and start the role installation.

    For the current deployment scenario, the recommended GravityZone cluster architecture contains two Communication Server instances, so you will need to follow the above procedure twice.

    3.3.5. Configuring GravityZone Load Balancing

    In the GravityZone cluster, the role balancer (server role) provides high availability and load balancing functionality for the two front-end server roles, Web Console and Communication Server. For configuring a role balancer server role, GravityZone provides a built-in load balancer based on HAProxy. Alternatively, if the customer already has a different load balancer in his environment, GravityZone can be instructed to use that appliance.

    To configure the GravityZone built-in load balancer role, follow the next steps:

    a. Create a new GravityZone instance and log in to the Appliance Options menu.

    b. Choose option 7 Configure Database address.

    c. Go back to the Appliance Options menu, select option 6 Configure Role Balancers and then option 2 Use the built-in balancers. On the next window select the Web Console Balancer and Communication Server Balancer options.

    To configure GravityZone to use an existing (external) load balancer, you need to configure that load balancer to perform TCP load balancing for two ports on the public IP address or domain name assigned to it. On those ports the load balancer receives requests intended for the Web Console roles and Communication Server roles, forwarding them internally to those servers.

    For example:

    External Web Server address on LB:
    - https://ws.domain.com:4444

    Internal Web Server addresses (as configured on the respective GZ instances):
    - ws1.domain.local:443
    - ws2.domain.local:443

    External Communication Server address on LB:
    - https://cs.domain.com:8888

    Internal Communication Server addresses (as configured on the respective GZ instances):
    - ecs1.domain.local:8443
    - ecs2.domain.local:8443

    After the external load balancer is configured, follow the next steps:

    1. Log in to the Database Server instance Appliance Options menu.

    2. Select option 6 Configure Role Balancers and then option 1 Use external balancers.

    3. Fill in the external Web Server and Communication Server addresses configured on the external load balancer.

    Note: If at any point, due to scalability considerations and environment growth, you decide to add more Web Console instances or Communication Server roles, after you configure them as new instances in the GravityZone cluster, you need to add their addresses to the external load balancer configuration.
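
    The external load balancer mapping from the example above, written out as an HAProxy configuration. This is an added example, not part of the Bitdefender guide: it assumes the external balancer is a separate HAProxy host, and the section names, timeouts, balancing algorithms and health checks are illustrative choices the guide does not specify.

```haproxy
# Added example (not from the guide): external TCP load balancing for the two
# GravityZone front-end roles, using the example addresses given in the guide.

global
    log /dev/log local0
    maxconn 4096                 # assumed value

defaults
    mode    tcp                  # layer-4 (TCP) balancing, as the guide requires
    log     global
    option  tcplog
    timeout connect 5s           # assumed value
    timeout client  60s          # assumed value
    timeout server  60s          # assumed value

# Web Console: clients connect to https://ws.domain.com:4444 on the balancer.
frontend gz_web_console
    bind :4444
    default_backend gz_web_console_nodes

backend gz_web_console_nodes
    balance source               # assumption: keep a given client on one console node
    server ws1 ws1.domain.local:443 check
    server ws2 ws2.domain.local:443 check
    # When a Web Console instance is added to the cluster, add its "server" line here.

# Communication Server: clients connect to https://cs.domain.com:8888 on the balancer.
frontend gz_communication_server
    bind :8888
    default_backend gz_communication_server_nodes

backend gz_communication_server_nodes
    balance roundrobin           # assumption: the guide names no algorithm
    server ecs1 ecs1.domain.local:8443 check
    server ecs2 ecs2.domain.local:8443 check
    # When a Communication Server instance is added, add its "server" line here.
```

    Because the balancer forwards TCP without terminating TLS, clients see the certificate served by the GravityZone instance itself, so that certificate has to be valid for the external name (ws.domain.com or cs.domain.com). Running haproxy -c -f on the file checks it for syntax errors before the service is reloaded.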

    3.3.6. Configuring the External MDM Address

    GravityZone contains the Security for Mobile Devices module, allowing the GravityZone administrator to manage the users' mobile devices. The management capabilities for mobile devices are handled exclusively over the Internet and for that reason the GravityZone Communication Server has to be configured with an external network address on which it receives communication from the managed mobile devices.

    To facilitate this communication, the infrastructure administrators have to configure a NAT rule on the border firewall to map the external address to the internal communication server address.

    If the configured Communication Server load balancing address is already configured as an external address, that address can be used.

    The External MDM Address is configured in the GravityZone cluster following the next steps:

    1. Log in to the Database Server instance Appliance Options menu.

    2. Select option 6 Configure Communication Server and then option 2 Configure MDM Server external address.

    3. Fill in the external Web Server and Communication Server addresses configured on the external load balancer.

    4. Control Center Configuration

    Once you finish configuring the GravityZone cluster, you will need to set up the GravityZone Control Center. During the initial setup of Control Center, you are required to configure the root level account, allowing you to do all configurations related to:

    - Integrations setup

    - Email server connectivity and global proxy settings

    - Updates management

    - Security Certificates management

    - Administrator accounts management

    - Notification management

    4.1. Setup

    To start the GravityZone Control Center setup:

    a. Access the Control Center web interface. Open a web browser and access the configured IP address/domain name and port of the Web Console role balancer address.

    b. Create the root account. During the creation of the root level account, GravityZone will register with an existing MyBitdefender account and validate the license keys over the Internet.

    - Log in with your MyBitdefender account. If you don't have one, click I don't have a MyBitdefender account and you will be redirected to this portal where you will be able to create an account.

    - Enter the product license keys to activate each GravityZone and click Next.

    - Configure the root level account name, email address and password.

    After the Root account has been created, GravityZone will automatically log in to the root level using the created user.

    Note: There can only be one root user per GravityZone cluster; other accounts with the same level of privileges cannot be created.

    4.2. Integrations

    GravityZone Control Center integrates with different parts of your environment so as to simplify the deployment and management processes.

    4.2.1. Active Directory Integration

    The AD integration allows administrators to manage the physical environment and mobile devices. For physical devices management, Control Center will replicate the Computers tree, including groups and OUs, populating the internal network inventory with the same structure and contents. With regard to mobile devices management, Control Center will replicate from AD the groups and OUs containing domain user accounts, allowing the administrators to bind mobile devices with user accounts and manage them centrally.

    To activate the AD integration, follow the next steps:

    - Go to the Integration menu and click the Active Directory tab.

    - Check the Synchronize with Active Directory box, then enter the domain name and the administrative account (domain administrator account or member of Domain Admins).

    - Click Save to initiate the first synchronization between Control Center and AD. The sync time will depend on the number of AD inventory objects: as an estimation, for more than 10k inventory objects, the synchronization will take about one minute.

    4.2.2. Virtualization Integrations

    The Control Center integration with VMware vCenter Server and Citrix XenServer can be configured from the Virtualization integrations tab.

    a. vCenter Server integration

    The vCenter Server integration allows the administrator to manage the virtualized environment running on VMware vSphere. Control Center replicates both the Hosts and Clusters and VMs and Templates trees (including Resource Pools and VM folders), allowing the internal network inventory to display the exact structure and contents of the vCenter inventory.

    To activate the vCenter Server integration, follow the next steps:

    - Go to the Integration menu and click the Virtualization tab.

    - Click the Add (+) button and select vCenter Server.

    - On the Add vCenter Server configuration window, specify the name for this integration, Hostname or IP address of the target vCenter Server and connection port.

    Note: Change the port only if you configured a different listening port for vSphere client connections. For more details review VMware KB article 2031843 (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2031843).

    - Optionally, if you plan on using a vShield Endpoint integration to provide protection to your virtual machines, specify the hostname or IP address and port for vShield Manager. GravityZone SVE will then use a vShield Endpoint integration to protect the virtual machines of this vCenter server.

    Note: Change the port only if you configured a different listening port for REST API calls on vShield Manager. For more details please refer to the VMware vShield Manager Quick Start Guide (http://www.vmware.com/pdf/vshield_51_quickstart.pdf).

    - Enter the appropriate vCenter Server administrative credentials. If vCenter is integrated with AD, you can check the Use credentials provided for Active Directory synchronization box.

    - Click Save and Control Center will synchronize with vCenter Server for the first time.

    If your environment contains multiple instances of vCenter Server, repeat this operation for every instance.

    b. XenServer Integration

    The XenServer integration allows the administrator to manage the virtualized environment running on Citrix XenServer. Control Center replicates both the VMs and Folders trees, allowing the internal network inventory to display the exact structure and contents of the XenServer or Resource Pool inventory. If Resource Pools are used, make sure the integration target for that pool is the XenServer pool master instance, to ensure a successful integration.

    To activate the XenServer integration, follow the next steps:

    - Go to the Integration menu and click the Virtualization tab.

    - Click the Add (+) button and select XenServer.

    - On the Add XenServer configuration window, specify the name for this integration, Hostname or IP address of the target XenServer and connection port.

    Note: Change the port only if you configured a different listening port for XenServer communication. For more details review the Citrix XenServer Administrator Guide (http://support.citrix.com/servlet/KbServlet/download/32307-102-691300/reference.pdf).

    - Enter the appropriate XenServer administrative credentials. Once the AD credentials are validated by XenServer, you can check the Use credentials provided for Active Directory synchronization box.

    - Click Save and Control Center will synchronize with XenServer for the first time.

    If your environment contains multiple instances of XenServer or resource pools, repeat this operation for every instance.

    4.3. Accounts

    GravityZone uses two main account types:

    - Root account - this account allows the administrator to configure every option presented throughout Section 5 of the present document

    - User account - when logged in with the user account, the administrator is able to handle all the configuration-related tasks GravityZone can apply to the protected environment: deploy the endpoint protection, issue configuration policies and tasks, review dashboard events and generate reports.

    From the Accounts menu, the root administrator can create, manage and delete User accounts.

    By default, Control Center does not have any administrator accounts created. To create a new administrator account, follow the next steps:

    - Go to the Accounts menu and click the Add (+) button.

    - Select the user type.

    Control Center is integrated with AD and allows the root administrator to (re)create existing AD users and provide them login privileges in Control Center. When this user type is used, the email address and password are the same as the ones the user had in AD.

    Note: As you start to type the user name in the Username textbox, the existing user account will be suggested. If the account you are trying to create has been recently created and does not appear as a suggested option, click the Force Resync button, which will trigger an on-demand AD synchronization.

    Alternatively, the new user can be a Custom User, unrelated to AD. In this case a valid email address and a password must be provided.

    - Select the Role, Timezone and Control Center language for the new user.

    In Control Center, a new user account can have an Administrator role (is allowed to use every feature of Control Center) or Reporter role (is only allowed to view the Dashboard section and generate reports). The rights are related to their managed environment.

    - Select the Service type for this new account to manage. You can assign permissions for a new user over Physical, Virtual Machines and Mobile devices, or just on one or two services. After you select the service, click the Target link and choose the groups to be managed by the user.

    - Once ready, click the Save button to create the new user.

    4.4. Settings

    In the Settings menu you can configure the Control Center mail server connector and global proxy settings.

    a. Mail Server connector

    Control Center requires access to the organization's email server to be able to send email notifications and scheduled reports to its root and administrative accounts.

    Important: The root account password recovery mechanism relies on the mail server integration. If GravityZone is not integrated with an email server, the password recovery mechanism will not work.

    To configure the Mail Server connector, follow the next steps:

    - Go to the Settings menu and click the Mail Server tab.

    - Activate the Mail Server Settings option and configure the mail server hostname or IP address, connection port, encryption method for the connection, email account and credentials for that email account.

    Note: The email account credentials are only required if your email server requires authentication.

    - Once ready, click the Save button.

    b. Proxy Settings

    GravityZone requires a permanent Internet connection to validate the license key and download product and signature definition updates. If the Internet access is routed through a proxy server, the administrator needs to configure the correct proxy connection details in this section.

    - Go to the Settings menu and then click the Proxy tab.

    - Activate the Use Proxy Settings option and configure the proxy address and port. If required by your proxy server, add the username and password.

    - Once ready, click the Save button.

    c. Miscellaneous settings

    - SVE Security Server image availability. Upon the initial GravityZone deployment, the SVE Security Server VM templates are not downloaded automatically. From this section, administrators can instruct GravityZone to automatically download the Security Server VM template upon request, whenever required during a deployment task. Alternatively, you can download the templates in advance by using the Update settings described in section 4.5 b. Product Update.

    - Concurrent deployments. This setting controls the number of endpoint deployments that can run simultaneously. For instance, if this value is set to 20 and the administrator creates a deployment task for 100 targeted systems, GravityZone will process only 20 installations at a time. The default value for this setting is 10.

    4.5. Update

    In the Update menu you can configure the local Update Server and the global Product Update settings for all Update Server roles included in the GravityZone cluster.

    a. Update Server

    The GravityZone cluster is delivered with a local Bitdefender Update Server role.

    The global Update Server settings need to be changed only if the administrator prefers to have the update servers from the GravityZone cluster update from a different instance of Bitdefender Update Server that is already present in the environment.

    - Go to the Update menu and click the Update Server tab.

    - In this section you can configure a new Bitdefender local update server as the default download location for all the Update Server roles within the GravityZone cluster. In addition, you can set the update interval and the reporting proxies (virus reporting, crash submitter and license registration).

    Note: Bitdefender recommends keeping the default settings in this section.

    b. Product Update

    In this section you can control the global product updates for the GravityZone cluster members and for the Security Servers and Components Updates:

    - Go to the Update menu and click the Product Update tab.

    - When there is a new update available for GravityZone, the Update Now button is enabled, allowing the administrator to trigger the GravityZone update for every server role deployed in the cluster.

    Every time there is a new update available for the GravityZone cluster or one of its components, Control Center will send the administrator an email notification, as configured in the Notification area, which is covered in section 4.8 Alerts and Notifications.

    Note: Depending on the Internet connection speed, the update might take up to 10 minutes to complete.


    - The Components Update section allows administrators to download the required endpoint components:

        - Endpoint Security Client: the endpoint installer package used by Endpoint Security to protect and manage physical devices

        - Bitdefender Tools: the endpoint installer package used by SVE to protect and manage virtual machines

        - Security Server: VM template of Security Server, the centralized scanning component of SVE offering remote scanning services to VMs protected by Bitdefender Tools. Security Server comes in 4 available templates depending on the environment it protects: VMware integrated with vShield Endpoint, VMware without vShield, XenServer and Hyper-V.

    Note: Upon request, Bitdefender can deliver templates which can be used on any other virtualized environment (e.g. KVM, Oracle VM etc.). For more details please contact the Bitdefender Enterprise Support team (http://enterprise.bitdefender.com/support/contact-us.html).

    To save bandwidth and resource consumption, GravityZone will not automatically download these packages. Depending on the specific needs of every protected environment, the product administrator can download only the required components for his environment.

    Whenever Bitdefender releases a product update for one of its components, the available version for each product will be incremented and the administrator will have the option to select that installer package and choose to update it. This action will only update the installer package stored by GravityZone and used for new product deployments. Existing deployed products are updated automatically using the live update mechanism.

    4.6. Certificates

    This section allows the administrator to replace the self-signed certificates available by default on all Web Console and Communication Server instances with valid certificates issued for the organization. If the Security for Mobile Devices module is used to manage iOS mobile devices, this section allows the administrator to create and add an Apple MDM Push Notifications certificate as well as to add iOS MDM Identity and Profile Signing / iOS MDM Trust Chain certificates.

    a. Control Center Security (Web Console roles) and Communication Server certificates

    - Click the corresponding certificate link.

    - Select the certificate type: with separate key or embedded key.

    - Select the certificate file and private key (if necessary). Click Add.

    - Enter the password for the private key (if the key is encrypted).

    - Save the settings.

    b. Apple MDM Push Certificate

    - To start the process, click Apple MDM Push.


    - Create a new certificate signing request signed by Bitdefender and download it from your browser. If you already have a certificate signing request, choose the second option and you will be prompted to allow Bitdefender to sign your existing certificate signing request. Click Next.

    - Control Center redirects you to the Apple Push Certificates Portal (https://identity.apple.com/pushcert/). Using the existing certificate signing request, follow the steps on this portal and generate your own push notifications certificate. When the process is finished, click Next.

    - Add the generated push notifications certificate and click Finish.

    c. iOS MDM Identity and Profile Signing / iOS MDM Trust Chain

    - Click the corresponding certificate link.

    - Select the certificate type: with separate key or embedded key (if necessary).

    - Select the certificate file and private key (if necessary). Click Add.

    - Enter the password for the private key (if the key is encrypted).

    - Save the certificate.

    Note: iOS MDM Identity and Profile Signing and Communication Server certificates need to be trusted by the iOS device in order for the iOS MDM Trust Chain Certificate to work. The device needs the whole path to the Root certificate (if it's a self-signed certificate originating within the company) or to an intermediate certificate issued by a major vendor so it can trust these certificates. Please make a PEM file including all intermediate certificates up to the self-signed Root or company CA, depending on your PKI.
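One way to check such a PEM file before adding it in Control Center, as an added example that is not part of the Bitdefender guide: the script splits the bundle, confirms that each certificate is issued by the next entry, and has OpenSSL verify the signatures against the last certificate. The function names `split_pem` and `check_chain`, and the assumption that the file ends at a self-signed root, belong to this example.

```shell
#!/usr/bin/env bash
# Added example: validate the ordering and signatures of a PEM chain file.
# Assumption: the bundle lists each certificate followed by its issuer and
# ends at a self-signed root (the company CA or a vendor root).

# split_pem BUNDLE DIR: write DIR/cert-N.pem per certificate, print the count.
split_pem() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$1"
}

# check_chain BUNDLE: 0 = ordered and verifiable, 1 = broken chain,
# 2 = unusable input.
check_chain() {
  local bundle=$1 tmp count i issuer parent rc=0
  tmp=$(mktemp -d) || return 2
  count=$(split_pem "$bundle" "$tmp" 2>/dev/null) || count=0
  if [ "${count:-0}" -eq 0 ]; then
    echo "no certificates found in $bundle" >&2; rm -rf "$tmp"; return 2
  fi
  i=1
  while [ "$i" -le "$count" ] && [ "$rc" -eq 0 ]; do
    issuer=$(openssl x509 -noout -issuer_hash -in "$tmp/cert-$i.pem") || rc=2
    # The issuer of certificate i must be the subject of certificate i+1;
    # the last certificate must name itself as issuer (self-signed root).
    if [ "$i" -lt "$count" ]; then
      parent=$(openssl x509 -noout -subject_hash -in "$tmp/cert-$((i + 1)).pem") || rc=2
    else
      parent=$(openssl x509 -noout -subject_hash -in "$tmp/cert-$i.pem") || rc=2
    fi
    if [ "$rc" -eq 0 ] && [ "$issuer" != "$parent" ]; then
      echo "certificate $i is not issued by the next entry in the bundle" >&2
      rc=1
    fi
    i=$((i + 1))
  done
  # Matching names prove nothing on their own: let OpenSSL check the
  # signatures, trusting only the last certificate in the bundle.
  if [ "$rc" -eq 0 ]; then
    openssl verify -CAfile "$tmp/cert-$count.pem" -untrusted "$bundle" \
      "$tmp/cert-1.pem" >/dev/null 2>&1 || rc=1
  fi
  rm -rf "$tmp"
  return "$rc"
}
```

A missing intermediate or a misordered file makes `check_chain` return 1, which is the condition the note above warns will stop the device from trusting the certificates.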

    4.7. License

    The License menu from Control Center allows the administrator to change, add or remove license keys for any module provided by GravityZone: Endpoint Security, SVE, Security for Mobile Devices.

    The existing entries are provided by the license keys used in the initial root account setup covered in section 4.1 Setup.


    When keys need changing, you can simply type the new license key code in the Key textbox and click the Add (+) button. Control Center always remembers the last configured key for a module.

    4.8. Alerts and Notifications

    Every Control Center user can configure GravityZone to send out email notifications for events related to new updates available, detected malware outbreaks or licensing.

    To configure these alerts, follow the next steps:

    - Access the Notifications Area as shown in the screenshot below.

    - Click See all notifications and hit the Settings button.

    - In the Notifications Settings window you can configure which type of notifications you want to receive by email and how long the notifications should be archived (zero means they will never be deleted).

    For the Malware Outbreak notification, you can set up the percentage threshold of infected systems from the total of protected systems that will trigger this alert. The alert is triggered by default if 5% of your managed systems become infected.

    - By default, the notifications are sent to the user account email address. However, other recipients can be defined in the Send also to textbox.