Endpoint Protection

 View Only

  • 1.  Device Control Functionality in SEP

    Posted Mar 28, 2016 03:22 AM

    Hi all , I need to know if we can achieve this via the Device control in SEP.

     

    For USB blocking – to allow only smartphone file transfers of pictures using a common hardware ID if possible.

     

    Is it possible that we can block all other functionalithy (i.e executing something) on USB except for allowing smartphone file transfer ?

     

    Any suggestions would ne helpful. Thanks



  • 2.  RE: Device Control Functionality in SEP

    Posted Mar 28, 2016 03:51 AM

    any 1 there ?



  • 3.  RE: Device Control Functionality in SEP

    Trusted Advisor
    Posted Mar 28, 2016 07:10 AM

    Hello,

    Device Control

    The Symantec Endpoint Protection client can help keep a computer protected against threats introduced through docked/synched mobile devices.  Depending on how the smart phone presents itself to the Operating System when plugged in over USB, it may be possible to create Device Control policies to block the device. Device blocking rules are defined under Policies - Application and Device Control in the Symantec Endpoint Protection Manager (SEPM) console, and new hardware devices can be added under Policies - Policy Components - Hardware Devices.

    To find the GUID or device ID string used by the hardware you can use the DevViewer.exe tool that comes with the SEP 11.0 CD. With some smart phones you may be able to select how the device should be mounted (as a USB Mass Storage device, Portable Device, Modem, etc.) - either in a popup menu on the phone when it is connected to the USB port, or as a configuration option within the phone settings - in these cases you may need to add several different hardware ID strings to your policies, depending on which modes you want to block or allow.

     

    Application Control

    Application Control policies can determine read and write access to files and folders, based on configurable wildcards or the type of device. To be able to use this type of detailed filtering with SEP the hardware device needs to be accessed using regular file read/write functionality within Windows; certain non-standard access methods (for example CD-burning) cannot be monitored by the SEP client. Depending on how the smart phone presents itself to the Operating System it may or may not be possible to use Application Control - typically if the hardware is mounted as a USB Mass Storage device and has a drive letter then Application Control will work, but if the device is mounted as a Portable Device or similar, or if it does not have a drive letter, then Application Control cannot be used.

    Application Control rules are defined under Policies - Application and Device Control in the Symantec Endpoint Protection Manager (SEPM) console.

    Check these Articles:

    Smart phones and Application and Device Control in Symantec Endpoint Protection

    https://support.symantec.com/en_US/article.TECH147791.html

    Block or allow devices in Endpoint Protection

    https://support.symantec.com/en_US/article.TECH175220.html

    Regards,



  • 4.  RE: Device Control Functionality in SEP

    Posted Mar 28, 2016 08:09 AM

    No. It's going to be all or nothing. You can't get this granular with device control.



  • 5.  RE: Device Control Functionality in SEP

    Posted Mar 28, 2016 08:52 AM

    Hi Mithun , thanks for sharing the article . I know what device and application control but I am looking for a specific answer like Brian gave above if we can achieve this or not.

     

    Thanks