Smart phones and Application and Device Control in Symantec Endpoint Protection
Article: TECH147791 | Created: 2011-01-10 | Updated: 2013-01-31 | Article URL: http://www.symantec.com/docs/TECH147791
Can I block or manage smart phones with the Application and Device Control (ADC) policies in Symantec Endpoint Protection (SEP) 11.0 or 12.1? For instance: we have firewalls and gateway security products to keep malicious files out of the network at its perimeter. I also wish to prevent end users from connecting their mobile devices to their desktop computers and synching in potential threats.
Symantec also recommends defending devices like smart phones with their own mobile security product. See Symantec Mobile Security for more details on how to protect Android and Windows Mobile devices.
The Symantec Endpoint Protection client can help keep a computer protected against threats introduced through docked/synched mobile devices. Depending on how the smart phone presents itself to the Operating System when plugged in over USB, it may be possible to create Device Control policies to block the device. Device blocking rules are defined under Policies - Application and Device Control in the Symantec Endpoint Protection Manager (SEPM) console, and new hardware devices can be added under Policies - Policy Components - Hardware Devices.
To find the GUID or device ID string used by the hardware you can use the DevViewer.exe tool that comes with the SEP 11.0 CD. With some smart phones you may be able to select how the device should be mounted (as a USB Mass Storage device, Portable Device, Modem, etc.) - either in a popup menu on the phone when it is connected to the USB port, or as a configuration option within the phone settings - in these cases you may need to add several different hardware ID strings to your policies, depending on which modes you want to block or allow.
Application Control policies can determine read and write access to files and folders, based on configurable wildcards or the type of device. To be able to use this type of detailed filtering with SEP the hardware device needs to be accessed using regular file read/write functionality within Windows; certain non-standard access methods (for example CD-burning) cannot be monitored by the SEP client. Depending on how the smart phone presents itself to the Operating System it may or may not be possible to use Application Control - typically if the hardware is mounted as a USB Mass Storage device and has a drive letter then Application Control will work, but if the device is mounted as a Portable Device or similar, or if it does not have a drive letter, then Application Control cannot be used.
Application Control rules are defined under Policies - Application and Device Control in the Symantec Endpoint Protection Manager (SEPM) console.
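The following PowerShell script is an added example, not Symantec's DevViewer.exe or any SEP component: it lists the USB-attached devices on a client together with the device ID and hardware ID strings you would add under Policies - Policy Components - Hardware Devices, and for each one reports whether it exposes a drive letter (so Application Control can see its file reads and writes) or presents as a Portable Device or other USB function (Device Control only). It assumes local WMI access and uses only the standard Win32_PnPEntity, Win32_DiskDrive, Win32_DiskDriveToDiskPartition and Win32_LogicalDiskToPartition classes; the WPD class GUID is the documented Windows value.

```powershell
# Added example (not Symantec code): enumerate USB PnP devices, show the ID strings
# usable in SEPM Hardware Devices, and assess whether Application Control can apply.
$WpdClassGuid = '{EEC5AD98-8080-425F-922A-DABF3DE3F69A}'   # GUID_DEVCLASS_WPD (Portable Devices)

function Get-UsbDriveLetterMap {
    # Returns hashtable: USBSTOR PnP device ID -> drive letters ("E:", ...) mounted from it
    $map = @{}
    foreach ($disk in Get-WmiObject Win32_DiskDrive -Filter "InterfaceType='USB'") {
        $letters = @()
        $parts = Get-WmiObject -Query "ASSOCIATORS OF {$($disk.__RELPATH)} WHERE AssocClass=Win32_DiskDriveToDiskPartition"
        foreach ($part in $parts) {
            $vols = Get-WmiObject -Query "ASSOCIATORS OF {$($part.__RELPATH)} WHERE AssocClass=Win32_LogicalDiskToPartition"
            $letters += @($vols | ForEach-Object { $_.DeviceID })
        }
        $map[$disk.PNPDeviceID] = $letters
    }
    return $map
}

function Get-UsbDeviceControlCandidates {
    $driveMap = Get-UsbDriveLetterMap
    Get-WmiObject Win32_PnPEntity |
        Where-Object { $_.PNPDeviceID -match '^USB(STOR)?\\' -and $_.HardwareID } |
        ForEach-Object {
            $letters = $driveMap[$_.PNPDeviceID]
            if ($_.ClassGuid -eq $WpdClassGuid) {
                $mode = 'Portable Device (WPD): no drive letter, Device Control only'
            } elseif ($_.PNPDeviceID -like 'USBSTOR\*' -and $letters) {
                $mode = "USB Mass Storage on $($letters -join ','): Application Control possible"
            } else {
                $mode = 'Other USB function (modem, composite parent, hub): Device Control only'
            }
            # New-Object keeps this compatible with PowerShell 2.0 on older clients
            New-Object PSObject -Property @{
                Name       = $_.Name
                DeviceID   = $_.PNPDeviceID     # full instance path, includes serial number
                HardwareID = $_.HardwareID[0]   # vendor/product string for a model-wide rule
                Assessment = $mode
            }
        }
}

Get-UsbDeviceControlCandidates | Format-List Name, DeviceID, HardwareID, Assessment
```

Run it once per mount mode the phone offers (Mass Storage, Portable Device, Modem), since each mode enumerates as a different device with its own ID strings.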
This article may also apply to mp3 players or other similar devices, which can mount as either a standard USB Mass Storage device or (when using vendor-specific drivers) as a non-standard device type.