Smart phones and Application and Device Control in Endpoint Protection

Article ID: 153095

Products

Endpoint Protection

Issue/Introduction

Blocking or managing smart phones with the Application and Device Control (ADC) policies in Symantec Endpoint Protection (SEP). Firewalls and gateway security products protect against malicious files by keeping them out of the network at its perimeter; ADC policies can optionally close the remaining gap by preventing end users from connecting their mobile devices to their desktop computers and synching in potential threats.

Resolution

Important Note

Symantec also recommends defending devices like smart phones with their own mobile security product. See Symantec Mobile Security for more details on how to protect Android and Windows Mobile devices.


Device Control

The Symantec Endpoint Protection client can help keep a computer protected against threats introduced through docked/synched mobile devices.  Depending on how the smart phone presents itself to the Operating System when plugged in over USB, it may be possible to create Device Control policies to block the device. Device blocking rules are defined under Policies - Application and Device Control in the Symantec Endpoint Protection Manager (SEPM) console, and new hardware devices can be added under Policies - Policy Components - Hardware Devices.

To find the GUID or device ID string used by the hardware, use the DevViewer.exe tool that ships in the tools folder of the SEP install files. Some smart phones let the user select how the device is mounted (as a USB Mass Storage device, Portable Device, Modem, etc.), either in a popup menu on the phone when it is connected to the USB port or as a configuration option within the phone settings. Each mode can present a different hardware ID to Windows, so in those cases add several different hardware ID strings to the policies, one for each mode to be blocked or allowed.


Application Control

Application Control policies can determine read and write access to files and folders, based on configurable wildcards or the type of device. To use this type of detailed filtering with SEP, the hardware device needs to be accessed using regular file read/write functionality within Windows; certain nonstandard access methods (for example CD-burning) cannot be monitored by the SEP client. Depending on how the smart phone presents itself to the operating system it may or may not be possible to use Application Control: typically, if the hardware is mounted as a USB Mass Storage device and has a drive letter, Application Control will work, but if the device is mounted as a Portable Device or similar, or if it does not have a drive letter, Application Control cannot be used.
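The two sections above turn on the same question: how did Windows mount the phone, and which ID string does it carry? The following PowerShell script is an added example, not part of this article or of the SEP product, that answers both from the endpoint itself: it lists every present USB device with its class, class GUID, instance ID and hardware IDs (the strings a Hardware Devices entry for Device Control is built from), and then lists which USB-attached volumes actually received a drive letter (the precondition for path-based Application Control rules). It assumes Windows 8 / Server 2012 or later (the PnpDevice and Storage modules) and an elevated session; the function names are the example's own. Confirm the exact string format against DevViewer.exe before pasting a value into a policy.

```powershell
# Added example (not Symantec's code): inventory USB devices before writing ADC entries.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

function Get-UsbDeviceInventory {
    # Present devices whose instance ID starts with USB\ or USBSTOR\.
    # Class shows how Windows mounted the phone: 'WPD' = Portable Device (MTP/PTP),
    # 'DiskDrive' = mass storage, 'Modem', 'Net', etc.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -match '^(USB|USBSTOR)\\' } |
        ForEach-Object {
            [PSCustomObject]@{
                FriendlyName = $_.FriendlyName
                Class        = $_.Class
                ClassGuid    = $_.ClassGuid
                InstanceId   = $_.InstanceId            # candidate Device ID string
                HardwareIds  = ($_.HardwareID -join '; ') # candidate hardware ID strings
            }
        }
}

function Get-UsbDriveLetters {
    # Partitions on USB-attached disks that received a drive letter.
    # Only these are reachable by file/folder rules in Application Control.
    Get-Disk | Where-Object { $_.BusType -eq 'USB' } |
        Get-Partition |
        Where-Object { $_.DriveLetter -ne [char]0 } |
        ForEach-Object {
            [PSCustomObject]@{
                DiskNumber  = $_.DiskNumber
                DriveLetter = $_.DriveLetter
                SizeGB      = [math]::Round($_.Size / 1GB, 2)
            }
        }
}

"== USB devices present (candidate IDs for Device Control) =="
Get-UsbDeviceInventory | Format-Table -AutoSize -Wrap

"== USB volumes with a drive letter (covered by Application Control file rules) =="
$letters = Get-UsbDriveLetters
if ($letters) {
    $letters | Format-Table -AutoSize
} else {
    "None. A phone mounted only as WPD or Modem will not be governed by path-based rules;"
    "use a Device Control rule on its ID string instead."
}
```

Run it once per mount mode the phone offers (Mass Storage, Portable Device, Modem), since the first table changes with the mode selected on the handset; each distinct ID that appears is a separate entry the policy needs if that mode is to be blocked or allowed.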

Application Control rules are defined under Policies - Application and Device Control in the Symantec Endpoint Protection Manager (SEPM) console.

This article may also apply to mp3 players or other similar devices, which can mount as either a standard USB Mass Storage device or (when using vendor-specific drivers) as a nonstandard device type.